On (2011-08-18 21:23 -0400), Stefan Fouant wrote:

> Trio has nothing to do with this - the behavior when matching on a
> port is completely different than using the bit-field match
> operators. Even without Trio, if you specify a match on a port
> without protocol, it will look in the appropriate locations
> depending on whether the traffic is TCP or UDP. That is not the
> case with bit-field match operators.
>
> See
> http://www.juniper.net/techpubs/en_US/junos10.0/information-products/topic-collections/config-guide-policy/policy-firewall-filter-how-to-specify-match-conditions.html#jd0e29000

Thanks for clearing that up. However, if 'port' assumes implied udp/tcp (instead of just finding port values in predefined offset, regardless of protocol), why doesn't 'tcp-established' assume implied tcp? Is there any useful application behind this inconsistency?

Also, do you have access internally to information which you are able to share, when would JunOS CLI get 'match protocol udp|tcp|icmp' for ipv6? So users could, in existence of extension headers, still match for L4 protocol?

Thanks again,
--
  ++ytti