[j-nsp] EX4200 filter buggy?

Charlie Allom charlie at playlouder.com
Wed Dec 15 09:18:26 EST 2010


On Sun, Dec 12, 2010 at 09:49:02PM -0600, Richard A Steenbergen <ras at e-gerbil.net> wrote:
> On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
> > 
> > 
> > I also have a case open with JTAC.
> 
> For example, if you configured a single term to match on 0.0.0.0/8, 
> 1.0.0.0/8, or 3.0.0.0/8, the firewall compiler would try to optimize 
> that match into "0.0.0.0/6 && !2.0.0.0/8". The problem is the NOT match 
> wasn't supported on the EX, so it would ignore that operation and match 
> the 2.0.0.0/8 packets anyways, even though you didn't configure that 
> range in your filter.

Richard how did you come to this realisation? Was this a JTAC case or do
you have a way to look at the filter optimization?

I think I have seen similar outcomes, but don't know how to match it up
with proof.

  C.
-- 
 +442077294797
 http://mediaserviceprovider.com/
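The rewrite Richard describes (several /8 terms folded into one covering supernet minus a NOT hole) and the way a dropped NOT leaks traffic can be modelled with a few lines of Python. This is an added illustration written for this page, not Juniper's firewall compiler and not code from anyone in the thread: the aggregation strategy (smallest common supernet, then subtract the holes) is an assumption chosen because it reproduces the "0.0.0.0/6 && !2.0.0.0/8" example; it generalises to any list of prefixes, not just the one in the quoted message. The `find_leaks` check is the kind of differential "proof" Charlie asks for, probing one address inside each hole and comparing the compiled result with the terms as configured.

```python
"""Model of the prefix-match optimisation described in the thread and of the
EX failure mode where the NOT term is silently ignored.

Added example, not Juniper's compiler. The supernet-minus-holes strategy is an
assumption that reproduces the quoted "0.0.0.0/6 && !2.0.0.0/8" rewrite."""
import ipaddress
from typing import Iterable, List, Tuple

Net = ipaddress.IPv4Network


def compile_term(prefixes: Iterable[str]) -> Tuple[Net, List[Net]]:
    """Rewrite a list of prefixes as (supernet, holes).

    The compiled term is meant to match an address iff it lies inside
    `supernet` and inside none of the `holes` (the NOT part)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    # Widen the first prefix until a single supernet covers every term.
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()
    # Holes = supernet minus the union of the configured prefixes.
    remaining = [supernet]
    for n in nets:
        nxt = []
        for frag in remaining:
            if n.subnet_of(frag):
                nxt.extend(frag.address_exclude(n))  # carve n out of frag
            elif frag.subnet_of(n):
                pass  # frag entirely covered by a configured prefix: not a hole
            else:
                nxt.append(frag)
        remaining = nxt
    holes = sorted(ipaddress.collapse_addresses(remaining))
    return supernet, holes


def matches(addr: str, supernet: Net, holes: List[Net], honour_not: bool = True) -> bool:
    """Evaluate the compiled term for one address.

    honour_not=False models the behaviour described for the EX: the NOT
    (hole) operation is unsupported and simply skipped."""
    a = ipaddress.ip_address(addr)
    if a not in supernet:
        return False
    if not honour_not:
        return True
    return not any(a in h for h in holes)


def intended_match(addr: str, prefixes: Iterable[str]) -> bool:
    """What the operator configured: does any listed prefix contain addr?"""
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(p) for p in prefixes)


def find_leaks(prefixes: List[str], honour_not: bool) -> List[str]:
    """Differential check: probe one constructed address inside each hole and
    report those the compiled term matches although no configured prefix
    contains them. An empty list means the compiled filter agrees with the
    configuration."""
    supernet, holes = compile_term(prefixes)
    leaks = []
    for h in holes:
        probe = str(h.network_address + 1)  # constructed probe inside the hole
        if matches(probe, supernet, holes, honour_not) and not intended_match(probe, prefixes):
            leaks.append(probe)
    return leaks


if __name__ == "__main__":
    # Constructed example taken from the quoted message: three /8 terms.
    terms = ["0.0.0.0/8", "1.0.0.0/8", "3.0.0.0/8"]
    sn, hl = compile_term(terms)
    print("compiled as", sn, "&& !", [str(h) for h in hl])
    print("leaks with NOT honoured:", find_leaks(terms, honour_not=True))
    print("leaks with NOT ignored: ", find_leaks(terms, honour_not=False))
```

Run on the three /8 terms from the thread, the compiler model produces 0.0.0.0/6 with a single hole of 2.0.0.0/8; with the NOT honoured there is no divergence, and with the NOT ignored the probe 2.0.0.1 is reported as matching a term that never listed it. Feeding the same probe set at a real box (for example as a source address behind a counting term) is the practical way to turn the suspicion into evidence before or during a JTAC case.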