[j-nsp] "ping: sendto: Operation not permitted" in LAN

Saku Ytti saku at ytti.fi
Fri Aug 19 05:01:02 EDT 2011


On (2011-08-18 21:23 -0400), Stefan Fouant wrote:

 
> Trio has nothing to do with this - the behavior when matching on a
> port is completely different than using the bit-field match
> operators.  Even without Trio, if you specify a match on a port
> without protocol, it will look in the appropriate locations
> depending on whether the traffic is TCP or UDP.  That is not the
> case with bit-field match operators.

Could you confirm this from DE? I just tested with MX80 11.2R1 and Agilent like
so:

X> show configuration firewall filter YTTI-TEST 
term moi {
    from {
        tcp-initial;
    }
    then {
        count moi;
        reject;
    }
}
term rest {
    then accept;
}


I'm sending packets which will transit the local PE, i.e. hardware switched, not received/punted.
My IPv4 protocol is set to TCP (6) and I have a TCP packet with the SYN bit on. Packets get rejected by the filter and the 'moi' counter increases.

Now I make exactly one change to the packet: I change the IPv4 protocol field from 6 to 7, leaving the SYN bit location wholly unaffected, and the filter no longer rejects packets, and I see the PE egress interface sending packets out.

So unless my test is faulty (I can't see how it could be, rather elementary),
in fact tcp-initial implies TCP in Trio.

I wanted to test IPv6 too, but the CLI doesn't allow you to specify tcp-initial
without 'next-header tcp', which is a damn shame, considering Trio is able to
classify packets as TCP just fine. (And next-header is a huge security problem;
hopefully a 'protocol' match appears soon.)

-- 
  ++ytti
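The test described in the mail, replayed as an added example (not code from the post, from Juniper, or from Agilent): it constructs the two packets used above, an IPv4/TCP SYN with protocol 6 and the byte-identical packet with the protocol field set to 7, and runs them through two models of the `tcp-initial` term, one that only inspects the flags byte at the transport offset and one where the bit-field match implies protocol 6. The packet builder, the two matchers and the "moi"/"rest" filter logic are all assumptions made here to illustrate the difference; the real forwarding-plane implementation is not modelled.

```python
"""Replay of the tcp-initial test from the mail under two candidate semantics.

Added example, not from the original post. Packets are constructed inline so
it runs offline; both matchers are hypothetical models, not Junos code.
"""
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
IPPROTO_TCP = 6


def build_ipv4_tcp(proto, flags, src="10.0.0.1", dst="10.0.0.2",
                   sport=40000, dport=80):
    """Constructed 20-byte IPv4 header followed by a minimal 20-byte TCP header.

    `proto` is written into the IPv4 protocol field verbatim, so the caller can
    set it to 7 while leaving every transport-header byte untouched, exactly
    as in the Agilent test described in the mail.
    """
    def ip2bytes(addr):
        return bytes(int(octet) for octet in addr.split("."))

    total_len = 40
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, proto, 0,
                     ip2bytes(src), ip2bytes(dst))
    # seq=1, ack=0, data offset 5 (20-byte header), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                      65535, 0, 0)
    return ip + tcp


def ipv4_protocol(pkt):
    """Protocol field is byte 9 of the IPv4 header."""
    return pkt[9]


def ipv4_ihl(pkt):
    """Header length in bytes from the low nibble of byte 0."""
    return (pkt[0] & 0x0F) * 4


def flags_at_tcp_offset(pkt):
    """Byte at the TCP-flags position (L4 offset 13), read blindly, regardless
    of what protocol the IPv4 header claims to carry."""
    return pkt[ipv4_ihl(pkt) + 13]


def tcp_initial(flags):
    """Junos tcp-initial is equivalent to the bit-field expression (syn & !ack)."""
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK)


def match_bitfield_only(pkt):
    """Hypothetical semantics: apply the flag test at the TCP offset for any
    L4 protocol. A protocol-7 packet with the same bytes would still match."""
    return tcp_initial(flags_at_tcp_offset(pkt))


def match_protocol_aware(pkt):
    """Semantics the mail observes on Trio: tcp-initial implies protocol 6."""
    return ipv4_protocol(pkt) == IPPROTO_TCP and match_bitfield_only(pkt)


def apply_filter(pkt, matcher):
    """term moi { from tcp-initial; then reject } / term rest { then accept }"""
    return "reject" if matcher(pkt) else "accept"


def replay_test(matcher):
    """Run the two packets from the mail through a matcher; returns the
    (protocol 6 verdict, protocol 7 verdict) pair."""
    syn_tcp = build_ipv4_tcp(IPPROTO_TCP, TCP_SYN)
    syn_proto7 = build_ipv4_tcp(7, TCP_SYN)
    return apply_filter(syn_tcp, matcher), apply_filter(syn_proto7, matcher)


if __name__ == "__main__":
    print("bitfield-only  :", replay_test(match_bitfield_only))
    print("protocol-aware :", replay_test(match_protocol_aware))
```

The protocol-aware model reproduces what the mail reports (protocol 6 rejected, protocol 7 accepted); the bitfield-only model shows the behaviour a filter author would have to worry about if the implication did not hold. Either way, the portable practice is to write `protocol tcp` next to any TCP-flag match so the intended meaning does not depend on which platform or release is evaluating the term.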

