term mirror is terminating, with or without the accept.
non-terminating actions always have an implicit accept to them which terminates processing, with "next-term" available to override this.
(firewall-filter-stateless-guidelines-for-configuring)
term2 doesn't exist, other than in config, despite no config validation error.
(Note: I fixed the 2 errors in term2 to have it apply.)
mx01_cr1> show configuration firewall family inet filter radu
term term1 {
    from {
        protocol tcp;
        destination-port 444;
    }
    then {
        discard;
    }
}
term mirror {
    then {
        port-mirror;
        accept;
    }
}
term term2 {
    from {
        source-address {
            1.1.1.1/32;
        }
        destination-address {
            2.2.2.0/24;
        }
    }
    then {
        discard;
    }
}
VMX-0(mx01_cr1 vty)# show firewall radu
Term Filters:
------------
Index Semantic Properties Name
-------- ---------- -------- ------
2 Classic - radu
VMX-0(mx01_cr1 vty)# show filter index 2 program
Filter index = 2
Optimization flag: 0xf7
Filter notify host id = 0
Pfe Mask = 0xFFFFFFFF
jnh inst = 0x0
Filter properties: None
Filter state = CONSISTENT
term term1
term priority 0
protocol
6
false branch to match action in rule mirror
destination-port
444
false branch to match action in rule mirror
then
discard
term mirror
term priority 0
then
accept
port-mirror
VMX-0(mx01_cr1 vty)#
If I set "next term" as an action, it replaces your (unnecessary) "accept".
mx01_cr1# show firewall family inet filter radu
term term1 {
    from {
        protocol tcp;
        destination-port 444;
    }
    then {
        discard;
    }
}
term mirror {
    then {
        port-mirror;
        next term;
    }
}
term term2 {
    from {
        source-address {
            1.1.1.1/32;
        }
        destination-address {
            2.2.2.0/24;
        }
    }
    then {
        discard;
    }
}
VMX-0(mx01_cr1 vty)# show filter index 2 program
Filter index = 2
Optimization flag: 0xf7
Filter notify host id = 0
Pfe Mask = 0xFFFFFFFF
jnh inst = 0x0
Filter properties: None
Filter state = CONSISTENT
term term1
term priority 0
protocol
6
false branch to match action in rule mirror
destination-port
444
false branch to match action in rule mirror
then
discard
term mirror
term priority 0
then
continue
port-mirror
term term2
term priority 0
source-address
1.1.1.1/32
false branch to match action in rule junos-internal-1
destination-address
2.2.2/24
false branch to match action in rule junos-internal-1
then
discard
term junos-internal-1
term priority 0
then
discard
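To make the term-evaluation behaviour shown above concrete, here is an added example (not from this thread or from Junos) that models a stateless filter's term walk: terminating actions stop evaluation, a term with only non-terminating actions gets an implicit accept unless "next term" is present, and running off the end hits the implicit discard. The packet, the action sets and the helper names (evaluate, radu_filter) are constructed for the example.

```python
from dataclasses import dataclass, field
import ipaddress

TERMINATING = {"accept", "discard", "reject"}
NON_TERMINATING = {"port-mirror", "count", "log", "sample"}

@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)   # 'from' conditions, e.g. {"protocol": "tcp"}
    actions: list = field(default_factory=list)  # 'then' actions, e.g. ["port-mirror", "next term"]

def matches(term, pkt):
    """Every 'from' condition must hold; *-address conditions are prefix matches."""
    for key, want in term.match.items():
        if key.endswith("-address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(terms, pkt):
    """Return (verdict, non-terminating side effects, names of the terms that matched)."""
    effects, matched = [], []
    for term in terms:
        if not matches(term, pkt):
            continue                      # the PFE's "false branch" to the next term
        matched.append(term.name)
        effects += [a for a in term.actions if a in NON_TERMINATING]
        terminating = [a for a in term.actions if a in TERMINATING]
        if terminating:
            return terminating[0], effects, matched
        if "next term" not in term.actions:
            return "accept", effects, matched   # implicit accept of a non-terminating term
    # Ran off the end of the filter: the implicit discard (junos-internal-1 above).
    return "discard", effects, matched + ["junos-internal-1"]

def radu_filter(mirror_actions):
    # The thread's three-term filter; the caller supplies the 'mirror' term's actions.
    return [
        Term("term1", {"protocol": "tcp", "destination-port": 444}, ["discard"]),
        Term("mirror", {}, mirror_actions),
        Term("term2", {"source-address": "1.1.1.1/32", "destination-address": "2.2.2.0/24"}, ["discard"]),
    ]

# Constructed packet that term2 would match if evaluation ever reached it.
PKT = {"protocol": "tcp", "destination-port": 80, "source-address": "1.1.1.1", "destination-address": "2.2.2.7"}

if __name__ == "__main__":
    print(evaluate(radu_filter(["port-mirror", "accept"]), PKT))     # ('accept', ['port-mirror'], ['mirror'])
    print(evaluate(radu_filter(["port-mirror", "next term"]), PKT))  # ('discard', ['port-mirror'], ['mirror', 'term2'])
```

With "accept" the packet never reaches term2; with "next term" it is mirrored and then discarded by term2, matching the two PFE programs above.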
Original Message:
Sent: 11-16-2022 08:57
From: Radu Mohan
Subject: MX port-mirroring
Hi
I'm curious how port-mirroring action works on a filter on MX router.
If I have the filter configured below with both accept and port-mirror actions, will all traffic stop evaluation at that specific term, or will it go on to subsequent terms?
accept is a terminating action for a filter and port-mirror is a non-terminating action, but I don't know how these behave together.
term term1 {
    from {
        protocol tcp;
        destination-port 444;
    }
    then {
        discard;
    }
}
term mirror {
    then {
        port-mirror;
        accept;
    }
}
term term2 {
    from {
        source-address {
            1.1.1.1/32
        }
        destination-address {
            2.2.2.2/24
        }
    }
    then deny;
}
------------------------------
Radu Mohan
------------------------------