Firewall Filter Terminating Actions
Firewall filters support a set of terminating actions for each protocol family. A filter-terminating action halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are examined.
You cannot configure the next term action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term.
On Junos OS and Junos OS Evolved, next term cannot be the action of the last term in a filter. A filter term that specifies next term as an action but has no match conditions configured is not supported.
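The term-level rules above (no next term alongside a terminating action, no next term on the last term, no next term without match conditions) and the QFX5120 discard/port-mirror caveat at the end of this topic can be checked before a commit. The following lint is an added example and is not Juniper code: it parses Junos set commands from a constructed sample configuration, so the TERMINATING keyword set and the sample filters edge-in and bad are assumptions made for the example, and the page's table remains the authoritative list of terminating actions. It also flags terms that can never be reached because an earlier term has no match conditions and a terminating action, which follows from the statement that a terminating action stops evaluation of further terms.

```python
"""Lint Junos firewall filter terms against the term-level rules on this page.

Added example, not Juniper code. It parses a constructed list of Junos
'set' commands and reports:
  1. 'next term' combined with a terminating action in the same term,
  2. 'next term' as the action of the last term in a filter,
  3. 'next term' in a term that has no match conditions,
  4. terms that are unreachable because an earlier term has no match
     conditions and a terminating action (evaluation stops there),
  5. 'discard' sharing a term with 'port-mirror' (the QFX5120 BFD caveat).
"""
import re
from collections import OrderedDict

# Assumption for the example: first keyword of each terminating action in a
# 'then' clause. The table in this topic is the authoritative list.
TERMINATING = {"accept", "discard", "reject", "routing-instance",
               "logical-system", "topology", "decapsulate", "encapsulate"}

# set firewall family <fam> filter <name> term <name> (from|then) <rest>
SET_RE = re.compile(
    r"^set firewall family \S+ filter (?P<filter>\S+) term (?P<term>\S+) "
    r"(?P<clause>from|then)(?: (?P<rest>.*))?$"
)

def parse_filters(commands):
    """Group 'set' lines into {filter: OrderedDict(term -> {'from': [], 'then': []})}.
    Terms are kept in first-seen order, which is their evaluation order when
    the commands are entered in this sequence."""
    filters = {}
    for line in commands:
        m = SET_RE.match(line.strip())
        if m is None:
            continue  # not a filter term statement
        terms = filters.setdefault(m["filter"], OrderedDict())
        term = terms.setdefault(m["term"], {"from": [], "then": []})
        term[m["clause"]].append(m["rest"] or "")
    return filters

def lint_filter(name, terms):
    """Return a list of finding strings for one filter."""
    findings = []
    shadowed_by = None  # name of a term that already matches every packet
    last = len(terms) - 1
    for i, (tname, t) in enumerate(terms.items()):
        actions = [a for a in t["then"] if a]
        keywords = {a.split()[0] for a in actions}
        has_next = "next term" in actions
        terminating = sorted(keywords & TERMINATING)
        if has_next and terminating:
            findings.append(f"{name}/{tname}: 'next term' combined with terminating action {terminating}")
        if has_next and i == last:
            findings.append(f"{name}/{tname}: 'next term' on the last term of the filter")
        if has_next and not t["from"]:
            findings.append(f"{name}/{tname}: 'next term' without any match conditions")
        if "discard" in keywords and "port-mirror" in keywords:
            findings.append(f"{name}/{tname}: discard and port-mirror in one term (QFX5120 BFD caveat)")
        if shadowed_by is not None:
            findings.append(f"{name}/{tname}: unreachable, term {shadowed_by} matches everything and terminates")
        if shadowed_by is None and not t["from"] and terminating and not has_next:
            shadowed_by = tname  # every later term is dead
    return findings

def lint_all(commands):
    """Lint every filter found in the command list; returns {filter: [findings]}."""
    return {name: lint_filter(name, terms) for name, terms in parse_filters(commands).items()}

# Constructed sample configuration for the example (not taken from the page).
# 'edge-in' follows the rules; 'bad' violates each of them once.
SAMPLE = """
set firewall family inet filter edge-in term classify from protocol tcp
set firewall family inet filter edge-in term classify then count tcp-seen
set firewall family inet filter edge-in term classify then next term
set firewall family inet filter edge-in term deny-telnet from protocol tcp
set firewall family inet filter edge-in term deny-telnet from destination-port 23
set firewall family inet filter edge-in term deny-telnet then log
set firewall family inet filter edge-in term deny-telnet then discard
set firewall family inet filter edge-in term allow-rest then accept
set firewall family inet filter bad term t1 from protocol udp
set firewall family inet filter bad term t1 then next term
set firewall family inet filter bad term t1 then accept
set firewall family inet filter bad term t2 then next term
set firewall family inet filter bad term t3 then port-mirror
set firewall family inet filter bad term t3 then discard
set firewall family inet filter bad term t4 from protocol tcp
set firewall family inet filter bad term t4 then next term
""".strip().splitlines()

if __name__ == "__main__":
    for fname, found in lint_all(SAMPLE).items():
        print(fname, "->", found or ["ok"])
```

The classify term in edge-in shows the permitted combination: next term together with the nonterminating count action. Running the lint on the sample reports nothing for edge-in and five findings for bad.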
For MX Series routers with MPCs, you need to initialize the filter counter for Trio-only match filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensures that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the terminating actions you can specify in a firewall filter term.
| Terminating Action | Description | Protocols |
|---|---|---|
| accept | Accept the packet. | |
| decapsulate gre | At a customer-facing interface on an MX Series router installed at the provider edge (PE) of an IPv4 transport network, enable de-encapsulation of generic routing encapsulation (GRE) packets transported through a filter-based GRE tunnel. You can configure a filter term that pairs this action with a match condition that includes a packet header match for the GRE protocol. For an IPv4 filter, include the When the interface receives a matched packet, processes that run on the Packet Forwarding Engine perform the following operations: By default, the Packet Forwarding Engine uses the default routing instance to forward payload packets to the destination network. If the payload is MPLS, the Packet Forwarding Engine performs route lookup on the MPLS path routing table using the route label in the MPLS header. If you specify the decapsulate action with an optional routing instance name, the Packet Forwarding Engine performs route lookup on the routing instance, and the instance must be configured. Note: On MX960 routers, the For more information, see Understanding Filter-Based Tunneling Across IPv4 Networks and Components of Filter-Based Tunneling Across IPv4 Networks. | |
| decapsulate l2tp | At a customer-facing interface on an MX Series router installed at the provider edge (PE) of an IPv4 transport network, enable de-encapsulation of Layer 2 tunneling protocol (L2TP) packets transported through a filter-based L2TP tunnel. You can configure a filter term that pairs this action with a match condition that includes a packet header match for the L2TP protocol. For IPv4 traffic, an input firewall filter The remote tunnel endpoint sends an IP tunnel packet that contains an Ethernet MAC address in the payload. If the destination MAC address of the payload packet contains the MAC address of the router, the Ethernet packet is sent in the outgoing direction towards the network, and it is processed and forwarded as though it is received on the customer port. If the source MAC address of the payload packet contains the MAC address of the router, the Ethernet packet is transmitted in the outgoing direction towards the customer port. If the tunnel does not contain the receive-cookie configured, packet injection does not happen. In such a case, any received tunnel packet is counted and dropped in the same manner in which packets that arrive with a wrong cookie are counted and dropped. The following parameters can be specified with the Note: The | |
| discard | Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling. | |
| | At a customer-facing interface on an MX Series router installed at the provider edge (PE) of an IPv4 transport network, enable filter-based generic routing encapsulation (GRE) tunneling using the specified tunnel template. You can configure a filter term that pairs this action with the appropriate match conditions, and then attach the filter to the input of an Ethernet logical interface or aggregated Ethernet interface on a Modular Interface Card (MIC) or Modular Port Concentrator (MPC) in the router. If you commit a configuration that attaches an encapsulating filter to an interface that does not support filter-based GRE tunneling, the system writes a syslog warning message that the interface does not support the filter. When the interface receives a matched packet, processes that run on the Packet Forwarding Engine use information in the specified tunnel template to perform the following operations: The specified tunnel template must be configured using the | |
| | At a customer-facing interface on an MX Series router installed at the provider edge (PE) of an IPv4 transport network, enable filter-based L2TP tunneling using the specified tunnel template. You can configure a filter term that pairs this action with the appropriate match conditions, and then attach the filter to the input of an Ethernet logical interface or aggregated Ethernet interface on a Modular Interface Card (MIC) or Modular Port Concentrator (MPC) in the router. If you commit a configuration that attaches an encapsulating filter to an interface that does not support filter-based GRE tunneling, the system writes a syslog warning message that the interface does not support the filter. When the interface receives a matched packet, processes that run on the Packet Forwarding Engine use information in the specified tunnel template to perform the following operations: | |
| | Exclude the packet from being included in accurate accounting statistics for tunneled subscribers on an L2TP LAC. Typically used in filters that match DHCPv6 or ICMPv6 control traffic. Failure to exclude these packets results in the idle-timeout detection mechanism considering these packets as data traffic, causing the timeout to never expire. (The idle timeout is configured with the The term excludes packets from being included in counts for both family accurate accounting and service accurate accounting. The packets are still included in the session interface statistics. The term is available for both | |
| | Direct the packet to the specified logical system. Note: This action is not supported on PTX Series Packet Transport Routers. | |
| reject | Reject the packet and return an ICMPv4 or ICMPv6 message: Note: Rejected packets can be sampled or logged if you configure the The On PTX1000 routers, the reject action is supported on ingress interfaces only. | |
| | Direct the packet to the specified routing instance. | |
| | Direct the packet to the specified topology. Note: This action is not supported on PTX Series Packet Transport Routers. Each routing instance (primary or virtual-router) supports one default topology to which all forwarding classes are forwarded. For multitopology routing, you can configure a firewall filter on the ingress interface to match a specific forwarding class, such as expedited forwarding, with a specific topology. The traffic that matches the specified forwarding class is then added to the routing table for that topology. | |
On QFX5120-48Y and QFX5120-32C switch models, configure the discard action explicitly to bring down a BFD session. However, note that if there is a port-mirror action configured before the discard action, then the BFD session will not be brought down.