I personally think Dale's firewall configuration is better. The config allows a packet to exit firewall filter evaluation once a match condition is met, by being subjected to a single action. Derick's FW filter forces a packet to traverse all terms regardless of a match, and the packet is subjected to at least two actions via two different terms (fwd-class + next-term AND accept). And there's no real need for the latter.
Regards, Addy.

On 6/20/10, Derick Winkworth <dwinkwo...@att.net> wrote:
> This is probably better:
>
> term BEST-EFFORT
>     then forwarding-class best-effort
>     next-term
> term DSCP-EF
>     from dscp ef
>     then forwarding-class expedited-forwarding
>     next-term
> term default-accept
>     then accept
>
> You can insert additional terms later to modify loss-priority, sampling,
> etc... after the classification portion of the filter but before the
> default-accept. I would use a rewrite rule to modify DSCP on egress, so
> that it's consistent across platforms.
>
> ________________________________
> From: Dale Shaw <dale.shaw+j-...@gmail.com>
> To: juniper-nsp@puck.nether.net
> Sent: Sun, June 20, 2010 3:59:12 AM
> Subject: [j-nsp] Setting forwarding-class in firewall filter, non-match behaviour
>
> Hi all,
>
> Re: setting the forwarding-class of a packet through a firewall filter.
>
> Many (almost all) of the examples I've looked at do not include a
> catch-all term to handle packets not matched by any explicitly-defined
> terms. At the risk of exposing myself as a J-noob...
>
> Is it safe to assume that, if the desired result is that packets NOT
> matched by explicitly-defined terms are permitted, a catch-all term
> must be configured with an 'accept' (or some other non-terminating)
> action?
>
> Using this input filter example:
> (stolen from
> http://www.juniper.net/techpubs/en_US/junos10.2/topics/usage-guidelines/policy-configuring-actions-in-firewall-filter-terms.html)
>
> firewall {
>     filter filter1 {
>         term 1 {
>             from {
>                 dscp 2;
>             }
>             then {
>                 dscp 0;
>                 forwarding-class best-effort;
>             }
>         }
>         term 2 {
>             from {
>                 dscp 3;
>             }
>             then {
>                 forwarding-class best-effort;
>             }
>         }
>     }
> }
>
> I read this as:
>
> - if the packet is marked DSCP 2, set DSCP to 0 and place in
>   'best-effort' forwarding class and accept the packet.
> - if the packet is marked DSCP 3, place in 'best-effort' forwarding
>   class and accept the packet.
> - discard all other packets
>
> Am I missing something?
>
> I think what I really want, to avoid dropping traffic, is something like:
>
> firewall {
>     filter FILTER1 {
>         term TERM1 {
>             from {
>                 dscp ef;
>             }
>             then forwarding-class expedited-forwarding;
>         }
>         term DEFAULT {
>             then forwarding-class best-effort;
>             accept;
>         }
>     }
> }
>
> ...then rewrite DSCP bits on egress based on the forwarding-class, or
> do it all within the firewall filter (depending on platform).
>
> (I know I don't strictly need the 'accept;' command in the DEFAULT
> term, but for the sake of clarity, I think it's a good option)
>
> Cheers,
> Dale
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

-- 
Sent from my mobile device
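To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from Juniper): a small Python model of Junos stateless firewall-filter term evaluation, run over Dale's filter, Derick's filter and the filter1 example from the Juniper docs. It assumes the semantics the thread relies on: terms are evaluated in order, the first term whose 'from' conditions match applies its 'then' actions, a matching term with no terminating action implicitly accepts, 'next-term' continues evaluation, and a packet that matches no term is discarded at the end of the filter.

```python
# Added example, not from the thread: a tiny model of Junos stateless
# firewall-filter evaluation, used to compare the filters discussed above.
# Assumed semantics: terms evaluated in order; first matching term applies
# its actions; a match with no terminating action implicitly accepts;
# 'next-term' continues with the following term; no match at all means
# an implicit discard at the end of the filter.

def evaluate(terms, packet):
    """Run packet through terms; return (verdict, packet, terms_matched)."""
    pkt = dict(packet)
    matched = 0
    for _name, match, actions in terms:
        if not all(pkt.get(k) == v for k, v in match.items()):
            continue                      # 'from' did not match: next term
        matched += 1
        verdict, go_on = "accept", False  # implicit accept on a match
        for action in actions:
            word, _, arg = action.partition(" ")
            if word == "forwarding-class":
                pkt["forwarding-class"] = arg
            elif word == "dscp":
                pkt["dscp"] = arg         # DSCP rewrite inside the filter
            elif word in ("accept", "discard"):
                verdict = word
            elif word == "next-term":
                go_on = True              # overrides the implicit accept
        if not go_on:
            return verdict, pkt, matched
    return "discard", pkt, matched        # fell off the end: implicit discard

# The three filters from the thread; an empty 'from' dict matches every packet.
DALE = [("TERM1", {"dscp": "ef"}, ["forwarding-class expedited-forwarding"]),
        ("DEFAULT", {}, ["forwarding-class best-effort", "accept"])]
DERICK = [("BEST-EFFORT", {}, ["forwarding-class best-effort", "next-term"]),
          ("DSCP-EF", {"dscp": "ef"}, ["forwarding-class expedited-forwarding", "next-term"]),
          ("default-accept", {}, ["accept"])]
DOC_FILTER1 = [("1", {"dscp": "2"}, ["dscp 0", "forwarding-class best-effort"]),
               ("2", {"dscp": "3"}, ["forwarding-class best-effort"])]

if __name__ == "__main__":
    for label, flt in (("Dale", DALE), ("Derick", DERICK), ("filter1", DOC_FILTER1)):
        for dscp in ("ef", "2", "af11"):  # constructed sample packets
            verdict, pkt, n = evaluate(flt, {"dscp": dscp})
            print(f"{label:8} dscp={dscp:4} -> {verdict:7} "
                  f"fc={pkt.get('forwarding-class')} terms_matched={n}")
```

The terms_matched count shows Addy's point: an EF packet leaves Dale's filter after one term, but matches all three of Derick's before it is accepted, while filter1 discards anything that is not DSCP 2 or 3.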