[j-nsp] Re: Re: Interfaces, deactivate vs disable
Josef Buchsteiner
josefb at juniper.net
Thu Jun 9 06:33:27 EDT 2005
Thursday, June 9, 2005, 1:10:40 AM, you wrote:
LEG> On Wed, 8 Jun 2005, Daniel Roesen wrote:
>> On Wed, Jun 08, 2005 at 01:15:18PM -0400, Eric Van Tol wrote:
>>> This begs the question, if using a standardized config, such as a
>>> firewall filter, what should be done when the packets hit that term
>>> which references the empty prefix-list? should they be accepted or
>>> denied?
>>
>> That depends on the context in which the prefix-list is used. And
>> I disagree with IOS' semantics here.
>>
>> A prefix-list specifies prefixes which do match when the prefix-list
>> is being referenced. The natural no-surprises outcome of an empty
>> prefix-list is (should be) that no prefix matches. If I give you an
>> empty shopping list you don't come back with all the goods the shop
>> had to offer, do you? :-)
LEG> I couldn't agree more - I actually prefer the OLD JunOS behaviour that
LEG> would not let you commit a configuration with an empty prefix-list over
LEG> the current behaviour that allows empty lists, having been bit by the same
LEG> problem as the previous poster.
LEG> Firewall term referencing a prefix-list, with a discard-action. Remove the
LEG> last IP in the prefix-list and it suddenly matches ANY, not NONE - whoops,
This is a bug and is fixed in 7.2+ (7.2R2, 7.3R1). Once the prefix
list is empty we should not match in the firewall. I need to look at what the
issue is once we use an empty prefix-list in a policy.
Josef
LEG> there goes all your traffic into the big bitbucket in the sky. I'd rather
LEG> take the "checkout failed" message any day. :-/
LEG> /leg
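Because the thread turns on what an empty prefix-list should match, here is an added example (my own code, not from Juniper or anyone in this thread) that lints a constructed "show configuration | display set"-style JunOS snippet for firewall terms referencing an empty or missing prefix-list, and then evaluates a source/destination pair under both semantics: the intended "empty list matches nothing" and the pre-fix "empty list matches any" behaviour described above. The sample configuration, filter names and addresses are all constructed for the demonstration.

```python
"""Lint a JunOS 'set'-style config for firewall terms that reference an empty
prefix-list, and show how the two semantics change the packet's fate.
Constructed example, not Juniper tooling."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config: 'blocked-customers' has had its last entry removed.
SAMPLE_CONFIG = """
set policy-options prefix-list bogons 10.0.0.0/8
set policy-options prefix-list bogons 192.168.0.0/16
set policy-options prefix-list blocked-customers
set firewall family inet filter edge-in term drop-bogons from source-prefix-list bogons
set firewall family inet filter edge-in term drop-bogons then discard
set firewall family inet filter edge-in term drop-blocked from source-prefix-list blocked-customers
set firewall family inet filter edge-in term drop-blocked then discard
set firewall family inet filter edge-in term allow-rest then accept
"""

PREFIX_RE = re.compile(r"^set policy-options prefix-list (\S+)(?: (\S+))?$")
FROM_RE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) from (source|destination)-prefix-list (\S+)$")
THEN_RE = re.compile(r"^set firewall family inet filter (\S+) term (\S+) then (\S+)$")


def parse_config(text):
    """Return (prefix_lists, terms): name -> [networks], (filter, term) -> spec."""
    prefix_lists = {}
    terms = defaultdict(lambda: {"source": [], "destination": [], "action": None})
    for line in text.strip().splitlines():
        line = line.strip()
        if m := PREFIX_RE.match(line):
            name, entry = m.groups()
            prefix_lists.setdefault(name, [])        # a bare name declares an empty list
            if entry:
                prefix_lists[name].append(ipaddress.ip_network(entry))
        elif m := FROM_RE.match(line):
            flt, term, direction, name = m.groups()
            terms[(flt, term)][direction].append(name)
        elif m := THEN_RE.match(line):
            flt, term, action = m.groups()
            terms[(flt, term)]["action"] = action
    return prefix_lists, dict(terms)               # dict keeps term order


def find_empty_references(prefix_lists, terms):
    """(filter, term, list_name, action) for every term whose match condition
    references a prefix-list with no entries. A 'discard' hit here is the
    'whoops, all traffic into the bitbucket' case the thread describes."""
    findings = []
    for (flt, term), spec in sorted(terms.items()):
        for direction in ("source", "destination"):
            for name in spec[direction]:
                if not prefix_lists.get(name):     # missing or empty
                    findings.append((flt, term, name, spec["action"]))
    return findings


def term_matches(src, dst, spec, prefix_lists, empty_matches_any=False):
    """Does a packet match this term? With empty_matches_any=True an empty
    referenced list acts as a wildcard (the buggy behaviour); with False it
    matches nothing (the intended behaviour)."""
    addrs = {"source": ipaddress.ip_address(src), "destination": ipaddress.ip_address(dst)}
    for direction, names in (("source", spec["source"]), ("destination", spec["destination"])):
        if not names:
            continue                               # no condition in this direction
        nets = [n for name in names for n in prefix_lists.get(name, [])]
        if not nets:
            if empty_matches_any:
                continue                           # wildcard: every address matches
            return False                           # empty list: nothing matches
        if not any(addrs[direction] in n for n in nets):
            return False
    return True


def first_action(src, dst, terms, prefix_lists, filter_name, empty_matches_any=False):
    """Walk the filter's terms in order and return (term, action) of the first hit."""
    for (flt, term), spec in terms.items():
        if flt == filter_name and term_matches(src, dst, spec, prefix_lists, empty_matches_any):
            return term, spec["action"]
    return None, None


if __name__ == "__main__":
    pl, tm = parse_config(SAMPLE_CONFIG)
    for f in find_empty_references(pl, tm):
        print("WARNING: filter %s term %s references empty prefix-list %s (action %s)" % f)
    for mode in (False, True):
        print("empty_matches_any=%s -> %s" % (mode, first_action("172.16.1.1", "203.0.113.5", tm, pl, "edge-in", mode)))
```

Run as a pre-commit check, the warning is the "checkout failed" signal the previous poster says they would rather have; the two evaluation lines show the same innocuous source address being accepted under the intended semantics and discarded under the wildcard semantics.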