[j-nsp] Strange behaviour of filter
joshua sahala
jejs at sahala.org
Wed May 12 10:11:39 EDT 2004
On (12/05/04 17:25), Wei Keong wrote:
>
> As shown in the config below, the traffic from source 10.2.196.0/27 should
> only be handled by the last term. However, somehow, the traffic is being
> handled by term-I, redirecting to instance-A.

term-A is counting everything that isn't destined for port 80, so in
terms of the list, first term that matches, 'wins'

from the junos docs:

  The order of the terms within a firewall filter is significant.
  Packets are tested against each term in the order in which they are
  listed in the configuration. When the first matching conditions are
  found, the action associated with that term is applied to the packet
  and the evaluation of the firewall filter ends, unless the next term
  action modifier is included. If the next term action is included, the
  matching packet is then evaluated against the next term in the
  firewall filter; otherwise, the matching packet is not evaluated
  against subsequent terms in the firewall filter.

so you might try using 'next term' in your filters

as far as term2 not being in the count...i'm not sure

/joshua
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
- Douglas Adams -
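
A small Python model of the term evaluation order described in the Junos documentation excerpt above, added here as an illustration; it is not code from the thread or from Juniper. The filter is constructed (term and counter names are hypothetical; only 10.2.196.0/27 and instance-A come from the thread), and the model assumes the implicit accept for a term that carries only a counter and the implicit discard at the end of a filter.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Term:
    name: str
    src: str = "0.0.0.0/0"              # source-address match
    port: Optional[int] = None          # destination-port match
    port_except: Optional[int] = None   # any destination port except this one
    modifiers: List[str] = field(default_factory=list)  # e.g. "count x"
    terminating: Optional[str] = None   # accept / discard / routing-instance X
    next_term: bool = False             # not combined with a terminating action

    def matches(self, src_ip: str, dport: int) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.port is not None and dport != self.port:
            return False
        return self.port_except is None or dport != self.port_except

def evaluate(terms, src_ip, dport):
    """Return (final action, deciding term, counters hit) for one packet."""
    hit = []
    for t in terms:
        if not t.matches(src_ip, dport):
            continue
        hit += t.modifiers
        if t.next_term:
            continue                    # fall through to the following terms
        # First match wins; with no terminating action Junos implies accept.
        return (t.terminating or "accept", t.name, hit)
    return ("discard", None, hit)       # implicit discard ends every filter

def build(next_term_on_counter: bool):
    # Constructed filter: term and counter names are hypothetical.
    return [
        Term("count-non-http", port_except=80, modifiers=["count non-http"],
             next_term=next_term_on_counter),
        Term("redirect-http", port=80,
             terminating="routing-instance instance-A"),
        Term("last", src="10.2.196.0/27", modifiers=["count last"],
             terminating="accept"),
    ]

if __name__ == "__main__":
    for nt in (False, True):
        for dport in (22, 80):
            print(nt, dport, evaluate(build(nt), "10.2.196.5", dport))
```

In this model, port-22 traffic from 10.2.196.0/27 reaches `last` only when the counting term carries `next term`, while port-80 traffic is claimed by the redirect term in both cases, so a source-specific term has to sit ahead of the broader terms to take effect.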