Filter Operation

This section takes a deep dive into the operation and capabilities of firewall filters on MX routers. Ready, set, go.

Stateless Filter Processing

A firewall filter consists of one or more terms, with each term typically having both a set of match criteria and a set of actions to be performed on matching traffic. Traffic is evaluated against each term in the order listed until a match is found with a terminating action. Figure 3-1 illustrates these filter processing rules.


Figure 3-1. Filter Processing.

The traffic being evaluated begins at term 1, on the left, and makes its way toward the right through each successive term until a match is found, at which point the associated actions are carried out. Terminating actions are shown at the bottom of each filter term, while nonterminating actions (action modifiers) are shown at the top. As was noted previously, traffic that does not match any of the configured terms is subjected to an implicit deny-all term that, as its name might imply, matches on all remaining traffic and directs it to a discard action.

While the block diagram is useful, there is nothing like dealing with actual filter syntax to help drive these processing points home. Consider the multiterm firewall filter called EF_limit_G=768K:

filter EF_limit_G=768K {
    term EF {
        from {
            forwarding-class EF;
        }
        then policer POL_EF_G=768K;
    }
    term default {
        then accept;
    }
}

Here, the ...
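The processing rules above (terms walked in order, evaluation stopping at the first term with a terminating action, action modifiers applied along the way, and an implicit deny-all for traffic no term matches) can be made concrete with a small simulator. The following Python is an added example written for this section; it is not code from the book or from Junos. It parses the brace-style filter text shown above into terms, represents a packet as a dictionary of match fields (an assumption for the model), and evaluates the filter first-match. One behaviour it encodes is that a term whose `then` clause contains only action modifiers, like term EF with its policer, implicitly accepts the matching packet, which is the Junos rule the EF_limit_G=768K filter relies on.

```python
from dataclasses import dataclass, field

# Junos terminating actions; anything else in a 'then' clause is treated as an action modifier.
TERMINATING = {"accept", "discard", "reject"}

# The filter text from the page, embedded so the example runs stand-alone.
FILTER_TEXT = """
filter EF_limit_G=768K {
    term EF {
        from {
            forwarding-class EF;
        }
        then policer POL_EF_G=768K;
    }
    term default {
        then accept;
    }
}
"""


@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)    # empty 'from' means match everything
    actions: list = field(default_factory=list)  # ordered (action, argument) pairs


@dataclass
class Verdict:
    term: str        # term that decided the packet, or "<implicit-deny-all>"
    action: str      # terminating action applied
    modifiers: list  # action modifiers applied before terminating


def parse_filter(text):
    """Parse the subset of Junos filter syntax used on the page into Term objects."""
    terms, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("filter "):
            continue
        if line.startswith("term "):
            current = Term(name=line.split()[1])
            terms.append(current)
        elif line in ("from {", "then {"):
            section = line.split()[0]
        elif line.startswith("then "):          # one-line form: 'then action [arg];'
            parts = line[5:].rstrip(";").split(None, 1)
            current.actions.append((parts[0], parts[1] if len(parts) > 1 else None))
        elif line == "}":
            section = None
        else:                                    # 'key value;' inside a from/then block
            key, _, value = line.rstrip(";").partition(" ")
            if section == "from":
                current.match[key] = value
            elif section == "then":
                current.actions.append((key, value or None))
    return terms


def term_matches(term, packet):
    """A term matches when every 'from' condition equals the packet's field value."""
    return all(packet.get(k) == v for k, v in term.match.items())


def evaluate(terms, packet):
    """First-match evaluation: walk terms in order and stop at a terminating action."""
    for term in terms:
        if not term_matches(term, packet):
            continue
        modifiers = [(a, arg) for a, arg in term.actions if a not in TERMINATING]
        terminating = [a for a, _ in term.actions if a in TERMINATING]
        # Assumption modelled on Junos: a term with only action modifiers implicitly accepts.
        return Verdict(term.name, terminating[0] if terminating else "accept", modifiers)
    # No configured term matched: the implicit deny-all term discards the packet.
    return Verdict("<implicit-deny-all>", "discard", [])


if __name__ == "__main__":
    terms = parse_filter(FILTER_TEXT)
    for pkt in ({"forwarding-class": "EF"}, {"forwarding-class": "BE"}):
        print(pkt, "->", evaluate(terms, pkt))
    # Remove the catch-all 'default' term to show the implicit deny-all in action.
    print({"forwarding-class": "BE"}, "without default term ->", evaluate(terms[:-1], {"forwarding-class": "BE"}))
```

Running it shows EF traffic policed by POL_EF_G=768K and accepted by term EF, best-effort traffic accepted by term default, and, once the default term is removed, the same best-effort traffic discarded by the implicit deny-all term. The last case is the one to keep in mind when auditing a filter: any term you forget to write is a discard, not a pass.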
