[j-nsp] configuration groups and firewall filter term order
Phil Shafer
phil at juniper.net
Fri Apr 11 11:10:05 EDT 2003
Patrick Colman writes:
>Is there any way in JUNOS that I can force the order of the terms
>inherited from the apply-groups statement?
Nope. The order is fixed. We traverse the foreground config, then
the (non-wildcard) matches from each applied group, in the order
listed from the inner-most 'apply-groups' statement to the outer-most.
apply-groups [ nine ten ];
firewall {
    apply-groups [ seven eight ];
    family inet {
        apply-groups [ five six ];
        filter foo {
            apply-groups [ three four ];
            term goo {
                apply-groups [ one two ];
                from {
                    source-address {
                        10.0.0.0/8 except;
                    }
                }
            }
        }
    }
}
The order here would be foreground (10/8 exact), then the groups
one two three ... ten. Any wildcards are matched against all
applied groups.
So the only way I can see to achieve your goal is to put
your current foreground config in a group and apply it
after your common group:
groups {
    common {
        firewall {
            family inet {
                filter <*> {
                    term 1 {
                        from {
                            source-address {
                                10.0.0.0/8 except;
                            }
                        }
                        then discard;
                    }
                }
            }
        }
    }
    filter-interface-1 {
        firewall {
            family inet {
                filter interface-1 {
                    term 100 {
                        from {
                            destination-port telnet;
                        }
                        then discard;
                    }
                    term 200 {
                        then accept;
                    }
                }
            }
        }
    }
    filter-interface-2 {
        firewall {
            family inet {
                filter interface-2 {
                    term 100 {
                        then accept;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter interface-1 {
            apply-groups [ common filter-interface-1 ];
        }
        filter interface-2 {
            apply-groups [ common filter-interface-2 ];
        }
    }
}
Your 'then accept' could also be a distinct group which is applied
last (perhaps just at the [firewall] level).
Thanks,
Phil
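The following is an added illustration, not part of Phil's post and not Juniper code: a small Python model of the inheritance order the reply describes (foreground statements first, then each applied group, starting at the inner-most apply-groups statement and working outward, groups in their listed order). It replays both of the post's examples: the nested apply-groups case, where the source-address list in term goo ends up as the foreground prefix followed by groups one through ten, and the suggested fix, where putting the per-filter terms in their own group applied after `common` makes the common discard term come first. The path tuples, group names and placeholder prefixes are constructed stand-ins; the model assumes that an item already present is merged in place rather than re-added, and that a wildcard match such as `filter <*>` contributes at its group's position in the order (which is what the suggested fix relies on; the post does not spell wildcard ordering out further).

```python
"""Toy model of JUNOS apply-groups inheritance order.

Added illustration, not Juniper code: it models only the ordering rule
described in the post and does not parse real JUNOS syntax.  Every path,
group and item below is a constructed stand-in for the post's examples.
"""

WILDCARD = "<*>"

# A config path is a list of (level_name, apply_groups_at_that_level), outermost
# level first.  Each hierarchy level is reduced to a single name, so the group
# statement "filter <*>" becomes the component "<*>" at the filter level.


def group_order(path):
    """Group names in inheritance order: inner-most apply-groups statement first."""
    order = []
    for _level, applied in reversed(path):
        order.extend(applied)  # within one statement, the listed order
    return order


def matches(pattern, target):
    """A group path pattern matches when every component is equal or a wildcard."""
    return len(pattern) == len(target) and all(
        p == t or p == WILDCARD for p, t in zip(pattern, target)
    )


def effective_items(path, foreground, groups):
    """Ordered items (terms, prefixes, ...) at the leaf of `path` after inheritance.

    `groups` maps a group name to {path_pattern_tuple: [items]}.  Assumptions of
    this model: an item already present is merged in place rather than re-added,
    and within one group exact path matches are taken before wildcard matches.
    """
    target = tuple(level for level, _ in path)
    items = list(foreground)  # foreground config always comes first
    for name in group_order(path):
        patterns = sorted(groups[name].items(), key=lambda kv: kv[0].count(WILDCARD))
        for pattern, group_items in patterns:
            if matches(pattern, target):
                for item in group_items:
                    if item not in items:
                        items.append(item)
    return items


# Scenario 1: the nested apply-groups example, applied to the source-address
# list inside term goo.  Constructed: each group contributes one placeholder prefix.
GROUP_NAMES = ["one", "two", "three", "four", "five", "six", "seven", "eight", "nine", "ten"]
NESTED_PATH = [
    ("[edit]", ["nine", "ten"]),
    ("firewall", ["seven", "eight"]),
    ("inet", ["five", "six"]),
    ("foo", ["three", "four"]),
    ("goo", ["one", "two"]),
    ("from", []),
    ("source-address", []),
]
NESTED_TARGET = tuple(level for level, _ in NESTED_PATH)
NESTED_GROUPS = {name: {NESTED_TARGET: [f"{name}-prefix"]} for name in GROUP_NAMES}
FOREGROUND_PREFIXES = ["10.0.0.0/8 except"]


# Scenario 2: the suggested fix.  The "terms" leaf stands for a filter's ordered
# term list; only the term names are modelled.
def filter_terms_path(filter_name, applied):
    return [("[edit]", []), ("firewall", []), ("inet", []), (filter_name, applied), ("terms", [])]


FIX_GROUPS = {
    "common": {("[edit]", "firewall", "inet", WILDCARD, "terms"): ["term 1"]},
    "filter-interface-1": {("[edit]", "firewall", "inet", "interface-1", "terms"): ["term 100", "term 200"]},
    "filter-interface-2": {("[edit]", "firewall", "inet", "interface-2", "terms"): ["term 100"]},
}


def naive_order(filter_name, foreground_terms):
    """Foreground terms plus the common group: the common term always lands last."""
    return effective_items(filter_terms_path(filter_name, ["common"]), foreground_terms, FIX_GROUPS)


def fixed_order(filter_name, own_group):
    """Per-filter terms moved into a group applied after `common`: common term first."""
    return effective_items(filter_terms_path(filter_name, ["common", own_group]), [], FIX_GROUPS)


if __name__ == "__main__":
    print(effective_items(NESTED_PATH, FOREGROUND_PREFIXES, NESTED_GROUPS))
    print(naive_order("interface-1", ["term 100", "term 200"]))
    print(fixed_order("interface-1", "filter-interface-1"))
```

Running the script prints the nested case as the 10/8 foreground prefix followed by `one-prefix` through `ten-prefix`, then shows the contrast that motivates the fix: with terms 100 and 200 in the foreground, `term 1` from `common` is appended last, whereas with them in `filter-interface-1` applied after `common`, `term 1` leads.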