Hi,

I have a problem with my firewall filter bound to a discard interface dsc.0 in a quite simple RTBH setup... I receive a BGP route with a next-hop IP 192.0.2.101 which is configured on a discard interface. Blackholing works as expected, meaning that traffic coming in from a directly connected router is discarded. The problem is that blackholed traffic will not be counted by the configured filter. Configuration and counter look as follows:

user@R1# show firewall
family inet {
    filter blackhole-counter {
        interface-specific;
        term one {
            then count blackholed-packets;
        }
    }
}

user@R1# show interfaces
dsc {
    unit 0 {
        family inet {
            filter {
                output blackhole-counter;
            }
            address 192.0.2.102/32 {
                destination 192.0.2.101;
            }
        }
    }
}

Here's the bgp route (don't be scared because of the ip, it's just a lab setup):
user@R1# run show route protocol bgp 8.8.8.8 detail

inet.0: 35 destinations, 35 routes (35 active, 0 holddown, 0 hidden)
8.8.8.8/32 (1 entry, 1 announced)
        *BGP    Preference: 170/-101
                Next hop type: Indirect
                Address: 0x9335600
                Next-hop reference count: 6
                Source: 1.1.1.99
                Next hop type: Router, Next hop index: 587
                Next hop: 192.0.2.101 via dsc.0, selected
                Protocol next hop: 192.0.2.101
                Indirect next hop: 94802b8 131071
                State: <Active Int Ext>
                Local AS:  1111 Peer AS:  1111
                Age: 34:10      Metric2: 0
                Task: BGP_1111.1.1.1.99+35805
Announcement bits (3): 0-KRT 4-BGP_RT_Background 5-Resolve tree 2
                AS path: I (Originator) Cluster list:  1.1.1.99
                AS path:  Originator ID: 10.15.40.154
                Communities: 1111:9999
                Accepted
                Localpref: 100
                Router ID: 1.1.1.99

My "problem" filter:
user@R1# run show firewall filter blackhole-counter-dsc.0-i

Filter: blackhole-counter-dsc.0-o
Counters:
Name                                                Bytes              Packets
blackholed-packets-dsc.0-i                              0                    0

The same filter on the interface towards a directly connected neighbor router, from where a ping to 8.8.8.8 is running, shows that traffic is coming in:
user@R1# run show firewall filter blackhole-counter-em0.0-i

Filter: blackhole-counter-em0.0-i
Counters:
Name                                                Bytes              Packets
blackholed-packets-em0.0-i                         166290                 2086

Any suggestions why my firewall filter with count action doesn't work?

Regards,
Alex
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
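As an added example, not part of Alex's post and not Junos code: a small Python parser for the text of `show firewall` (the per-filter "Counters:" tables quoted above), plus a check that flags an interface-specific filter instance on a discard interface (dsc.N) whose counters stay at zero while the same base filter on a transit interface is counting packets, which is exactly the symptom described in the post. The sample output is constructed after the counters quoted above (the discard-side counter name `blackholed-packets-dsc.0-o` is assumed), and the filter naming convention `<base>-<ifl>-<i|o>` is the one the post's output shows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the counters quoted in the post above; it is
# not captured from a real device (the discard-side counter name is assumed).
SAMPLE_OUTPUT = """\
Filter: blackhole-counter-em0.0-i
Counters:
Name                                                Bytes              Packets
blackholed-packets-em0.0-i                         166290                 2086

Filter: blackhole-counter-dsc.0-o
Counters:
Name                                                Bytes              Packets
blackholed-packets-dsc.0-o                              0                    0
"""

# {filter instance name: {counter name: (bytes, packets)}}
Counters = Dict[str, Dict[str, Tuple[int, int]]]

_FILTER_RE = re.compile(r"^Filter:\s+(\S+)$")
_HEADER_RE = re.compile(r"^Name\s+Bytes\s+Packets$")
_COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")
# Interface-specific instance: <base>-<ifl>-<i|o>, e.g. blackhole-counter-em0.0-i
_INSTANCE_RE = re.compile(
    r"^(?P<base>.+)-(?P<ifl>[a-z]+(?:-\d+/\d+/\d+)?\d*\.\d+)-(?P<dir>[io])$"
)


def parse_show_firewall(text: str) -> Counters:
    """Parse the text of `show firewall` into per-filter counter values.

    Only the 'Counters:' section of each filter is read; a 'Policers:' section,
    if present, is skipped because its columns differ.
    """
    result: Counters = {}
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _FILTER_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            section = None
            continue
        if line.endswith(":"):  # 'Counters:' / 'Policers:' section markers
            section = line[:-1].lower()
            continue
        if current is None or section != "counters" or _HEADER_RE.match(line):
            continue
        m = _COUNTER_RE.match(line)
        if m:
            result[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return result


def packets_counted(counters: Counters, filter_name: str) -> int:
    """Total packets across every counter of one filter instance."""
    return sum(pkts for _, pkts in counters.get(filter_name, {}).values())


def silent_discard_filters(counters: Counters) -> List[str]:
    """Flag filter instances on a discard interface (dsc.N) that have counted
    nothing while another instance of the same base filter, on a non-discard
    interface, has counted packets: traffic verifiably arrives, but the
    blackhole-side counter never moves."""
    by_base: Dict[str, List[Tuple[str, str]]] = {}
    for name in counters:
        m = _INSTANCE_RE.match(name)
        if m:
            by_base.setdefault(m["base"], []).append((name, m["ifl"]))
    flagged: List[str] = []
    for instances in by_base.values():
        transit = [n for n, ifl in instances if not ifl.startswith("dsc.")]
        discard = [n for n, ifl in instances if ifl.startswith("dsc.")]
        if any(packets_counted(counters, n) > 0 for n in transit):
            flagged.extend(n for n in discard if packets_counted(counters, n) == 0)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_show_firewall(SAMPLE_OUTPUT)
    for flt, ctrs in parsed.items():
        for ctr, (nbytes, npkts) in ctrs.items():
            print(f"{flt:32} {ctr:32} {nbytes:>10} {npkts:>8}")
    print("discard filters not counting:", silent_discard_filters(parsed))
```

Feeding it the output of `show firewall` collected from the router (for example over NETCONF or a scripted CLI session) turns the manual comparison in the post into a repeatable check: a discard-side instance that stays at zero while the transit-side instance climbs is reported by name.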
