What is the difference between the two "filter" hierarchies under "edit firewall" in Junos?

network-engineering juniper juniper-junos
2022-03-02 16:39:54

I noticed that filter appears in two places under firewall: [edit firewall filter filter-name] and [edit firewall family inet filter filter-name].

What is the difference between them?

1 Answer

To make this clearer, I will replace those variables with some example values.

The short version is that set firewall filter EXAMPLE-FILTER is a leftover artifact in Junos that still works, but in general it is more consistent to use the syntax that specifies the family. In some cases different families have different options for match conditions and terminating actions, though there may be overlap. That said, if you use the set firewall filter option, the function of the options you see does not change.

Note: most of the output has been snipped to keep the post clean.

For example, with inet you will not see some of the L2 conditions that apply to VPLS:

jhead@R1# set firewall family inet filter EXAMPLE-FILTER term EXAMPLE-TERM from ?
Possible completions:
> address              Match IP source or destination address
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Match IP destination address
+ destination-class    Match destination class
+ destination-class-except  Do not match destination class
+ destination-port     Match TCP/UDP destination port
+ destination-port-except  Do not match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                 Match Differentiated Services (DiffServ) code point
+ dscp-except          Do not match Differentiated Services (DiffServ) code point
+ esp-spi              Match IPSec ESP SPI value
+ esp-spi-except       Do not match IPSec ESP SPI value
  first-fragment       Match if packet is the first fragment
> flexible-match-mask  Match flexible mask
> flexible-match-range  Match flexible range
+ forwarding-class     Match forwarding class
+ forwarding-class-except  Do not match forwarding class
<...snip...>

For example, with vpls you will see those conditions, but not necessarily everything that applies to IPv4:

jhead@R1# set firewall family vpls filter EXAMPLE-FILTER term EXAMPLE-TERM from ?
Possible completions:
<...snip...>
+ learn-vlan-1p-priority  Match Learned 802.1p VLAN Priority
+ learn-vlan-1p-priority-except  Do not match Learned 802.1p VLAN Priority
+ learn-vlan-dei       Match Learnt VLAN ID DEI bit
+ learn-vlan-dei-except  Do not match Learnt VLAN ID DEI bit
+ learn-vlan-id        Match Learnt VLAN ID
+ learn-vlan-id-except  Do not match Learnt VLAN ID
<...snip...>
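As an added example (not part of the question or the answer above), here is what the family-qualified form looks like in practice: one inet filter and one vpls filter, each using a match condition that only exists for its own family, written in Junos "set" form so it can be pasted with load set. The filter, term, prefix-list, counter, interface and routing-instance names (EXAMPLE-FILTER, EXAMPLE-VPLS-FILTER, MGMT-NETS, ge-0/0/0, EXAMPLE-VPLS) and the addresses are made up for illustration; the VPLS instance is trimmed to the lines relevant to the filter question and would need its usual interface, route-distinguisher and protocols vpls configuration before it could commit.

```junos
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set firewall family inet filter EXAMPLE-FILTER term ALLOW-SSH-FROM-MGMT from source-prefix-list MGMT-NETS
set firewall family inet filter EXAMPLE-FILTER term ALLOW-SSH-FROM-MGMT from protocol tcp
set firewall family inet filter EXAMPLE-FILTER term ALLOW-SSH-FROM-MGMT from destination-port 22
set firewall family inet filter EXAMPLE-FILTER term ALLOW-SSH-FROM-MGMT then accept
set firewall family inet filter EXAMPLE-FILTER term DENY-REST then count DENIED
set firewall family inet filter EXAMPLE-FILTER term DENY-REST then discard
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.1/30
set interfaces ge-0/0/0 unit 0 family inet filter input EXAMPLE-FILTER
set firewall family vpls filter EXAMPLE-VPLS-FILTER term VLAN-100 from learn-vlan-id 100
set firewall family vpls filter EXAMPLE-VPLS-FILTER term VLAN-100 then count VLAN-100
set firewall family vpls filter EXAMPLE-VPLS-FILTER term VLAN-100 then accept
set firewall family vpls filter EXAMPLE-VPLS-FILTER term DEFAULT then accept
set routing-instances EXAMPLE-VPLS instance-type vpls
set routing-instances EXAMPLE-VPLS forwarding-options family vpls filter input EXAMPLE-VPLS-FILTER
```

The inet filter matches on a prefix list, the IP protocol and a TCP port, then ends with an explicit counting discard term so the implicit discard at the end of the filter is visible in show firewall output. The vpls filter matches on learn-vlan-id, one of the L2 conditions listed in the vpls completions above and absent from the inet completions; trying the same line under family inet (set firewall family inet filter EXAMPLE-FILTER term X from learn-vlan-id 100) is rejected by the CLI because that match is not defined for inet. That is the practical reason to prefer the family-qualified hierarchy: the family you type determines which match conditions and actions are valid, so the configuration documents which kind of traffic the filter was written for.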