[j-nsp] Juniper firewall chain behavior
Richard A Steenbergen
ras at e-gerbil.net
Tue Apr 3 20:21:54 EDT 2007
Ok, if this is actually documented somewhere I'll be damned if I can find
it. When you do:
interfaces ge-#/#/# {
    unit 0 {
        family inet {
            filter {
                input-list [ filter1 filter2 filter3 ];
            }
        }
    }
}
What is the behavior for evaluating a packet across chains? If you have an
explicit "then accept" or "then discard" in filter1 does it end
processing, or does it then move to the next filter? I would normally
expect that it would behave similarly to policy chains, but since there is
no "next filter" command I'm suspicious that it actually does something
like fully evaluate filter1, then fully evaluate filter2, rather than
compile it into one ruleset.
The documentation says absolutely nothing about the behavior, as best as I
can tell.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
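Added worked example (not part of the original post or of Juniper's documentation): Junos concatenates the filters named in an input-list into one filter, in list order, so the usual single-filter rules apply across the whole list. A terminating action (accept, discard, reject) in filter1 ends evaluation and filter2 and filter3 are never consulted for that packet; "next term" in the last term of filter1 continues into the first term of filter2, which is the closest thing there is to a "next filter"; and the implicit discard applies only once, after the last term of the last filter. The filter names, terms, counters, prefixes and interface below are assumptions chosen for illustration.

```junos
firewall {
    family inet {
        /* filter1: a trusted management prefix is accepted outright.
           "then accept" terminates evaluation, so filter2 and filter3
           never see packets from 192.0.2.0/24 (assumed prefix). */
        filter filter1 {
            term mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then accept;
            }
            /* Non-terminating: count, then fall through into filter2. */
            term count-rest {
                then {
                    count filter1-rest;
                    next term;
                }
            }
        }
        /* filter2: drop an example bogon source (assumed prefix). */
        filter filter2 {
            term block-rfc1918 {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    count rfc1918-drops;
                    discard;
                }
            }
        }
        /* filter3: explicit default accept. Without this term the
           implicit discard at the end of the concatenated filter applies. */
        filter filter3 {
            term default-accept {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input-list [ filter1 filter2 filter3 ];
                }
            }
        }
    }
}
```

Traced against this configuration: a packet from 192.0.2.5 is accepted by filter1 term mgmt and is neither counted by filter1-rest nor checked against filter2; a packet from 10.1.1.1 is counted by filter1-rest, continues via next term into filter2 term block-rfc1918 and is discarded; a packet from 203.0.113.9 passes through count-rest, matches nothing in filter2 and is accepted by filter3 term default-accept. Remove the default-accept term and that third packet is silently dropped by the implicit discard. Because the ordering is significant, a permissive "then accept" placed early in filter1 shadows every security check in the later filters, which is the failure mode to look for when reviewing such lists.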