[j-nsp] solution to a firewall question

Vijesh Chandran vijesh at juniper.net
Thu Apr 23 21:44:02 EDT 2015


This would probably need a tweak. Juniper does not support a filter reference inside a term with 'from' inside it. There will be a commit error.

However, let me try this and come back. Thanks for the solution.


-Thanks,

 Vijesh



________________________________
From: Damien DeVille <damien.deville at gmail.com>
Sent: Thursday, April 23, 2015 5:54 PM
To: Vijesh Chandran
Cc: Olivier Benghozi; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] solution to a firewall question

You are correct -- I misread the documentation. I think this will achieve your goal -- though it would be simpler to write a filter with 2 terms: the first to match and count with an action of "next-term", and the second to classify and shunt the packets into a forwarding class.

You can call one filter as part of another; in this example f2 (applied as the input on the interface) calls f1 prior to processing the match conditions in term 1:

ddeville at testlab-rtr# show
unit 0 {
    family inet {
        filter {
            input f2;
        }
        dhcp;
    }
}

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        filter f1;
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}





- Damien
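The single-filter, two-term variant Damien describes above, written out as an added example (this is not configuration from the original thread; the filter, term and counter names are assumed). Term count-web counts TCP/80 and ends with next term, so the packet falls through to term classify-ef, which does the DSCP classification. A final accept-all term is included because every Junos filter ends with an implicit discard. This variant relies on next term, which is exactly what Vijesh's requirement rules out, so it is shown here for comparison with the input-list approach.

```junos
firewall {
    family inet {
        filter count-and-classify {
            /* Count all TCP/80 and keep evaluating the next term */
            term count-web {
                from {
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    count tcp_80;
                    next term;
                }
            }
            /* Classify EF-marked packets into the expedited-forwarding class */
            term classify-ef {
                from {
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            /* Without this, anything not DSCP EF is dropped by the implicit discard */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input count-and-classify;
                }
            }
        }
    }
}
```

After commit, `show firewall filter count-and-classify` shows the tcp_80 counter incrementing, and the trailing allow-rest term is the one to check first if unexpected traffic starts disappearing on the interface.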

On Thu, Apr 23, 2015 at 8:24 PM, Vijesh Chandran <vijesh at juniper.net> wrote:

Is there a programming difference between 'firewall filter' and 'firewall family inet filter' (ignore the v4 part of that)?

  AFAIK, family inet filter will skip all subsequent terms if a packet matches the first term. Is that not true for family filter?


-Vijesh


________________________________
From: Damien DeVille <damien.deville at gmail.com>
Sent: Thursday, April 23, 2015 5:17 PM
To: Vijesh Chandran
Cc: Olivier Benghozi; juniper-nsp at puck.nether.net

Subject: Re: [j-nsp] solution to a firewall question

Actually, my example is incorrect.  Filter f1 should read as follows:

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
        }
    }
}

When written this way, the second filter "f2" will be evaluated as part of the chain.  See http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195



- Damien

On Thu, Apr 23, 2015 at 6:12 PM, Damien DeVille <damien.deville at gmail.com> wrote:
While I don't understand why you have the requirement that you can't use next-term (it seems to be arbitrary), you can accomplish this with the "input-list" option (https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html).

Here is a sample configuration:

ddeville at testlab-rtr# show interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input-list [ f1 f2 ];
        }
        address 192.168.1.2/32;
    }
}

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}





- Damien

On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net> wrote:
Hi Olivier,
 My bad that I didn't specify this in the original mail...
The caveat here is that next term shall be avoided, as per the requirement.
-Thanks,
 Vijesh


________________________________________
From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of Olivier Benghozi <olivier.benghozi at wifirst.fr>
Sent: Thursday, April 23, 2015 11:39 AM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] solution to a firewall question

Replace accept with next term in f1?

next term works across filter lists from what I see and according to the documentation ( http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html ).


Olivier

> On 23 Apr 2015 at 17:18, Vijesh Chandran <vijesh at juniper.net> wrote:
>
> Hi all,
>  I am wondering if we have a solution to this issue.
>  I need two firewall filters attached to an interface as an input-list, e.g.: f1 and f2.
>  Input-list [f1 f2]
>  f1 to match a condition (all tcp port 80) and accept and count that packet.
>  f2 to classify those packets based on code points and push to a forwarding class. Is this possible?

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp