[j-nsp] Juniper firewall chain behavior

Kevin Oberman oberman at es.net
Tue Apr 3 23:20:40 EDT 2007


> Date: Tue, 3 Apr 2007 20:21:54 -0400
> From: Richard A Steenbergen <ras at e-gerbil.net>
> Sender: juniper-nsp-bounces at puck.nether.net
> 
> Ok, if this is actually documented somewhere I'll be damned if I can find 
> it. When you do:
> 
> interface ge-#/#/# {
>     unit 0 {
>         family inet {
>             filter {
>                 input-list [ filter1 filter2 filter3 ];
>             }
>         }
>     }
> }
> 
> What is the behavior for evaluating a packet across chains? If you have an 
> explicit "then accept" or "then discard" in filter1 does it end 
> processing, or does it then move to the next filter? I would normally 
> expect that it would behave similarly to policy chains, but since there is 
> no "next filter" command I'm suspicious that it actually does something 
> like fully evaluate filter1, then fully evaluate filter2, rather than 
> compile it into one ruleset.
> 
> The documentation says absolutely nothing about the behavior, as best as I 
> can tell.

If any filter in the chain reaches an explicit 'accept' or 'deny', that
is the end of the processing for the entire chain. Of course, there is
an implicit accept at the end of the chain.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
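As an added illustration (not Junos code and not from either poster), a small Python model of the chain semantics described in the reply: terms are tried in order across the listed filters, and the first terminating action ends processing for the whole chain, so a later filter never sees a packet an earlier one accepted or discarded. The filter names, terms and addresses are constructed; the end-of-chain default is a parameter, since the reply states it as an implicit accept.

```python
from dataclasses import dataclass, field

@dataclass
class Term:
    name: str
    match: callable                       # predicate over a packet dict
    action: str = None                    # accept/discard end the whole chain
    modifiers: list = field(default_factory=list)   # count/log never terminate

def evaluate_chain(filters, pkt, chain_default="accept"):
    """Run pkt through an input-list of (name, [Term]) filters.

    The first matching term that terminates ends processing for the entire
    chain, so later filters are never consulted (the reply above). 'next
    term' keeps evaluating; a matched term with no explicit action accepts,
    the Junos default. chain_default is the implicit action at chain end
    (accept, per the reply). Returns (action, where, trace).
    """
    trace = []
    for fname, terms in filters:
        for t in terms:
            if not t.match(pkt):
                continue
            trace.extend(f"{fname}/{t.name}:{m}" for m in t.modifiers)
            if t.action == "next term":
                continue
            return (t.action or "accept"), f"{fname}/{t.name}", trace
    return chain_default, "chain-end", trace

# Constructed chain: filter1 accepts a trusted management host and counts
# all TCP without terminating; filter2 logs and discards SSH. Note filter2
# never sees SSH from the trusted host because filter1 already accepted it.
TRUSTED = {"192.0.2.10"}
CHAIN = [
    ("allow-mgmt", [
        Term("from-trusted", lambda p: p["src"] in TRUSTED, "accept"),
        Term("count-tcp", lambda p: p["proto"] == "tcp", "next term",
             ["count tcp-in"]),
    ]),
    ("block-ssh", [
        Term("ssh", lambda p: p["proto"] == "tcp" and p["dport"] == 22,
             "discard", ["log"]),
    ]),
]

def demo():
    """Constructed packets: trusted SSH, untrusted SSH, and UDP DNS."""
    pkts = [{"proto": "tcp", "dport": 22, "src": "192.0.2.10"},
            {"proto": "tcp", "dport": 22, "src": "198.51.100.7"},
            {"proto": "udp", "dport": 53, "src": "198.51.100.7"}]
    return [evaluate_chain(CHAIN, p) for p in pkts]
```

Passing `chain_default="discard"` shows how the same packets fare if the implicit end-of-chain action is a discard instead.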