[j-nsp] Juniper firewall chain behavior

Richard A Steenbergen ras at e-gerbil.net
Wed Apr 4 14:23:33 EDT 2007


On Wed, Apr 04, 2007 at 10:42:07AM -0400, Jonathan Looney wrote:
> As I mentioned before (and as Juniper's documentation indicates), there is
> an implicit "accept;" when you modify other things (which includes applying
> counters, sampling, etc.).  If you want to override that, you can use the
> "next term;" action.  So, using that action in the terms in your filter
> chain may allow you to achieve your desired result.

Except that when I finish off my BORDER filter with a "next term", I get:

[edit groups BASE-FIREWALL firewall]
  'filter BORDER'
    Next term specified but no following term exists
error: configuration check-out failed

Now what's strange is when I do it on a very simple filter, like:

            filter TEST {
                term TEST {
                    then {
                        count test;
                        next term;
                    }
                }
            }

And apply it as [ TEST SOMETHINGELSE ], it does apply successfully,
and correctly kicks the packet over to the next filter. It doesn't stop
working until I have a more complex filter, such as this final term that
generates the error above:

term ICMP-OTHER {
    from {
        protocol icmp;
        icmp-type-except [ echo-reply time-exceeded unreachable ];
    }
    then {
        policer 50M;
        count ICMP-OTHER;
        loss-priority high;
        next term;
    }
}

This is 8.2R2. It also objects (same as above) if I add this as the final 
term:

term DEFAULT {
    then {
        count test;
        next term;
    }
}

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)