Firewall Filter Terminating Actions
Firewall filters support a set of terminating actions for each protocol family. A filter-terminating action halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are examined.
You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term.
For MX Series routers with MPCs, you need to initialize the filter counter for Trio-only match filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensures that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the terminating actions you can specify in a firewall filter term.
| Terminating Action | Description | Protocols |
|---|---|---|
| accept | Accept the packet. | |
| | Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling. | |
| | Exclude the packet from being included in accurate accounting statistics for tunneled subscribers on an L2TP LAC. Typically used in filters that match DHCPv6 or ICMPv6 control traffic. Failure to exclude these packets results in the idle-timeout detection mechanism considering these packets as data traffic, causing the timeout to never expire. (The idle timeout is configured with the The term excludes packets from being included in counts for both family accurate accounting and service accurate accounting. The packets are still included in the session interface statistics. The term is available for both | |
| | Reject the packet and return an ICMPv4 or ICMPv6 message: The | |
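As an added example (not taken from this page), a family inet filter that shows the split the text describes: the first term uses only nonterminating actions and falls through with next term, while the later terms end evaluation with discard, reject, and accept. The filter and term names, the counter name, and the 192.0.2.0/24 management prefix are assumptions.

```junos
firewall {
    family inet {
        filter PROTECT-RE {
            /* Nonterminating actions only: count the packet, then continue to the
               next term. Combining accept, discard or reject with "next term"
               in the same term is not permitted. */
            term count-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-attempts;
                    next term;
                }
            }
            /* Terminating: silently drop SSH from any source outside the assumed
               management prefix. Discarded packets can still be logged. */
            term drop-untrusted-ssh {
                from {
                    source-address {
                        0.0.0.0/0;
                        192.0.2.0/24 except;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    log;
                    discard;
                }
            }
            /* Terminating: refuse telnet and tell the sender why, instead of
               dropping silently. */
            term reject-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    reject administratively-prohibited;
                }
            }
            /* Terminating: accept everything else; without this term the
               filter's implicit final discard would apply. */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

Apply the filter as an input filter on the loopback interface to protect the Routing Engine; on MPC-based MX Series routers, walk the counter MIB as described above so that the ssh-attempts counter appears in the filter statistics.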