Hello Velociraptor,
Yes, you are correct. The firewall filter has an implicit deny. Normally a firewall filter will have an implicit deny at the end of the filter, which denies everything that does not match the filter. If it matches, then it exits out of the input-list chain and applies the actions of the filter. If it does not match, it proceeds to the next filter.
So here in this case, it is better to match the prefixes with source and destination (as this is repetitive) and apply DSCP markings later. As you have mentioned, the second example would be best suited.
> Create a firewall filter to accept packets from specific source and destination. If it matches, then we check the next term in filter. If not, the filter is ignored.
set firewall family inet filter QoS-IN term accept-prefixes from source-prefix-list PL_1
set firewall family inet filter QoS-IN term accept-prefixes from destination-prefix-list PL_2
set firewall family inet filter QoS-IN term accept-prefixes then next term
set firewall family inet filter QoS-IN term BE from dscp-except ef
set firewall family inet filter QoS-IN term BE from dscp-except af31
set firewall family inet filter QoS-IN term BE then loss-priority high
set firewall family inet filter QoS-IN term BE then forwarding-class be
set firewall family inet filter QoS-IN term BE then dscp be
set firewall family inet filter QoS-IN term BE then count BE
set firewall family inet filter QoS-IN term BE then log
set firewall family inet filter QoS-IN term BE then accept
set firewall family inet filter QoS-IN term CS5 from source-prefix-list PL_1
set firewall family inet filter QoS-IN term CS5 from destination-prefix-list PL_2
set firewall family inet filter QoS-IN term CS5 from dscp af31
set firewall family inet filter QoS-IN term CS5 then loss-priority low
set firewall family inet filter QoS-IN term CS5 then forwarding-class af
set firewall family inet filter QoS-IN term CS5 then dscp cs5
set firewall family inet filter QoS-IN term CS5 then count CS5
set firewall family inet filter QoS-IN term CS5 then log
set firewall family inet filter QoS-IN term CS5 then accept
set firewall family inet filter QoS-IN term EF from source-prefix-list PL_1
set firewall family inet filter QoS-IN term EF from destination-prefix-list PL_2
set firewall family inet filter QoS-IN term EF from dscp ef
set firewall family inet filter QoS-IN term EF then loss-priority low
set firewall family inet filter QoS-IN term EF then forwarding-class ef
set firewall family inet filter QoS-IN term EF then count EF
set firewall family inet filter QoS-IN term EF then log
set firewall family inet filter QoS-IN term EF then accept
I hope this helps. Please mark this post "Accept as solution" if this answers your query.
Kudos are always appreciated!
Best Regards,
Vishaal
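
An added example, not part of the post above and not Juniper code: a simplified Python model of how the posted QoS-IN filter is evaluated inside an input-list, including the implicit deny after the last filter. The prefix-list contents and test packets are constructed, and the model assumes that two `dscp-except` values in one term mean "neither of these".

```python
import ipaddress

# Constructed prefix-list contents; the post does not show PL_1 or PL_2.
PREFIX_LISTS = {"PL_1": ["192.0.2.0/24"], "PL_2": ["198.51.100.0/24"]}
DSCP = {"be": 0, "af31": 26, "cs5": 40, "ef": 46}

# The posted QoS-IN filter as (term, match conditions, action).
# Only the match conditions and the terminating action are modelled.
QOS_IN = [
    ("accept-prefixes", {"src": "PL_1", "dst": "PL_2"}, "next term"),
    ("BE", {"dscp_except": ["ef", "af31"]}, "accept"),
    ("CS5", {"src": "PL_1", "dst": "PL_2", "dscp": "af31"}, "accept"),
    ("EF", {"src": "PL_1", "dst": "PL_2", "dscp": "ef"}, "accept"),
]

def in_prefix_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])

def term_matches(cond, pkt):
    """All conditions in a term must hold; an empty 'from' matches everything."""
    if "src" in cond and not in_prefix_list(pkt["src"], cond["src"]):
        return False
    if "dst" in cond and not in_prefix_list(pkt["dst"], cond["dst"]):
        return False
    if "dscp" in cond and pkt["dscp"] != DSCP[cond["dscp"]]:
        return False
    if any(pkt["dscp"] == DSCP[d] for d in cond.get("dscp_except", [])):
        return False
    return True

def evaluate(filter_list, pkt):
    """Walk an input-list: first terminating match wins, else implicit discard."""
    for filter_name, terms in filter_list:
        for term_name, cond, action in terms:
            if term_matches(cond, pkt) and action != "next term":
                return filter_name, term_name, action
        # No term matched: fall through to the next filter in the list.
    return None, None, "discard"  # implicit deny after the last filter

def packet(src, dst, dscp):
    return {"src": src, "dst": dst, "dscp": DSCP[dscp]}

if __name__ == "__main__":
    for p in (packet("192.0.2.10", "198.51.100.5", "ef"),
              packet("203.0.113.9", "198.51.100.5", "ef"),
              packet("203.0.113.9", "198.51.100.5", "be")):
        print(p, "->", evaluate([("QoS-IN", QOS_IN)], p))
```

In this model term BE carries no prefix condition, so it matches on DSCP alone, while a packet from outside PL_1 marked ef matches no term and reaches the implicit deny.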