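I want to audit a Juniper ScreenOS firewall. I have obtained the configuration file, but I am not familiar with the syntax. I am wondering about the "exit" command.
In the configuration file, most policies are followed by one or two additional commands and an exit statement: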
[...]
set policy id <id1> name "<name1>" from "<zone1>" to "<zone2>" "<address1>" "<address2>" "<service1>" permit log
set policy id <id1>
exit
set policy id <id2> name "<name2>" from "<zone1>" to "<zone2>" "<address1>" "<address2>" "<service2>" permit log
set policy id <id2>
set service "<service3>"
set service "<service4>"
set service "<service5>"
set service "<service6>"
exit
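[...]
How should I interpret this? If the exit statement groups the policy together, then there is only redundant information. The policy id is already set in the line above. Services 3, 4, 5 and 6 (set in the lower items) are already included in service 2.
The exit statement does not only appear after set policy statements.
Posted on 2017-06-09 16:13:16
A Juniper ScreenOS configuration file is just a long list of CLI commands. If we add the prompt at the beginning of each line, the purpose of exit becomes clearer: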
[...]
device-> set policy id <id1> name "<name1>" from "<zone1>" to "<zone2>" "<address1>" "<address2>" "<service1>" permit log
device-> set policy id <id1>
device(policy:<id1>)-> exit
device-> set policy id <id2> name "<name2>" from "<zone1>" to "<zone2>" "<address1>" "<address2>" "<service2>" permit log
device-> set policy id <id2>
device(policy:<id2>)-> set service "<service3>"
device(policy:<id2>)-> set service "<service4>"
device(policy:<id2>)-> set service "<service5>"
device(policy:<id2>)-> set service "<service6>"
device(policy:<id2>)-> exit
[...]
device-> save
https://serverfault.com/questions/854886
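For an audit, the context tracking the answer describes can be replayed in a script so that each policy ends up with its full service list. The following is an added example, not part of the original answer: the function name, the sample policies and the field names are constructed, and it assumes that `set service` inside the policy context adds a service to that policy.

```python
import shlex

# Constructed sample in the layout shown above (not taken from a real device).
SAMPLE = '''\
set policy id 1 name "web" from "Untrust" to "DMZ" "Any" "srv-web" "HTTP" permit log
set policy id 1
exit
set policy id 2 name "mgmt" from "Trust" to "DMZ" "admins" "srv-web" "SSH" permit log
set policy id 2
set service "HTTPS"
set service "PING"
exit
'''

def parse_policies(text):
    """Replay the config like the CLI would, tracking the policy sub-context."""
    policies, current = {}, None           # current = id of the open context
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[:3] == ["set", "policy", "id"] and len(tok) >= 4:
            pid, rest = tok[3], tok[4:]
            if not rest:                   # bare "set policy id N": enter context
                current = pid
                continue
            if rest[0] == "name":          # optional name "<name>"
                name, rest = rest[1], rest[2:]
            else:
                name = None
            if len(rest) >= 8 and rest[0] == "from" and rest[2] == "to":
                policies[pid] = {"name": name, "from": rest[1], "to": rest[3],
                                 "src": rest[4], "dst": rest[5],
                                 "services": [rest[6]], "action": rest[7],
                                 "options": rest[8:], "other": []}
        elif tok == ["exit"]:
            current = None                 # back to the top-level prompt
        elif current is not None and current in policies:
            if tok[:2] == ["set", "service"] and len(tok) == 3:
                policies[current]["services"].append(tok[2])
            else:                          # in-context command not modelled here
                policies[current]["other"].append(raw.strip())
    return policies

if __name__ == "__main__":
    for pid, p in parse_policies(SAMPLE).items():
        print(pid, p["from"], "->", p["to"], p["src"], p["dst"],
              ",".join(p["services"]), p["action"])
```

In-context commands other than `set service` are kept verbatim under `other` so they can be reviewed by hand.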