Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Parameterized Filter Processing Overview

 

When creating a parameterized filter, you first define the family address type (inet, inet6, or any) and then you define one or more terms that specify the filtering criteria and the action to take when a match occurs.

Each term, or rule, consists of the following components:

  • Match conditions—Specifies values or fields that the packet must contain. You can define various match conditions, including:

    • IP source address field

    • IP destination address field

    • Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field

    • IP protocol field

    • Internet Control Message Protocol (ICMP) packet type

    • TCP flags

    • interfaces

  • Actions—Specifies what to do when a match condition occurs. Possible actions are to accept or discard a packet. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.

The processing of parameterized filters is the same as classic filters. The order of the terms within a parameterized filter is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. When a firewall filter contains multiple terms, the router takes a top-down approach and compares a packet against the first term in the firewall filter. If the packet matches the first term, the router executes the action defined by that term to either accept or reject the packet, and no other terms are evaluated. If the router does not find a match between the packet and first term, it then compares the packet to the next term in the firewall filter by using the same match process. If no match occurs between the packet and the second term, the router continues to compare the packet to each successive term defined in the firewall filter until a match is found. If a packet does not match any terms in a firewall filter, the default action is to discard the packet.

You can also specify a precedence (from 0 through 255) for input and output filters within a dynamic profile to force filter processing in a particular order. Setting a lower precedence value for a filter gives it a higher precedence within the dynamic profile. Filters with lower precedence values are applied to interfaces before filters with higher precedence values. A precedence of zero (the default) gives the filter the highest precedence. If no precedence is specified, the filter receives a precedence of zero (highest precedence). Filters with matching precedence (zero or otherwise) are applied in an unspecified order.

Note

Parameterized filters do not support outbound packets that are sourced from the routing engine.