ipv6 mangle¶
Packet alteration table.
vsr running config# vrf <vrf> firewall ipv6 mangle
prerouting¶
Altering packets as soon as they come in.
vsr running config# vrf <vrf> firewall ipv6 mangle prerouting
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 mangle prerouting
vsr running prerouting# policy POLICY
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 mangle prerouting
vsr running prerouting# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... rpfilter invert true|false \
... action STANDARD chain <string>{1,28} \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
|
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
|
Description |
---|---|
|
TCP protocol. |
|
UDP protocol. |
|
SCTP protocol. |
|
ICMPv6 protocol. |
|
IPsec ESP protocol. |
|
IPsec AH protocol. |
|
GRE protocol. |
|
L2TP protocol. |
|
IP-in-IP protocol. |
|
VRRP protocol. |
|
All protocols. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
icmpv6-type¶
Match the packet ICMP type.
icmpv6-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
|
Description |
---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set (mandatory)¶
Set flags.
set SET
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
examined¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE (mandatory)¶
The conntrack status to match.
VALUE
|
Description |
---|---|
|
No status. |
|
This is an expected connection (i.e. a conntrack helper set it up). |
|
Conntrack has seen packets in both directions. |
|
Conntrack entry should never be early-expired. |
|
Connection is confirmed: originating packet has left box. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE (mandatory)¶
The packet states to match.
VALUE
|
Description |
---|---|
|
Packet is associated with no known connection. |
|
Packet started new connection or associated with one which has not seen packets in both directions. |
|
Packet is associated with a connection which has seen packets in both directions. |
|
Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
|
Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
|
A virtual state, matching if the original source address differs from the reply destination. |
|
A virtual state, matching if the original destination differs from the reply source. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
---|---|
|
Match all chunk types. |
|
Match any chunk type. |
|
Match exactly chunk type. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
set¶
Set flags.
set SET
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
rpfilter¶
Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.
rpfilter invert true|false
invert¶
This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
invert true|false
- Default value
false
action¶
The action performed by this rule.
action STANDARD chain <string>{1,28} \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
|
Description |
---|---|
|
Emergency level. |
|
Alert level. |
|
Critical level. |
|
Error level. |
|
Warning level. |
|
Notice level. |
|
Info level. |
|
Debug level. |
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
|
Description |
---|---|
|
Log TCP sequence numbers. |
|
Log options from the TCP packet header. |
|
Log options from the IP/IPv6 packet header. |
|
Log the userid of the process which generated the packet. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
input¶
Altering packets before routing.
vsr running config# vrf <vrf> firewall ipv6 mangle input
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 mangle input
vsr running input# policy POLICY
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 mangle input
vsr running input# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... action STANDARD chain <string>{1,28} dscp DSCP \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu \
... tos <0x0-0xff> mask <0x0-0xff>
|
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
|
Description |
---|---|
|
TCP protocol. |
|
UDP protocol. |
|
SCTP protocol. |
|
ICMPv6 protocol. |
|
IPsec ESP protocol. |
|
IPsec AH protocol. |
|
GRE protocol. |
|
L2TP protocol. |
|
IP-in-IP protocol. |
|
VRRP protocol. |
|
All protocols. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
icmpv6-type¶
Match the packet ICMP type.
icmpv6-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
|
Description |
---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set (mandatory)¶
Set flags.
set SET
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
examined¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE (mandatory)¶
The conntrack status to match.
VALUE
|
Description |
---|---|
|
No status. |
|
This is an expected connection (i.e. a conntrack helper set it up). |
|
Conntrack has seen packets in both directions. |
|
Conntrack entry should never be early-expired. |
|
Connection is confirmed: originating packet has left box. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE (mandatory)¶
The packet states to match.
VALUE
|
Description |
---|---|
|
Packet is associated with no known connection. |
|
Packet started new connection or associated with one which has not seen packets in both directions. |
|
Packet is associated with a connection which has seen packets in both directions. |
|
Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
|
Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
|
A virtual state, matching if the original source address differs from the reply destination. |
|
A virtual state, matching if the original destination differs from the reply source. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
---|---|
|
Match all chunk types. |
|
Match any chunk type. |
|
Match exactly chunk type. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
set¶
Set flags.
set SET
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string>{1,28} dscp DSCP \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu \
tos <0x0-0xff> mask <0x0-0xff>
STANDARD¶
Standard action.
STANDARD
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
dscp¶
Alters the value of the DSCP bits within the tos header of the IPv4 packet.
dscp DSCP
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
|
Description |
---|---|
|
Emergency level. |
|
Alert level. |
|
Critical level. |
|
Error level. |
|
Warning level. |
|
Notice level. |
|
Info level. |
|
Debug level. |
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
|
Description |
---|---|
|
Log TCP sequence numbers. |
|
Log options from the TCP packet header. |
|
Log options from the IP/IPv6 packet header. |
|
Log the userid of the process which generated the packet. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
forward¶
Altering packets being routed.
vsr running config# vrf <vrf> firewall ipv6 mangle forward
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 mangle forward
vsr running forward# policy POLICY
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 mangle forward
vsr running forward# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... outbound-interface [not] <string> \
... action STANDARD chain <string>{1,28} set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
|
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
|
Description |
---|---|
|
TCP protocol. |
|
UDP protocol. |
|
SCTP protocol. |
|
ICMPv6 protocol. |
|
IPsec ESP protocol. |
|
IPsec AH protocol. |
|
GRE protocol. |
|
L2TP protocol. |
|
IP-in-IP protocol. |
|
VRRP protocol. |
|
All protocols. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
icmpv6-type¶
Match the packet ICMP type.
icmpv6-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
|
Description |
---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set (mandatory)¶
Set flags.
set SET
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
examined¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE (mandatory)¶
The conntrack status to match.
VALUE
|
Description |
---|---|
|
No status. |
|
This is an expected connection (i.e. a conntrack helper set it up). |
|
Conntrack has seen packets in both directions. |
|
Conntrack entry should never be early-expired. |
|
Connection is confirmed: originating packet has left box. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE (mandatory)¶
The packet states to match.
VALUE
|
Description |
---|---|
|
Packet is associated with no known connection. |
|
Packet started new connection or associated with one which has not seen packets in both directions. |
|
Packet is associated with a connection which has seen packets in both directions. |
|
Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
|
Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
|
A virtual state, matching if the original source address differs from the reply destination. |
|
A virtual state, matching if the original destination differs from the reply source. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
---|---|
|
Match all chunk types. |
|
Match any chunk type. |
|
Match exactly chunk type. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
set¶
Set flags.
set SET
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string>{1,28} set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
|
Description |
---|---|
|
Emergency level. |
|
Alert level. |
|
Critical level. |
|
Error level. |
|
Warning level. |
|
Notice level. |
|
Info level. |
|
Debug level. |
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
|
Description |
---|---|
|
Log TCP sequence numbers. |
|
Log options from the TCP packet header. |
|
Log options from the IP/IPv6 packet header. |
|
Log the userid of the process which generated the packet. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
output¶
Altering locally-generated packets before routing.
vsr running config# vrf <vrf> firewall ipv6 mangle output
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 mangle output
vsr running output# policy POLICY
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 mangle output
vsr running output# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... outbound-interface [not] <string> \
... action STANDARD chain <string>{1,28} dscp DSCP set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu \
... tos <0x0-0xff> mask <0x0-0xff>
|
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
|
Description |
---|---|
|
TCP protocol. |
|
UDP protocol. |
|
SCTP protocol. |
|
ICMPv6 protocol. |
|
IPsec ESP protocol. |
|
IPsec AH protocol. |
|
GRE protocol. |
|
L2TP protocol. |
|
IP-in-IP protocol. |
|
VRRP protocol. |
|
All protocols. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
icmpv6-type¶
Match the packet ICMP type.
icmpv6-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
|
Description |
---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set (mandatory)¶
Set flags.
set SET
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
examined¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE (mandatory)¶
The conntrack status to match.
VALUE
|
Description |
---|---|
|
No status. |
|
This is an expected connection (i.e. a conntrack helper set it up). |
|
Conntrack has seen packets in both directions. |
|
Conntrack entry should never be early-expired. |
|
Connection is confirmed: originating packet has left box. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE (mandatory)¶
The packet states to match.
VALUE
|
Description |
---|---|
|
Packet is associated with no known connection. |
|
Packet started new connection or associated with one which has not seen packets in both directions. |
|
Packet is associated with a connection which has seen packets in both directions. |
|
Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
|
Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
|
A virtual state, matching if the original source address differs from the reply destination. |
|
A virtual state, matching if the original destination differs from the reply source. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
---|---|
|
Match all chunk types. |
|
Match any chunk type. |
|
Match exactly chunk type. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
set¶
Set flags.
set SET
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string>{1,28} dscp DSCP set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu \
tos <0x0-0xff> mask <0x0-0xff>
STANDARD¶
Standard action.
STANDARD
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
dscp¶
Alters the value of the DSCP bits within the tos header of the IPv4 packet.
dscp DSCP
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
|
Description |
---|---|
|
Emergency level. |
|
Alert level. |
|
Critical level. |
|
Error level. |
|
Warning level. |
|
Notice level. |
|
Info level. |
|
Debug level. |
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
|
Description |
---|---|
|
Log TCP sequence numbers. |
|
Log options from the TCP packet header. |
|
Log options from the IP/IPv6 packet header. |
|
Log the userid of the process which generated the packet. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
postrouting¶
Altering packets as they are about to go.
vsr running config# vrf <vrf> firewall ipv6 mangle postrouting
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 mangle postrouting
vsr running postrouting# policy POLICY
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 mangle postrouting
vsr running postrouting# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... outbound-interface [not] <string> \
... action STANDARD chain <string>{1,28} set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
|
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
|
Description |
---|---|
|
TCP protocol. |
|
UDP protocol. |
|
SCTP protocol. |
|
ICMPv6 protocol. |
|
IPsec ESP protocol. |
|
IPsec AH protocol. |
|
GRE protocol. |
|
L2TP protocol. |
|
IP-in-IP protocol. |
|
VRRP protocol. |
|
All protocols. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
icmpv6-type¶
Match the packet ICMP type.
icmpv6-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
|
Description |
---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set (mandatory)¶
Set flags.
set SET
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
examined¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE (mandatory)¶
The conntrack status to match.
VALUE
|
Description |
---|---|
|
No status. |
|
This is an expected connection (i.e. a conntrack helper set it up). |
|
Conntrack has seen packets in both directions. |
|
Conntrack entry should never be early-expired. |
|
Connection is confirmed: originating packet has left box. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE (mandatory)¶
The packet states to match.
VALUE
|
Description |
---|---|
|
Packet is associated with no known connection. |
|
Packet started new connection or associated with one which has not seen packets in both directions. |
|
Packet is associated with a connection which has seen packets in both directions. |
|
Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
|
Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
|
A virtual state, matching if the original source address differs from the reply destination. |
|
A virtual state, matching if the original destination differs from the reply source. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
---|---|
|
Match all chunk types. |
|
Match any chunk type. |
|
Match exactly chunk type. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
set¶
Set flags.
set SET
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string>{1,28} set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
|
Description |
---|---|
|
Emergency level. |
|
Alert level. |
|
Critical level. |
|
Error level. |
|
Warning level. |
|
Notice level. |
|
Info level. |
|
Debug level. |
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
|
Description |
---|---|
|
Log TCP sequence numbers. |
|
Log options from the TCP packet header. |
|
Log options from the IP/IPv6 packet header. |
|
Log the userid of the process which generated the packet. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
chain¶
User chain.
vsr running config# vrf <vrf> firewall ipv6 mangle chain <string>{1,28}
|
The user chain name. |
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 mangle chain <string>{1,28}
vsr running chain <string>{1,28}# policy POLICY
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
- Default value
return
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 mangle chain <string>{1,28} packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 mangle chain <string>{1,28} bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 mangle chain <string>{1,28}
vsr running chain <string>{1,28}# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... outbound-interface [not] <string> \
... action STANDARD chain <string>{1,28} reject REJECT \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu \
... rpfilter invert true|false
|
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
|
Description |
---|---|
|
TCP protocol. |
|
UDP protocol. |
|
SCTP protocol. |
|
ICMPv6 protocol. |
|
IPsec ESP protocol. |
|
IPsec AH protocol. |
|
GRE protocol. |
|
L2TP protocol. |
|
IP-in-IP protocol. |
|
VRRP protocol. |
|
All protocols. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
|
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
|
Description |
---|---|
|
The domain-name type represents a DNS domain name. Fully quallified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length bytes and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
|
An IPv6 address. |
|
An IPv6 prefix: address and CIDR mask. |
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
|
A 16-bit port number used by a transport protocol such as TCP or UDP. |
icmpv6-type¶
Match the packet ICMP type.
icmpv6-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
|
Description |
---|---|
|
Echo request. |
|
Echo reply. |
|
Destination unreachable. |
|
Address unreachable. |
|
Port unreachable. |
|
No route to destination. |
|
Reject route to destination. |
|
Communication with destination administratively prohibited. |
|
Beyond scope of source address. |
|
Packet too big. |
|
Source address failed ingress/egress policy. |
|
TTL exceeded. |
|
Hop limit exceeded in transit. |
|
Fragment reassembly time exceeded. |
|
Parameter problem. |
|
Erroneous header field encountered. |
|
Unrecognized Next Header type encountered. |
|
Unrecognized IPv6 option encountered. |
|
Router solicitation. |
|
Router advertisement. |
|
Neighbor solicitation. |
|
Neighbor advertisement. |
|
Redirect message. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set (mandatory)¶
Set flags.
set SET
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
examined¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SYN flag. |
|
ACK flag. |
|
FIN flag. |
|
RST flag. |
|
URG flag. |
|
PSH flag. |
|
All flags. |
|
No flag. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE (mandatory)¶
The conntrack status to match.
VALUE
|
Description |
---|---|
|
No status. |
|
This is an expected connection (i.e. a conntrack helper set it up). |
|
Conntrack has seen packets in both directions. |
|
Conntrack entry should never be early-expired. |
|
Connection is confirmed: originating packet has left box. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE (mandatory)¶
The packet states to match.
VALUE
|
Description |
---|---|
|
Packet is associated with no known connection. |
|
Packet started new connection or associated with one which has not seen packets in both directions. |
|
Packet is associated with a connection which has seen packets in both directions. |
|
Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
|
Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
|
A virtual state, matching if the original source address differs from the reply destination. |
|
A virtual state, matching if the original destination differs from the reply source. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
|
Description |
---|---|
|
A differentiated services code point (DSCP) marking within the IP header. |
|
AF11 (assured forwarding) class (10). |
|
AF12 (assured forwarding) class (12). |
|
AF13 (assured forwarding) class (14). |
|
AF21 (assured forwarding) class (18). |
|
AF22 (assured forwarding) class (20). |
|
AF23 (assured forwarding) class (22). |
|
AF31 (assured forwarding) class (26). |
|
AF32 (assured forwarding) class (28). |
|
AF33 (assured forwarding) class (30). |
|
AF41 (assured forwarding) class (34). |
|
AF42 (assured forwarding) class (36). |
|
AF43 (assured forwarding) class (38). |
|
BE (best effort) class (0). |
|
CS0 (class selector) class (0). |
|
CS1 (class selector) class (8). |
|
CS2 (class selector) class (16). |
|
CS3 (class selector) class (24). |
|
CS4 (class selector) class (32). |
|
CS5 (class selector) class (40). |
|
CS6 (class selector) class (48). |
|
CS7 (class selector) class (56). |
|
EF (expedited forwarding) class (46). |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
---|---|
|
Match all chunk types. |
|
Match any chunk type. |
|
Match exactly chunk type. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
set¶
Set flags.
set SET
|
Description |
---|---|
|
SACK chunk should be sent back without delay. |
|
Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
|
Marks the beginning fragment. An unfragmented chunk has this flag set. |
|
Marks the end fragment. An unfragmented chunk has this flag set. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined (mandatory)¶
Examined flags.
examined EXAMINED
|
Means the sender sent its own Verification Tag (that receiver should check). |
set¶
Set flags.
set SET
|
Means the sender sent its own Verification Tag (that receiver should check). |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string>{1,28} reject REJECT \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
|
Description |
---|---|
|
Let the packet through. |
|
Drop the packet. |
|
Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
|
Description |
---|---|
|
Reject with ICMPv6 no route. |
|
Reject with ICMPv6 admin prohibited. |
|
Reject with ICMPv6 address unreachable. |
|
Reject with ICMPv6 port unreachable. |
|
Reject with TCP RST packet. Can be used on rules which only match the TCP protocol. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string>{1,29} additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
|
Description |
---|---|
|
Emergency level. |
|
Alert level. |
|
Critical level. |
|
Error level. |
|
Warning level. |
|
Notice level. |
|
Info level. |
|
Debug level. |
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
|
Description |
---|---|
|
Log TCP sequence numbers. |
|
Log options from the TCP packet header. |
|
Log options from the IP/IPv6 packet header. |
|
Log the userid of the process which generated the packet. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
rpfilter¶
Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.
rpfilter invert true|false
invert¶
This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
invert true|false
- Default value
false
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 mangle chain <string>{1,28} rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 mangle chain <string>{1,28} rule <uint64> counters bytes