[j-nsp] Juniper firewall chain behavior
Richard A Steenbergen
ras at e-gerbil.net
Wed Apr 4 14:23:33 EDT 2007
On Wed, Apr 04, 2007 at 10:42:07AM -0400, Jonathan Looney wrote:
> As I mentioned before (and as Juniper's documentation indicates), there is
> an implicit "accept;" when you modify other things (which includes applying
> counters, sampling, etc.). If you want to override that, you can use the
> "next term;" action. So, using that action in the terms in your filter
> chain may allow you to achieve your desired result.
Except that when I finish off my BORDER filter with a "next term", I get:
[edit groups BASE-FIREWALL firewall]
'filter BORDER'
Next term specified but no following term exists
error: configuration check-out failed
Now what's strange is when I do it on a very simple filter, like:
filter TEST {
    term TEST {
        then {
            count test;
            next term;
        }
    }
}
And apply it as [ TEST SOMETHINGELSE ], it does apply successfully,
and correctly kicks the packet over to the next filter. It doesn't stop
working until I have a more complex filter, such as this final term that
generates the error above:
term ICMP-OTHER {
    from {
        protocol icmp;
        icmp-type-except [ echo-reply time-exceeded unreachable ];
    }
    then {
        policer 50M;
        count ICMP-OTHER;
        loss-priority high;
        next term;
    }
}
This is 8.2R2. It also objects (same as above) if I add this as the final
term:
term DEFAULT {
    then {
        count test;
        next term;
    }
}
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
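Added illustration, not code from the thread or from Juniper: a small Python checker for the two pitfalls discussed above (a "next term" in the final term of a filter, which the commit check rejects, and a term whose actions are only count/policer/etc., which gets the implicit accept). It assumes one statement per line and is a minimal brace parser, not a full Junos grammar; the samples are constructed from the snippets in the post.

```python
TERMINATING = {"accept", "discard", "reject"}   # actions that end filter evaluation

def parse_filter(text):
    """Return [(term_name, [then-actions]), ...] in order of appearance (assumes one statement per line)."""
    terms, stack = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                    # block open: filter / term / from / then
            name = line[:-1].strip()
            stack.append(name)
            if name.startswith("term "):
                terms.append((name.split(None, 1)[1], []))
        elif line == "}":                         # block close
            stack.pop()
        elif stack and stack[-1] == "then" and terms:
            terms[-1][1].append(line.rstrip(";").strip())   # only 'then' statements matter here
    return terms

def check_filter(text):
    """Flag 'next term' in the final term (rejected at commit) and terms with no terminating action (implicit accept)."""
    findings = []
    terms = parse_filter(text)
    for i, (name, actions) in enumerate(terms):
        keywords = {a.split()[0] for a in actions}
        if "next term" in actions:
            if i == len(terms) - 1:
                findings.append((name, "next term in final term: commit will fail"))
        elif not keywords & TERMINATING:
            findings.append((name, "no terminating action: implicit accept"))
    return findings

# Constructed samples modelled on the snippets in the post.
BORDER_TAIL = """
term ICMP-OTHER {
    from {
        protocol icmp;
        icmp-type-except [ echo-reply time-exceeded unreachable ];
    }
    then {
        policer 50M;
        count ICMP-OTHER;
        loss-priority high;
        next term;
    }
}
"""
COUNT_ONLY = "filter TEST {\n term TEST {\n then {\n count test;\n }\n }\n}\n"
```

Appending a final term with an explicit `discard` (or `accept`) to BORDER_TAIL clears the finding, which is also the shape a chained filter needs to pass the commit check.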