[j-nsp] Juniper firewall chain behavior

Jonathan Looney jonlooney at gmail.com
Tue Apr 3 22:15:21 EDT 2007


IIRC, it is processed like a policy chain.  So, an accept, reject or discard
in the first filter will immediately end processing of the chain.  (Also,
recall that there is an implied 'then accept;' when you modify attributes in
the then clause.  For example, 'then forwarding-class expedited-forwarding;'
would imply an action of 'accept;' and also cause processing to stop.)

-Jon

On 4/3/07, Richard A Steenbergen <ras at e-gerbil.net> wrote:
>
> Ok, if this is actually documented somewhere I'll be damned if I can find
> it. When you do:
>
> interface ge-#/#/# {
>     unit 0 {
>         family inet {
>             filter {
>                 input-list [ filter1 filter2 filter3 ];
>             }
>         }
>     }
> }
>
> What is the behavior for evaluating a packet across chains? If you have an
> explicit "then accept" or "then discard" in filter1 does it end
> processing, or does it then move to the next filter? I would normally
> expect that it would behave similarly to policy chains, but since there is
> no "next filter" command I'm suspicious that it actually does something
> like fully evaluate filter1, then fully evaluate filter2, rather than
> compile it into one ruleset.
>
> The documentation says absolutely nothing about the behavior, as best as I
> can tell.
>
> --
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
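The evaluation order Jon describes is easy to get wrong when reading a long input-list, so here is an added example (not from the post, the list, or Juniper) that models it in Python: terms are walked in order, the first matching term decides, and an explicit accept/discard/reject, or the implied accept from an action modifier such as `forwarding-class`, ends the whole chain. A filter whose terms all miss hands the packet to the next filter, `next term` keeps walking within a filter, and the end of the list applies the standard Junos implicit discard. The filter names, terms and packets are constructed for the example.

```python
"""Toy model of how a Junos 'input-list [ f1 f2 f3 ]' is evaluated.

Added example, not Juniper's code. It encodes the behaviour described in
the thread: first matching term wins, a terminating action or an implied
accept ends the chain, a filter with no match falls through to the next
filter, and the end of the list is an implicit discard.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

Packet = dict  # constructed packets, e.g. {"proto": "tcp", "dport": 22}

TERMINATING = frozenset({"accept", "discard", "reject"})
# Action modifiers: on their own they imply 'then accept' (per Jon's note).
MODIFIERS = frozenset({"forwarding-class", "loss-priority", "count", "log", "syslog"})


@dataclass
class Term:
    name: str
    match: Callable[[Packet], bool]                # the 'from' clause
    actions: dict = field(default_factory=dict)    # the 'then' clause

    def verdict(self) -> Optional[str]:
        """Terminating action for this term, or None for 'next term'."""
        for action in TERMINATING:
            if action in self.actions:
                return action
        if "next term" in self.actions:
            return None
        # Modifier-only (or empty) 'then' clause: implied accept.
        return "accept"


@dataclass
class Filter:
    name: str
    terms: list


def evaluate_chain(filters, pkt):
    """Walk an input-list. Returns (verdict, filter_name, term_name, modifiers)."""
    modifiers = {}
    for flt in filters:
        for term in flt.terms:
            if not term.match(pkt):
                continue
            # Modifiers of a matching term stick even if it says 'next term'.
            modifiers.update({k: v for k, v in term.actions.items() if k in MODIFIERS})
            verdict = term.verdict()
            if verdict is None:
                continue            # 'next term': keep walking this filter
            return verdict, flt.name, term.name, modifiers
        # No term matched in this filter: fall through to the next one.
    return "discard", None, "implicit", modifiers   # Junos implicit discard


# Constructed three-filter chain for the demo.
EDGE_ACL = Filter("edge-acl", [
    Term("block-telnet", lambda p: p.get("proto") == "tcp" and p.get("dport") == 23,
         {"discard": True}),
    Term("expedite-ssh", lambda p: p.get("dport") == 22,
         {"forwarding-class": "expedited-forwarding"}),   # implied accept
])
RATE_TAG = Filter("rate-tag", [
    Term("low-prio-http", lambda p: p.get("dport") == 80,
         {"loss-priority": "high", "next term": True}),
])
FINAL = Filter("final", [
    Term("allow-web", lambda p: p.get("dport") == 80, {"accept": True}),
    Term("deny-rest", lambda p: True, {"discard": True}),
])
CHAIN = [EDGE_ACL, RATE_TAG, FINAL]

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 23}, {"proto": "tcp", "dport": 22},
                {"proto": "tcp", "dport": 80}, {"proto": "udp", "dport": 53}):
        print(pkt, "->", evaluate_chain(CHAIN, pkt))
```

Note that the SSH packet never reaches `rate-tag` or `final`: the `forwarding-class` modifier in `edge-acl` implies accept and stops the chain, which is exactly the case where a later filter's discard silently never applies.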

