[j-nsp] EX4200 filter buggy?

Richard A Steenbergen ras at e-gerbil.net
Sun Dec 12 22:49:02 EST 2010


On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
> 
> We're hitting the exact same issue on an EX4200 with 9.6R3.8, which 
> we're stuck on because of a bug preventing us from upgrading to 
> Junos10. We have 256 terms which are matching on source IP without 
> issue. Once each term is changed to match on 3 items per term rather 
> than 1 the errors begin.
> 
> I also have a case open with JTAC.

We hit a really nasty EX filter bug in early 10.1. Essentially the 
firewall compiler would try to optimize the filter in ways that weren't 
supported by the EX's hardware, causing unconfigured filter matches. For 
example, if you configured a single term to match on 0.0.0.0/8, 
1.0.0.0/8, or 3.0.0.0/8, the firewall compiler would try to optimize 
that match into "0.0.0.0/6 && !2.0.0.0/8". The problem is the NOT match 
wasn't supported on the EX, so it would ignore that operation and match 
the 2.0.0.0/8 packets anyways, even though you didn't configure that 
range in your filter.

Obviously that doesn't sound related to your issue, but the moral of the 
story is that I would be absurdly suspicious of EX filter code in JUNOS 
that is that old. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
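To make the failure mode above concrete, here is an added illustration (not code from the original post or from Juniper): given the prefixes configured in a term, it computes the single covering supernet an optimizing compiler would emit, the "holes" that supernet covers but the configuration does not (the part the NOT clause is supposed to exclude), and then emulates the term both with and without negation support so you can see which addresses are matched that were never configured. The function and variable names are my own; the prefixes and test addresses are constructed from the example in the mail.

```python
import ipaddress

def covering_supernet(prefixes):
    """Smallest single prefix that contains every configured prefix
    (0.0.0.0/8 + 1.0.0.0/8 + 3.0.0.0/8 -> 0.0.0.0/6)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand

def uncovered_holes(supernet, prefixes):
    """Address blocks inside the supernet that the configuration does NOT
    cover; a correct optimizer must exclude these with a NOT match."""
    remaining = [supernet]
    for p in ipaddress.collapse_addresses(ipaddress.ip_network(x) for x in prefixes):
        nxt = []
        for r in remaining:
            if p.subnet_of(r):
                nxt.extend(r.address_exclude(p))  # carve the configured block out
            elif r.subnet_of(p):
                pass                              # fully covered, drop it
            else:
                nxt.append(r)                     # disjoint, keep as a hole
        remaining = nxt
    return sorted(remaining)

def term_matches(addr, prefixes, not_supported):
    """Emulate the compiled term 'supernet && !holes'.  With
    not_supported=True the hardware silently drops the exclusion, which is
    the behaviour described in the mail."""
    sup = covering_supernet(prefixes)
    a = ipaddress.ip_address(addr)
    if a not in sup:
        return False
    if not_supported:
        return True
    return not any(a in h for h in uncovered_holes(sup, prefixes))

def wrongly_matched(prefixes):
    """Blocks a NOT-less platform matches even though they were never
    configured (hypothetical helper, returned as strings)."""
    sup = covering_supernet(prefixes)
    return [str(h) for h in uncovered_holes(sup, prefixes)]

if __name__ == "__main__":
    # Constructed from the example in the post: three /8s in one term.
    term = ["0.0.0.0/8", "1.0.0.0/8", "3.0.0.0/8"]
    print("optimized to:", covering_supernet(term))
    print("never configured but matched without NOT:", wrongly_matched(term))
    for ip in ("1.2.3.4", "2.1.2.3", "4.0.0.1"):
        print(ip, "correct:", term_matches(ip, term, False),
              "buggy:", term_matches(ip, term, True))
```

Running it shows 2.0.0.0/8 as the hole: with negation honoured 2.1.2.3 does not match, with negation dropped it does, while 4.0.0.1 is outside the supernet either way. The same check, fed the real prefix list of a term, is a quick way to see how much unintended address space a supernet-style optimization would pull in.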

