Firewall Filter Nonterminating Actions
Firewall filters support different sets of nonterminating actions for each protocol family, which include an implicit accept action. In this context, nonterminating means that other actions can follow these actions, whereas no other actions can follow a terminating action. As such, you cannot configure the next term action with a terminating action in the same filter term. You can, however, configure the next term action with another nonterminating action in the same filter term.
Table 1 describes the nonterminating actions you can configure for a firewall filter term.
Nonterminating Action | Description | Protocol Families |
---|---|---|
| | Count the packet in the named counter. | |
| | Configure the value of the Don’t Fragment bit (flag) in the IPv4 header to specify whether the datagram can be fragmented: Note: The | |
| | Set the IPv4 Differentiated Services code point (DSCP) bit. You can specify a numerical value from The default DSCP value is You can also specify one of the following text synonyms: Note: MPC line cards running on MX Series routers support any value (from 0 to 63) in conjunction with the | |
| | By default, a hierarchical policer processes the traffic it receives according to the traffic’s forwarding class. Premium, expedited-forwarding traffic has priority for bandwidth over aggregate, best-effort traffic. The Note: The | |
| | Classify the packet to the named forwarding class: | |
| | Police the packet using the specified hierarchical policer. | |
| | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the Note: The Layer 2 (L2) families log action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DPCs). For MX Series routers with DPCs, the log action for L2 families is ignored if configured. | |
| | Set the packet loss priority (PLP) level. You cannot also configure the For IP traffic on MX Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the | |
| | Continue to the next term in a filter. | |
| | Direct packets to the specified destination IPv4 address. | |
| | Direct packets to the specified destination IPv6 address. | |
| | Name of policer to use to rate-limit traffic. | |
| | Port-mirror the packet based on the specified family. This action is supported on M120 routers, M320 routers configured with Enhanced III FPCs, MX Series routers, and PTX Series Packet Transport Routers only. We recommend that you do not use both the | |
| | Direct packets to the specified routing instance. | |
| | Sample the packet. Note: Junos OS does not sample packets originating from the router. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled. | |
| | Use the inline counting mechanism when capturing subscriber per-service statistics. Count the packet for service accounting. The count is applied to a specific named counter ( The | |
| | Use the deferred counting mechanism when capturing subscriber per-service statistics. The count is applied to a specific named counter ( The | |
| | (Only if the Indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the | |
| | Log the packet to the system log file. The syslog firewall action for existing Input interface, action, VLAN ID1, VLAN ID2, Ethernet type, source and destination MAC addresses, protocol, source and destination IP addresses, source and destination ports, and the number of packets. Note: The L2 families syslog action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DPCs). For MX Series routers with DPCs, the syslog action for L2 families is ignored if configured. | |
| | Police the packet using the specified single-rate or two-rate three-color policer. Note: You cannot also configure the | |
| | Specify the traffic-class code point. You can specify a numerical value from The default traffic-class value is best effort, that is, In place of the numeric value, you can specify one of the following text synonyms: | |
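The implicit accept and the next term action described at the top of this page matter most when a counting or logging term sits in front of a restrictive term. The following filter is an added example, not taken from the Junos documentation; the filter name, term names, counter name and the 192.0.2.0/24 management prefix are assumptions chosen for illustration.

```junos
firewall {
    family inet {
        /* Hypothetical filter name; intended for a loopback input filter. */
        filter protect-re-example {
            /* Only nonterminating actions here. Without "next term" the
               implicit accept would pass every SSH packet at this point
               and the terms below would never evaluate it. */
            term count-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-attempts;   /* assumed counter name */
                    log;
                    next term;
                }
            }
            /* Terminating action: evaluation stops here for management hosts. */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;     /* assumed management prefix */
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* A nonterminating action (syslog) may share a term with a
               terminating action (discard); "next term" may not. */
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
```

When reviewing an existing filter, check every term whose then clause contains only nonterminating actions: unless it ends with next term, it accepts the packet and hides it from every later term.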