[j-nsp] firewall filter terminating action
Dragan Jovicic
draganj84 at gmail.com
Tue Nov 22 09:23:39 EST 2016
Hi,
Yes, any non-terminating action - log, syslog, police, sample, count, etc -
has an implicit accept at the end.
On Tue, Nov 22, 2016 at 10:35 AM, Chen Jiang <ilovebgp4 at gmail.com> wrote:
> Hi! Experts
>
> Sorry for disturbing, I have a question but couldn't find the answer, could
> you pls shed some light on this?
>
> From the documents we know that Juniper firewall filter has 3 termination
> actions: accept, discard, and reject.
>
> But when we configured mirror and sample action, if we didn't include a
> "next-term", then the packets will not go through next term and just be
> forwarded, it seems there is an implicit "accept" after sample and mirror
> action. Is this expected behaviour?
>
> Below is our test example; the packets will not hit the policer in term
> "test-download" if we don't include a "next-term" in term "port-mirror":
> lab@r1# show firewall family inet
> filter csnet-filter-in {
>     term port-mirror {
>         then {
>             sample;
>             port-mirror-instance port-mirror-base-instance;
>         }
>     }
>     term test-download {
>         from {
>             destination-address {
>                 119.254.116.88/30;
>             }
>         }
>         then {
>             policer 1m;
>             accept;
>         }
>     }
>     term 3 {
>         then {
>             discard;
>         }
>     }
> }
>
>
> --
> BR!
>
>
>
> James Chen
>
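
An added example, not part of the thread and not Juniper tooling: a small Python check that models the behaviour confirmed above (a term with only non-terminating actions and no `next term` ends in an implicit accept) and reports the later terms, including the final discard, that are never evaluated. The filter is the one from the thread rewritten in set form as constructed sample input; the function names are hypothetical, and the check assumes a single filter and only flags match-all terms (no `from`).

```python
import re

TERMINATING = {"accept", "discard", "reject"}
SET_RE = re.compile(r"set firewall family inet filter \S+ term (\S+) (from|then) (.+)")

# The thread's filter rewritten in "display set" form (constructed sample input).
P = "set firewall family inet filter csnet-filter-in term "
THREAD_FILTER = [
    P + "port-mirror then sample",
    P + "port-mirror then port-mirror-instance port-mirror-base-instance",
    P + "test-download from destination-address 119.254.116.88/30",
    P + "test-download then policer 1m",
    P + "test-download then accept",
    P + "3 then discard",
]

def parse_terms(lines):
    """Return terms in configuration order: {name: {"from": [...], "then": [...]}}."""
    terms = {}
    for line in lines:
        m = SET_RE.fullmatch(line.strip())
        if m:
            term, section, rest = m.groups()
            terms.setdefault(term, {"from": [], "then": []})[section].append(rest)
    return terms

def final_action(then):
    """How a term ends: explicit terminating action, 'next term', or implicit accept."""
    for action in then:
        if action.split()[0] in TERMINATING:
            return action.split()[0]
    return "next term" if "next term" in then else "implicit accept"

def shadowed_terms(lines):
    """Find the first match-all term that stops evaluation and the terms it hides."""
    terms = parse_terms(lines)
    names = list(terms)
    for i, name in enumerate(names[:-1]):
        action = final_action(terms[name]["then"])
        if not terms[name]["from"] and action != "next term":
            return [(name, action, names[i + 1:])]  # later terms are never evaluated
    return []

# Same filter with "next term" added to the mirror/sample term.
FIXED_FILTER = THREAD_FILTER[:2] + [P + "port-mirror then next term"] + THREAD_FILTER[2:]

if __name__ == "__main__":
    print(shadowed_terms(THREAD_FILTER), shadowed_terms(FIXED_FILTER))
```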