
Configuring a Filter Action Statement

In a firewall filter term, you can specify the action to take if the packet matches the conditions you have configured in the term. To configure a filter action, include the then statement:

then {
    action;
    action-modifiers;
}

If you omit the then statement or do not specify an action, the packets that match the conditions in the from statement are accepted.

For IPv4 traffic, configure the filter action at the [edit firewall family inet filter filter-name term term-name] hierarchy level. For IPv6 traffic, configure the filter action at the [edit firewall family inet6 filter filter-name term term-name] hierarchy level. For MPLS traffic, configure the filter action at the [edit firewall family mpls filter filter-name term term-name] hierarchy level.

For Layer 2 traffic in a bridging environment, configure the filter action at the [edit firewall family bridge filter filter-name term term-name] hierarchy level. The bridge option is supported only on MX-series routers.

Note: We strongly recommend that you always explicitly configure an action in the then statement.

You can specify one of the following filter actions:

In the filter action statement, you can also specify one or more of the following action modifiers:

You can specify only one filter action statement (or omit it), but you can specify any combination of action modifiers. For the action or action modifier to take effect, all conditions in the from statement must match. If you specify log as one of the actions in a term, this constitutes a termination action; whether any additional terms in the filter are processed depends on the traffic through the filter.

The action modifier operations carry a default accept action. For example, if you specify an action modifier and do not specify an action, the specified action modifier is implemented and the packet is accepted.

Note: You cannot configure both the loss-priority and three-color-policer action modifiers for the same firewall filter term.

Policing uses a specific type of action, known as a policer action. For more information, see Policer Configuration.

For more information about forwarding classes and loss priority, see the JUNOS Class of Service Configuration Guide.

Table 28 shows the complete list of filter actions and action modifiers.

Table 28: Firewall Filter Actions and Action Modifiers

Action or Action Modifier

Description

Actions

accept

Accept a packet.

count counter-name

Count the packet in the specified counter.

dscp

Set the IPv4 or the IPv6 Differentiated Services code point (DSCP) bit to 0.

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.

forwarding-class class

Classify the packet into one of the following forwarding classes: assured-forwarding, best-effort, expedited-forwarding, or network-control.

ipsec-sa ipsec-sa

Use the specified IPsec security association.

load-balance group-name

Use the specified load-balancing group.

logical-system logical-system-name

Use the specified logical system. This action is supported for both IPv4 and IPv6 firewall filters.

loss-priority (high | low | medium)

Set the loss priority level for packets.

out-of-profile

Indicate that the upper or lower bound of a policer has been met and starvation of queues is possible. The packets are marked as out of the profile of the policer. This action is supported on the J-series Services Router only as part of strict priority queuing. Out-of-profile packets are queued only if the port is not congested.

next term

Continue to the next term for evaluation.

next-hop-group group-name

Use the specified next-hop group.

policer policer-name

Rate-limit packets based on the specified policer.

port-mirror

Port-mirror the packets.

prefix-action name

Count or police packets based on the specified action name.

reject message-type

Discard a packet, sending an ICMPv4 or an ICMPv6 destination unreachable message. Rejected packets can be logged or sampled if you configure either the sample or the syslog action modifier. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a Transmission Control Protocol (TCP) reset is returned if the packet is a TCP packet. Otherwise, nothing is returned.

routing-instance routing-instance

Specify a routing instance to which packets are forwarded.

sample

Sample the packets.

topology topology-name

Specify a topology to which packets are forwarded.

Action Modifiers

count counter-name

Number of packets passing this filter/term/policer. The name can contain letters, numbers, underscores (_), and hyphens (-), and can be up to 64 characters long. A counter name is specific to the filter that uses it, so all interfaces that use the same filter increment the same counter.

forwarding-class class-name

Particular forwarding class.

ipsec-sa sa-name

IPsec SA for the packet. Used with the source-address and destination-address match conditions.

log

Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI).

loss-priority priority

Set the packet loss priority (PLP) to low or high.

You cannot also configure the three-color-policer action modifier for the same firewall filter term. These two action modifiers are mutually exclusive.

policer policer-name

Apply rate limits to the traffic using the named policer.

sample

Sample the traffic on the interface. Use this modifier only when traffic sampling is enabled. For more information, see Traffic Sampling and Forwarding Configuration.

syslog

Store the packet header information on the Routing Engine and log it to the system log.

three-color-policer policer-name

Apply rate limits to the traffic using the tricolor marking policer.

You cannot also configure the loss-priority action modifier for the same firewall filter term. These two action modifiers are mutually exclusive.

Example: Configure a Filter Action Statement

Count, sample, and accept the traffic:

term all {
    then {
        count sam-1;
        sample; # default action is accept
    }
}

Display the packet counter:


user@host> show firewall filter sam
Filter:
Counters:
Name              Bytes                Packets
sam
sam-1             98                   8028

Display the firewall log output:

user@host> show firewall log
Time     Filter     A Interface        Pro Source address  Destination address
23:09:09 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:09:07 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:09:07 -          A at-2/0/0.301     ICM 10.2.0.25       10.211.211.1:49552
23:02:27 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:02:25 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:01:22 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:23251
23:01:21 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:16557
23:01:20 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:29471
23:01:19 -          A at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:26873
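The show firewall log output above has a fixed column layout, so it is easy to turn into structured records for review. The following is an added example, not part of the original documentation: a small Python parser for that layout, run over a constructed sample in the same format. The meaning of the A column (A = accept, D = discard, R = reject) is an assumption made for the example.

```python
import re
from collections import Counter

# Constructed sample in the column layout of "show firewall log" above.
# The A column is the filter action; assumed A = accept, D = discard, R = reject.
SAMPLE_LOG = """\
Time     Filter     A Interface        Pro Source address  Destination address
23:09:09 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:80
23:09:07 -          A at-2/0/0.301     TCP 10.2.0.25       10.211.211.1:56
23:09:07 -          A at-2/0/0.301     ICM 10.2.0.25       10.211.211.1:49552
23:01:22 -          D at-2/0/0.301     ICM 10.2.2.101      10.211.211.1:23251
"""

# time  filter  action  interface  proto  source  destination[:port]
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<filter>\S+)\s+(?P<action>[ADR])\s+"
    r"(?P<interface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$"
)

ACTION_NAMES = {"A": "accept", "D": "discard", "R": "reject"}  # assumed meaning


def parse_firewall_log(text):
    """Turn show firewall log output into a list of dicts, skipping the header."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # header line or blank line
            continue
        rec = m.groupdict()
        rec["action"] = ACTION_NAMES[rec["action"]]
        # Destination is "addr:port"; ICMP entries carry a number too, keep it as-is.
        addr, sep, port = rec.pop("dst").rpartition(":")
        rec["dst_addr"] = addr if sep else port
        rec["dst_port"] = int(port) if sep else None
        records.append(rec)
    return records


def select(records, **criteria):
    """Records whose fields equal every keyword given, e.g. proto="ICM"."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def count_by_source(records):
    """Packets logged per source address, a quick way to spot a chatty host."""
    return dict(Counter(r["src"] for r in records))


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for src, n in sorted(count_by_source(recs).items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n:5d} entries")
    for r in select(recs, action="discard"):
        print("discarded:", r["time"], r["proto"], r["src"], "->", r["dst_addr"])
```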

This output file contains the following fields:

Display the sampling output:

user@host> show log /var/tmp/sam
# Apr  7 15:48:50
Time                    Dest           Src Dest Src Proto TOS Pkt Intf  IP   TCP
                        addr          addr port port          len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0
Apr 7 15:48:56 192.168.9.194 192.168.9.195   0    0   1   0x0  84  8   0x0   0x0

Note: When you enable reverse path forwarding (RPF) on an interface with an input filter for firewall log and count, the input firewall filter does not log the packets rejected by RPF, although the rejected packets are counted. To log the rejected packets, use an RPF check fail filter.

For more information about sampling output, see Configuring a Forwarding Table Filter.

Example: Set the DSCP Bit to 0

Set the DSCP bit to 0 using a firewall filter:

firewall {
    filter filter1 {
        term 1 {
            from {
                dscp 2;
            }
            then {
                dscp 0;
                forwarding-class best-effort;
            }
        }
        term 2 {
            from {
                dscp 3;
            }
            then {
                forwarding-class best-effort;
            }
        }
    }
}

Apply this filter to the logical interface corresponding to the VPN routing and forwarding (VRF) instance:

interfaces so-0/1/0 {
    unit 0 {
        family inet {
            filter input filter1;
        }
    }
}
