[j-nsp] solution to a firewall question

Damien DeVille damien.deville at gmail.com
Thu Apr 23 20:54:54 EDT 2015


You are correct -- I misread the documentation.  I think this will achieve
your goal -- though it would be simpler to write a filter with 2 terms: the
first to match and count with an action of "next-term", and the second term
to classify and shunt the packets into a forwarding class.

You can call one filter as part of another, in this example f2 (applied as
the input on the interface) calls f1 prior to processing the match
conditions in term 1:

ddeville at testlab-rtr# show
unit 0 {
    family inet {
        filter {
            input f2;
        }
        dhcp;
    }
}

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        filter f1;
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}
- Damien
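To make the two-term alternative mentioned above concrete, here is a small Python model of how a single Junos firewall filter walks its terms. It is an added example for this thread, not Junos or Juniper code: the term and action names mirror the configuration quoted in the thread, and the evaluation rules it assumes are the documented single-filter ones (terms tried in order, count and forwarding-class non-terminating, accept/discard terminating, next-term falling through, a matching term with no terminating action accepting, and an implicit discard at the end). It deliberately models one filter only, not input-list chaining, and the sample packets are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Toy model of Junos firewall-filter term evaluation (added example, not
# Junos code).  Assumed rules, all for a single filter on one interface:
#   - terms are tried in order; the first term whose "from" conditions all
#     match is the one that fires
#   - count and forwarding-class are non-terminating; accept/discard terminate
#   - next-term hands the packet on to the following term
#   - a matching term with no terminating action accepts the packet
#   - a packet matching no term hits the implicit discard at the end


@dataclass
class Packet:
    protocol: str
    dst_port: int
    dscp: str
    forwarding_class: str = "best-effort"  # assumed default class


@dataclass
class Term:
    name: str
    match: dict    # from-conditions, e.g. {"protocol": "tcp", "destination-port": 80}
    actions: list  # then-actions in order, e.g. ["count tcp_80", "next-term"]


class Filter:
    def __init__(self, name, terms):
        self.name = name
        self.terms = terms
        self.counters = Counter()  # named counters, as in "show firewall"

    @staticmethod
    def _matches(term, pkt):
        fields = {"protocol": pkt.protocol,
                  "destination-port": pkt.dst_port,
                  "dscp": pkt.dscp}
        return all(fields[k] == v for k, v in term.match.items())

    def evaluate(self, pkt):
        """Return 'accept' or 'discard'; updates counters and pkt.forwarding_class."""
        for term in self.terms:
            if not self._matches(term, pkt):
                continue
            fall_through = False
            for action in term.actions:
                verb, _, arg = action.partition(" ")
                if verb == "count":
                    self.counters[arg] += 1
                elif verb == "forwarding-class":
                    pkt.forwarding_class = arg
                elif verb == "next-term":
                    fall_through = True
                elif verb in ("accept", "discard"):
                    return verb            # terminating action ends evaluation
                else:
                    raise ValueError(f"unknown action {action!r}")
            if not fall_through:
                return "accept"            # matched, no terminating action
        return "discard"                   # implicit discard at end of filter


def build_filter(name, first_term_terminal):
    """Two-term filter from the thread.  first_term_terminal is "next-term"
    (count, then fall through to classification) or "accept" (count and stop)."""
    return Filter(name, [
        Term("1", {"protocol": "tcp", "destination-port": 80},
             ["count tcp_80", first_term_terminal]),
        Term("2", {"dscp": "ef"},
             ["forwarding-class expedited-forwarding", "accept"]),
        Term("3", {}, ["accept"]),  # catch-all so other traffic is not discarded
    ])


def sample_packets():
    # Constructed sample traffic: two TCP/80 flows (one EF-marked), one
    # EF-marked TCP/443 flow, and plain UDP DNS.
    return [Packet("tcp", 80, "ef"), Packet("tcp", 80, "be"),
            Packet("tcp", 443, "ef"), Packet("udp", 53, "be")]


def run(flt):
    """Evaluate the sample packets; return [(verdict, forwarding_class)], counters."""
    results = []
    for pkt in sample_packets():
        verdict = flt.evaluate(pkt)
        results.append((verdict, pkt.forwarding_class))
    return results, dict(flt.counters)


if __name__ == "__main__":
    for terminal in ("next-term", "accept"):
        res, ctr = run(build_filter("f", terminal))
        print(f"term 1 ends with {terminal}: {res} counters={ctr}")
```

Running it shows the point of the two-term layout: with next-term in term 1, the EF-marked TCP/80 packet is both counted and placed in expedited-forwarding, whereas with accept in term 1 it is counted but never reaches the classification term and stays in best-effort. Both variants count the same two TCP/80 packets.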

On Thu, Apr 23, 2015 at 8:24 PM, Vijesh Chandran <vijesh at juniper.net> wrote:

>  Is there a programming difference between 'firewall filter' and
> 'firewall family inet filter'? (ignore the v4 part of that)?
>
>   afaik, family inet filter will skip all subsequent term if a packet
> matches first term. Is that not true for family filter?
>
>
>  -Vijesh
>
>
>  ------------------------------
> *From:* Damien DeVille <damien.deville at gmail.com>
> *Sent:* Thursday, April 23, 2015 5:17 PM
> *To:* Vijesh Chandran
> *Cc:* Olivier Benghozi; juniper-nsp at puck.nether.net
>
> *Subject:* Re: [j-nsp] solution to a firewall question
>
>   Actually, my example is incorrect.  Filter f1 should read as follows:
>
> ddeville at testlab-rtr# show firewall
> filter f1 {
>     term 1 {
>         from {
>             protocol tcp;
>             destination-port 80;
>         }
>         then {
>             count tcp_80;
>         }
>     }
> }
>
>  When written this way, the second filter "f2" will be evaluated as part
> of the chain.  See
> http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195
>
>
>
> - Damien
>
> On Thu, Apr 23, 2015 at 6:12 PM, Damien DeVille <damien.deville at gmail.com>
> wrote:
>
>> While I don't understand why you have the requirement that you can't use
>> next-term (seems to be arbitrary), you can accomplish this the "input-list"
>> option (
>> https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html
>> )
>>
>> Here is a sample configuration:
>>
>> ddeville at testlab-rtr# show interfaces ge-0/0/0
>> unit 0 {
>>     family inet {
>>         filter {
>>             input-list [ f1 f2 ];
>>         }
>>         address 192.168.1.2/32;
>>     }
>> }
>>
>> ddeville at testlab-rtr# show firewall
>> filter f1 {
>>     term 1 {
>>         from {
>>             protocol tcp;
>>             destination-port 80;
>>         }
>>         then {
>>             count tcp_80;
>>             accept;
>>         }
>>     }
>> }
>> filter f2 {
>>     term 1 {
>>         from {
>>             dscp ef;
>>         }
>>         then {
>>             forwarding-class expedited-forwarding;
>>             accept;
>>         }
>>     }
>> }
>>
>> - Damien
>>
>> On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net>
>> wrote:
>>
>>> Hi Olivier,
>>>  My bad that I didn't specify this in original mail...
>>> Caveat here is that, next term shall be avoided as per requirement.
>>> -Thanks,
>>>  Vijesh
>>>
>>>
>>> ________________________________________
>>> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of
>>> Olivier Benghozi <olivier.benghozi at wifirst.fr>
>>> Sent: Thursday, April 23, 2015 11:39 AM
>>> To: juniper-nsp at puck.nether.net
>>> Subject: Re: [j-nsp] solution to a firewall question
>>>
>>>  Replace accept with next term in f1 ?
>>>
>>> next term works across filter list from what I see and according to the
>>> documentation (
>>> http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html
>>> ).
>>>
>>>
>>> Olivier
>>>
>>> > On 23 Apr 2015, at 17:18, Vijesh Chandran <vijesh at juniper.net> wrote:
>>> >
>>> > Hi all,
>>> >  I am wondering if we have a solution to this issue.
>>> >  I need two firewall attached to an interface as input-list. e.g.: f1
>>> and f2.
>>> >  Input-list [f1 f2]
>>> >  f1 to match a condition (all tcp port 80) and accept and count that
>>> packet.
>>> >  f2 to classify those packets based on code points and push to a
>>> forwarding class. Is this possible?
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>
>