FlowSpec rules being installed, but not matching any traffic

Paul S. contact at winterei.se
Thu Apr 14 05:26:01 EDT 2022 

Hey folks,

We're trying to build a little something where we block malicious 
traffic after detection via BGP flowspec. This is a super simple network 
with a pair of QFX5100-24Q-2P acting as our l3 gateways, which then runs 
a single VLAN.

Configuration snippets below. The problem we're seeing is that announced 
flowspec rules get installed in the rib, and on the firewall filter -- 
but that filter matches nothing, no counters get incremented. If we try 
to set traffic-rate to 0 via src/dst IPs, that doesn't work either.

What I'm seeing is very similar to 
https://www.reddit.com/r/Juniper/comments/g70f8n/flowspec_rules_not_matching_anything_at_all/

Is this a platform limitation, or am I doing something wrong?

root at member0# run show firewall filter __flowspec_default_inet__

Filter: __flowspec_default_inet__
Counters:
Name                                                Bytes              
Packets
10.1.1.2,*                                        0                    0 
<-- Note the empty counters
224.0.0.2,*                                                  0           
          0


root at member0# run show route table inetflow.0 extensive

inetflow.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
10.1.1.2,*/term:1 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
         *BGP    Preference: 170/-101
                 Next hop type: Fictitious, Next hop index: 0
                 Address: 0xc9e3780
                 Next-hop reference count: 2
                 Next hop:
                 State: <Active Int Ext SendNhToPFE>
                 Peer AS: 1234
                 Age: 22:02
                 Validation State: unverified
                 Task: BGP_394727_394727.172.16.1.2
                 Announcement bits (1): 0-Flow
                 AS path: I
                 Communities: traffic-rate:0:0
                 Accepted
                 Localpref: 100
                 Router ID: 172.16.1.2
                 Thread: junos-main


Configs

root at member0# show protocols bgp group FLOWSPEC
type internal;
neighbor 172.16.1.2 {
     local-address 172.16.1.1;
     family inet {
         unicast;
         flow {
             no-validate flowspec-import;
         }
     }
}

{master:0}[edit]
root at member0# show routing-options
static {
     route 0.0.0.0/0 next-hop [ 1.2.3.4 ];
}
flow {
     term-order standard;
}
nonstop-routing;

root at member0# show interfaces irb.1181
bandwidth 40g;
family inet {
     address 10.0.0.1/24;
}

More information about the juniper-nsp mailing list