[j-nsp] EX4200 filter buggy?

Chris Morrow morrowc at ops-netman.net
Wed Dec 15 11:00:10 EST 2010

(ex-platform causes death/dismemberment/pain/anguish)

On 12/15/10 09:18, Charlie Allom wrote:
> On Sun, Dec 12, 2010 at 09:49:02PM -0600, Richard A Steenbergen <ras at e-gerbil.net> wrote:
>> On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
>>> I also have a case open with JTAC.
>> For 
>> example, if you configured a single term to match on, 
>>, or, the firewall compiler would try to optimize 
>> that match into " && !". The problem is the NOT match 
>> wasn't supported on the EX, so it would ignore that operation and match 
>> the packets anyways, even though you didn't configure that 
>> range in your filter.
> Richard how did you come to this realisation? Was this a JTAC case or do
> you have a way to look at the filter optimization?

juniper doesn't normally release this sort of data, you can run some
command to dump the optimized code out though... it's kinda ugly :(

> I think I have seen similar outcomes, but don't know how to match it up
> with proof.

try this fun experiment:
  1) apply loopback filter, permit ssh/bgp/ospf (things you include
normally in your loopback filter)
  2) if you permit 'icmp' or 'traceroute' to the device (use the device
interface ips in the from clause, potentially with a prefix-list built
from an apply-path expression
  3) traceroute to something behind/beyond the device

note that the device doesn't show up in the traceroute? ;( packet
processing/firewalling fail.


More information about the juniper-nsp mailing list