[j-nsp] Firewall filter using a prefix-list, not updating

Richard A Steenbergen ras at e-gerbil.net
Mon Mar 5 00:14:03 EST 2012


On Sun, Mar 04, 2012 at 04:45:04PM -0000, David Gee wrote:
> 
> If I create a relatively simple filter such as the one below, and 
> attach it as an output filter on a vlan interface, it works as per the 
> prefix-list it references. However, if I update the prefix-list, like 
> add an additional /32, the firewall filter does not permit it. If I 
> remove and re-apply the filter, it has no effect on the new addition 
> to the prefix-list (even though the prefix shows up in the 
> prefix-list). To force the new prefix to become active, I have had to 
> re-apply the firewall filter statement that references the prefix-list 
> (i.e. delete it, and re-apply it). Is this normal?

Depends on your definition of "normal". I run into firewall bugs like 
this all the time these days (probably on my 6th one in the last 2 
years). When in doubt, remove the filter and re-apply; this causes a 
data structure rebuild on the hw and makes the badness go away. And just 
consider yourself lucky that it doesn't cause the FPCs to crash when you 
reorder firewall terms like on EX8200 running 11.1R5. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
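The shape of the configuration David describes, as a constructed example that is not the configuration from his post or anything from Juniper: a prefix-list referenced from an output filter on a VLAN interface. The filter name, prefix-list name, unit number and the 192.0.2.0/24 documentation addresses are assumptions; counters are added to each term so that a prefix-list change can be checked on the forwarding plane rather than assumed from the committed configuration.

```junos
## Constructed example (not the thread's configuration): prefix-list
## referenced from an output filter, with per-term counters for verification.
set policy-options prefix-list ALLOWED-HOSTS 192.0.2.10/32
set policy-options prefix-list ALLOWED-HOSTS 192.0.2.11/32
set firewall family inet filter OUT-ALLOWED-HOSTS term allowed from destination-prefix-list ALLOWED-HOSTS
set firewall family inet filter OUT-ALLOWED-HOSTS term allowed then count allowed-hosts
set firewall family inet filter OUT-ALLOWED-HOSTS term allowed then accept
set firewall family inet filter OUT-ALLOWED-HOSTS term deny-rest then count denied
set firewall family inet filter OUT-ALLOWED-HOSTS term deny-rest then discard
set interfaces vlan unit 100 family inet filter output OUT-ALLOWED-HOSTS
commit

## Later: add one more /32 to the prefix-list and commit, as in the post.
set policy-options prefix-list ALLOWED-HOSTS 192.0.2.12/32
commit

## Verify rather than trust the commit: the configuration shows the new
## entry either way, but only the term counters show whether the PFE
## actually matches it. Send traffic to 192.0.2.12 and watch which
## counter increments.
run show configuration policy-options prefix-list ALLOWED-HOSTS
run show firewall filter OUT-ALLOWED-HOSTS

## If "denied" increments instead of "allowed-hosts", the filter was not
## rebuilt. Workaround reported in the thread: delete and re-apply the
## statement that references the prefix-list, in two separate commits.
delete firewall family inet filter OUT-ALLOWED-HOSTS term allowed from destination-prefix-list ALLOWED-HOSTS
commit
set firewall family inet filter OUT-ALLOWED-HOSTS term allowed from destination-prefix-list ALLOWED-HOSTS
commit
run show firewall filter OUT-ALLOWED-HOSTS
```

Note the window between the two workaround commits: with its `from` clause deleted, term `allowed` has no match conditions, so it accepts all traffic and the filter is fail-open until the second commit lands. On a filter whose purpose is to enforce a deny, schedule that step accordingly, and check the counters afterwards instead of assuming the re-apply took effect.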