Applying Filters and Services to Interfaces
When you have defined and grouped the service rules by configuring the service-set definition, you can apply services to one or more interfaces on the router. To associate a defined service set with an interface, include the service-set statement with the input or output statement at the [edit interfaces interface-name unit logical-unit-number family inet service] hierarchy level:
[edit interfaces interface-name unit logical-unit-number family inet service]
input {
    service-set service-set-name <service-filter filter-name>;
    post-service-filter filter-name;
}
output {
    service-set service-set-name <service-filter filter-name>;
}
When you enable services on an interface, reverse-path forwarding is not supported. You cannot configure services on the management interface (fxp0) or the loopback interface (lo0).
You can configure different service sets on the input and output sides of the interface. However, for service sets with bidirectional service rules, you must include the same service set definition in both the input and output statements. Any service set you include in the service statement must be configured with the interface-service statement at the [edit services service-set service-set-name] hierarchy level; for more information, see Configuring Service Sets to be Applied to Services Interfaces.
If you configure an interface with an input firewall filter that includes a reject action and with a service set that includes stateful firewall rules, the router executes the input firewall filter before the stateful firewall rules are run on the packet. As a result, when the Packet Forwarding Engine sends an Internet Control Message Protocol (ICMP) error message out through the interface, the stateful firewall rules might drop the packet because it was not seen in the input direction.
Possible workarounds are to include a forwarding-table filter to perform the reject action, because this type of filter is executed after the stateful firewall in the input direction, or to include an output service filter to prevent the locally generated ICMP packets from going to the stateful firewall service.
Configuring Service Filters
You can optionally include filters associated with each service set to refine the target and additionally process the traffic. If you include the service-set statement without a service-filter definition, the router software assumes that the match condition is true and selects the service set for processing automatically. To configure service filters, include the firewall statement at the [edit] hierarchy level:
firewall {
    family inet {
        service-filter filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
}
You must specify inet as the address family to configure a service filter.
You configure service filters in a similar way to firewall filters. Service filters have the same match conditions as firewall filters, but the following specific actions:
count—Add the packet to a counter total.
log—Log the packet.
port-mirror—Port-mirror the packet.
sample—Sample the packet.
service—Forward the packet for service processing.
skip—Omit the packet from service processing.
For more information about configuring firewall filters, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
You can also include more than one service set definition on each side of the interface. If you include multiple service sets, the router software evaluates them in the order specified in the configuration. It executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions.
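The following configuration is an added example and is not taken from the Junos OS documentation; it ties together the pieces described above: a service set with a bidirectional stateful firewall rule, a service filter that sends only TCP port 80 and 443 traffic to that service set and skips everything else, and the same service set applied on both the input and output sides of the interface, as the bidirectional rule requires. The names ss-web-fw, allow-web, sf-web-only and web-serviced, the service interface ms-1/0/0 and the interface ge-0/0/1 are assumptions chosen for the example.

```junos
/* Service set with a bidirectional stateful firewall rule (names assumed) */
services {
    stateful-firewall {
        rule allow-web {
            match-direction input-output;
            term web {
                from { applications [ junos-http junos-https ]; }
                then accept;
            }
        }
    }
    service-set ss-web-fw {
        stateful-firewall-rules allow-web;
        interface-service { service-interface ms-1/0/0; }
    }
}
/* Service filter: only TCP to 80/443 is forwarded for service processing;
   everything else is skipped and never reaches the stateful firewall */
firewall {
    family inet {
        service-filter sf-web-only {
            term to-service {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    count web-serviced;
                    service;
                }
            }
            term bypass {
                then skip;
            }
        }
    }
}
/* The rule is bidirectional, so the same service set goes on both sides */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                service {
                    input { service-set ss-web-fw service-filter sf-web-only; }
                    output { service-set ss-web-fw service-filter sf-web-only; }
                }
            }
        }
    }
}
```

If a second service-set statement were added under input, it would be consulted only for packets that sf-web-only does not match, because the first service set whose filter matches is the one executed.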
An additional statement allows you to specify a filter for processing the traffic after the input service set is executed. To configure this type of filter, include the post-service-filter statement at the [edit interfaces interface-name unit logical-unit-number family inet service input] hierarchy level:
post-service-filter filter-name;
The software performs post-service filtering only when it has selected and executed a service set. If the traffic does not meet the match criteria for any of the configured service sets, the post-service filter is ignored. The post-service-filter statement is not supported when the service interface is on an MS-MIC or MS-MPC.
For an example of applying a service set to an interface, see Examples: Configuring Services Interfaces.
For more information on applying filters to interfaces, see the Junos OS Network Interfaces Library for Routing Devices. For general information on filters, see the Routing Policies, Firewall Filters, and Traffic Policers User Guide.
After NAT processing is applied to packets, they are not subject to output service filters. The service filters affect only untranslated traffic.