Once upon a time, Leo Bicknell <bicknell@ufp.org> said:
> The feature I would like is to set the _packet filter_ based on the
> _received routes_ over BGP.

On JUNOS, you can use

    routing-options {
        forwarding-table {
            unicast-reverse-path feasible-paths;
        }
    }

to get that behavior (although it is a global option, not per-interface, I don't think there's any harm in using it).

> Actually, received routes post prefix list. Consider this syntax:
>
> neighbor 1.2.3.4 install-dynamic-filter Gig10/1/2 prefix-list customer-prefixes
>
> Anything that was received would go through the prefix-list
> customer-prefixes (probably the same list used to filter their
> announcements), and then get turned into a dynamic ACL applied to the
> inbound interface (Gig10/1/2 in this case).

JUNOS does that as well. You can use the same prefix-list in both a BGP policy filter and a firewall filter.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
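
What the reply describes, sketched as Junos set commands: one prefix-list referenced by both the BGP import policy and an inbound firewall filter. This is an added example, not configuration from either poster; the interface ge-0/0/0, peer AS 64500, the policy, filter and counter names and the documentation prefixes are assumptions, and the list here is statically configured rather than built from received routes.

```junos
# Shared list of the customer's prefixes (constructed documentation ranges).
set policy-options prefix-list customer-prefixes 192.0.2.0/24
set policy-options prefix-list customer-prefixes 198.51.100.0/24

# Use 1: BGP import policy. "from prefix-list" matches the listed prefixes
# exactly; anything else the neighbor announces is rejected.
set policy-options policy-statement customer-in term allowed from prefix-list customer-prefixes
set policy-options policy-statement customer-in term allowed then accept
set policy-options policy-statement customer-in term reject-rest then reject

set protocols bgp group customers type external
set protocols bgp group customers neighbor 1.2.3.4 peer-as 64500
set protocols bgp group customers neighbor 1.2.3.4 import customer-in

# Use 2: inbound packet filter on the customer-facing interface.
# The neighbor's own address is permitted first so the BGP session,
# which is sourced from the link address, is not dropped by the filter.
set firewall family inet filter customer-ingress term bgp-peer from source-address 1.2.3.4/32
set firewall family inet filter customer-ingress term bgp-peer then accept

# Packets sourced from the same prefix-list are accepted.
set firewall family inet filter customer-ingress term valid-source from source-prefix-list customer-prefixes
set firewall family inet filter customer-ingress term valid-source then accept

# Everything else arriving on this interface is counted and discarded.
set firewall family inet filter customer-ingress term spoofed then count customer-spoofed
set firewall family inet filter customer-ingress term spoofed then discard

# Attach the filter to the inbound direction of the (assumed) interface.
set interfaces ge-0/0/0 unit 0 family inet filter input customer-ingress
```

Editing customer-prefixes changes both the accepted announcements and the accepted source addresses at the next commit, so the two stay in step.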