jathanism / acl

Network access control list and firewall policy parsing library.

acl.tools.check_access() needs to also check modifiers #12

Open jathanism opened 11 years ago

jathanism commented 11 years ago

trigger.acl.tools.check_access() looks for both permits and denies and can search for membership within networks, port-ranges or protocols, but does not check modifiers such as fragment-offsets or other header options. Because term block_snmp_fragments has a fragment-offset 0 modifier in the term, the access was not an exact match and therefore was being skipped.

Note in the output below that it displays term block_snmp_fragments as being part of the access path, but it does not accurately determine it to be dropping the traffic because we weren't asking it to check fragment-offset 0. It reports the following term 10net-TCPUDP-ALLOW as permitting the access with the inline comment "/*check_access: PERMITTED HERE*/".

```
% ./check_access acl.123 10.180.124.82/32 1.2.3.4/32 udp 161
term cflow {
    then {
        next term;
        count arbor-cflow;
    }
}
term block_snmp_fragments {
    /* DIsallow snmp fragments */
    from {
        fragment-offset 0;
        protocol udp;
        destination-port 161-162;
    }
    then {
        discard;
        count T42;
    }
}
term 10net-TCPUDP-ALLOW {
    /*check_access: PERMITTED HERE*/
    from {
        source-address {
            10.0.0.0/16;
            10.2.0.0/16;
...
```
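To make the gap concrete, here is an added, simplified Python model of a term walk that treats fragment-offset as a match field; it is example code written for this page, not trigger's own implementation. The term list is reconstructed from the output above, and since the source-address list is truncated there, 10.180.0.0/16 being among the permitted networks is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Term:                                # one Junos-style filter term
    name: str
    action: str                            # "permit", "discard" or "next term"
    protocol: Optional[str] = None
    dst_ports: Optional[range] = None      # range(low, high + 1)
    src_nets: list = field(default_factory=list)
    fragment_offset: Optional[int] = None  # the modifier this issue is about

@dataclass
class Query:                               # what the caller asks check_access about
    src: str
    protocol: str
    dst_port: int
    fragment_offset: Optional[int] = None  # None: caller did not ask about it

def term_matches(term: Term, q: Query) -> bool:
    """A term matches only if every match field it specifies matches the query."""
    if term.protocol is not None and term.protocol != q.protocol:
        return False
    if term.dst_ports is not None and q.dst_port not in term.dst_ports:
        return False
    if term.src_nets and not any(ip_address(q.src) in n for n in term.src_nets):
        return False
    # A term that pins fragment-offset is an exact match only when the query pins
    # the same value; leaving it unset skips the term, producing the false PERMITTED.
    if term.fragment_offset is not None and term.fragment_offset != q.fragment_offset:
        return False
    return True

def check_access(terms: list, q: Query) -> tuple:
    for t in terms:  # walk in order; "next term" falls through, anything else decides
        if term_matches(t, q) and t.action != "next term":
            return t.name, t.action
    return None, "implicit discard"

# Constructed model of acl.123 from the issue output. Its source-address list is
# truncated there, so 10.180.0.0/16 is assumed to be among the permitted networks.
ACL_123 = [
    Term("cflow", "next term"),
    Term("block_snmp_fragments", "discard", protocol="udp",
         dst_ports=range(161, 163), fragment_offset=0),
    Term("10net-TCPUDP-ALLOW", "permit", src_nets=[
        ip_network("10.0.0.0/16"), ip_network("10.2.0.0/16"),
        ip_network("10.180.0.0/16")]),
]
```

Querying `10.180.124.82` to UDP 161 without a fragment-offset reproduces the PERMITTED result at 10net-TCPUDP-ALLOW; adding `fragment_offset=0` to the query makes block_snmp_fragments match and report the discard.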