Avoiding Conflicts When Terms Match
A fast update filter can contain multiple terms, each with a variety of match conditions. However, when you configure multiple terms in a filter, you must ensure that the terms do not overlap, or conflict with each other. Two terms are considered to overlap when it is possible for a packet to match all conditions of both terms. Because each term specifies a different action for matches, the router cannot determine which action to take. When terms overlap, a conflict error occurs and the session fails when the dynamic profile attempts to apply the filter. The error log indicates the overlapping terms.
How the Router Evaluates Terms in a Filter
The router creates a table of match conditions when examining
terms. The table, which is similar to a routing table, is based on
the conditions included in the match-order statement. When
the router receives a packet, the router examines the packet’s
contents in the sequence specified in the match-order statement.
For example, using the sample configuration in the following
Match-Order Example, the router first examines the packet’s source-address, then the destination-address, and
finally the destination-port. As shown in the following
table, the two terms in the filter do not overlap because each term
has a different destination-port specification. The router
then takes the appropriate filter action for the term that matches
the destination-port value of the packet.
Term |
source-address |
destination-address |
destination-port |
Action |
|---|---|---|---|---|
t55 |
subscriber’s address |
203.0.113.2/32 |
http |
count t55_cntr accept |
t999 |
subscriber’s address |
203.0.113.2/32 |
https |
count t999_cntr accept |
Match-Order Example
firewall {
family inet {
fast-update-filter psf1 {
interface-specific;
match-order [ source-address destination-address destination-port ];
term t55 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port http;
}
then {
count t55_cntr;
accept;
}
}
term t999 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port https;
}
then {
count t999_cntr;
accept;
}
}
}
}
}
Using Implied Wildcards
This section shows an example of how you might use an implied
wildcard specification in the match configuration. A condition in
the match-order statement is an implied wildcard when that
condition is not configured in the from specification of
a term in the filter.
When you use ranges (for example, a range of values or a wildcard)
in terms, the ranges must not overlap—overlapping ranges create
a conflict error. However, you can configure a range in one term and
an exact match in another term. For example, in the following filter
table, the wildcard destination port value in term t3 does
not overlap the destination port specifications in terms t55 and t999 because the http and https values are exact matches.
In the Implied Wildcard Example configuration, the router views
the destination-port condition in the match-order statement as an implied wildcard for term t3, because
there is no destination-port value configured in that term.
As a result, the wildcard specifies that for term t3 any destination-port value is accepted. The filter table appears
as follows:
Term |
source-address |
destination-address |
destination-port |
Action |
|---|---|---|---|---|
t3 |
subscriber’s address |
203.0.113.2/32 |
any (wildcard) |
count t3_cntr accept |
t55 |
subscriber’s address |
203.0.113.2/32 |
http |
count t55_cntr accept |
t999 |
subscriber’s address |
203.0.113.2/32 |
https |
count t999_cntr accept |
In the following filter configuration, traffic with a destination
port of http matches term t55 and traffic with
a destination port of https matches term t999. Traffic with a destination port other than http or https matches term t3, which is the implied wildcard.
Implied Wildcard Example
firewall {
family inet {
fast-update-filter psf1 {
interface-specific;
match-order [ source-address destination-address dscp protocol destination-port ];
term t3 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
}
then {
count t3_cntr;
accept;
}
}
term t55 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port http;
}
then {
count t55_cntr;
accept;
}
}
term t999 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port https;
}
then {
count t999_cntr;
accept;
}
}
}
}
}
Conflict Caused by Overlapping Ranges
This section shows two examples of overlapping ranges in terms. When you use ranges (such as a wildcard or a range of values) in terms, the ranges must not overlap—overlapping ranges create a conflict error and the session fails.
In the following filter configuration, the destination-port ranges in the two terms overlap. Ports in the range from 50 through
80 match both term src0 and term src1, which
each specify different actions to take.
You can configure a range in one term and an exact match in another term. See the section, Using Implied Wildcards, for an example that uses a wildcard for a match condition in one term and an exact match for the condition in a second term.
Term |
source-address |
destination-address |
destination-port |
Action |
|---|---|---|---|---|
src0 |
subscriber’s address |
203.0.113.2/32 |
0–80 |
count c1_cntr accept |
src1 |
subscriber’s address |
203.0.113.2/32 |
50–100 |
count c2_cntr accept |
Overlapping Ranges Example 1
firewall {
family inet {
fast-update-filter fuf–src {
interface-specific;
match-order [ source-address destination-address destination-port ];
term src0 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port 0–80;
}
then {
count c1_cntr;
accept;
}
}
term src1 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port 50–100;
}
then {
count c2_cntr;
accept;
}
}
}
In this filter configuration, the protocol specification
in terms src21 and src22 use the implied wildcard,
which configures a range for each term. Because overlapping ranges
are not allowed, a conflict error results.
Term |
source-address |
destination-address |
protocol |
destination-port |
Action |
|---|---|---|---|---|---|
src20 |
subscriber’s address |
203.0.113.2/32 |
udp |
any (wildcard) |
count c20_cntr accept |
src21 |
subscriber’s address |
203.0.113.2/32 |
any (wildcard) |
http |
count c21_cntr accept |
src21 |
subscriber’s address |
203.0.113.2/32 |
any (wildcard) |
https |
count c22_cntr accept |
Overlapping Ranges Example 2
firewall {
family inet {
fast-update-filter fuf–src2 {
interface-specific;
match-order [ source-address destination-address protocol destination-port ];
term src20 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
protocol udp;
}
then {
count c20_cntr;
accept;
}
}
term src21 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port http;
}
then {
count c21_cntr;
accept;
}
}
term src22 {
from {
source-address $junos-subscriber-ip-address;
destination-address 203.0.113.2/32;
destination-port https;
}
then {
count c22_cntr;
accept;
}
}
}