[j-nsp] Juniper firewall chain behavior
Richard A Steenbergen
ras at e-gerbil.net
Wed Apr 4 02:53:40 EDT 2007
On Tue, Apr 03, 2007 at 08:20:40PM -0700, Kevin Oberman wrote:
> If any filter in the chain reaches an explicit 'accept' or 'deny', that
> is the end of the processing for the entire chain. Of course, there is
> an implicit accept at the end of the chain.
Funny, in normal firewall use there is an implicit discard at the end of
the chain. I wouldn't have expected such a major change in behavior,
especially if you might ever be expected to mix a filter in a chained and
non-chained role.
So, to test this out I tried to do the following:
firewall {
filter BORDER {
some generic border-wide filters and rate-limits here;
}
filter SAMPLE {
term SAMPLE {
then sample;
}
}
}
interfaces {
xe-0/1/0 {
unit 0 {
family inet {
filter {
input-list [ BORDER ... ];
output-list [ BORDER SAMPLE ... ];
}
}
}
}
}
At first I noticed that it didn't seem to be sampling anything, so I tried
to reorder it to [ SAMPLE BORDER ]. In this configuration, it sampled, but
never processed BORDER. So for the same of testing I did this:
filter SAMPLE {
term SAMPLE {
then {
count sampled;
}
}
}
filter DISCARD {
term DISCARD {
then {
count discarded;
discard;
}
}
}
And tried applying it as [ SAMPLE DISCARD ]. The results:
Filter: xe-0/1/0.50-o
sample-xe-0/1/0.50-o 1432935 16958
I get per-interface matches on the counter from my first filter, but the
counter for the second filter isn't even created, and no packets are
discarded. The only explanation for this would be that "then sample" and
"then count" act as terminating actions, which would seem exceedingly
lame. Combine with the lack of "next filter" and what is the point? The
whole thing becomes about as useful as route-map without continue. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
More information about the juniper-nsp
mailing list