Each filter contains rules or terms that are applied to packets or packet flows and either allow, disallow, or count certain packets. Filters can also modify flow behavior. Along with the ability to add dynamic policies, this functionality can be used for standard (programmable) firewall or policing functions on the router. The filters allow a range of tests and checks to be installed, which, in turn, allows you to customize behavior.
You use the functions in libdfwd, on the Routing Engine or the Multiservices PIC, to add firewall filters. The functions are documented in the SDK Library Reference.
When you create a firewall filter by calling junos_dfw_filter_trans_alloc() with the JUNOS_DFW_FILTER_OP_ADD operation, you also specify the type of firewall filter:
A classic filter (JUNOS_DFW_FILTER_TYPE_CLASSIC) undergoes compilation and optimization. The order of term definition is the order of evaluation. Changing any term requires recompiling the entire filter. This was the original firewall filter in the JUNOS software and has the richest set of supported match conditions and actions. Classic filters can be configured through the command-line interface (CLI) or dynamically from an application.
A fast-update filter (JUNOS_DFW_FILTER_TYPE_FAST_UPDATE) allows terms to be updated without recompilation. These filters have a predetermined set of match fields, and the order in which the fields are matched must be fixed when the filter is created. The match conditions and actions supported for fast-update filters are documented in the SDK Library Reference for libdfwd. Fast-update filters can be configured only from an application, not from the CLI.
Most applications use classic filters. For example, if the filter is monitoring an IP address that does not change over time, you would use a classic filter. You might use a fast-update filter if the filter is simple and will be updated frequently in response to rapidly changing conditions; for example, a policer that operates on a stream of voice data.
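As an added illustration of the ordered, first-match term evaluation described above (example code written for this page, not libdfwd code; the term and packet structures and the sample prefixes are this example's own constructions):

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the filter semantics described above: ordered
 * terms, accept/discard actions, an optional per-term counter.
 * This is example code for this page, not libdfwd; all names are its own. */

typedef enum { ACT_ACCEPT, ACT_DISCARD } action_t;

typedef struct {
    uint32_t src_net;       /* source prefix, host byte order */
    uint32_t src_mask;      /* 0 = match any source */
    uint16_t dst_port;      /* 0 = match any destination port */
    action_t action;        /* terminating action */
    int count;              /* 1 = also count packets hitting this term */
    unsigned long hits;     /* counter maintained by filter_eval() */
} term_t;

typedef struct { uint32_t src; uint16_t dst_port; } pkt_t;

static int term_matches(const term_t *t, const pkt_t *p)
{
    if ((p->src & t->src_mask) != (t->src_net & t->src_mask)) return 0;
    if (t->dst_port != 0 && t->dst_port != p->dst_port) return 0;
    return 1;
}

/* Terms are evaluated in definition order; the first matching term
 * decides. Returns 1 to accept, 0 to discard. Packets that match no
 * term are discarded, the default for Junos firewall filters. */
int filter_eval(term_t *terms, size_t n, const pkt_t *p)
{
    for (size_t i = 0; i < n; i++) {
        if (!term_matches(&terms[i], p)) continue;
        if (terms[i].count) terms[i].hits++;
        return terms[i].action == ACT_ACCEPT;
    }
    return 0;
}

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* The same two terms in both orders (constructed sample): a narrow accept
 * for port 22 from 10.0.0.0/8 and a broad discard for all of 10.0.0.0/8.
 * Because evaluation is first-match, the order decides the verdict. */
term_t accept_first[2] = {
    { IP4(10, 0, 0, 0), 0xff000000u, 22, ACT_ACCEPT, 1, 0 },
    { IP4(10, 0, 0, 0), 0xff000000u,  0, ACT_DISCARD, 0, 0 },
};
term_t discard_first[2] = {
    { IP4(10, 0, 0, 0), 0xff000000u,  0, ACT_DISCARD, 0, 0 },
    { IP4(10, 0, 0, 0), 0xff000000u, 22, ACT_ACCEPT, 1, 0 },
};
```

Swapping the two terms turns the same port-22 packet from accepted into discarded, which is why changing a classic filter's terms forces the whole filter to be recompiled.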
You can install a policy manager sample application that dynamically applies and removes filters and policers on logical interfaces; that code is in sandbox/src/sbin/dpm-ctrl/dpm-ctrl_dfw.c in your development sandbox. Documentation is at The Dynamic Policy Manager Application.
The following figure shows how applications on the Routing Engine and the Multiservices PIC both use the same libdfwd library to add filters.
Firewall Filters on the Routing Engine and the Multiservices PIC