# ipv4 raw

Mainly used to exempt packets from connection tracking.

```
vrouter running config# vrf <vrf> firewall ipv4 raw
```

## prerouting

Packets as soon as they come in.

```
vrouter running config# vrf <vrf> firewall ipv4 raw prerouting
```

### policy

Action when no rule matches.

```
vrouter running config# vrf <vrf> firewall ipv4 raw prerouting
vrouter running prerouting# policy POLICY
```

| POLICY | Description |
|---|---|
| accept | Let the packet through. |
| drop | Drop the packet. |
| return | Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |

- Default value: accept
### rule

A rule to perform an action on matching packets.

```
vrouter running config# vrf <vrf> firewall ipv4 raw prerouting
vrouter running prerouting# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <leafref> notrack \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu
```

| <uint64> | Priority of the rule. A higher number means a lower priority. |
#### protocol

Match the protocol.

```
protocol [not] VALUE
```

##### VALUE (mandatory)

The protocol to match.

| VALUE | Description |
|---|---|
| tcp | TCP protocol. |
| udp | UDP protocol. |
| sctp | SCTP protocol. |
| icmp | ICMP protocol. |
| esp | IPsec ESP protocol. |
| ah | IPsec AH protocol. |
| gre | GRE protocol. |
| l2tp | L2TP protocol. |
| ipip | IP-in-IP protocol. |
| vrrp | VRRP protocol. |
| all | All protocols. |
| <uint16> | Protocol number from /etc/protocols. |
| <string> | Protocol name from /etc/protocols. |
#### destination

Match on destination fields.

```
destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
```

##### address

Match on destination address.

```
address [not] VALUE
```

###### VALUE (mandatory)

The address to match.

| VALUE | Description |
|---|---|
| <domain-name> | The domain-name type represents a DNS domain name. Whether a domain name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The type's pattern is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
| <A.B.C.D> | An IPv4 address. |
| <A.B.C.D/M> | An IPv4 prefix: address and CIDR mask. |

##### port

Match on destination port.

```
port [not] VALUE
```

###### VALUE (mandatory)

The port to match.

| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. |
#### source

Match on source fields.

```
source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
```

##### address

Match on source address.

```
address [not] VALUE
```

###### VALUE (mandatory)

The address to match.

| VALUE | Description |
|---|---|
| <domain-name> | The domain-name type represents a DNS domain name. Whether a domain name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The type's pattern is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
| <A.B.C.D> | An IPv4 address. |
| <A.B.C.D/M> | An IPv4 prefix: address and CIDR mask. |

##### port

Match on source port.

```
port [not] VALUE
```

###### VALUE (mandatory)

The port to match.

| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. |
#### icmp-type

Match the packet ICMP type.

```
icmp-type [not] VALUE
```

##### VALUE (mandatory)

The ICMP type to match.

| VALUE | Description |
|---|---|
| any | Any ICMP type. |
| echo-request | Echo request. |
| echo-reply | Echo reply. |
| destination-unreachable | Destination unreachable. |
| network-unreachable | Network unreachable. |
| host-unreachable | Host unreachable. |
| protocol-unreachable | Protocol unreachable. |
| port-unreachable | Port unreachable. |
| fragmentation-needed | Fragmentation needed. |
| source-route-failed | Source route failed. |
| network-unknown | Network unknown. |
| host-unknown | Host unknown. |
| network-prohibited | Network prohibited. |
| host-prohibited | Host prohibited. |
| TOS-network-unreachable | TOS network unreachable. |
| TOS-host-unreachable | TOS host unreachable. |
| communication-prohibited | Communication prohibited. |
| host-precedence-violation | Host precedence violation. |
| precedence-cutoff | Precedence cutoff. |
| source-quench | Source quench. |
| redirect | Redirect. |
| network-redirect | Network redirect. |
| host-redirect | Host redirect. |
| TOS-network-redirect | TOS network redirect. |
| TOS-host-redirect | TOS host redirect. |
| router-advertisement | Router advertisement. |
| router-solicitation | Router solicitation. |
| ttl-exceeded | TTL exceeded. |
| ttl-zero-during-transit | Time to Live exceeded in transit. |
| ttl-zero-during-reassembly | Fragment reassembly time exceeded. |
| parameter-problem | Parameter problem. |
| ip-header-bad | Bad IP header. |
| required-option-missing | Missing a required option. |
| timestamp-request | Timestamp request. |
| timestamp-reply | Timestamp reply. |
| address-mask-request | Address mask request. |
| address-mask-reply | Address mask reply. |
#### tcp-flags

Match the packet TCP flags.

```
tcp-flags [not] set SET examined EXAMINED
```

##### set

Flags that must be set.

| SET | Description |
|---|---|
| syn | SYN flag. |
| ack | ACK flag. |
| fin | FIN flag. |
| rst | RST flag. |
| urg | URG flag. |
| psh | PSH flag. |
| all | All flags. |
| none | No flag. |

##### examined

Flags to examine.

| EXAMINED | Description |
|---|---|
| syn | SYN flag. |
| ack | ACK flag. |
| fin | FIN flag. |
| rst | RST flag. |
| urg | URG flag. |
| psh | PSH flag. |
| all | All flags. |
| none | No flag. |
#### conntrack

Match conntrack information.

```
conntrack \
     status [not] VALUE \
     state [not] VALUE
```

##### status

Match the connection status.

```
status [not] VALUE
```

###### VALUE

The conntrack status to match.

| VALUE | Description |
|---|---|
| none | No status. |
| expected | This is an expected connection (i.e. a conntrack helper set it up). |
| seen_reply | Conntrack has seen packets in both directions. |
| assured | Conntrack entry should never be early-expired. |
| confirmed | Connection is confirmed: the originating packet has left the box. |

##### state

Match the packet state regarding conntrack.

```
state [not] VALUE
```

###### VALUE

The packet states to match.

| VALUE | Description |
|---|---|
| invalid | Packet is associated with no known connection. |
| new | Packet started a new connection or is associated with one which has not seen packets in both directions. |
| established | Packet is associated with a connection which has seen packets in both directions. |
| related | Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
| untracked | Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
| snat | A virtual state, matching if the original source address differs from the reply destination. |
| dnat | A virtual state, matching if the original destination differs from the reply source. |
#### connmark

Matches the mark field associated with a connection.

```
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
```

##### <0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

#### limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

```
limit burst <uint32> \
     rate <uint32> UNIT
```

##### burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

```
burst <uint32>
```
#### dscp

Match the DSCP.

```
dscp [not] VALUE
```

##### VALUE (mandatory)

The DSCP value to match.

| VALUE | Description |
|---|---|
| <uint8> | A differentiated services code point (DSCP) marking within the IP header. |
| af11 | AF11 (assured forwarding) class (10). |
| af12 | AF12 (assured forwarding) class (12). |
| af13 | AF13 (assured forwarding) class (14). |
| af21 | AF21 (assured forwarding) class (18). |
| af22 | AF22 (assured forwarding) class (20). |
| af23 | AF23 (assured forwarding) class (22). |
| af31 | AF31 (assured forwarding) class (26). |
| af32 | AF32 (assured forwarding) class (28). |
| af33 | AF33 (assured forwarding) class (30). |
| af41 | AF41 (assured forwarding) class (34). |
| af42 | AF42 (assured forwarding) class (36). |
| af43 | AF43 (assured forwarding) class (38). |
| be | BE (best effort) class (0). |
| cs0 | CS0 (class selector) class (0). |
| cs1 | CS1 (class selector) class (8). |
| cs2 | CS2 (class selector) class (16). |
| cs3 | CS3 (class selector) class (24). |
| cs4 | CS4 (class selector) class (32). |
| cs5 | CS5 (class selector) class (40). |
| cs6 | CS6 (class selector) class (48). |
| cs7 | CS7 (class selector) class (56). |
| ef | EF (expedited forwarding) class (46). |

#### tos

Match the TOS field.

```
tos [not] <0x0-0xff> mask <0x0-0xff>
```

##### <0x0-0xff> (mandatory)

The TOS value. Packets are matched against this value.

#### mark

Matches the mark field associated with a packet.

```
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
```

##### <0x0-0xffffffff> (mandatory)

The mark value. Packets are matched against this value.
#### sctp-chunk-types

Matches Stream Control Transmission Protocol (SCTP) headers.

```
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
```

##### SCOPE (mandatory)

Invert the match.

| SCOPE | Description |
|---|---|
| all | Match all chunk types. |
| any | Match any chunk type. |
| only | Match exactly the listed chunk types. |

##### data

DATA chunk.

```
data examined EXAMINED set SET
```

###### examined

Flags to examine.

| EXAMINED | Description |
|---|---|
| I | SACK chunk should be sent back without delay. |
| U | Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
| B | Marks the beginning fragment. An unfragmented chunk has this flag set. |
| E | Marks the end fragment. An unfragmented chunk has this flag set. |

###### set

Flags that must be set.

| SET | Description |
|---|---|
| I | SACK chunk should be sent back without delay. |
| U | Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
| B | Marks the beginning fragment. An unfragmented chunk has this flag set. |
| E | Marks the end fragment. An unfragmented chunk has this flag set. |

##### abort

ABORT chunk.

```
abort examined EXAMINED set SET
```

###### examined

Flags to examine.

| EXAMINED | Means the sender sent its own Verification Tag (that the receiver should check). |

###### set

Flags that must be set.

| SET | Means the sender sent its own Verification Tag (that the receiver should check). |

##### shutdown-complete

SHUTDOWN COMPLETE chunk.

```
shutdown-complete examined EXAMINED set SET
```

###### examined

Flags to examine.

| EXAMINED | Means the sender sent its own Verification Tag (that the receiver should check). |

###### set

Flags that must be set.

| SET | Means the sender sent its own Verification Tag (that the receiver should check). |
#### inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

```
inbound-interface [not] <string>
```

#### rpfilter

Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.

```
rpfilter invert true|false
```

##### invert

This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.

```
invert true|false
```

- Default value: false
#### action

The action performed by this rule.

```
action STANDARD chain <leafref> notrack \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
```

##### STANDARD

Standard action.

| STANDARD | Description |
|---|---|
| accept | Let the packet through. |
| drop | Drop the packet. |
| return | Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |

##### connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

```
connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
```

###### set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

```
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
```

###### save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: `ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)`, i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

```
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
```

###### restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: `nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)`, i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

```
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
```

##### log

Turn on logging of matching packets.

```
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
```

###### level

Level of logging.

| LEVEL | Description |
|---|---|
| emergency | Emergency level. |
| alert | Alert level. |
| critical | Critical level. |
| error | Error level. |
| warning | Warning level. |
| notice | Notice level. |
| info | Info level. |
| debug | Debug level. |

###### additional-infos

Append additional information to the logs.

| ADDITIONAL-INFOS | Description |
|---|---|
| tcp-sequence | Log TCP sequence numbers. |
| tcp-options | Log options from the TCP packet header. |
| ip-options | Log options from the IP/IPv6 packet header. |
| user-id | Log the user ID of the process which generated the packet. |

##### mark

Used to set the mark value associated with the packet.

```
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
```
## output

Locally-generated packets before routing.

```
vrouter running config# vrf <vrf> firewall ipv4 raw output
```

### policy

Action when no rule matches.

```
vrouter running config# vrf <vrf> firewall ipv4 raw output
vrouter running output# policy POLICY
```

| POLICY | Description |
|---|---|
| accept | Let the packet through. |
| drop | Drop the packet. |
| return | Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. |

- Default value: accept
### rule

A rule to perform an action on matching packets.

```
vrouter running config# vrf <vrf> firewall ipv4 raw output
vrouter running output# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <leafref> notrack \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu
```

| <uint64> | Priority of the rule. A higher number means a lower priority. |
#### protocol

Match the protocol.

```
protocol [not] VALUE
```

##### VALUE (mandatory)

The protocol to match.

| VALUE | Description |
|---|---|
| tcp | TCP protocol. |
| udp | UDP protocol. |
| sctp | SCTP protocol. |
| icmp | ICMP protocol. |
| esp | IPsec ESP protocol. |
| ah | IPsec AH protocol. |
| gre | GRE protocol. |
| l2tp | L2TP protocol. |
| ipip | IP-in-IP protocol. |
| vrrp | VRRP protocol. |
| all | All protocols. |
| <uint16> | Protocol number from /etc/protocols. |
| <string> | Protocol name from /etc/protocols. |
#### destination

Match on destination fields.

```
destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
```

##### address

Match on destination address.

```
address [not] VALUE
```

###### VALUE (mandatory)

The address to match.

| VALUE | Description |
|---|---|
| <domain-name> | The domain-name type represents a DNS domain name. Whether a domain name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The type's pattern is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
| <A.B.C.D> | An IPv4 address. |
| <A.B.C.D/M> | An IPv4 prefix: address and CIDR mask. |

##### port

Match on destination port.

```
port [not] VALUE
```

###### VALUE (mandatory)

The port to match.

| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. |
#### source

Match on source fields.

```
source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
```

##### address

Match on source address.

```
address [not] VALUE
```

###### VALUE (mandatory)

The address to match.

| VALUE | Description |
|---|---|
| <domain-name> | The domain-name type represents a DNS domain name. Whether a domain name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The type's pattern is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
| <A.B.C.D> | An IPv4 address. |
| <A.B.C.D/M> | An IPv4 prefix: address and CIDR mask. |

##### port

Match on source port.

```
port [not] VALUE
```

###### VALUE (mandatory)

The port to match.

| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. |
#### icmp-type

Match the packet ICMP type.

```
icmp-type [not] VALUE
```

##### VALUE (mandatory)

The ICMP type to match.

| VALUE | Description |
|---|---|
| any | Any ICMP type. |
| echo-request | Echo request. |
| echo-reply | Echo reply. |
| destination-unreachable | Destination unreachable. |
| network-unreachable | Network unreachable. |
| host-unreachable | Host unreachable. |
| protocol-unreachable | Protocol unreachable. |
| port-unreachable | Port unreachable. |
| fragmentation-needed | Fragmentation needed. |
| source-route-failed | Source route failed. |
| network-unknown | Network unknown. |
| host-unknown | Host unknown. |
| network-prohibited | Network prohibited. |
| host-prohibited | Host prohibited. |
| TOS-network-unreachable | TOS network unreachable. |
| TOS-host-unreachable | TOS host unreachable. |
| communication-prohibited | Communication prohibited. |
| host-precedence-violation | Host precedence violation. |
| precedence-cutoff | Precedence cutoff. |
| source-quench | Source quench. |
| redirect | Redirect. |
| network-redirect | Network redirect. |
| host-redirect | Host redirect. |
| TOS-network-redirect | TOS network redirect. |
| TOS-host-redirect | TOS host redirect. |
| router-advertisement | Router advertisement. |
| router-solicitation | Router solicitation. |
| ttl-exceeded | TTL exceeded. |
| ttl-zero-during-transit | Time to Live exceeded in transit. |
| ttl-zero-during-reassembly | Fragment reassembly time exceeded. |
| parameter-problem | Parameter problem. |
| ip-header-bad | Bad IP header. |
| required-option-missing | Missing a required option. |
| timestamp-request | Timestamp request. |
| timestamp-reply | Timestamp reply. |
| address-mask-request | Address mask request. |
| address-mask-reply | Address mask reply. |
#### tcp-flags

Match the packet TCP flags.

```
tcp-flags [not] set SET examined EXAMINED
```

##### set

Flags that must be set.

| SET | Description |
|---|---|
| syn | SYN flag. |
| ack | ACK flag. |
| fin | FIN flag. |
| rst | RST flag. |
| urg | URG flag. |
| psh | PSH flag. |
| all | All flags. |
| none | No flag. |

##### examined

Flags to examine.

| EXAMINED | Description |
|---|---|
| syn | SYN flag. |
| ack | ACK flag. |
| fin | FIN flag. |
| rst | RST flag. |
| urg | URG flag. |
| psh | PSH flag. |
| all | All flags. |
| none | No flag. |
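As an added illustration (not code from the vrouter documentation), the following Python model shows how a `tcp-flags [not] set SET examined EXAMINED` match, as used by both the prerouting and output rules above, evaluates a packet. It assumes the usual netfilter mask/compare semantics: only the EXAMINED flags are looked at, and among them exactly the SET flags must be on; the rule names in `classify` are constructed.

```python
# Added example, not part of the vrouter documentation. It models the
# `tcp-flags [not] set SET examined EXAMINED` match of the prerouting and
# output rules. Assumed semantics (the usual netfilter mask/compare rule):
# only the flags listed in EXAMINED are looked at, and among those exactly
# the flags listed in SET must be on; `not` inverts the verdict.

# Bit values of the TCP flags as they appear in the header's flag byte.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL_FLAGS = 0x3F


def flags_to_bits(names):
    """Translate SET/EXAMINED keywords (syn, ack, ..., all, none) to a bitmask."""
    bits = 0
    for name in names:
        if name == "all":
            bits |= ALL_FLAGS
        elif name == "none":
            continue                 # 'none' contributes no bits
        else:
            bits |= FLAG_BITS[name]  # KeyError for an unknown keyword
    return bits


def tcp_flags_match(packet_flags, set_names, examined_names, invert=False):
    """Return True if a packet carrying `packet_flags` (a list of keywords)
    matches `tcp-flags [not] set SET examined EXAMINED`."""
    examined = flags_to_bits(examined_names)
    wanted = flags_to_bits(set_names)
    if wanted & ~examined:
        # A flag required to be set but not examined can never match;
        # refuse such a rule instead of silently never matching.
        raise ValueError("every SET flag must also be in EXAMINED")
    matched = (flags_to_bits(packet_flags) & examined) == wanted
    return matched != invert


def classify(packet_flags):
    """Evaluate a few constructed rules of the kind a defender writes in the
    raw table and return the name of the first one that matches, or None."""
    rules = [
        # Only SYN set among all flags: the first packet of a new connection.
        ("new-connection", ["syn"], ["all"], False),
        # No flag set at all: a NULL packet, never valid TCP.
        ("null-packet", ["none"], ["all"], False),
        # SYN and FIN both set: an illegal combination worth logging.
        ("syn-fin", ["syn", "fin"], ["syn", "fin"], False),
        # Everything that is not a pure SYN, expressed with `not`.
        ("not-new", ["syn"], ["all"], True),
    ]
    for name, set_names, examined_names, invert in rules:
        if tcp_flags_match(packet_flags, set_names, examined_names, invert):
            return name
    return None
```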
#### conntrack

Match conntrack information.

```
conntrack \
     status [not] VALUE \
     state [not] VALUE
```

##### status

Match the connection status.

```
status [not] VALUE
```

###### VALUE

The conntrack status to match.

| VALUE | Description |
|---|---|
| none | No status. |
| expected | This is an expected connection (i.e. a conntrack helper set it up). |
| seen_reply | Conntrack has seen packets in both directions. |
| assured | Conntrack entry should never be early-expired. |
| confirmed | Connection is confirmed: the originating packet has left the box. |

##### state

Match the packet state regarding conntrack.

```
state [not] VALUE
```

###### VALUE

The packet states to match.

| VALUE | Description |
|---|---|
| invalid | Packet is associated with no known connection. |
| new | Packet started a new connection or is associated with one which has not seen packets in both directions. |
| established | Packet is associated with a connection which has seen packets in both directions. |
| related | Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. |
| untracked | Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. |
| snat | A virtual state, matching if the original source address differs from the reply destination. |
| dnat | A virtual state, matching if the original destination differs from the reply source. |
#### connmark

Matches the mark field associated with a connection.

```
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
```

##### <0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

#### limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

```
limit burst <uint32> \
     rate <uint32> UNIT
```

##### burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

```
burst <uint32>
```
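To make the recharge rule concrete for the `limit` match of the prerouting and output rules, here is an added Python model (not the vrouter's code) of `limit burst <uint32> rate <uint32> UNIT` as a token bucket: the bucket starts full at `burst`, each matched packet takes one token, and one token comes back every `UNIT/rate` seconds. The UNIT keywords and the arrival times are assumptions and constructed data.

```python
# Added example, not the vrouter's own code: a token-bucket model of the
# `limit burst <uint32> rate <uint32> UNIT` match used by the prerouting and
# output rules. Assumptions: the bucket starts full at `burst`, each matched
# packet takes one token, one token comes back every UNIT/rate seconds, and
# UNIT is one of the keywords below (the page does not list them).
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """State of one `limit` match; defaults are the page's 3/hour, burst 5."""

    def __init__(self, rate=3, unit="hour", burst=5):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.interval = UNIT_SECONDS[unit] / rate   # seconds per token
        self.burst = burst
        self.tokens = burst                         # bucket starts full
        self.last_refill = 0.0                      # time of last recharge

    def matches(self, now):
        """Return True if a packet seen at time `now` (seconds) matches."""
        if now < self.last_refill:
            raise ValueError("timestamps must be non-decreasing")
        # Recharge one token per elapsed interval, never above `burst`, and
        # advance the clock only by whole intervals so no credit is lost.
        refilled = int((now - self.last_refill) // self.interval)
        if refilled:
            self.tokens = min(self.burst, self.tokens + refilled)
            self.last_refill += refilled * self.interval
        if self.tokens > 0:
            self.tokens -= 1
            return True
        return False


def simulate(timestamps, rate=3, unit="hour", burst=5):
    """Run a packet arrival sequence through one limit match and return the
    per-packet verdicts (True = matched, False = over the limit)."""
    state = LimitMatch(rate, unit, burst)
    return [state.matches(t) for t in timestamps]


# Constructed arrival times (seconds): a burst of six packets at t=0, then
# two at 20 minutes, which is exactly one recharge interval at 3/hour.
DEFAULT_ARRIVALS = [0, 0, 0, 0, 0, 0, 1200, 1200]
```

With the defaults, the sixth packet of the burst is over the limit and only one of the two packets at 20 minutes gets the single recharged token.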
#### dscp

Match the DSCP.

```
dscp [not] VALUE
```

##### VALUE (mandatory)

The DSCP value to match.

| VALUE | Description |
|---|---|
| <uint8> | A differentiated services code point (DSCP) marking within the IP header. |
| af11 | AF11 (assured forwarding) class (10). |
| af12 | AF12 (assured forwarding) class (12). |
| af13 | AF13 (assured forwarding) class (14). |
| af21 | AF21 (assured forwarding) class (18). |
| af22 | AF22 (assured forwarding) class (20). |
| af23 | AF23 (assured forwarding) class (22). |
| af31 | AF31 (assured forwarding) class (26). |
| af32 | AF32 (assured forwarding) class (28). |
| af33 | AF33 (assured forwarding) class (30). |
| af41 | AF41 (assured forwarding) class (34). |
| af42 | AF42 (assured forwarding) class (36). |
| af43 | AF43 (assured forwarding) class (38). |
| be | BE (best effort) class (0). |
| cs0 | CS0 (class selector) class (0). |
| cs1 | CS1 (class selector) class (8). |
| cs2 | CS2 (class selector) class (16). |
| cs3 | CS3 (class selector) class (24). |
| cs4 | CS4 (class selector) class (32). |
| cs5 | CS5 (class selector) class (40). |
| cs6 | CS6 (class selector) class (48). |
| cs7 | CS7 (class selector) class (56). |
| ef | EF (expedited forwarding) class (46). |

#### tos

Match the TOS field.

```
tos [not] <0x0-0xff> mask <0x0-0xff>
```

##### <0x0-0xff> (mandatory)

The TOS value. Packets are matched against this value.

#### mark

Matches the mark field associated with a packet.

```
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
```

##### <0x0-0xffffffff> (mandatory)

The mark value. Packets are matched against this value.
#### sctp-chunk-types

Matches Stream Control Transmission Protocol (SCTP) headers.

```
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
```

##### SCOPE (mandatory)

Invert the match.

| SCOPE | Description |
|---|---|
| all | Match all chunk types. |
| any | Match any chunk type. |
| only | Match exactly the listed chunk types. |

##### data

DATA chunk.

```
data examined EXAMINED set SET
```

###### examined

Flags to examine.

| EXAMINED | Description |
|---|---|
| I | SACK chunk should be sent back without delay. |
| U | Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
| B | Marks the beginning fragment. An unfragmented chunk has this flag set. |
| E | Marks the end fragment. An unfragmented chunk has this flag set. |

###### set

Flags that must be set.

| SET | Description |
|---|---|
| I | SACK chunk should be sent back without delay. |
| U | Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. |
| B | Marks the beginning fragment. An unfragmented chunk has this flag set. |
| E | Marks the end fragment. An unfragmented chunk has this flag set. |

##### abort

ABORT chunk.

```
abort examined EXAMINED set SET
```

###### examined

Flags to examine.

| EXAMINED | Means the sender sent its own Verification Tag (that the receiver should check). |

###### set

Flags that must be set.

| SET | Means the sender sent its own Verification Tag (that the receiver should check). |

##### shutdown-complete

SHUTDOWN COMPLETE chunk.

```
shutdown-complete examined EXAMINED set SET
```

###### examined

Flags to examine.

| EXAMINED | Means the sender sent its own Verification Tag (that the receiver should check). |

###### set

Flags that must be set.

| SET | Means the sender sent its own Verification Tag (that the receiver should check). |
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <leafref> notrack \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
| Value | Description |
|---|---|
| accept | Let the packet through. | 
| drop | Drop the packet. | 
| return | Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. | 
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
| Value | Description |
|---|---|
| emergency | Emergency level. | 
| alert | Alert level. | 
| critical | Critical level. | 
| error | Error level. | 
| warning | Warning level. | 
| notice | Notice level. | 
| info | Info level. | 
| debug | Debug level. | 
additional-infos¶
Append additional information to the logs.
additional-infos ADDITIONAL-INFOS
| Value | Description |
|---|---|
| tcp-sequence | Log TCP sequence numbers. | 
| tcp-options | Log options from the TCP packet header. | 
| ip-options | Log options from the IP/IPv6 packet header. | 
| user-id | Log the userid of the process which generated the packet. | 
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
chain¶
User chain.
vrouter running config# vrf <vrf> firewall ipv4 raw chain <string>
| <string> | The user chain name. | 
policy¶
Action when no rule match.
vrouter running config# vrf <vrf> firewall ipv4 raw chain <string>
vrouter running chain <string># policy POLICY
| Value | Description |
|---|---|
| accept | Let the packet through. | 
| drop | Drop the packet. | 
| return | Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. | 
- Default value
- accept
packets (state only)¶
Packets.
vrouter> show state vrf <vrf> firewall ipv4 raw chain <string> packets
rule¶
A rule to perform an action on matching packets.
vrouter running config# vrf <vrf> firewall ipv4 raw chain <string>
vrouter running chain <string># rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <leafref> dscp DSCP reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
...     tos <0x0-0xff> mask <0x0-0xff>
| <uint64> | Priority of the rule. High number means lower priority. | 
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
| Value | Description |
|---|---|
| tcp | TCP protocol. | 
| udp | UDP protocol. | 
| sctp | SCTP protocol. | 
| icmp | ICMP protocol. | 
| esp | IPsec ESP protocol. | 
| ah | IPsec AH protocol. | 
| gre | GRE protocol. | 
| l2tp | L2TP protocol. | 
| ipip | IP-in-IP protocol. | 
| vrrp | VRRP protocol. | 
| all | All protocols. | 
| <uint16> | Protocol from /etc/protocols. | 
| <string> | Protocol from /etc/protocols. | 
destination¶
Match on destination fields.
destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on destination address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
| Value | Description |
|---|---|
| <domain-name> | The domain-name type represents a DNS domain name. Fully qualified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
| <A.B.C.D> | An IPv4 address. | 
| <A.B.C.D/M> | An IPv4 prefix: address and CIDR mask. | 
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
source¶
Match on source fields.
source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on source address.
address [not] VALUE
VALUE (mandatory)¶
The address to match.
VALUE
| Value | Description |
|---|---|
| <domain-name> | The domain-name type represents a DNS domain name. Fully qualified left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492. |
| <A.B.C.D> | An IPv4 address. | 
| <A.B.C.D/M> | An IPv4 prefix: address and CIDR mask. | 
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
icmp-type¶
Match the packet ICMP type.
icmp-type [not] VALUE
VALUE (mandatory)¶
The ICMP type to match.
VALUE
| Value | Description |
|---|---|
| any | Any ICMP type. | 
| echo-request | Echo request. | 
| echo-reply | Echo reply. | 
| destination-unreachable | Destination unreachable. | 
| network-unreachable | Network unreachable. | 
| host-unreachable | Host unreachable. | 
| protocol-unreachable | Protocol unreachable. | 
| port-unreachable | Port unreachable. | 
| fragmentation-needed | Fragmentation needed. | 
| source-route-failed | Source route failed. | 
| network-unknown | Network unknown. | 
| host-unknown | Host unknown. | 
| network-prohibited | Network prohibited. | 
| host-prohibited | Host prohibited. | 
| TOS-network-unreachable | TOS network unreachable. | 
| TOS-host-unreachable | TOS host unreachable. | 
| communication-prohibited | Communication prohibited. | 
| host-precedence-violation | Host precedence violation. | 
| precedence-cutoff | Precedence cutoff. | 
| source-quench | Source quench. | 
| redirect | Redirect. | 
| network-redirect | Network redirect. | 
| host-redirect | Host redirect. | 
| TOS-network-redirect | TOS network redirect. | 
| TOS-host-redirect | TOS host redirect. | 
| router-advertisement | Router advertisement. | 
| router-solicitation | Router solicitation. | 
| ttl-exceeded | TTL exceeded. | 
| ttl-zero-during-transit | Time to live exceeded in transit. |
| ttl-zero-during-reassembly | Fragment reassembly time exceeded. |
| parameter-problem | Parameter problem. | 
| ip-header-bad | Bad IP header. | 
| required-option-missing | Missing a required option. |
| timestamp-request | Timestamp request. | 
| timestamp-reply | Timestamp reply. | 
| address-mask-request | Address mask request. | 
| address-mask-reply | Address mask reply. | 
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
set¶
Set flags.
set SET
| Value | Description |
|---|---|
| syn | SYN flag. | 
| ack | ACK flag. | 
| fin | FIN flag. | 
| rst | RST flag. | 
| urg | URG flag. | 
| psh | PSH flag. | 
| all | All flags. | 
| none | No flag. | 
examined¶
Examined flags.
examined EXAMINED
| Value | Description |
|---|---|
| syn | SYN flag. | 
| ack | ACK flag. | 
| fin | FIN flag. | 
| rst | RST flag. | 
| urg | URG flag. | 
| psh | PSH flag. | 
| all | All flags. | 
| none | No flag. | 
conntrack¶
Match conntrack information.
conntrack \
     status [not] VALUE \
     state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
VALUE¶
The conntrack status to match.
VALUE
| Value | Description |
|---|---|
| none | No status. | 
| expected | This is an expected connection (i.e. a conntrack helper set it up). | 
| seen_reply | Conntrack has seen packets in both directions. | 
| assured | Conntrack entry should never be early-expired. | 
| confirmed | Connection is confirmed: originating packet has left box. | 
state¶
Match the packet state regarding conntrack.
state [not] VALUE
VALUE¶
The packet states to match.
VALUE
| Value | Description |
|---|---|
| invalid | Packet is associated with no known connection. |
| new | Packet started a new connection, or is associated with one which has not yet seen packets in both directions. |
| established | Packet is associated with a connection which has seen packets in both directions. | 
| related | Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error. | 
| untracked | Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table. | 
| snat | A virtual state, matching if the original source address differs from the reply destination. | 
| dnat | A virtual state, matching if the original destination differs from the reply source. | 
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
     rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
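A token-bucket model of the `limit` match described above (rate plus burst, with the documented defaults of 3/hour and burst 5), written here as an added example; it is not code from the vrouter product. The UNIT keyword names and the seconds-based clock are assumptions made for the model.

```python
# Added example: model of the documented `limit` match semantics.
# The bucket starts full (`burst` tokens); every matching packet spends one
# token, and tokens are regained at `rate` per UNIT, never above `burst`.
# UNIT names below are assumed for the model, not taken from the product.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    def __init__(self, rate: int = 3, unit: str = "hour", burst: int = 5):
        self.interval = UNIT_SECONDS[unit] / rate  # seconds per regained token
        self.burst = burst
        self.tokens = float(burst)  # full bucket: the first `burst` packets match
        self.last = None            # arrival time of the previous packet

    def matches(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` (seconds) matches."""
        if self.last is not None:
            # Recharge proportionally to elapsed time, capped at the burst size.
            elapsed = now - self.last
            self.tokens = min(self.burst, self.tokens + elapsed / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # rate exceeded: rule does not match, next rule is tried


def simulate(arrivals, **kwargs):
    """Run a list of arrival times (seconds) through one LimitMatch."""
    match = LimitMatch(**kwargs)
    return [match.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed arrivals: a burst of 7 packets in 7 seconds, then one more
    # arriving 20 minutes later (1200 s = one token at 3/hour).
    print(simulate([0, 1, 2, 3, 4, 5, 6, 1206]))
```

With the defaults, only the first five packets of the burst match; the sixth and seventh are skipped, and the packet 20 minutes later matches again because exactly one token has been regained.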
dscp¶
Match the DSCP.
dscp [not] VALUE
VALUE (mandatory)¶
The DSCP value to match.
VALUE
| Value | Description |
|---|---|
| <uint8> | A differentiated services code point (DSCP) marking within the IP header. | 
| af11 | AF11 (assured forwarding) class (10). | 
| af12 | AF12 (assured forwarding) class (12). | 
| af13 | AF13 (assured forwarding) class (14). | 
| af21 | AF21 (assured forwarding) class (18). | 
| af22 | AF22 (assured forwarding) class (20). | 
| af23 | AF23 (assured forwarding) class (22). | 
| af31 | AF31 (assured forwarding) class (26). | 
| af32 | AF32 (assured forwarding) class (28). | 
| af33 | AF33 (assured forwarding) class (30). | 
| af41 | AF41 (assured forwarding) class (34). | 
| af42 | AF42 (assured forwarding) class (36). | 
| af43 | AF43 (assured forwarding) class (38). | 
| be | BE (best effort) class (0). | 
| cs0 | CS0 (class selector) class (0). | 
| cs1 | CS1 (class selector) class (8). | 
| cs2 | CS2 (class selector) class (16). | 
| cs3 | CS3 (class selector) class (24). | 
| cs4 | CS4 (class selector) class (32). | 
| cs5 | CS5 (class selector) class (40). | 
| cs6 | CS6 (class selector) class (48). | 
| cs7 | CS7 (class selector) class (56). | 
| ef | EF (expedited forwarding) class (46). | 
tos¶
Match the TOS value.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Scope of the chunk-type match.
SCOPE
| Value | Description |
|---|---|
| all | Match all chunk types. |
| any | Match any chunk type. |
| only | Match exactly the listed chunk types. |
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| Value | Description |
|---|---|
| I | SACK chunk should be sent back without delay. | 
| U | Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. | 
| B | Marks the beginning fragment. An unfragmented chunk has this flag set. | 
| E | Marks the end fragment. An unfragmented chunk has this flag set. | 
set¶
Set flags.
set SET
| Value | Description |
|---|---|
| I | SACK chunk should be sent back without delay. | 
| U | Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set. | 
| B | Marks the beginning fragment. An unfragmented chunk has this flag set. | 
| E | Marks the end fragment. An unfragmented chunk has this flag set. | 
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | Means the sender sent its own Verification Tag (that receiver should check). | 
set¶
Set flags.
set SET
| SET | Means the sender sent its own Verification Tag (that receiver should check). | 
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | Means the sender sent its own Verification Tag (that receiver should check). | 
set¶
Set flags.
set SET
| SET | Means the sender sent its own Verification Tag (that receiver should check). | 
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
rpfilter¶
Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.
rpfilter invert true|false
invert¶
This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
invert true|false
- Default value
- false
action¶
The action performed by this rule.
action STANDARD chain <leafref> dscp DSCP reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
     tos <0x0-0xff> mask <0x0-0xff>
STANDARD¶
Standard action.
STANDARD
| Value | Description |
|---|---|
| accept | Let the packet through. | 
| drop | Drop the packet. | 
| return | Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy. | 
dscp¶
Alters the value of the DSCP bits within the tos header of the IPv4 packet.
dscp DSCP
| Value | Description |
|---|---|
| <uint8> | A differentiated services code point (DSCP) marking within the IP header. | 
| af11 | AF11 (assured forwarding) class (10). | 
| af12 | AF12 (assured forwarding) class (12). | 
| af13 | AF13 (assured forwarding) class (14). | 
| af21 | AF21 (assured forwarding) class (18). | 
| af22 | AF22 (assured forwarding) class (20). | 
| af23 | AF23 (assured forwarding) class (22). | 
| af31 | AF31 (assured forwarding) class (26). | 
| af32 | AF32 (assured forwarding) class (28). | 
| af33 | AF33 (assured forwarding) class (30). | 
| af41 | AF41 (assured forwarding) class (34). | 
| af42 | AF42 (assured forwarding) class (36). | 
| af43 | AF43 (assured forwarding) class (38). | 
| be | BE (best effort) class (0). | 
| cs0 | CS0 (class selector) class (0). | 
| cs1 | CS1 (class selector) class (8). | 
| cs2 | CS2 (class selector) class (16). | 
| cs3 | CS3 (class selector) class (24). | 
| cs4 | CS4 (class selector) class (32). | 
| cs5 | CS5 (class selector) class (40). | 
| cs6 | CS6 (class selector) class (48). | 
| cs7 | CS7 (class selector) class (56). | 
| ef | EF (expedited forwarding) class (46). | 
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
| Value | Description |
|---|---|
| icmp-net-unreachable | Reject with ICMP network unreachable. |
| icmp-host-unreachable | Reject with ICMP host unreachable. |
| icmp-port-unreachable | Reject with ICMP port unreachable. |
| icmp-proto-unreachable | Reject with ICMP protocol unreachable. |
| icmp-net-prohibited | Reject with ICMP network prohibited. | 
| icmp-host-prohibited | Reject with ICMP host prohibited. | 
| icmp-admin-prohibited | Reject with ICMP admin prohibited. | 
| tcp-reset | Reject with TCP RST packet. Can be used on rules which only match the TCP protocol. | 
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
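The three connmark operations (set-xmark, save-mark, restore-mark) documented above for the chain rule, and identically for the prerouting rule earlier on this page, modelled in Python as an added example that is not part of the vrouter documentation. The 32-bit mark layout used in the demonstration (high byte for a policy class, low byte for a QoS class) is an assumed layout chosen for illustration, not one the product defines.

```python
# Added example: the connmark target arithmetic as documented, using the
# page's own symbols (ctmark, nfmark, ctmask, nfmask) and default masks.
MASK32 = 0xFFFFFFFF


def set_xmark(ctmark: int, value: int, mask: int = MASK32) -> int:
    """set-xmark: zero out the bits given by mask, then XOR value in."""
    return ((ctmark & ~mask) ^ value) & MASK32


def save_mark(ctmark: int, nfmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark: int, ctmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


# Assumed (hypothetical) partition of the 32-bit mark for the demo below.
POLICY_MASK = 0xFF000000  # high byte: policy class already stored on the flow
QOS_MASK = 0x000000FF     # low byte: QoS class carried by individual packets


def demo_partitioned_marks():
    """Show why the masks matter when two subsystems share one 32-bit mark."""
    ctmark = 0x2A000000  # connection tagged with policy class 0x2A
    nfmark = 0x00000011  # packet carrying QoS class 0x11
    # Default masks (0xFFFFFFFF): the whole ctmark is replaced, policy byte lost.
    lost = save_mark(ctmark, nfmark)
    # Restricting both masks to the QoS byte updates only that byte.
    kept = save_mark(ctmark, nfmark, nfmask=QOS_MASK, ctmask=QOS_MASK)
    # restore-mark onto a fresh packet (nfmark 0) pulls back only the policy byte.
    restored = restore_mark(0, kept, nfmask=POLICY_MASK, ctmask=POLICY_MASK)
    return lost, kept, restored


def demo_xor_toggle():
    """ctmask=0 clears nothing, so the XOR toggles bits rather than setting
    them: applying save-mark twice with the same nfmark undoes the first call."""
    once = save_mark(0x00000011, 0x11, nfmask=QOS_MASK, ctmask=0)
    twice = save_mark(once, 0x11, nfmask=QOS_MASK, ctmask=0)
    return once, twice


if __name__ == "__main__":
    print([hex(v) for v in demo_partitioned_marks()])
    print([hex(v) for v in demo_xor_toggle()])
```

The second demonstration is the practical caveat: use the same value for the mask and the bits you intend to overwrite (or set-xmark with mask equal to value) when the intent is to set a field, since an uncleared bit is flipped, not assigned.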
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
| Value | Description |
|---|---|
| emergency | Emergency level. | 
| alert | Alert level. | 
| critical | Critical level. | 
| error | Error level. | 
| warning | Warning level. | 
| notice | Notice level. | 
| info | Info level. | 
| debug | Debug level. | 
additional-infos¶
Append additional information to the logs.
additional-infos ADDITIONAL-INFOS
| Value | Description |
|---|---|
| tcp-sequence | Log TCP sequence numbers. | 
| tcp-options | Log options from the TCP packet header. | 
| ip-options | Log options from the IP/IPv6 packet header. | 
| user-id | Log the userid of the process which generated the packet. | 
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>