Configuring a Filter Action Statement

In a firewall filter term, you can specify the action to take if the packet matches the conditions you have configured in the term. To configure a filter action, include the then statement:

then {
    action;
    action-modifiers;
}

For IPv4 traffic, configure the filter action at the [edit firewall family inet filter filter-name term term-name] hierarchy level. For IPv6 traffic, configure the filter action at the [edit firewall family inet6 filter filter-name term term-name] hierarchy level. For MPLS traffic, configure the filter action at the [edit firewall family mpls filter filter-name term term-name] hierarchy level.

You can specify zero or one then statement in a filter term. If you omit the then statement or do not specify an action, the packets that match the conditions in the from statement are accepted.

NOTE: We strongly recommend that you always explicitly configure an action in the then statement.


You can specify one of the filter actions listed under Actions in Table 22.

In the filter action statement, you can also specify one or more of the action modifiers listed under Action Modifiers in Table 22.

You can include zero or one action statement, but any combination of action modifiers. For the action or action modifier to take effect, all conditions in the from statement must match. Because action modifiers carry an implicit accept, a term whose then statement contains only log (or any other modifier) is a terminating term: matching packets are accepted and are not evaluated against any later term in the filter, unless you also specify next term.

The action modifier operations carry a default accept action. For example, if you specify an action modifier and do not specify an action, the specified action modifier is implemented and the packet is accepted.
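The following configuration is an added example, not taken from the original page, showing the implicit-accept pitfall beside a corrected filter that uses the next term, reject and syslog entries from Table 22. The filter, term and counter names and the 192.0.2.0/24 management prefix are assumptions.

```junos
firewall {
    family inet {
        /* Weak: term count-ssh has modifiers but no action. Matching SSH
           packets are counted and logged, then implicitly accepted, and
           filter evaluation stops there. Term drop-ssh never sees them,
           so the filter never blocks SSH at all. */
        filter ssh-weak {
            term count-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-seen;
                    log;
                }
            }
            term drop-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then discard;
            }
        }
        /* Corrected: every term states what happens next. The first term
           keeps the counter but hands the packet to the following term,
           SSH from the (assumed) management prefix is accepted explicitly,
           and all other SSH is answered with a TCP reset, counted and
           sent to syslog. */
        filter ssh-hardened {
            term count-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-seen;
                    next term;
                }
            }
            term permit-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term reject-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-rejected;
                    syslog;
                    reject tcp-reset;
                }
            }
            /* Explicit catch-all so that non-SSH traffic is accepted by
               a stated action rather than by whatever the filter does to
               packets that match no term. */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

Compare the two with show firewall filter ssh-weak and show firewall filter ssh-hardened after applying each to the same interface: in the weak filter the ssh-seen counter climbs while no SSH is ever blocked, because the terminating accept in count-ssh hides drop-ssh. The tcp-reset message type on reject is chosen over the default administratively-prohibited ICMP message because, as Table 22 notes, it returns a TCP reset to TCP packets and nothing at all otherwise, which leaves the client with a closed port rather than an ICMP error to probe.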

Policing uses a specific type of action, known as a policer action. For more information, see Policer Configuration.

For more information about forwarding classes and loss priority, see the JUNOS Network Interfaces and Class of Service Configuration Guide.

Table 22 describes the filter actions and action modifiers.


Table 22: Firewall Filter Actions and Action Modifiers
Action or Action Modifier
Description
Actions

accept

Accept a packet. This is the default.

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are not available for logging or sampling.

next term

Continue to the next term for evaluation.

reject <message-type>

Discard a packet, sending an ICMP destination unreachable message. Rejected packets can be logged or sampled if you configure either of those action modifiers. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a Transmission Control Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, nothing is returned.

routing-instance routing-instance

Specify a routing instance to which packets are forwarded.

Action Modifiers

count counter-name

Count the packets that match this term in the named counter. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter.

forwarding-class class-name

A particular forwarding class.

ipsec-sa sa-name

An IPsec SA for the packet. Used with the source-address and destination-address match conditions.

log

Log the packet's header information in the Routing Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI).

loss-priority priority

Set the packet loss priority (PLP) to low or high.

policer policer-name

Apply rate limits to the traffic using the named policer.

sample

Sample the traffic on the interface. Use this modifier only when traffic sampling is enabled. For more information, see Traffic Sampling and Forwarding Configuration.

syslog

Log an alert for this packet. The log can be sent to a server for storage and analysis.


Example: Configure a Filter Action Statement

Count, sample, and accept the traffic:

firewall {
    family inet {
        filter sam {
            term all {
                then {
                    count sam-1;
                    sample;      # no action is specified, so the default action accept applies
                }
            }
        }
    }
}

Display the packet counter:

user@host> show firewall filter sam

Filter: sam
Counters:
Name                                   Bytes                Packets
sam-1                                     98                   8028

Display the firewall log output:

user@host> show firewall log


Time     Filter     A Interface        Pro Source address  Destination address
23:09:09 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:09:07 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:09:07 -          A at-2/0/0.301     ICM 10.2.0.25       10.211.211.1:49552
23:02:27 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:02:25 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:01:22 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:23251
23:01:21 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:16557
23:01:20 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:29471
23:01:19 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:26873

This output file contains the following fields:

Time: time at which the packet was logged.
Filter: name of the filter that logged the packet (shown as - in this output).
A: action taken on the packet. A is accept, as in this example, where the default accept action applies; D is discard and R is reject.
Interface: interface on which the packet arrived.
Pro: protocol of the packet, for example TCP or ICM (ICMP).
Source address: source IP address of the packet.
Destination address: destination IP address of the packet, followed by the destination port after a colon.

Display the sampling output:

user@host> show log /var/tmp/sam


# Apr  7 15:48:50  
Time                    Dest           Src Dest Src Proto TOS Pkt Intf  IP   TCP
                        addr          addr port port          len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:56 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0

NOTE: When you enable reverse-path forwarding (RPF) on an interface with an input filter for firewall log and count, the input firewall filter does not log the packets rejected by RPF, although the rejected packets are counted. To log the rejected packets, use an RPF check fail filter to log the rejected packets.
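The following configuration is an added example, not taken from the original page, of the RPF check fail filter the note refers to. The fail-filter statement is configured under the interface's family inet along with the rpf-check itself; the filter, term and counter names are assumptions, the interface is the at-2/0/0.301 seen in the log output above, and ingress-acl stands for whatever input filter is already applied.

```junos
firewall {
    family inet {
        /* Applied only to packets that failed the RPF check, so no
           from statement is needed: every packet reaching this filter
           is counted, logged and answered with the default
           administratively-prohibited ICMP message. */
        filter rpf-fail-log {
            term log-rpf-failures {
                then {
                    count rpf-failed;
                    log;
                    syslog;
                    reject;
                }
            }
        }
    }
}
interfaces {
    at-2/0/0 {
        unit 301 {
            family inet {
                rpf-check {
                    fail-filter rpf-fail-log;
                }
                filter {
                    input ingress-acl;   /* existing input filter (assumed name) */
                }
            }
        }
    }
}
```

The fail filter uses reject rather than discard because, as Table 22 states, discarded packets are not available for logging or sampling. The cost is an ICMP reply to the packet's source address, which for an RPF failure is suspect by definition; if that reply traffic is unacceptable, use discard in the fail filter and rely on the rpf-failed counter alone. Check the result with show firewall filter rpf-fail-log and show firewall log.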

For more information about sampling output, see Configuring a Forwarding Table Filter.
