[j-nsp] Strange behaviour of filter
Wei Keong
chooweikeong at pacific.net.sg
Wed May 12 05:25:36 EDT 2004
Hi all,

I notice the filter in m20 does not behave as per design.

As shown in the config below, the traffic from source 10.2.196.0/27 should
only be handled by the last term. However, somehow, the traffic is being
handled by term-I, redirecting to instance-A.

Notice that when the term test-1 is disabled, the term test-2 also
disappeared from the count...

Has anyone known of a bug with the junos filter?

Thanks,
Wei Keong

# run show firewall filter test-filter
Filter: test-filter
Counters:
Name                  Bytes
term-A      215958376409398
term-D        7030494695227
term-B        1224274223382
term-C          17496166094
term-E         722677793997
term-F         284061283579
term-H        1641871632568
term-I        1195945397511
default       1987071312241

# show firewall filter test-filter
term term-A {
    from {
        destination-port-except 80;
    }
    then {
        count term-A;
        accept;
    }
}
term term-B {
    from {
        source-address {
            10.0.1.160/28;
        }
    }
    then {
        count term-B;
        routing-instance instance-A;
    }
}
term term-C {
    from {
        source-address {
            10.1.89.104/32;
            10.1.89.97/32;
            10.1.89.81/32;
        }
    }
    then {
        count term-C;
        routing-instance instance-B;
    }
}
term term-D {
    from {
        source-address {
            10.0.0.0/23;
            10.1.68.0/24;
            10.1.72.0/22;
            10.1.89.0/24;
            10.1.90.0/24;
            10.1.91.0/24;
            10.1.94.0/23;
            10.1.96.0/22;
        }
    }
    then {
        count term-D;
        accept;
    }
}
term term-E {
    from {
        destination-address {
            10.0.1.1/32;
        }
    }
    then {
        count term-E;
        accept;
    }
}
term term-F {
    from {
        source-address {
            10.2.64.0/19;
            10.2.96.0/21;
            10.2.104.0/23;
            10.2.106.0/23;
            10.2.108.0/22;
            10.2.112.0/20;
            10.2.208.0/20;
            10.2.224.0/20;
            10.2.200.0/21;
        }
    }
    then {
        count term-F;
        routing-instance instance-B;
    }
}
inactive: term term-G {
    from {
        source-address {
            10.2.64.0/18;
            10.2.200.0/21;
            10.2.208.0/20;
            10.2.224.0/20;
            10.2.240.0/20;
            10.3.80.0/21;
            10.3.88.0/22;
            10.4.0.0/20;
            10.4.16.0/20;
            10.4.32.0/22;
        }
    }
    then {
        count term-G;
        routing-instance instance-C;
    }
}
term term-H {
    from {
        source-address {
            10.2.208.0/20;
            10.2.224.0/20;
            10.2.240.0/20;
            10.4.16.0/20;
            10.4.32.0/22;
        }
    }
    then {
        count term-H;
        routing-instance instance-D;
    }
}
inactive: term test-1 {
    from {
        source-address {
            10.2.196.0/27;
        }
    }
    then {
        count test-1;
        next term;
    }
}
term term-I {
    from {
        source-address {
            10.2.64.0/18;
            10.3.80.0/21;
            10.3.88.0/22;
            10.4.0.0/20;
            10.4.63.0/24;
            10.2.200.0/21;
        }
    }
    then {
        count term-I;
        routing-instance instance-A;
    }
}
term test-2 {
    from {
        source-address {
            10.2.196.0/27;
        }
    }
    then {
        count test-2;
        next term;
    }
}
term default {
    then {
        count default;
        routing-instance instance-E;
    }
}
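
An offline cross-check of the configuration above, added here as an example and not part of the original post: it walks the active source-address terms in configured order and reports which counters a given source would hit and which term ends evaluation. The names `TERMS`, `overlaps` and `walk` are hypothetical, and the model is an assumption: ordered first-match evaluation where `accept` and `routing-instance` terminate and `next term` continues, the packet having already fallen through term-A and term-E, and a source block counting as a match when any of its addresses overlaps a listed prefix.

```python
import ipaddress

# Active terms of test-filter that match on source-address, in configured
# order, copied from the post. Third field: True if the action terminates
# evaluation (accept / routing-instance), False for "next term".
# Left out: term-A (port match), term-E (destination match), and the
# inactive terms term-G and test-1.
TERMS = [
    ("term-B", ["10.0.1.160/28"], True),
    ("term-C", ["10.1.89.104/32", "10.1.89.97/32", "10.1.89.81/32"], True),
    ("term-D", ["10.0.0.0/23", "10.1.68.0/24", "10.1.72.0/22", "10.1.89.0/24",
                "10.1.90.0/24", "10.1.91.0/24", "10.1.94.0/23", "10.1.96.0/22"], True),
    ("term-F", ["10.2.64.0/19", "10.2.96.0/21", "10.2.104.0/23", "10.2.106.0/23",
                "10.2.108.0/22", "10.2.112.0/20", "10.2.208.0/20", "10.2.224.0/20",
                "10.2.200.0/21"], True),
    ("term-H", ["10.2.208.0/20", "10.2.224.0/20", "10.2.240.0/20",
                "10.4.16.0/20", "10.4.32.0/22"], True),
    ("term-I", ["10.2.64.0/18", "10.3.80.0/21", "10.3.88.0/22", "10.4.0.0/20",
                "10.4.63.0/24", "10.2.200.0/21"], True),
    ("test-2", ["10.2.196.0/27"], False),
    ("default", ["0.0.0.0/0"], True),   # a term with no "from" matches everything
]


def overlaps(src, prefixes):
    """Prefixes from the list that share at least one address with src."""
    net = ipaddress.ip_network(src)
    return [p for p in prefixes if net.overlaps(ipaddress.ip_network(p))]


def walk(src):
    """Return (terms whose counter would increment, terminating term)."""
    counted = []
    for name, prefixes, terminating in TERMS:
        if overlaps(src, prefixes):
            counted.append(name)
            if terminating:
                return counted, name
    return counted, None


if __name__ == "__main__":
    for src in ("10.2.196.0/27", "10.3.80.0/21", "10.2.200.0/24"):
        print(src, walk(src))
```
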