
ACL parser enhancements for IPv4 Juniper firewall filters

Open jathanism opened this issue 12 years ago • 5 comments

Here's the syntax for the match conditions I have in the filters now:

    term evil-8065_DSCP {
        /* Project:"non-zero TOS value DCSP"  */
        from {
            dscp-except [ be cs0 ];
        }
    }

    term evil-8065_PRECEDENCE {
        /* Project:"non-zero TOS value PRECEDENCE"  */
        from {
            precedence-except routine;
        }
    }

Would like to go ahead and add the rest of the matches.

DSCP: Possible completions:

    af11    Assured forwarding class 1, low drop precedence
    af12    Assured forwarding class 1, medium drop precedence
    af13    Assured forwarding class 1, high drop precedence
    af21    Assured forwarding class 2, low drop precedence
    af22    Assured forwarding class 2, medium drop precedence
    af23    Assured forwarding class 2, high drop precedence
    af31    Assured forwarding class 3, low drop precedence
    af32    Assured forwarding class 3, medium drop precedence
    af33    Assured forwarding class 3, high drop precedence
    af41    Assured forwarding class 4, low drop precedence
    af42    Assured forwarding class 4, medium drop precedence
    af43    Assured forwarding class 4, high drop precedence
    be      Best effort (default)
    cs0     Class selector 0
    cs1     Class selector 1
    cs2     Class selector 2
    cs3     Class selector 3
    cs4     Class selector 4
    cs5     Class selector 5
    cs6     Class selector 6
    cs7     Class selector 7
    ef      Expedited forwarding

TOS: Possible completions:

                        Range of values
    [                   Open a set of values
    critical-ecp        Critical/ECP
    flash               Flash
    flash-override      Flash override
    immediate           Immediate
    internet-control    Internet control
    net-control         Network control
    priority            Priority
    routine             Routine

And also (obviously) make sure we support the non-except syntax, so...

    from {
        dscp [ all the same match variables ];

and

    from {
        precedence [ all the same match variables ];

jathanism avatar Feb 20 '13 15:02 jathanism

Notes on dscp and dscp-except arguments: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/junos-xml-ref-config/index.html?jd0e1231663.html

jathanism avatar Feb 27 '13 17:02 jathanism

Notes on precedence: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/junos-xml-ref-config/index.html?jd0e1231663.html

jathanism avatar Feb 27 '13 17:02 jathanism

Added dscp bits to local branch. Parses all of the dscp stuff I throw at it, but fails on a full acl. Will have to wait until tomorrow to investigate further.

chepazzo avatar Mar 20 '13 22:03 chepazzo

Initially, it looked like dscp wasn't working (even though dscp-except was) because this config:

        from {
            dscp-except [ af11 cs0 ];
            dscp [ af11 be cs0 cs7 ];
        }

Only showed the dscp-except on output.

However, Juniper does not allow this construct. Observe:

    me@router# load merge terminal
    [Type ^D at a new line to end input]
    firewall filter asdf {
        term DSCP_term {
            /* Project:"non-zero TOS value DCSP" */
            from {
                dscp-except [ af11 cs0 ];
                dscp [ af11 be cs0 cs7 ];
            }
            then {
                count match_non_zero_DCSP;
                port-mirror;
                next term;
            }
        }
    }
    load complete

    [edit]
    me@router# show firewall filter asdf
    term DSCP_term {
        /* Project:"non-zero TOS value DCSP" */
        from {
            dscp [ af11 be cs0 cs7 ];
        }
        then {
            count match_non_zero_DCSP;
            port-mirror;
            next term;
        }
    }

    [edit]
    me@router#

chepazzo avatar Apr 02 '13 14:04 chepazzo
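As an added example, not Trigger's own parser code, here is a small Python parser for the `from { ... }` match conditions requested in the opening post (dscp, dscp-except, precedence and precedence-except, single or bracketed values) that validates values against the DSCP and precedence keyword sets listed there. It also refuses dscp together with dscp-except in one term, since the router session above shows Junos silently keeps only one of the pair; the function names `parse_from_block` and `check_from_block` are assumptions, not Trigger API.

```python
import re

# DSCP and precedence keywords, taken from the Junos completions quoted in
# the issue; the parser only accepts values from these sets.
DSCP_VALUES = frozenset(
    "af11 af12 af13 af21 af22 af23 af31 af32 af33 af41 af42 af43 "
    "be cs0 cs1 cs2 cs3 cs4 cs5 cs6 cs7 ef".split())
PRECEDENCE_VALUES = frozenset(
    "critical-ecp flash flash-override immediate internet-control "
    "net-control priority routine".split())
ALLOWED = {"dscp": DSCP_VALUES, "dscp-except": DSCP_VALUES,
           "precedence": PRECEDENCE_VALUES, "precedence-except": PRECEDENCE_VALUES}

# One match condition: `keyword value;` or `keyword [ v1 v2 ... ];`
MATCH_RE = re.compile(
    r"^(dscp-except|dscp|precedence-except|precedence)\s+"
    r"(?:\[\s*([^\]]*?)\s*\]|([^\s;\[\]]+))\s*;$")


def parse_from_block(text):
    """Parse the lines of a Junos `from { ... }` block into {keyword: [values]}.

    Raises ValueError on an unsupported keyword or unknown value, and when
    dscp and dscp-except (or precedence and precedence-except) share one
    term, because Junos keeps only one of the pair (hypothetical parser).
    """
    matches = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("from {", "}") or line.startswith("/*"):
            continue  # braces and Junos comments carry no match condition
        m = MATCH_RE.match(line)
        if not m:
            raise ValueError("unsupported match condition: %r" % line)
        keyword, bracketed, single = m.groups()
        values = bracketed.split() if bracketed is not None else [single]
        bad = sorted(set(values) - ALLOWED[keyword])
        if bad:
            raise ValueError("%s: unknown value(s) %s" % (keyword, " ".join(bad)))
        matches.setdefault(keyword, []).extend(values)
    for base in ("dscp", "precedence"):
        if base in matches and base + "-except" in matches:
            raise ValueError("%s and %s-except cannot both appear in one term"
                             % (base, base))
    return matches


def check_from_block(text):
    """Return '' when the block parses cleanly, otherwise the error message."""
    try:
        parse_from_block(text)
    except ValueError as exc:
        return str(exc)
    return ""
```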

This was fixed a while back (Version 0.3). Now, we need to push these changes into Trigger.

chepazzo avatar Jul 22 '13 19:07 chepazzo