ipv4 filter

Note

requires a Product License.

Default table.

vsr running config# vrf <vrf> firewall ipv4 filter

input

Packets destined to local sockets.

vsr running config# vrf <vrf> firewall ipv4 filter input

policy

Action when no rule match.

vsr running config# vrf <vrf> firewall ipv4 filter input
vsr running input# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

Default value
accept

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter input packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter input bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 filter input
vsr running input# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   action STANDARD chain <leafref> reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. Rules are evaluated in ascending order of this number, so a higher number means a lower priority.
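The following ruleset is an added worked example for the input chain; it is not taken from the product documentation. Placeholders: a VRF named main, an uplink interface eth0, a loopback interface lo and a management prefix 192.0.2.0/24. It also assumes that several values of one leaf-list (conntrack states, TCP flags) are typed space-separated, that the log action is non-terminating as netfilter's LOG target is, so a logged packet falls through to the next rule and finally to the chain policy, and that the candidate configuration is applied with commit.

```console
vsr running config# vrf main firewall ipv4 filter input
vsr running input# policy drop
vsr running input# rule 10 description "loopback is trusted" \
...   inbound-interface lo action accept
vsr running input# rule 20 description "replies to flows we opened, plus related ICMP errors" \
...   conntrack state established related action accept
vsr running input# rule 30 description "packets conntrack cannot classify" \
...   conntrack state invalid action drop
vsr running input# rule 40 description "anti-spoof: management prefix must not arrive on the uplink" \
...   inbound-interface eth0 source address 192.0.2.0/24 action drop
vsr running input# rule 50 description "a new TCP flow must open with a bare SYN" \
...   protocol tcp conntrack state new \
...   tcp-flags not set syn examined syn ack fin rst action drop
vsr running input# rule 60 description "xmas scan: FIN+PSH+URG and nothing else" \
...   protocol tcp tcp-flags set fin psh urg examined all action drop
vsr running input# rule 70 description "null scan: no flag at all" \
...   protocol tcp tcp-flags set none examined all action drop
vsr running input# rule 80 description "ICMP echo, 5 per second with a burst of 10" \
...   protocol icmp icmp-type echo-request limit burst 10 rate 5 second action accept
vsr running input# rule 90 description "SSH from management only" \
...   protocol tcp destination port 22 source address 192.0.2.0/24 \
...   conntrack state new action accept
vsr running input# rule 100 description "log other SSH openers, then the policy drops them" \
...   protocol tcp destination port 22 conntrack state new \
...   limit burst 20 rate 10 minute \
...   action log level warning prefix "SSH-DENY "
vsr running input# rule 110 description "identd probes: answer with a reset instead of a timeout" \
...   protocol tcp destination port 113 action reject tcp-reset
vsr running input# commit
vsr> show state vrf main firewall ipv4 filter input rule 100 counters packets
```

Rule order follows the priority number, so the conntrack accept at 20 handles the bulk of the traffic and the more expensive matches below it only see new flows. In rule 50, examined lists the flags that are looked at and set the ones that must be on among them, so the inverted match catches any TCP opener that is not a plain SYN. Packets that reach rule 100 are logged, rate-limited so that a scan cannot flood the log, and then dropped by the chain policy; the counters of rule 100 therefore tell you how many SSH attempts were refused.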

description

A comment to describe the rule.

description <string>

protocol

Match the protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

icmp

ICMP protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match the fragment.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE values

Description

any

Any ICMP type.

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

network-unreachable

Network unreachable.

host-unreachable

Host unreachable.

protocol-unreachable

Protocol unreachable.

port-unreachable

Port unreachable.

fragmentation-needed

Fragmentation needed.

source-route-failed

Source route failed.

network-unknown

Network unknown.

host-unknown

Host unknown.

network-prohibited

Network prohibited.

host-prohibited

Host prohibited.

TOS-network-unreachable

TOS network unreachable.

TOS-host-unreachable

TOS host unreachable.

communication-prohibited

Communication prohibited.

host-precedence-violation

Host precedence violation.

precedence-cutoff

Precedence cutoff.

source-quench

Source quench.

redirect

Redirect.

network-redirect

Network redirect.

host-redirect

Host redirect.

TOS-network-redirect

TOS network redirect.

TOS-host-redirect

TOS host redirect.

router-advertisement

Router advertisement.

router-solicitation

Router solicitation.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Time to Live exceeded in Transit.

ttl-zero-during-reassembly

Fragment Reassembly Time Exceeded.

parameter-problem

Parameter problem.

ip-header-bad

Bad IP header.

required-option-missing

Missing a Required Option.

timestamp-request

Timestamp request.

timestamp-reply

Timestamp reply.

information-request

Information request.

information-response

Information reply.

address-mask-request

Address mask request.

address-mask-reply

Address mask reply.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set (mandatory)

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet started new connection or associated with one which has not seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per second.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.

Default value
second

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<0-63>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the tos.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The TOS value. The packet's TOS byte, after the mask is applied, is compared against this value.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. The packet mark, after the mask is applied, is compared against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

This module matches Stream Control Transmission Protocol headers.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are matched.

SCOPE

SCOPE values

Description

all

Match if all the listed chunk types are present.

any

Match if any of the listed chunk types is present.

only

Match if only the listed chunk types are present, and no others.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
cookie-echo

COOKIE ECHO chunk.

cookie-echo
cookie-ack

COOKIE ACK chunk.

cookie-ack
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that receiver should check).

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <leafref> reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. In a built-in chain, the chain policy is applied instead.

chain

Jump to the user chain by this name.

chain <leafref>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp-net-unreachable

Reject with ICMP network unreachable.

icmp-host-unreachable

Reject with ICMP host unreachable.

icmp-port-unreachable

Reject with ICMP port unreachable.

icmp-proto-unreachable

Reject with ICMP protocol unreachable.

icmp-net-prohibited

Reject with ICMP network prohibited.

icmp-host-prohibited

Reject with ICMP host prohibited.

icmp-admin-prohibited

Reject with ICMP admin prohibited.

tcp-reset

Reject with a TCP RST packet. Only valid in rules that match the TCP protocol.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>{1,29}
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the user ID of the process which generated the packet (only meaningful for locally generated packets).

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum segment size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter input rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter input rule <uint64> counters bytes

forward

Packets being routed.

vsr running config# vrf <vrf> firewall ipv4 filter forward

policy

Action when no rule match.

vsr running config# vrf <vrf> firewall ipv4 filter forward
vsr running forward# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

Default value
accept

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter forward packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter forward bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 filter forward
vsr running forward# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. Rules are evaluated in ascending order of this number, so a higher number means a lower priority.
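A worked ruleset for the forward chain, added here as an example and not part of the product documentation. Placeholders: VRF main, uplink eth0, LAN eth1 with prefix 10.0.0.0/24, DMZ eth2 hosting a web server at 10.0.1.10, a tunnel interface vti0, and an address group named blocklist defined elsewhere. It assumes that the children of the destination container are typed once after the keyword (destination address ... port-range ...), that the log and tcpmss actions are non-terminating like the netfilter LOG and TCPMSS targets, so the packet continues to the next rule, and that the candidate configuration is applied with commit.

```console
vsr running config# vrf main firewall ipv4 filter forward
vsr running forward# policy drop
vsr running forward# rule 10 description "MSS clamp on tunnel-bound SYNs, before any accept" \
...   protocol tcp tcp-flags set syn examined syn rst outbound-interface vti0 \
...   action tcpmss clamp-mss-to-pmtu
vsr running forward# rule 20 description "replies and related flows in either direction" \
...   conntrack state established related action accept
vsr running forward# rule 30 description "anti-spoof: LAN prefix only from the LAN port" \
...   inbound-interface not eth1 source address 10.0.0.0/24 action drop
vsr running forward# rule 40 description "known-bad destinations, refused with admin-prohibited" \
...   destination group blocklist action reject icmp-admin-prohibited
vsr running forward# rule 50 description "LAN hosts may open flows to the Internet" \
...   inbound-interface eth1 outbound-interface eth0 source address 10.0.0.0/24 \
...   conntrack state new action accept
vsr running forward# rule 60 description "Internet may reach the DMZ web server on 80 and 443" \
...   inbound-interface eth0 outbound-interface eth2 protocol tcp \
...   destination address 10.0.1.10 port-range 80,443 conntrack state new action accept
vsr running forward# rule 70 description "other DMZ-bound TCP openers: log, rate-limited" \
...   outbound-interface eth2 protocol tcp conntrack state new \
...   limit burst 20 rate 10 minute action log level notice prefix "DMZ-DENY "
vsr running forward# rule 80 description "and refuse them with a reset rather than a silent drop" \
...   outbound-interface eth2 protocol tcp conntrack state new action reject tcp-reset
vsr running forward# commit
vsr> show state vrf main firewall ipv4 filter forward rule 80 counters packets
```

Rule 10 matches SYN with RST clear (examined syn rst, set syn), which covers both the SYN and the SYN/ACK, and must sit above the accepts because a packet accepted earlier never reaches it. Rule 40 sits above rule 50 on purpose: a lower number wins, so a LAN host talking to a blocklisted address is rejected before the broad LAN-to-Internet accept can let it through. Rule 80 uses reject tcp-reset, which answers the client immediately, whereas drop would leave it waiting for a timeout; both cost the same in the filter but give the far end different information.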

description

A comment to describe the rule.

description <string>

protocol

Match the protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

icmp

ICMP protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match the fragment.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE values

Description

any

Any ICMP type.

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

network-unreachable

Network unreachable.

host-unreachable

Host unreachable.

protocol-unreachable

Protocol unreachable.

port-unreachable

Port unreachable.

fragmentation-needed

Fragmentation needed.

source-route-failed

Source route failed.

network-unknown

Network unknown.

host-unknown

Host unknown.

network-prohibited

Network prohibited.

host-prohibited

Host prohibited.

TOS-network-unreachable

TOS network unreachable.

TOS-host-unreachable

TOS host unreachable.

communication-prohibited

Communication prohibited.

host-precedence-violation

Host precedence violation.

precedence-cutoff

Precedence cutoff.

source-quench

Source quench.

redirect

Redirect.

network-redirect

Network redirect.

host-redirect

Host redirect.

TOS-network-redirect

TOS network redirect.

TOS-host-redirect

TOS host redirect.

router-advertisement

Router advertisement.

router-solicitation

Router solicitation.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Time to Live exceeded in Transit.

ttl-zero-during-reassembly

Fragment Reassembly Time Exceeded.

parameter-problem

Parameter problem.

ip-header-bad

Bad IP header.

required-option-missing

Missing a Required Option.

timestamp-request

Timestamp request.

timestamp-reply

Timestamp reply.

information-request

Information request.

information-response

Information reply.

address-mask-request

Address mask request.

address-mask-reply

Address mask reply.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set (mandatory)

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet has started a new connection, or is associated with one which has not yet seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This count is recharged by one each time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate; the default unit is per second.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.

Default value
second

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<0-63>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the TOS field.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The TOS value that packets are matched against.

<0x0-0xff>
mask

Logically ANDed with the TOS field before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value that packets are matched against.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

This module matches Stream Control Transmission Protocol headers.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are matched.

SCOPE

SCOPE values

Description

all

Match all chunk types.

any

Match any chunk type.

only

Match exactly the listed chunk types.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that the receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that the receiver should check).

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

chain

Jump to the user chain by this name.

chain <leafref>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp-net-unreachable

Reject with ICMP network unreachable.

icmp-host-unreachable

Reject with ICMP host unreachable.

icmp-port-unreachable

Reject with ICMP port unreachable.

icmp-proto-unreachable

Reject with ICMP protocol unreachable.

icmp-net-prohibited

Reject with ICMP network prohibited.

icmp-host-prohibited

Reject with ICMP host prohibited.

icmp-admin-prohibited

Reject with ICMP admin prohibited.

tcp-reset

Reject with a TCP RST packet. Only usable on rules that match the TCP protocol.

set-priority

Value of the priority to attach to the packet.

set-priority <uint32>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines which bits to clear and ctmask which bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>{1,29}
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the userid of the process which generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter forward rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter forward rule <uint64> counters bytes

output

Locally-generated packets.

vsr running config# vrf <vrf> firewall ipv4 filter output

policy

Action when no rule match.

vsr running config# vrf <vrf> firewall ipv4 filter output
vsr running output# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

Default value
accept

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter output packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter output bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 filter output
vsr running output# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. A higher number means a lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

icmp

ICMP protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match packets whose address is not in the set).

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.
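
Worked example for the port-range syntax used by both the destination and the source port-range matches above. This is added code, not part of the VSR reference or its implementation: it parses the `port[,port|,port-port]` form, validates it for configuration checks, and evaluates `port-range [not] VALUE` against a port. It assumes ports are in the range 0 to 65535 and that a range's low end must not exceed its high end; the sample specifications are constructed.

```python
# Added example (not from the VSR reference): parse and validate the
# "port[,port|,port-port]" syntax of the port-range match and test a port
# against it. Assumption: ports are 0..65535 and a range's low end must not
# exceed its high end. Sample specs below are constructed.

PORT_MAX = 65535


def parse_port_range(spec):
    """Return a sorted list of (low, high) tuples; raise ValueError on bad input."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in port-range %r" % spec)
        if "-" in item:
            lo_text, hi_text = item.split("-", 1)
            lo, hi = int(lo_text), int(hi_text)     # int() rejects non-digits
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= PORT_MAX:
            raise ValueError("bad port or range %r" % item)
        ranges.append((lo, hi))
    return sorted(ranges)


def is_valid_port_range(spec):
    """Boolean wrapper around parse_port_range, for configuration validation."""
    try:
        parse_port_range(spec)
    except ValueError:
        return False
    return True


def port_range_match(port, spec, invert=False):
    """True when 'port-range [not] VALUE' matches the given destination or source port."""
    hit = any(lo <= port <= hi for lo, hi in parse_port_range(spec))
    return hit != invert        # 'not' inverts the result


if __name__ == "__main__":
    spec = "21,22,1024-2048"    # constructed sample
    print(parse_port_range(spec))
    for port in (21, 23, 1500, 2049):
        print(port, port_range_match(port, spec))
```

Rejecting an inverted range such as `2048-1024` or an out-of-range port at validation time is the useful part: a rule whose port list silently parses to nothing matches nothing, which for a drop rule means an unintended accept by the chain policy.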

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match packets whose address is not in the set).

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match on IPv4 fragmentation.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE values

Description

any

Any ICMP type.

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

network-unreachable

Network unreachable.

host-unreachable

Host unreachable.

protocol-unreachable

Protocol unreachable.

port-unreachable

Port unreachable.

fragmentation-needed

Fragmentation needed.

source-route-failed

Source route failed.

network-unknown

Network unknown.

host-unknown

Host unknown.

network-prohibited

Network prohibited.

host-prohibited

Host prohibited.

TOS-network-unreachable

TOS network unreachable.

TOS-host-unreachable

TOS host unreachable.

communication-prohibited

Communication prohibited.

host-precedence-violation

Host precedence violation.

precedence-cutoff

Precedence cutoff.

source-quench

Source quench.

redirect

Redirect.

network-redirect

Network redirect.

host-redirect

Host redirect.

TOS-network-redirect

TOS network redirect.

TOS-host-redirect

TOS host redirect.

router-advertisement

Router advertisement.

router-solicitation

Router solicitation.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Time to Live exceeded in Transit.

ttl-zero-during-reassembly

Fragment Reassembly Time Exceeded.

parameter-problem

Parameter problem.

ip-header-bad

Bad IP header.

required-option-missing

Missing a Required Option.

timestamp-request

Timestamp request.

timestamp-reply

Timestamp reply.

information-request

Information request.

information-response

Information response.

address-mask-request

Address mask request.

address-mask-reply

Address mask reply.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set (mandatory)

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.
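
Worked example of how a `tcp-flags [not] set SET examined EXAMINED` rule evaluates against a packet's TCP flag byte. This is added code, not part of the VSR reference or its implementation, and it assumes the usual netfilter semantics, which the reference does not spell out: only the flags listed under `examined` are looked at, and of those exactly the flags listed under `set` must be on. The flag bit values follow the TCP header layout; the rule table and packet flag values are constructed for the demonstration.

```python
# Added example (not from the VSR reference): evaluate "tcp-flags" rules.
# Assumption: netfilter semantics, i.e. (packet_flags & EXAMINED) == SET.
# Flag bit values are the TCP header flag bits.

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL_FLAGS = 0x3F  # what the keyword "all" expands to


def flags_to_mask(names):
    """Translate a SET or EXAMINED list ('syn', 'ack', ..., 'all', 'none') to a bit mask."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= ALL_FLAGS
        elif name == "none":
            continue                      # "none" contributes no bits
        else:
            mask |= TCP_FLAG_BITS[name]   # KeyError on an unknown flag name
    return mask


def tcp_flags_match(packet_flags, examined, set_, invert=False):
    """True when 'tcp-flags [not] set SET examined EXAMINED' matches packet_flags."""
    matched = (packet_flags & flags_to_mask(examined)) == flags_to_mask(set_)
    return matched != invert              # 'not' inverts the result


# Constructed rule table: (description, examined, set). These are the classic
# "drop malformed flag combinations" checks; the order of set/examined in the
# CLI syntax does not matter for the evaluation.
SAMPLE_RULES = [
    ("null scan (no flags)",      ["all"],                       ["none"]),
    ("xmas scan (all flags)",     ["all"],                       ["all"]),
    ("syn+fin together",          ["syn", "fin"],                ["syn", "fin"]),
    ("new connection (pure syn)", ["syn", "ack", "fin", "rst"],  ["syn"]),
]


def matching_rules(packet_flags):
    """Return the descriptions of every sample rule the packet matches, in table order."""
    return [desc for desc, examined, set_ in SAMPLE_RULES
            if tcp_flags_match(packet_flags, examined, set_)]


if __name__ == "__main__":
    for flags in (0x00, 0x3F, 0x03, 0x02, 0x12, 0x18):
        print(f"flags=0x{flags:02x}: {matching_rules(flags)}")
```

The last rule shows why `examined` matters: a bare `set syn` with `examined syn` would also match SYN+ACK replies, whereas examining SYN, ACK, FIN and RST together and requiring only SYN isolates the first packet of a new connection.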

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet has started a new connection, or is associated with one which has not yet seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This count is recharged by one each time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate; the default unit is per second.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.

Default value
second
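
Worked example of the `limit burst <uint32> rate <uint32> UNIT` match as a token bucket. This is added code, not part of the VSR reference or its implementation. It assumes the bucket starts full with `burst` tokens, refills continuously at one token per 1/rate of the unit, never holds more than `burst` tokens, and lets a packet match only when a whole token is available; the packet timestamps are constructed.

```python
# Added example (not from the VSR reference): a token-bucket model of the
# "limit burst <uint32> rate <uint32> UNIT" match. Assumption: the bucket starts
# full (burst tokens), refills continuously at one token per 1/rate of UNIT and
# never holds more than burst tokens; a packet matches only when a whole token
# is available. Timestamps below are constructed for the demonstration.

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """Stateful 'limit' matcher; defaults are the reference's 3/hour and burst 5."""

    def __init__(self, rate=3, unit="hour", burst=5):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.interval = UNIT_SECONDS[unit] / rate   # seconds per new token
        self.burst = burst
        self.tokens = float(burst)                  # bucket starts full
        self.last = 0.0                             # time of the previous packet

    def matches(self, now):
        """Return True if a packet seen at time `now` (seconds) is within the limit."""
        elapsed = now - self.last
        self.last = now
        # recharge by one token per interval elapsed, capped at burst
        self.tokens = min(self.burst, self.tokens + elapsed / self.interval)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(times, rate=3, unit="hour", burst=5):
    """Feed packet timestamps through a fresh matcher; return one bool per packet."""
    limiter = LimitMatch(rate=rate, unit=unit, burst=burst)
    return [limiter.matches(t) for t in times]


if __name__ == "__main__":
    # Six packets within five seconds, then two 20 minutes later
    # (3/hour means one new token every 1200 s).
    sample = [0, 1, 2, 3, 4, 5, 1205, 1206]
    print(list(zip(sample, simulate(sample))))
```

With the defaults, the first five packets of a burst match, the sixth does not, and one more matches after 1200 seconds. Pairing `limit` with a `log` action in this way keeps a flood of matching packets from turning the log itself into the denial of service.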

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<0-63>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the TOS field.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The TOS value that packets are matched against.

<0x0-0xff>
mask

Logically ANDed with the TOS field before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value that packets are matched against.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

This module matches Stream Control Transmission Protocol headers.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are matched.

SCOPE

SCOPE values

Description

all

Match all chunk types.

any

Match any chunk type.

only

Match exactly the listed chunk types.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that the receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that the receiver should check).

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

chain

Jump to the user chain by this name.

chain <leafref>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp-net-unreachable

Reject with ICMP network unreachable.

icmp-host-unreachable

Reject with ICMP host unreachable.

icmp-port-unreachable

Reject with ICMP port unreachable.

icmp-proto-unreachable

Reject with ICMP protocol unreachable.

icmp-net-prohibited

Reject with ICMP network prohibited.

icmp-host-prohibited

Reject with ICMP host prohibited.

icmp-admin-prohibited

Reject with ICMP admin prohibited.

tcp-reset

Reject with a TCP RST packet. Only usable on rules that match the TCP protocol.

set-priority

Value of the priority to attach to the packet.

set-priority <uint32>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>{1,29}
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the userid of the process which generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter output rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter output rule <uint64> counters bytes

chain

User chain.

vsr running config# vrf <vrf> firewall ipv4 filter chain <string>{1,28}

<string>{1,28}

The user chain name.

policy

Action when no rule matches.

vsr running config# vrf <vrf> firewall ipv4 filter chain <string>{1,28}
vsr running chain <string>{1,28}# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-in chains, the chain policy applies instead.

Default value
return

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter chain <string>{1,28} packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter chain <string>{1,28} bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 filter chain <string>{1,28}
vsr running chain <string>{1,28}# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   action STANDARD chain <leafref> dscp DSCP reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
...     tos <0x0-0xff> mask <0x0-0xff>

<uint64>

Priority of the rule. A higher number means a lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

icmp

ICMP protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match addresses that are not in the set.

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>{1,253}

The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<A.B.C.D>

An IPv4 address.

<A.B.C.D/M>

An IPv4 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.
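The following Python block is an added example, not part of the product documentation: it parses the port[,port|,port-port] syntax used by the destination and source port-range matches above and evaluates a port against it, including the "not" inversion. It rejects malformed specifications (reversed ranges, ports above 65535, empty elements) instead of installing a match that silently never hits; the sample specification is the one quoted above.

```python
def _port(text):
    """Validate one port token and return it as an int."""
    if not text.isdigit():
        raise ValueError("port %r is not a number" % text)
    value = int(text)
    if value > 65535:
        raise ValueError("port %d is outside 0-65535" % value)
    return value


def parse_port_range(spec):
    """Parse 'port[,port|,port-port]' into a list of inclusive (low, high) pairs.

    Empty elements, non-numeric ports, ports above 65535 and reversed
    ranges such as 2048-1024 raise ValueError rather than matching nothing.
    """
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in %r" % spec)
        low_text, dash, high_text = item.partition("-")
        low = _port(low_text)
        high = _port(high_text) if dash else low
        if low > high:
            raise ValueError("reversed range %r" % item)
        ranges.append((low, high))
    return ranges


def is_valid_port_range(spec):
    """True if `spec` parses; handy when validating configuration input."""
    try:
        parse_port_range(spec)
    except ValueError:
        return False
    return True


def port_range_matches(port, spec, invert=False):
    """Return True if `port` falls in `spec`; `invert` models the 'not' keyword."""
    hit = any(low <= port <= high for low, high in parse_port_range(spec))
    return hit != invert


if __name__ == "__main__":
    # Constructed specification taken from the syntax description above.
    spec = "21,22,1024-2048"
    print(parse_port_range(spec))
    for p in (21, 23, 1024, 2048, 2049):
        print(p, port_range_matches(p, spec), port_range_matches(p, spec, invert=True))
```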

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match addresses that are not in the set.

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match IPv4 fragments.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE values

Description

any

Any ICMP type.

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

network-unreachable

Network unreachable.

host-unreachable

Host unreachable.

protocol-unreachable

Protocol unreachable.

port-unreachable

Port unreachable.

fragmentation-needed

Fragmentation needed.

source-route-failed

Source route failed.

network-unknown

Network unknown.

host-unknown

Host unknown.

network-prohibited

Network prohibited.

host-prohibited

Host prohibited.

TOS-network-unreachable

TOS network unreachable.

TOS-host-unreachable

TOS host unreachable.

communication-prohibited

Communication prohibited.

host-precedence-violation

Host precedence violation.

precedence-cutoff

Precedence cutoff.

source-quench

Source quench.

redirect

Redirect.

network-redirect

Network redirect.

host-redirect

Host redirect.

TOS-network-redirect

TOS network redirect.

TOS-host-redirect

TOS host redirect.

router-advertisement

Router advertisement.

router-solicitation

Router solicitation.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Time to Live exceeded in Transit.

ttl-zero-during-reassembly

Fragment Reassembly Time Exceeded.

parameter-problem

Parameter problem.

ip-header-bad

Bad IP header.

required-option-missing

Missing a Required Option.

timestamp-request

Timestamp request.

timestamp-reply

Timestamp reply.

information-request

Information request.

information-response

Information response.

address-mask-request

Address mask request.

address-mask-reply

Address mask reply.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set (mandatory)

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.
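The following Python block is an added example, not part of the product documentation: it evaluates a "tcp-flags [not] set SET examined EXAMINED" match the way the keywords above describe it. Only the flags named in EXAMINED are looked at, and among those exactly the flags in SET must be on; all other flag bits are ignored. The bit values are the TCP header flag bits, and the three rules at the bottom are constructed defensive rules (a pure SYN for new-connection filtering, and two flag combinations a well-behaved stack never emits).

```python
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL_FLAGS = 0x3F  # the six flags listed above


def flag_mask(names):
    """Turn a SET or EXAMINED keyword list into a bitmask."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= ALL_FLAGS
        elif name == "none":
            continue
        else:
            mask |= TCP_FLAG_BITS[name]  # KeyError on an unknown flag name
    return mask


def tcp_flags_match(packet_flags, examined, set_flags, invert=False):
    """Evaluate the match for a packet whose TCP flag byte is `packet_flags`."""
    examined_mask = flag_mask(examined)
    wanted = flag_mask(set_flags)
    if wanted & ~examined_mask:
        # A flag in SET that is not examined can never be satisfied; refuse
        # the rule rather than install one that silently never matches.
        raise ValueError("set flags must be a subset of examined flags")
    hit = (packet_flags & examined_mask) == wanted
    return hit != invert


# Constructed rules, expressed as (examined, set) keyword lists.
PURE_SYN = (["syn", "ack", "fin", "rst"], ["syn"])   # new connection attempt
NO_FLAGS = (["all"], ["none"])                       # no flag bit set at all
FIN_PSH_URG = (["all"], ["fin", "psh", "urg"])       # FIN+PSH+URG and nothing else


def classify(packet_flags):
    """Name the first constructed rule that matches, or None."""
    for label, (examined, set_flags) in (("pure-syn", PURE_SYN),
                                         ("no-flags", NO_FLAGS),
                                         ("fin-psh-urg", FIN_PSH_URG)):
        if tcp_flags_match(packet_flags, examined, set_flags):
            return label
    return None


if __name__ == "__main__":
    for flags in (0x02, 0x12, 0x0A, 0x00, 0x29, 0x18):
        print(hex(flags), classify(flags))
```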

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet started a new connection, or is associated with one which has not seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This count is recharged by one every time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate; the default unit is per second.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.

Default value
second
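The following Python block is an added example, not part of the product documentation: a token-bucket model of the limit match described above. The bucket starts full at `burst` tokens, each matching packet spends one, and tokens are recharged at `rate` per UNIT up to `burst`; the defaults are the page's 3/hour and burst 5. Timestamps are seconds and are constructed; Fractions keep the refill arithmetic exact.

```python
from fractions import Fraction

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """State of one 'limit burst <uint32> rate <uint32> UNIT' match."""

    def __init__(self, rate=3, unit="hour", burst=5):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.seconds_per_token = Fraction(UNIT_SECONDS[unit], rate)
        self.burst = burst
        self.tokens = Fraction(burst)   # bucket starts full
        self.last_seen = None

    def matches(self, now):
        """Return True if a packet seen at time `now` (seconds) matches."""
        if self.last_seen is not None:
            elapsed = Fraction(now) - self.last_seen
            if elapsed < 0:
                raise ValueError("timestamps must not go backwards")
            # Recharge proportionally to the time since the last packet,
            # never beyond the burst size.
            refill = elapsed / self.seconds_per_token
            self.tokens = min(Fraction(self.burst), self.tokens + refill)
        self.last_seen = Fraction(now)
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(limit, timestamps):
    """Feed packet timestamps through `limit` and collect the match results."""
    return [limit.matches(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed burst: six packets at t=0, then one at 10 and 20 minutes.
    # At 3/hour the bucket earns one token every 1200 s, so only the first
    # five packets and the one at t=1200 match. Pairing such a match with
    # "action log" keeps a flood of identical packets from filling the log.
    print(simulate(LimitMatch(), [0, 0, 0, 0, 0, 0, 600, 1200]))
```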

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<0-63>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the tos.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The tos value. Packets are matched against this value.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

Match the chunk types, and for some chunks the chunk flags, of Stream Control Transmission Protocol (SCTP) packets.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must be present in the packet.

SCOPE

SCOPE values

Description

all

Match all chunk types.

any

Match any chunk type.

only

Match only the listed chunk types, with no other chunk types present in the packet.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that the receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined (mandatory)

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that the receiver should check).
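The following Python block is an added example, not part of the product documentation: it evaluates the sctp-chunk-types match above, i.e. how SCOPE (all, any, only) is applied to the chunks bundled in one packet and how the examined/set flag check is applied to DATA, ABORT and SHUTDOWN COMPLETE chunks. A packet is modelled as a constructed list of (chunk-type name, chunk flags byte) pairs; flag bit positions follow RFC 4960 (DATA: I=0x08, U=0x04, B=0x02, E=0x01; ABORT and SHUTDOWN COMPLETE: T=0x01).

```python
DATA_FLAG_BITS = {"I": 0x08, "U": 0x04, "B": 0x02, "E": 0x01}
T_FLAG_BIT = 0x01


def flag_bits(names, table=DATA_FLAG_BITS):
    """Turn a list of flag letters (the SET / EXAMINED values) into a bitmask."""
    mask = 0
    for name in names:
        mask |= table[name]
    return mask


def _flags_ok(chunk_type, chunk_flags, flag_rules):
    """Apply the examined/set rule for this chunk type, if one is configured."""
    rule = flag_rules.get(chunk_type)
    if rule is None:
        return True
    examined, wanted = rule
    return (chunk_flags & examined) == wanted


def sctp_chunk_types_match(packet, scope, listed, flag_rules=None, invert=False):
    """Evaluate "sctp-chunk-types [not] SCOPE <types> ..." against `packet`.

    `flag_rules` maps a chunk type to (examined_mask, set_mask).
    all:  every listed type is present (with acceptable flags).
    any:  at least one listed type is present (with acceptable flags).
    only: every chunk in the packet is a listed type (with acceptable flags);
          a packet without chunks therefore satisfies "only".
    """
    flag_rules = flag_rules or {}
    listed = set(listed)
    if scope == "all":
        satisfied = {t for t, f in packet if t in listed and _flags_ok(t, f, flag_rules)}
        hit = listed <= satisfied
    elif scope == "any":
        hit = any(t in listed and _flags_ok(t, f, flag_rules) for t, f in packet)
    elif scope == "only":
        hit = all(t in listed and _flags_ok(t, f, flag_rules) for t, f in packet)
    else:
        raise ValueError("scope must be all, any or only")
    return hit != invert


if __name__ == "__main__":
    # Constructed packets: a bare INIT, and a SACK bundled with an unordered,
    # unfragmented DATA chunk.
    init_only = [("init", 0)]
    bundle = [("sack", 0), ("data", flag_bits(["U", "B", "E"]))]
    print(sctp_chunk_types_match(init_only, "only", ["init", "init-ack"]))
    print(sctp_chunk_types_match(bundle, "only", ["sack"]))
    unordered_only = {"data": (flag_bits(["U"]), flag_bits(["U"]))}
    print(sctp_chunk_types_match(bundle, "any", ["data"], unordered_only))
```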

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <leafref> dscp DSCP reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
     tos <0x0-0xff> mask <0x0-0xff>
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-in chains, the chain policy applies instead.

chain

Jump to the user chain by this name.

chain <leafref>
dscp

Alters the value of the DSCP bits within the tos field of the IPv4 header.

dscp DSCP

DSCP values

Description

<0-63>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp-net-unreachable

Reject with ICMP network unreachable.

icmp-host-unreachable

Reject with ICMP host unreachable.

icmp-port-unreachable

Reject with ICMP port unreachable.

icmp-proto-unreachable

Reject with ICMP protocol unreachable.

icmp-net-prohibited

Reject with ICMP network prohibited.

icmp-host-prohibited

Reject with ICMP host prohibited.

icmp-admin-prohibited

Reject with ICMP admin prohibited.

tcp-reset

Reject with a TCP RST packet. Can only be used on rules that match the TCP protocol.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>{1,29}
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the userid of the process which generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
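
The following Python block is an added example, not part of the product documentation: it models the set-xmark, save-mark and restore-mark arithmetic of the connmark action, the mark action, and the connmark/mark matches above (mask ANDed with the mark before comparison). The bit layout (a connection class in bits 16-23 of the ctmark, a zone id in bits 0-7 of the packet mark) and all values are constructed; the walkthrough shows why leaving ctmask at its default while restricting nfmask silently erases the class bits.

```python
MASK32 = 0xFFFFFFFF


def set_xmark(ctmark, value, mask=MASK32):
    """connmark set-xmark: zero the bits given by mask, then XOR value in."""
    return ((ctmark & ~mask) ^ value) & MASK32


def save_mark(ctmark, nfmark, nfmask=MASK32, ctmask=MASK32):
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """connmark restore-mark (mangle table only):
    nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def set_packet_mark(nfmark, value, mask=MASK32):
    """mark action: zero the bits given by mask in the packet mark, XOR value in."""
    return ((nfmark & ~mask) ^ value) & MASK32


def mark_matches(mark, value, mask=MASK32, invert=False):
    """connmark / mark match: the mask is ANDed with the mark before comparing."""
    hit = (mark & mask) == value
    return hit != invert


CLASS_MASK = 0x00FF0000   # constructed layout: connection class in bits 16-23
ZONE_MASK = 0x000000FF    # constructed layout: zone id in bits 0-7


def walkthrough():
    """Copy a zone id from the packet mark into an already classified ctmark."""
    ctmark = 0x00AA0000   # connection already carries class 0xAA
    nfmark = 0x12345678   # packet mark with zone id 0x78 in the low byte
    # Both masks restricted: only the zone byte changes, the class survives.
    careful = save_mark(ctmark, nfmark, nfmask=ZONE_MASK, ctmask=ZONE_MASK)
    # ctmask left at its default: every other ctmark bit is cleared first,
    # so the class is lost even though nfmask looks right.
    sloppy = save_mark(ctmark, nfmark, nfmask=ZONE_MASK)
    # Later packets of the connection get the zone byte back, nothing else.
    restored = restore_mark(0, careful, nfmask=ZONE_MASK, ctmask=ZONE_MASK)
    return {"careful": careful, "sloppy": sloppy, "restored": restored}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print("%-8s 0x%08x" % (name, value))
    # A connmark match on the class bits alone ignores the zone byte.
    print(mark_matches(0x00AA0078, 0x00AA0000, CLASS_MASK))
```
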
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).

clamp-mss-to-pmtu
tos

Alters the value of the tos field of the IPv4 header.

tos <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)

Bits that should be XORed into the tos.

<0x0-0xff>
mask

Zero the bits given by this mask in the tos.

mask <0x0-0xff>

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 filter chain <string>{1,28} rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 filter chain <string>{1,28} rule <uint64> counters bytes