Configuring Forwarding Table Filters
Forwarding table filters are defined the same as other firewall filters, but you apply them differently:
Instead of applying forwarding table filters to interfaces, you apply them to forwarding tables, each of which is associated with a routing instance and a virtual private network (VPN).
Instead of applying input and output filters by default, you can apply an input forwarding table filter only.
All packets are subjected to the input forwarding table filter that applies to the forwarding table. A forwarding table filter controls which packets the router accepts and then performs a lookup for the forwarding table, thereby controlling which packets the router forwards on the interfaces.
When the router receives a packet, it determines the best route to the ultimate destination by looking in a forwarding table, which is associated with the VPN on which the packet is to be sent. The router then forwards the packet toward its destination through the appropriate interface.
For transit packets exiting the router through the tunnel, forwarding table filtering is not supported on the interfaces you configure as the output interface for tunnel traffic.
A forwarding table filter allows you to filter data packets
based on their components and to perform an action on packets that
match the filter; it essentially controls which bearer packets the
router accepts and forwards. To configure a forwarding table filter,
include the firewall statement at the [edit] hierarchy level:
[edit]
firewall {
family family-name {
filter filter-name {
term term-name {
from {
match-conditions;
}
then {
action;
action-modifiers;
}
}
}
}
}
family-name is the family address type: IPv4 (inet), IPv6 (inet6), Layer 2 traffic (bridge), or MPLS (mpls).
term-name is a named structure in which match conditions and actions are defined.
match-conditions are the criteria against which a bearer packet is compared; for example, the IP address of a source device or a destination device. You can specify multiple criteria in a match condition.
action specifies what happens if a packet matches all criteria; for example, the gateway GPRS support node (GGSN) accepting the bearer packet, performing a lookup in the forwarding table, and forwarding the packet to its destination; discarding the packet; and discarding the packet and returning a rejection message.
action-modifiers are actions that are taken in addition to the GGSN accepting or discarding a packet when all criteria match; for example, counting the packets and logging a packet.
To create a forwarding table, include the instance-type statement with the forwarding option at the [edit
routing-instances instance-name] hierarchy
level:
[edit]
routing-instances instance-name {
instance-type forwarding;
}
To apply a forwarding table filter to a VPN routing and forwarding
(VRF) table, include the filter and input statements
at the [edit routing-instance instance-name forwarding-options family family-name] hierarchy level:
[edit routing-instances instance-name]
instance-type forwarding;
forwarding-options {
family family-name {
filter {
input filter-name;
}
}
}
To apply a forwarding table filter to a forwarding table, include
the filter and input statements at the [edit forwarding-options family family-name] hierarchy level:
[edit forwarding-options family family-name]
filter {
input filter-name;
}
To apply a forwarding table filter to the default forwarding
table inet.0, which is not associated with a specific routing
instance, include the filter and input statements
at the [edit forwarding-options family inet] hierarchy
level:
[edit forwarding-options family inet]
filter {
input filter-name;
}