configuration groups and firewall filter term order
Hi,

I have a question regarding configuration groups and firewall filter
term order in JUNOS.
Assume I have a set of "common" output filter terms and some interface
specific terms. The common terms should be tested against first.
I would like to use the configuration groups to define the common part.

The sample configuration looks like:

[edit]
groups {
    common {
        firewall {
            family inet {
                filter <*> {
                    term 1 {
                        from {
                            source-address {
                                10.0.0.0/8 except;
                            }
                        }
                        then discard;
                    }
                }
            }
        }
    }
}

[edit firewall family inet]
filter interface-1 {
    apply-groups common;
    term 100 {
        from {
            destination-port telnet;
        }
        then discard;
    }
    term 200 {
        then accept;
    }
}
filter interface-2 {
    apply-groups common;
    term 100 {
        then accept;
    }
}

The result is not what I wanted to achieve (the common part is appended
at the end):

[edit firewall family inet]
patrick@JNPR-1# show filter interface-1 | display inheritance | except #
term 100 {
    from {
        destination-port telnet;
    }
    then discard;
}
term 200 {
    then accept;
}
term 1 {
    from {
        source-address {
            10.0.0.0/8 except;
        }
    }
    then discard;
}

Is there any way in JUNOS that I can force the order of the terms
inherited from the apply-groups statement?

The config I had in mind was:

[edit firewall family inet]
patrick@JNPR-1# show filter interface-1 | display inheritance | except #
### How I wanted the config to look ###
term 1 {
    from {
        source-address {
            10.0.0.0/8 except;
        }
    }
    then discard;
}
term 100 {
    from {
        destination-port telnet;
    }
    then discard;
}
term 200 {
    then accept;
}

Best Regards,
Patrick.
Re: configuration groups and firewall filter term order
Patrick Colman writes:
>Is there any way in JUNOS that I can force the order of the terms
>inherited from the apply-groups statement?

Nope. The order is fixed. We traverse the foreground config then
the (non-wildcard) matches from each applied group, in the order
listed from inner-most 'apply-groups' statement to outer-most.

apply-groups [ nine ten ];
firewall {
    apply-groups [ seven eight ];
    family inet {
        apply-groups [ five six ];
        filter foo {
            apply-groups [ three four ];
            term goo {
                apply-groups [ one two ];
                from {
                    source-address {
                        10.0.0.0/8 except;
                    }
                }
            }
        }
    }
}

The order here would be foreground (10/8 exact), then the groups
one two three ... ten. Any wildcards are matched against all
applied groups.
So the only way I can see to achieve your goal is to put
your current foreground config in a group and apply it
after your common group:

groups {
    common {
        firewall {
            family inet {
                filter <*> {
                    term 1 {
                        from {
                            source-address {
                                10.0.0.0/8 except;
                            }
                        }
                        then discard;
                    }
                }
            }
        }
    }
    filter-interface-1 {
        firewall {
            family inet {
                filter interface-1 {
                    term 100 {
                        from {
                            destination-port telnet;
                        }
                        then discard;
                    }
                    term 200 {
                        then accept;
                    }
                }
            }
        }
    }
    filter-interface-2 {
        firewall {
            family inet {
                filter interface-2 {
                    term 100 {
                        then accept;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter interface-1 {
            apply-groups [ common filter-interface-1 ];
        }
        filter interface-2 {
            apply-groups [ common filter-interface-2 ];
        }
    }
}

Your 'then accept' could also be a distinct group which is applied
last (perhaps just at the [firewall] level).

Thanks,
Phil
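The traversal rule stated in the reply above (foreground terms first, then each applied group's matching terms, with the inner-most apply-groups list walked before the outer ones) can be modelled in a few lines. The following is an added illustration and is not Junos code or anything posted in the thread: it reproduces the term order Patrick observed with his original configuration and the order produced by the group-only workaround. The names GROUPS, terms_from_group, apply_groups_order and merged_terms are invented for this example, the group contents are constructed to mirror the thread's configuration, and the merge of a term name that appears more than once is simplified to "the first definition fixes its position".

```python
"""Model of the Junos apply-groups term-merge order as described in the reply.

Added illustration only (not Junos code): it models the stated rule that the
foreground config is traversed first, followed by the matching statements of
each applied group, inner-most apply-groups list first, each list in its
written order. Wildcard filter names such as <*> are treated as glob patterns.
"""
from fnmatch import fnmatchcase

# Constructed group definitions mirroring the configuration in the thread.
# group name -> {filter name or "<glob>" wildcard -> [(term name, body), ...]}
GROUPS = {
    "common": {
        "<*>": [("1", "from source-address 10.0.0.0/8 except; then discard")],
    },
    "filter-interface-1": {
        "interface-1": [
            ("100", "from destination-port telnet; then discard"),
            ("200", "then accept"),
        ],
    },
    "filter-interface-2": {
        "interface-2": [("100", "then accept")],
    },
}


def terms_from_group(group, filter_name):
    """Terms a group contributes to filter_name (exact and wildcard entries)."""
    contributed = []
    for pattern, terms in GROUPS.get(group, {}).items():
        if pattern.startswith("<") and pattern.endswith(">"):
            matched = fnmatchcase(filter_name, pattern[1:-1])  # "<*>" -> "*"
        else:
            matched = pattern == filter_name
        if matched:
            contributed.extend(terms)
    return contributed


def apply_groups_order(levels):
    """Flatten apply-groups lists, given from the outer-most hierarchy level to
    the inner-most, into traversal order: inner-most list first, each list in
    its written order."""
    order = []
    for level in reversed(levels):
        order.extend(level)
    return order


def merged_terms(filter_name, foreground, levels):
    """Foreground terms first, then inherited terms in apply_groups_order().
    A term name that was already seen keeps its position; later definitions of
    the same name are ignored (simplified model of foreground-wins merging)."""
    merged = []
    seen = set()
    for name, body in foreground:
        if name not in seen:
            merged.append((name, body))
            seen.add(name)
    for group in apply_groups_order(levels):
        for name, body in terms_from_group(group, filter_name):
            if name not in seen:
                merged.append((name, body))
                seen.add(name)
    return merged


def term_names(filter_name, foreground, levels):
    """Just the resulting term order, for comparison with 'display inheritance'."""
    return [name for name, _ in merged_terms(filter_name, foreground, levels)]


# Patrick's original: 'apply-groups common' inside a filter that already has
# foreground terms 100 and 200, so the common term lands last.
ORIGINAL = term_names(
    "interface-1",
    [("100", "from destination-port telnet; then discard"), ("200", "then accept")],
    [["common"]],
)

# Phil's workaround: no foreground terms; both groups applied in the wanted order.
WORKAROUND_1 = term_names("interface-1", [], [["common", "filter-interface-1"]])
WORKAROUND_2 = term_names("interface-2", [], [["common", "filter-interface-2"]])

if __name__ == "__main__":
    print("original:   ", ORIGINAL)       # ['100', '200', '1']
    print("workaround 1:", WORKAROUND_1)  # ['1', '100', '200']
    print("workaround 2:", WORKAROUND_2)  # ['1', '100']
```

On a real device the equivalent check is `show firewall family inet filter <name> | display inheritance`, which is what the thread uses; the model above only makes the ordering rule explicit so the workaround's effect can be predicted before committing.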
Re: configuration groups and firewall filter term order
Hello Phil, Hmm, this list seems a good place to mine for
ER's. The workaround was very nice of you to provide,
even if it is (imo) a bit noisy. Too many extra groups to
define a single entry. I for one would like to request that the
design team review the "controlling how a 'group' statement is
ordered in the apply-groups" as Mr. Colman asked. Tia, JimL

On Fri, 11 Apr 2003, Phil Shafer wrote:
> Patrick Colman writes:
> >Is there any way in JUNOS that I can force the order of the terms
> >inherited from the apply-groups statement?
> Nope. The order is fixed. We traverse the foreground config then
> the (non-wildcard) matches from each applied group, in the order
> listed from inner-most 'apply-groups' statement to outer-most.
--
+------------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network Engineer | P.O. Box 854 | Give me Linux |
| babydr@baby-dragons.com | Coudersport PA 16915 | only on AXP |
+------------------------------------------------------------------+