Configuring a Filter Action Statement

[Contents] [Prev] [Next] [Index] [Report an Error]

Configuring a Filter Action Statement
In a firewall filter term, you can specify the action to take if the packet matches the conditions you have configured in the term. To configure a filter action, include the then statement:
then {
    action;
    action-modifiers;
}
For IPv4 traffic, configure the filter action at the [edit firewall family inet filter filter-name term term-name] hierarchy level. For IPv6 traffic, configure the filter action at the [edit firewall family inet6 filter filter-name term term-name] hierarchy level. For MPLS traffic, configure the filter terms at the [edit firewall family mpls filter filter-name term term-name] hierarchy level.

You can specify zero or one then statement in a filter term. If you omit the then statement or do not specify an action, the packets that match the conditions in the from statement are accepted.

NOTE: We strongly recommend that you always explicitly configure an action in the then statement.

You can specify one of the following filter actions:

accept—The packet is accepted and is sent to its destination.

discard—The packet is not accepted and is not processed further.

next term—Evaluate the next term in the firewall filter.

reject—The packet is not accepted and a rejection message is returned. Rejected packets can be logged or sampled.

routing-instance—The packet is accepted and routed by the specified routing instance. For more information, see Configuring Filter-Based Forwarding.

In the filter action statement, you can also specify one or more of the following action modifiers:

count—Add packet to a count total.

forwarding-class—Specify the packet forwarding class name.

log—The packet's header information is stored on the Routing Engine or sent to a server.

NOTE: The firewall filter stops logging discard and reject actions at a high traffic rate.

loss-priority—Set the packet loss priority (PLP) to low, medium, or high.

NOTE: You must configure tricolor marking policer to set PLP to medium.

policer—Apply rate-limiting procedures to the traffic. For more information, see Policer Configuration.

sample—Sample the packet traffic. Apply this option only if you have enabled traffic sampling. For more information, see Traffic Sampling and Forwarding Configuration.

syslog—Log an alert for the packet.

ipsec-sa sa-name—Specify an IP Security (IPSec) security association (SA) for the packet. This is used with the source-address and destination-address match conditions.

You can include zero or one action statement, but any combination of action modifiers. For the action or action modifier to take effect, all conditions in the from statement must match. If you specify log as one of the actions in a term, this constitutes a termination action; whether any additional terms in the filter are processed depends on the traffic through the filter.

The action modifier operations carry a default accept action. For example, if you specify an action modifier and do not specify an action, the specified action modifier is implemented and the packet is accepted.

Policing uses a specific type of action, known as a policer action. For more information, see Policer Configuration.

For more information about forwarding classes and loss priority, see the JUNOS Class of Service Configuration Guide.

Table 26 shows the complete list of filter actions and action modifiers.

Table 26: Firewall Filter Actions and Action Modifiers

Action or Action Modifier

Description

Actions

accept

Accept a packet.

count counter-name

Count the packet in the specified counter.

dscp

Set the IPv4 or the IPv6 Differentiated Services code point (DSCP) bit to 0.

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.

forwarding-class class

Classify packet to one of the following forwarding classes: as, assured-forwarding, best-effort, expedited-forwarding, or network-control.

ipsec-sa ipsec-sa

Use the specified IPSec security association.

load-balance group-name

Use the specified load-balancing group.

log

Log the packet.

logical-router logical-router-name

Use the specified logical router. This action is supported for both IPv4 and IPv6 firewall filters.

loss-priority (high | low | medium)

Set the loss priority level for packets.

out-of-profile

Indicate that the upper or lower bound of a policer has been met and starvation of queues is possible. The packets are marked as out of the profile of the policer. This action is supported on the J-series Services Router only as part of strict priority queuing. Out-of-profile packets are queued only if the port is not congested.

next term

Continue to the next term for evaluation.

next-hop-group group-name

Use the specified next-hop group.

policer policer-name

Rate-limit packets based on the specified policer.

port-mirror

Port-mirror the packets.

prefix-action name

Count or police packets based on the specified action name.

reject <message-type>

Discard a packet, sending an ICMPv4 or an ICMP v6 destination unreachable message. Rejected packets can be logged or sampled if you configure either of those action modifiers. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a Transmission Control Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, nothing is returned.

routing-instance routing-instance

Specify a routing instance to which packets are forwarded.

sample

Sample the packets.

syslog

Log information about the packets.

Action Modifiers

count counter-name

The number of the packets passing this filter/term/policer. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter.

forwarding-class class-name

A particular forwarding class.

ipsec-sa sa-name

An IPSec SA for the packet. Used with the source-address and destination-address match conditions.

log

Log the packet's header information in the Routing Engine. You can access this information by issuing the show log command at the command-line interface (CLI).

loss-priority priority

Set the PLP to low or high.

policer policer-name

Apply rate limits to the traffic using the named policer.

sample

Sample the traffic on the interface. Use this modifier only when traffic sampling is enabled. For more information, see Traffic Sampling and Forwarding Configuration.

syslog

Log an alert for this packet. The log can be sent to a server for storage and analysis.

three-color-policer policer-name

Apply rate limits to the traffic using the tricolor marking policer.

Example: Configure a Filter Action Statement

Count, sample, and accept the traffic:
term all {
    then {
        count sam-1;
        sample;                                                                     # default action is accept
    } 
}
Display the packet counter:
user@host> show firewall filter sam 
Filter:
Counters:
Name                       Bytes                                     Packets
sam
sam-1                                     98                   8028
Display the firewall log output:

user@host> show firewall log
Time     Filter     A Interface        Pro Source address  Destination address
23:09:09 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:09:07 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:09:07 -          A at-2/0/0.301     ICM 10.2.0.25       10.211.211.1:49552
23:02:27 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:02:25 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:01:22 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:23251
23:01:21 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:16557
23:01:20 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:29471
23:01:19 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:26873
This output file contains the following fields:

Time—Time at which the packet was received (not shown in the default).

Filter—Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. A hyphen (-) or the abbreviation pfe indicates that it was handled by the Packet Forwarding Engine. A space (no hyphen) indicates that the packet was handled by the Routing Engine.

A—Filter action:

A—Accept (or next term)

D—Discard

R—Reject

Interface—Interface on which the filter is configured.

NOTE: We strongly recommend that you always explicitly configure an action in the then statement.

Pro—Packet's protocol name or number.

Source address—Source IP address in the packet.

Destination address—Destination IP address in the packet.

Display the sampling output:
user@host> show log /var/tmp/sam
# Apr  7 15:48:50  
Time                    Dest           Src Dest Src Proto TOS Pkt Intf  IP   TCP
                        addr          addr port port          len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:56 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
   
NOTE: When you enable reverse path forwarding (RPF) on an interface with an input filter for firewall log and count, the input firewall filter does not log the packets rejected by RPF, although the rejected packets are counted. To log the rejected packets, use an RPF check fail filter to log the rejected packets.


 
For more information about sampling output, see Configuring a Forwarding Table Filter.

Example: Set the DSCP bit to 0

Set the DSCP bit to 0 using a firewall filter:
firewall {
    filter filter1 {
           term 1 {
               from {
                   dscp 2;
               }
              then {
                    dscp 0;
                   forwarding-class best-effort;
              }
           }
           term 2 {
               from {
                     dscp 3;
               }
               then {
                   forwarding-class best-effort;
               }
        }
}
Apply this filter to the logical interface corresponding to the VRF:
interfaces so-0/1/0 {
        unit 0 {
            family inet {
                 filter input filter1;
            }
       }
}

Action or Action Modifier	Description
Actions
`accept`	Accept a packet.
`count` `counter-name`	Count the packet in the specified counter.
`dscp`	Set the IPv4 or the IPv6 Differentiated Services code point (DSCP) bit to 0.
`discard`	Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.
`forwarding-class` class	Classify packet to one of the following forwarding classes: `as`, `assured-forwarding`, `best-effort, expedited-forwarding`, or `network-control`.
`ipsec-sa` `ipsec-sa`	Use the specified IPSec security association.
`load-balance` `group-name`	Use the specified load-balancing group.
`log`	Log the packet.
`logical-router` `logical-router-name`	Use the specified logical router. This action is supported for both IPv4 and IPv6 firewall filters.
`loss-priority (high \| low \| medium)`	Set the loss priority level for packets.
`out-of-profile`	Indicate that the upper or lower bound of a policer has been met and starvation of queues is possible. The packets are marked as out of the profile of the policer. This action is supported on the J-series Services Router only as part of strict priority queuing. Out-of-profile packets are queued only if the port is not congested.
`next` `term`	Continue to the next term for evaluation.
`next-hop-group` `group-name`	Use the specified next-hop group.
`policer` `policer-name`	Rate-limit packets based on the specified policer.
`port-mirror`	Port-mirror the packets.
`prefix-action` `name`	Count or police packets based on the specified action name.
`reject` `<message-type>`	Discard a packet, sending an ICMPv4 or an ICMP v6 destination unreachable message. Rejected packets can be logged or sampled if you configure either of those action modifiers. You can specify one of the following message codes: `administratively-prohibited` (default), `bad-host-tos`, `bad-network-tos`, `host-prohibited`, `host-unknown`, `host-unreachable`, `network-prohibited`, `network-unknown`, `network-unreachable`, `port-unreachable`, `precedence-cutoff`, `precedence-violation`, `protocol-unreachable`, `source-host-isolated`, `source-route-failed`, or `tcp-reset`. If you specify `tcp-reset`, a Transmission Control Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, nothing is returned.
`routing-instance` `routing-instance`	Specify a routing instance to which packets are forwarded.
`sample`	Sample the packets.
`syslog`	Log information about the packets.
Action Modifiers
`count` `counter-name`	The number of the packets passing this filter/term/policer. The name can contain letters, numbers, and hyphens (-), and can be up to 24 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter.
`forwarding-class` `class-name`	A particular forwarding class.
`ipsec-sa` `sa-name`	An IPSec SA for the packet. Used with the `source-address` and `destination-address` match conditions.
`log`	Log the packet's header information in the Routing Engine. You can access this information by issuing the `show log` command at the command-line interface (CLI).
`loss-priority` `priority`	Set the PLP to `low` or `high`.
`policer` `policer-name`	Apply rate limits to the traffic using the named policer.
`sample`	Sample the traffic on the interface. Use this modifier only when traffic sampling is enabled. For more information, see Traffic Sampling and Forwarding Configuration.
`syslog`	Log an alert for this packet. The log can be sent to a server for storage and analysis.
`three-color-policer` `policer-name`	Apply rate limits to the traffic using the tricolor marking policer.

[Contents] [Prev] [Next] [Index] [Report an Error]