[j-nsp] family inet/inet6 fw filters sharing the same prefix-list

[Chuck Anderson]

Has anyone seen strange behavior when using a single prefix-list
shared containing both IPv4 and IPv6 prefixes shared between two fw
filters, one family inet and one family inet6?  I just tried this, and
the family inet6 filter is executing the "then syslog" term even when
there is no match in the "from" clause.

Something like this:

family inet { AND family inet6 {
term PORT-MIRROR {
    then {
        port-mirror;
        next term;
    }
}
term TS-ALLOW {
    from {
        prefix-list {
            TS-ALLOW;
        }
    }
    then {
        count TS-ALLOW;
        syslog;
        next term;
    }
}
term Accept-All {
    then accept;
}
}

For the family inet version, everything works correctly.  For the
family inet6 version (configured at the same time), any/all IPv6
traffic, regardless if it matches the prefix-list TS-ALLOW, is being
subject to the syslog action.  I was seeing link-local ND and
site-local IPsec OSPF traffic matching.

The prefix-list TS-ALLOW contains only IPv4 address prefixes.  I tried
adding an IPv6 one (ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff/128) just
so there was at least one, but the result is the same.