Avoiding Conflicts When Terms Match
A fast update filter can contain multiple terms, each with a variety of match conditions. However, when you configure multiple terms in a filter, you must ensure that the terms do not overlap, or conflict with each other. Two terms are considered to overlap when it is possible for a packet to match all conditions of both terms. Because each term specifies a different action for matches, the router cannot determine which action to take. When terms overlap, a conflict error occurs and the session fails when the dynamic profile attempts to apply the filter. The error log indicates the overlapping terms.
How the Router Evaluates Terms in a Filter
The router creates a table of match conditions when examining
terms. The table, which is similar to a routing table, is based on
the conditions included in the match-order
statement. When
the router receives a packet, the router examines the packet’s
contents in the sequence specified in the match-order
statement.
For example, using the sample configuration in the following
Match-Order Example, the router first examines the packet’s source-address
, then the destination-address
, and
finally the destination-port
. As shown in the following
table, the two terms in the filter do not overlap because each term
has a different destination-port
specification. The router
then takes the appropriate filter action for the term that matches
the destination-port
value of the packet.
Term |
source-address |
destination-address |
destination-port |
Action |
---|---|---|---|---|
t55 |
subscriber’s address |
203.0.113.2/32 |
http |
count t55_cntr accept |
t999 |
subscriber’s address |
203.0.113.2/32 |
https |
count t999_cntr accept |
Match-Order Example
firewall { family inet { fast-update-filter psf1 { interface-specific; match-order [ source-address destination-address destination-port ]; term t55 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port http; } then { count t55_cntr; accept; } } term t999 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port https; } then { count t999_cntr; accept; } } } } }
Using Implied Wildcards
This section shows an example of how you might use an implied
wildcard specification in the match configuration. A condition in
the match-order
statement is an implied wildcard when that
condition is not configured in the from
specification of
a term in the filter.
When you use ranges (for example, a range of values or a wildcard)
in terms, the ranges must not overlap—overlapping ranges create
a conflict error. However, you can configure a range in one term and
an exact match in another term. For example, in the following filter
table, the wildcard destination port value in term t3
does
not overlap the destination port specifications in terms t55
and t999
because the http
and https
values are exact matches.
In the Implied Wildcard Example configuration, the router views
the destination-port
condition in the match-order
statement as an implied wildcard for term t3
, because
there is no destination-port
value configured in that term.
As a result, the wildcard specifies that for term t3
any destination-port
value is accepted. The filter table appears
as follows:
Term |
source-address |
destination-address |
destination-port |
Action |
---|---|---|---|---|
t3 |
subscriber’s address |
203.0.113.2/32 |
any (wildcard) |
count t3_cntr accept |
t55 |
subscriber’s address |
203.0.113.2/32 |
http |
count t55_cntr accept |
t999 |
subscriber’s address |
203.0.113.2/32 |
https |
count t999_cntr accept |
In the following filter configuration, traffic with a destination
port of http
matches term t55
and traffic with
a destination port of https
matches term t999
. Traffic with a destination port other than http
or https
matches term t3
, which is the implied wildcard.
Implied Wildcard Example
firewall { family inet { fast-update-filter psf1 { interface-specific; match-order [ source-address destination-address dscp protocol destination-port ]; term t3 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; } then { count t3_cntr; accept; } } term t55 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port http; } then { count t55_cntr; accept; } } term t999 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port https; } then { count t999_cntr; accept; } } } } }
Conflict Caused by Overlapping Ranges
This section shows two examples of overlapping ranges in terms. When you use ranges (such as a wildcard or a range of values) in terms, the ranges must not overlap—overlapping ranges create a conflict error and the session fails.
In the following filter configuration, the destination-port
ranges in the two terms overlap. Ports in the range from 50 through
80 match both term src0
and term src1
, which
each specify different actions to take.
You can configure a range in one term and an exact match in another term. See the section, Using Implied Wildcards, for an example that uses a wildcard for a match condition in one term and an exact match for the condition in a second term.
Term |
source-address |
destination-address |
destination-port |
Action |
---|---|---|---|---|
src0 |
subscriber’s address |
203.0.113.2/32 |
0–80 |
count c1_cntr accept |
src1 |
subscriber’s address |
203.0.113.2/32 |
50–100 |
count c2_cntr accept |
Overlapping Ranges Example 1
firewall { family inet { fast-update-filter fuf–src { interface-specific; match-order [ source-address destination-address destination-port ]; term src0 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port 0–80; } then { count c1_cntr; accept; } } term src1 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port 50–100; } then { count c2_cntr; accept; } } }
In this filter configuration, the protocol
specification
in terms src21
and src22
use the implied wildcard,
which configures a range for each term. Because overlapping ranges
are not allowed, a conflict error results.
Term |
source-address |
destination-address |
protocol |
destination-port |
Action |
---|---|---|---|---|---|
src20 |
subscriber’s address |
203.0.113.2/32 |
udp |
any (wildcard) |
count c20_cntr accept |
src21 |
subscriber’s address |
203.0.113.2/32 |
any (wildcard) |
http |
count c21_cntr accept |
src21 |
subscriber’s address |
203.0.113.2/32 |
any (wildcard) |
https |
count c22_cntr accept |
Overlapping Ranges Example 2
firewall { family inet { fast-update-filter fuf–src2 { interface-specific; match-order [ source-address destination-address protocol destination-port ]; term src20 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; protocol udp; } then { count c20_cntr; accept; } } term src21 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port http; } then { count c21_cntr; accept; } } term src22 { from { source-address $junos-subscriber-ip-address; destination-address 203.0.113.2/32; destination-port https; } then { count c22_cntr; accept; } } }