[j-nsp] Juniper firewall chain behavior
Richard A Steenbergen
ras at e-gerbil.net
Wed Apr 4 15:25:30 EDT 2007
On Wed, Apr 04, 2007 at 02:23:33PM -0400, Richard A Steenbergen wrote:
> On Wed, Apr 04, 2007 at 10:42:07AM -0400, Jonathan Looney wrote:
> > As I mentioned before (and as Juniper's documentation indicates), there is
> > an implicit "accept;" when you modify other things (which includes applying
> > counters, sampling, etc.). If you want to override that, you can use the
> > "next term;" action. So, using that action in the terms in your filter
> > chain may allow you to achieve your desired result.
>
> Except that when I finish off my BORDER filter with a "next term", I get:
Ok, the plot thickens. I think I found the root of my issue. It turns out
that you can only configure a filter with a final term that does "next
term" if you are actively USING that filter in a firewall chain.
In other words, you can commit the following:
firewall {
    filter EXAMPLE {
        whatever here;
        term FINAL {
            then {
                next term;
            }
        }
    }
}
ONLY if you have a reference to input/output-list [ EXAMPLE SOMETHINGELSE
] in your configuration. Objecting to its use at the end of a chain or in
a non-chain is somewhat logical (though annoying, since you can't reuse
the same filter code in both chains and non-chains), but not letting you
configure the filter at all even if it is not referenced anywhere seems
like a bug to me.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
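The configuration below is an added example, not part of the original message or of Juniper's documentation. It shows the arrangement the thread is describing: a filter chain applied with input-list, where the first filter counts traffic and ends with "next term" so that evaluation falls through to the second filter instead of stopping at the implicit accept that a counter-only term would otherwise produce. The interface name, counter name, term names and the 192.0.2.0/24 prefix are constructed for illustration; BORDER and the input-list syntax come from the thread.

```junos
/* Added example: a two-filter chain. Interface, prefix and counter name are assumptions. */
firewall {
    family inet {
        filter BORDER {
            term COUNT-MARKED-SOURCES {
                from {
                    source-address {
                        192.0.2.0/24;               /* constructed sample prefix */
                    }
                }
                then {
                    count marked-source-hits;
                    next term;                      /* without this, count implies accept and POLICY is never reached */
                }
            }
            term FINAL {
                then next term;                     /* commits only while BORDER is referenced from an input-list */
            }
        }
        filter POLICY {
            term DENY-MARKED-SOURCES {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then discard;                       /* the counter above still fires before this discard */
            }
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {                                      /* interface name is an assumption */
        unit 0 {
            family inet {
                filter {
                    input-list [ BORDER POLICY ];   /* BORDER runs first, then POLICY */
                }
            }
        }
    }
}
```

The point to check on a real box is the first term of BORDER: with only "count" in its action list the term is terminating (implicit accept), and the discard in POLICY would silently never apply to that traffic. Adding "next term" keeps the count and hands the packet on. As the thread notes, the trailing "then next term" in FINAL will be rejected at commit time unless BORDER is actually referenced from an input-list or output-list somewhere in the configuration.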