[j-nsp] Output filter on discard interface doesn't work as expected

Alex D. listensammler at gmx.de
Fri Mar 10 10:07:38 EST 2017 

Hi,

i have a problem with my firewall filter bound to a discard interface 
dsc.0 in a quite simple RTBH setup...
I receive a bgp route with a next-hop ip 192.0.2.101 which is configured 
on a discard interface. Blackholing works as expected, means that 
traffic coming in from a directly connected router is discarded. Problem 
is that blackholed traffic will not be counted by the configured filter. 
Configuration and counter looks as follows:

user at R1# show firewall
family inet {
     filter blackhole-counter {
         interface-specific;
         term one {
             then count blackholed-packets;
         }
     }
}

user at R1# show interfaces
dsc {
     unit 0 {
         family inet {
             filter {
                 output blackhole-counter;
             }
             address 192.0.2.102/32 {
                 destination 192.0.2.101;
             }
         }
     }
}

Here's the bgp route (don't be scared because of the ip, it's just a lab 
setup):
user at R1# run show route protocol bgp 8.8.8.8 detail

inet.0: 35 destinations, 35 routes (35 active, 0 holddown, 0 hidden)
8.8.8.8/32 (1 entry, 1 announced)
         *BGP    Preference: 170/-101
                 Next hop type: Indirect
                 Address: 0x9335600
                 Next-hop reference count: 6
                 Source: 1.1.1.99
                 Next hop type: Router, Next hop index: 587
                 Next hop: 192.0.2.101 via dsc.0, selected
                 Protocol next hop: 192.0.2.101
                 Indirect next hop: 94802b8 131071
                 State: <Active Int Ext>
                 Local AS:  1111 Peer AS:  1111
                 Age: 34:10      Metric2: 0
                 Task: BGP_1111.1.1.1.99+35805
                 Announcement bits (3): 0-KRT 4-BGP_RT_Background 
5-Resolve tree 2
                 AS path: I (Originator) Cluster list:  1.1.1.99
                 AS path:  Originator ID: 10.15.40.154
                 Communities: 1111:9999
                 Accepted
                 Localpref: 100
                 Router ID: 1.1.1.99

My "problem" filter:
user at R1# run show firewall filter blackhole-counter-dsc.0-i

Filter: blackhole-counter-dsc.0-o
Counters:
Name                                                Bytes              
Packets
blackholed-packets-dsc.0-i                              
0                    0

Same filter on the interface towards an directly connected neighbor 
router, from where a ping to 8.8.8.8 is running, shows that traffic is 
comming in:
user at R1# run show firewall filter blackhole-counter-em0.0-i

Filter: blackhole-counter-em0.0-i
Counters:
Name                                                Bytes              
Packets
blackholed-packets-em0.0-i                         
166290                 2086

Any suggestions, why my firewall filter with count action doesn't work ?

Regards,
Alex

More information about the juniper-nsp mailing list