Mailing List Archive

How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series? [ In reply to ]
Hey,

I'm not sure I can parse what you are asking. I thought you were asking
how far into the packet you can match with flexible-match-mask, which I
can commit up to a 255-byte offset, but didn't test. I know the original
Trio gets about 320B of the packet in the LU, but newer Trios get a
little bit less.

Whenever MQ sends a packet to LU for lookup, if it is able to send the
entire packet, it sets the parcel type M2L_Packet, if it cannot send
the entire packet, it sends first N bytes and sets the parcel type
M2L_PacketHead.
Therefore if you ping through a quiet Trio, and increase packet size
byte by byte, once you see a counter shift from M2L_Packet to
M2L_PacketHead you've found the value of N.

You can review these counters on modern Trio via 'show mqss N lo
stats', such as:
IMPC2(r33.labxtx01.us.bb-re0 vty)# show mqss 0 lo stats
LO Block  Parcel Name      Counter Name          Total        Rate
----------------------------------------------------------------------------------------------------------
0         M2L_Packet       Parcels sent to LUSS  8194632996   3479 pps
0         M2L_PacketHead   Parcels sent to LUSS  22929007899  7559 pps


But seeing you included a question about filter chaining, I'm not sure
I understood your question right.


On Fri, 9 Jul 2021 at 03:21, embolist via juniper-nsp
<juniper-nsp@puck.nether.net> wrote:
> ---------- Forwarded message ----------
> From: embolist <embolist@pm.me>
> To: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Cc:
> Bcc:
> Date: Fri, 09 Jul 2021 00:15:11 +0000
> Subject: How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series?
> I'm trying to figure out how many bits/bytes of a packet I can match on in a firewall rule for a Juniper MX router. A lot of the documentation talks about a 128-bit match criteria, but then I see some examples which seem to imply that I can do multi-term matching, chaining match criteria together.
>
> Am I understanding this correctly? If so, how many 128-bit matching criteria can I chain together? Or am I totally misunderstanding?
>
> I'm a Juniper n00b (as if you couldn't tell), and would really appreciate any pointers. The documentation just doesn't seem to contain any information on how much of a packet I can match.
>
>
> ---------- Forwarded message ----------
> From: embolist via juniper-nsp <juniper-nsp@puck.nether.net>
> To: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
> Cc:
> Bcc:
> Date: Fri, 09 Jul 2021 00:15:11 +0000
> Subject: [j-nsp] How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



--
++ytti
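The counter-watching procedure above (send probes through a quiet Trio, grow the packet size, and note when the increments move from M2L_Packet to M2L_PacketHead) is easy to script once you can read the 'show mqss N lo stats' output. The following Python is an added example, not code from the thread or from Juniper: it parses the counter rows in the layout quoted above, attributes a burst of probes to whichever counter grew, and bisects on packet size instead of stepping byte by byte. The snapshots are constructed, the 320-byte threshold in the simulated PFE is only the figure the reply gives for original Trio, and the sending side is a stand-in; on a real box you would replace simulated_trio() with something that sends the burst and re-reads the counters.

```python
import re
from typing import Callable, Dict, Optional

# Constructed snapshots of 'show mqss 0 lo stats' in the layout quoted in the
# thread. The counter values are made up for this example; only the M2L_Packet
# total differs between the two snapshots (by exactly the 100 probes "sent").
SNAPSHOT_BEFORE = """\
LO Block  Parcel Name      Counter Name          Total        Rate
------------------------------------------------------------------------
0         M2L_Packet       Parcels sent to LUSS  8194632996   3479 pps
0         M2L_PacketHead   Parcels sent to LUSS  22929007899  7559 pps
"""

SNAPSHOT_AFTER = """\
LO Block  Parcel Name      Counter Name          Total        Rate
------------------------------------------------------------------------
0         M2L_Packet       Parcels sent to LUSS  8194633096   3479 pps
0         M2L_PacketHead   Parcels sent to LUSS  22929007899  7559 pps
"""

# One counter row: block number, parcel name, counter name, total (rate ignored).
ROW_RE = re.compile(r"^\s*(\d+)\s+(M2L_\w+)\s+Parcels sent to LUSS\s+(\d+)")


def parse_lo_stats(text: str) -> Dict[str, int]:
    """Return {parcel_name: total} for every 'Parcels sent to LUSS' row."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            totals[m.group(2)] = int(m.group(3))
    return totals


def classify_probe(before: Dict[str, int], after: Dict[str, int],
                   probe_count: int, min_fraction: float = 0.9) -> Optional[str]:
    """Which parcel type absorbed a burst of probe_count packets?

    Returns 'M2L_Packet' or 'M2L_PacketHead' when exactly one of those counters
    grew by (at least most of) the burst, and None when neither or both did,
    i.e. the box was not quiet enough to attribute the change.
    """
    grew = [name for name in ("M2L_Packet", "M2L_PacketHead")
            if after.get(name, 0) - before.get(name, 0) >= probe_count * min_fraction]
    return grew[0] if len(grew) == 1 else None


def find_head_threshold(probe: Callable[[int], Optional[str]],
                        lo: int = 64, hi: int = 1500) -> int:
    """Largest packet size still delivered to the LU as a whole M2L_Packet.

    probe(size) must send a burst of size-byte packets and return the parcel
    type classify_probe attributes them to. Rather than stepping byte by byte
    as the thread suggests, this bisects between a size known to fit (lo) and
    one known not to (hi); the result N satisfies probe(N) == 'M2L_Packet'
    and probe(N + 1) == 'M2L_PacketHead'.
    """
    if probe(lo) != "M2L_Packet" or probe(hi) != "M2L_PacketHead":
        raise ValueError("search bounds do not bracket the threshold")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        seen = probe(mid)
        if seen is None:
            raise RuntimeError(f"ambiguous counters at {mid} bytes; box not quiet")
        if seen == "M2L_Packet":
            lo = mid
        else:
            hi = mid
    return lo


def simulated_trio(n_full: int = 320, burst: int = 100) -> Callable[[int], Optional[str]]:
    """Stand-in for a real PFE: pretends to send `burst` probes of a given size
    and re-read the counters. The 320-byte default is the figure the thread
    gives for original Trio and is an assumption of this example."""
    before = parse_lo_stats(SNAPSHOT_BEFORE)

    def probe(size: int) -> Optional[str]:
        after = dict(before)
        after["M2L_Packet" if size <= n_full else "M2L_PacketHead"] += burst
        return classify_probe(before, after, burst)

    return probe


if __name__ == "__main__":
    print(classify_probe(parse_lo_stats(SNAPSHOT_BEFORE),
                         parse_lo_stats(SNAPSHOT_AFTER), 100))
    print(find_head_threshold(simulated_trio()))
```

classify_probe() deliberately returns None when both counters move or neither does, and find_head_threshold() stops on that rather than guessing: background traffic on a non-quiet PFE would otherwise be attributed to the probe burst and shift the answer.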
Re: How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series? [ In reply to ]
On Fri, 9 Jul 2021 at 13:24, embolist <embolist@pm.me> wrote:

> So, I can match a bit pattern within the first 256 bytes from the start of the IP header, is that correct?
> How many bits can I match within that first 256 bytes?

You can set the match-start from L3, L4 or payload and take 256 bytes
offset from that. The documents say 128 bits.
<bit-length> Length of integer input (1..32 bits), Optional
length of string input (1..128 bits)
https://kb.juniper.net/InfoCenter/index?page=content&id=KB34222&cat=MX_SERIES&actp=LIST

What have you done thus far? This seems eminently testable.


--
++ytti
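To make the limits quoted above concrete (match-start at L3, L4 or payload; a byte offset of up to 255 from that point; 1..32 bits for an integer input or 1..128 bits for a string input), here is an added Python model of how one flexible-match-mask term reads a packet. It is illustrative code written for this page, not Junos or Juniper code. Assumptions: the field names mirror the Junos knobs and the match-start labels layer-3, layer-4 and payload; the term matches when the masked field equals the masked prefix; the packet is handed over without its link-layer header; and the 'string' flag that selects the 128-bit limit is a modelling convenience, not a Junos knob. The sample IPv4/UDP packet is constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Limits quoted in the thread: byte-offset commits up to 255, an integer input
# may be 1..32 bits and a string input 1..128 bits.
MAX_BYTE_OFFSET = 255
MAX_BITS_INTEGER = 32
MAX_BITS_STRING = 128
MATCH_STARTS = ("layer-3", "layer-4", "payload")


@dataclass(frozen=True)
class FlexibleMatchMask:
    """One flexible-match-mask term. Field names mirror the Junos knobs; the
    'string' flag (a modelling assumption) selects the 128-bit string limit
    instead of the 32-bit integer limit."""
    match_start: str
    byte_offset: int
    bit_offset: int
    bit_length: int
    mask_in_hex: int
    prefix: int
    string: bool = False

    def __post_init__(self) -> None:
        if self.match_start not in MATCH_STARTS:
            raise ValueError(f"match-start must be one of {MATCH_STARTS}")
        if not 0 <= self.byte_offset <= MAX_BYTE_OFFSET:
            raise ValueError(f"byte-offset must be 0..{MAX_BYTE_OFFSET}")
        if not 0 <= self.bit_offset <= 7:
            raise ValueError("bit-offset must be 0..7")
        limit = MAX_BITS_STRING if self.string else MAX_BITS_INTEGER
        if not 1 <= self.bit_length <= limit:
            raise ValueError(f"bit-length must be 1..{limit}")


def start_offsets(pkt: bytes) -> Dict[str, int]:
    """Absolute byte offsets of the three match-start anchors for an IPv4
    packet given without its link-layer header (assumption of the model)."""
    l4 = (pkt[0] & 0x0F) * 4                # IHL in 32-bit words
    proto = pkt[9]
    if proto == 6:                          # TCP: data offset in the header
        payload = l4 + (pkt[l4 + 12] >> 4) * 4
    elif proto == 17:                       # UDP: fixed 8-byte header
        payload = l4 + 8
    else:                                   # unknown L4: no header to skip
        payload = l4
    return {"layer-3": 0, "layer-4": l4, "payload": payload}


def extract_bits(pkt: bytes, start: int, byte_offset: int,
                 bit_offset: int, bit_length: int) -> Optional[int]:
    """Read bit_length bits, MSB first, starting bit_offset bits into byte
    start+byte_offset. Returns None if the field runs past the bytes
    available, which a filter has to treat as a non-match."""
    first_bit = (start + byte_offset) * 8 + bit_offset
    first_byte, last_byte = first_bit // 8, (first_bit + bit_length - 1) // 8
    if last_byte >= len(pkt):
        return None
    chunk = int.from_bytes(pkt[first_byte:last_byte + 1], "big")
    shift = (last_byte - first_byte + 1) * 8 - (first_bit % 8) - bit_length
    return (chunk >> shift) & ((1 << bit_length) - 1)


def matches(rule: FlexibleMatchMask, pkt: bytes) -> bool:
    """Term matches when the masked field equals the masked prefix
    (the comparison semantics assumed by this model)."""
    value = extract_bits(pkt, start_offsets(pkt)[rule.match_start],
                         rule.byte_offset, rule.bit_offset, rule.bit_length)
    if value is None:
        return False
    return (value & rule.mask_in_hex) == (rule.prefix & rule.mask_in_hex)


def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int,
                   payload: bytes, df: bool = True) -> bytes:
    """Constructed IPv4/UDP packet for the example (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234,
                     0x4000 if df else 0, 64, 17, 0, src, dst)
    return ip + udp


# Constructed sample: 192.0.2.1:40000 -> 198.51.100.7:53, DF set, payload is a
# 4-byte magic plus ten zero bytes (42 bytes from the start of the IP header).
SAMPLE = build_ipv4_udp(bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]),
                        40000, 53, b"\xde\xad\xbe\xef" + b"\x00" * 10)

RULE_DPORT = FlexibleMatchMask("layer-4", 2, 0, 16, 0xFFFF, 53)        # UDP dst port
RULE_DF_BIT = FlexibleMatchMask("layer-3", 6, 1, 1, 0x1, 1)            # IP DF flag
RULE_MAGIC = FlexibleMatchMask("payload", 0, 0, 32, 0xFFFFFFFF, 0xDEADBEEF)
RULE_NIBBLE = FlexibleMatchMask("payload", 0, 0, 8, 0xF0, 0xD0)        # masked match
RULE_TOO_DEEP = FlexibleMatchMask("payload", 200, 0, 8, 0xFF, 0x00)    # past packet end

if __name__ == "__main__":
    for name, rule in (("dport", RULE_DPORT), ("df", RULE_DF_BIT),
                       ("magic", RULE_MAGIC), ("nibble", RULE_NIBBLE),
                       ("too-deep", RULE_TOO_DEEP)):
        print(name, matches(rule, SAMPLE))
```

Two things the model makes visible that the one-line documentation quote does not: a single term only ever sees one window of at most 32 (or 128) bits at one offset, so matching more of the packet means more terms, and a window that reaches past the bytes the filter actually has is a non-match rather than an error, so a term aimed deep into the payload silently never fires on short packets.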