[j-nsp] Re: Re: Interfaces, deactivate vs disable

Josef Buchsteiner josefb at juniper.net
Thu Jun 9 06:33:27 EDT 2005
Thursday, June 9, 2005, 1:10:40 AM, you wrote:

LEG> On Wed, 8 Jun 2005, Daniel Roesen wrote:
 
 >> On Wed, Jun 08, 2005 at 01:15:18PM -0400, Eric Van Tol wrote:
 >>> This begs the question, if using a standardized config, such as a
 >>> firewall filter, what should be done when the packets hit that term
 >>> which references the empty prefix-list?  should they be accepted or
 >>> denied?
 >>
 >> That depends on the context in which the prefix-list is used. And
 >> I disagree with IOS' semantics here.
 >>
 >> A prefix-list specifies prefixes which do match when the prefix-list
 >> is being referenced. The natural no-surprises outcome of an empty
 >> prefix-list is (should be) that no prefix matches. If I give you an
 >> empty shopping list you don't come back with all the goods the shop
 >> had to offer, do you? :-)
 
LEG>  I couldn't agree more - I actually prefer the OLD JunOS behaviour that
LEG>  would not let you commit a configuration with an empty prefix-list over
LEG>  the current behaviour that allows empty lists, having been bit by the same
LEG>  problem as the previous poster.
 
LEG>  Firewall term referencing a prefix-list, with a discard-action. Remove the
LEG>  last IP in the prefix-list and it suddenly matches ANY, not NONE - whoops,

      This is a bug and fixed in 7.2+ (7.2R2, 7.3R1). Once the prefix
      list is empty we should not match in the firewall. I need to look what the
      issue is once we use an empty prefix-list in a policy.

      Josef


LEG>  there goes all your traffic into the big bitbucket in the sky. I'd rather
LEG>  take the "checkout failed" message any day. :-/
LEG>  /leg
LEG>  _______________________________________________
LEG>  juniper-nsp mailing list juniper-nsp at puck.nether.net
LEG>  http://puck.nether.net/mailman/listinfo/juniper-nsp
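To make the failure mode in this thread concrete, here is an added example (not Junos code and not from any poster) that models a firewall filter whose terms reference prefix-lists and evaluates a source address under both semantics: the expected "empty list matches nothing" and the buggy "empty list matches any" behaviour LEG describes. It also includes a small pre-commit style lint that flags a discard or reject term whose only match condition is an empty prefix-list, which is roughly the safety net the old commit-time check provided. The prefix-list names, term names and addresses are constructed for the example, and the trailing implicit discard mirrors the default end-of-filter action of a Junos firewall filter.

```python
"""Model of a Junos-style firewall filter with prefix-list terms.

Constructed example: shows why an empty prefix-list that matches ANY
blackholes all traffic, and lints for that configuration before commit.
"""
from ipaddress import ip_address, ip_network

# Constructed sample prefix-lists (not from the thread). "blocked-hosts"
# is the list an operator has just emptied by removing its last entry.
PREFIX_LISTS = {
    "bogons": ["192.0.2.0/24", "198.51.100.0/24"],
    "blocked-hosts": [],
}

# Constructed filter: each term has an optional prefix-list match and an
# action. A term with no prefix-list matches everything (like a bare term).
FILTER = [
    {"name": "drop-bogons", "prefix_list": "bogons", "then": "discard"},
    {"name": "drop-blocked", "prefix_list": "blocked-hosts", "then": "discard"},
    {"name": "allow-rest", "prefix_list": None, "then": "accept"},
]


def term_matches(term, src, prefix_lists, empty_matches_any):
    """Return True if the term's match conditions apply to source address src.

    empty_matches_any=False is the intended semantics (empty list -> no match);
    empty_matches_any=True reproduces the behaviour LEG reports.
    """
    name = term["prefix_list"]
    if name is None:
        return True  # no match condition: term applies to all packets
    prefixes = prefix_lists[name]
    if not prefixes:
        return empty_matches_any
    addr = ip_address(src)
    return any(addr in ip_network(p) for p in prefixes)


def evaluate(filter_terms, src, prefix_lists=PREFIX_LISTS, empty_matches_any=False):
    """Walk the filter top to bottom and return (term name, action).

    Junos filters end with an implicit discard, modelled here as (None, "discard").
    """
    for term in filter_terms:
        if term_matches(term, src, prefix_lists, empty_matches_any):
            return term["name"], term["then"]
    return None, "discard"


def lint_empty_discards(filter_terms, prefix_lists):
    """Names of drop terms whose only match condition is an empty prefix-list.

    Under the buggy semantics such a term silently discards ALL traffic, so a
    pre-commit check should refuse or warn on this configuration.
    """
    return [
        t["name"]
        for t in filter_terms
        if t["prefix_list"] is not None
        and not prefix_lists[t["prefix_list"]]
        and t["then"] in ("discard", "reject")
    ]


if __name__ == "__main__":
    src = "203.0.113.5"  # constructed address outside every populated list
    print("intended semantics:", evaluate(FILTER, src))
    print("buggy semantics:   ", evaluate(FILTER, src, empty_matches_any=True))
    print("lint warnings:     ", lint_empty_discards(FILTER, PREFIX_LISTS))
```

Run stand-alone, the script shows the same packet accepted by "allow-rest" under the intended semantics and discarded by "drop-blocked" under the buggy ones, and the lint names "drop-blocked" as the term that would take all traffic with it.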