ipv6 mangle

Packet alteration table.

vrouter running config# vrf <vrf> firewall ipv6 mangle

prerouting

Altering packets as soon as they come in, before the routing decision.

vrouter running config# vrf <vrf> firewall ipv6 mangle prerouting

policy

Action taken when no rule matches.

vrouter running config# vrf <vrf> firewall ipv6 mangle prerouting
vrouter running prerouting# policy POLICY
POLICY values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-in chains, the chain policy applies.
Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle prerouting packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle prerouting bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 mangle prerouting
vrouter running prerouting# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <string> mask <string> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   mark [not] <string> mask <string> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <string> \
...     connmark \
...       set-xmark <string> mask <string> \
...       save-mark nfmask <string> ctmask <string> \
...       restore-mark nfmask <string> ctmask <string> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <string> mask <string> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule: a higher number means a lower priority.

vrouter> show state vrf <vrf> firewall ipv6 mangle prerouting rule <uint64> id

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
sctp SCTP protocol.
ipv6-icmp ICMPv6 protocol.
esp IPsec ESP protocol.
ah IPsec AH protocol.
gre GRE protocol.
l2tp L2TP protocol.
ipip IP-in-IP protocol.
vrrp VRRP protocol.
all All protocols.
<uint16> Protocol from /etc/protocols.
<string> Protocol from /etc/protocols.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> A DNS domain name. Whether the name must be fully qualified is left to the models that use this type. Internet domain names are only loosely specified: Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123), and the pattern for this type is intended to allow current practice in domain name use plus some future expansion. It can hold names used for A or AAAA records (host names) as well as names used for other records, such as SRV records. Internet host names have a stricter syntax (RFC 952) than the DNS recommendations in RFCs 1034 and 1123; systems that store host names in this type should adhere to the stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 octets; since it consists of length-prefixed labels and a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding and their canonical form is lowercase; internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the address group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> A DNS domain name. Whether the name must be fully qualified is left to the models that use this type. Internet domain names are only loosely specified: Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123), and the pattern for this type is intended to allow current practice in domain name use plus some future expansion. It can hold names used for A or AAAA records (host names) as well as names used for other records, such as SRV records. Internet host names have a stricter syntax (RFC 952) than the DNS recommendations in RFCs 1034 and 1123; systems that store host names in this type should adhere to the stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 octets; since it consists of length-prefixed labels and a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding and their canonical form is lowercase; internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the address group.

<string>

icmpv6-type

Match the ICMPv6 type of the packet.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE
VALUE values Description
echo-request Echo request.
echo-reply Echo reply.
destination-unreachable Destination unreachable.
address-unreachable Address unreachable.
port-unreachable Port unreachable.
no-route No route to destination.
reject-route Reject route to destination.
communication-prohibited Communication with destination administratively prohibited.
beyond-scope Beyond scope of source address.
packet-too-big Packet too big.
failed-policy Source address failed ingress/egress policy.
ttl-exceeded Time exceeded (IPv6 hop limit); covers both codes below.
ttl-zero-during-transit Hop limit exceeded in transit.
ttl-zero-during-reassembly Fragment reassembly time exceeded.
parameter-problem Parameter problem.
bad-header Erroneous header field encountered.
unknown-header-type Unrecognized Next Header type encountered.
unknown-option Unrecognized IPv6 option encountered.
router-solicitation Router solicitation.
router-advertisement Router advertisement.
neighbor-solicitation Neighbor solicitation.
neighbor-advertisement Neighbor advertisement.
redirect Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET
SET values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE
VALUE values Description
none No status.
expected This is an expected connection (i.e. a conntrack helper set it up).
seen_reply Conntrack has seen packets in both directions.
assured Conntrack entry should never be early-expired.
confirmed Connection is confirmed: originating packet has left box.
state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE
VALUE values Description
invalid Packet is associated with no known connection.
new Packet started new connection or associated with one which has not seen packets in both directions.
established Packet is associated with a connection which has seen packets in both directions.
related Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
untracked Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.
snat A virtual state, matching if the original source address differs from the reply destination.
dnat A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets in connections are matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT
UNIT values Description
second Second.
minute Minute.
hour Hour.
day Day.

mark

Matches the mark field associated with a packet.

mark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets are matched against this value after the mask is applied.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

sctp-chunk-types

Match Stream Control Transmission Protocol (SCTP) chunk types and chunk flags.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are matched against the chunks present in the packet.

SCOPE
SCOPE values Description
all Match all chunk types.
any Match any chunk type.
only Match exactly chunk type.
init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
cookie-echo

COOKIE ECHO chunk.

cookie-echo
cookie-ack

COOKIE ACK chunk.

cookie-ack
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
set

Set flags.

set SET
SET values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).
set

Set flags.

set SET
SET The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).
shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).
set

Set flags.

set SET
SET The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).

inbound-interface

Name of the interface via which the packet was received. Only valid in the input, forward and prerouting chains.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

rpfilter

Performs a reverse path filter test on a packet: the packet matches if a reply to its source address would be routed out via the interface the packet arrived on. Combined with invert true and a drop action, this discards packets whose source address is not reachable through their ingress interface (spoofed sources). Asymmetric routing legitimately fails this test, so check the routing table before enabling it.

rpfilter invert true|false
invert

This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.

invert true|false
Default value
false
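The following model, added here as an example and not part of the vRouter documentation, shows what the rpfilter match decides. It uses a constructed IPv6 routing table with hypothetical prefixes and interface names (eth0, eth1, eth2) and a plain longest-prefix lookup in place of the kernel FIB; the decision rule is the one stated above, including the `invert true` form used to drop spoofed sources.

```python
"""Reverse-path filter decision, modelled in Python.

Added example, not from the vRouter documentation. The real match consults
the kernel FIB; this model reproduces only the decision rule with a
constructed routing table.
"""
import ipaddress

# Constructed routing table: (prefix, outgoing interface). The prefixes and
# interface names are hypothetical, chosen only for this example.
ROUTES = [
    ("::/0", "eth0"),                   # default route towards the Internet
    ("2001:db8:1::/48", "eth1"),        # internal site
    ("2001:db8:1:ffff::/64", "eth2"),   # a more specific internal subnet
]


def lookup(addr):
    """Longest-prefix match: the interface a reply to `addr` would leave by."""
    dst = ipaddress.IPv6Address(addr)
    best = None
    for prefix, ifname in ROUTES:
        net = ipaddress.IPv6Network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpfilter(src_addr, inbound_if, invert=False):
    """True when a packet from `src_addr` received on `inbound_if` matches.

    Without `invert`, the packet matches when the reply to its source would
    leave via the interface it arrived on (consistent reverse path).
    With `invert` the sense flips: the rule matches packets that FAIL the
    test, which is the form paired with a drop action against spoofing.
    A source with no route back (lookup returns None) always fails the test.
    """
    passed = lookup(src_addr) == inbound_if
    return (not passed) if invert else passed


if __name__ == "__main__":
    # A packet claiming an internal source but arriving from the Internet
    # side fails the test, so the inverted rule matches (and would drop it).
    print(rpfilter("2001:db8:1::10", "eth0", invert=True))
```

The third route illustrates the asymmetric-routing caveat: a packet from 2001:db8:1:ffff::10 that arrives on eth1 fails the test because the more specific route sends the reply out of eth2, even though the source is an internal address.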

action

The action performed by this rule.

action STANDARD chain <string> \
     connmark \
       set-xmark <string> mask <string> \
       save-mark nfmask <string> ctmask <string> \
       restore-mark nfmask <string> ctmask <string> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <string> mask <string> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD
STANDARD values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-in chains, the chain policy applies.
chain

Jump to the user chain by this name.

chain <string>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <string> mask <string> \
     save-mark nfmask <string> ctmask <string> \
     restore-mark nfmask <string> ctmask <string>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <string> mask <string>
<string> (mandatory)

XOR with this value.

<string>
mask

Zero the bits given by this mask.

mask <string>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <string> ctmask <string>
nfmask

Bits that should be XORed into the connection mark.

nfmask <string>
ctmask

Bits that should be cleared.

ctmask <string>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <string> ctmask <string>
nfmask

Bits that should be cleared.

nfmask <string>
ctmask

Bits that should be XORed into the packet mark.

ctmask <string>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL
LEVEL values Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notice Notice level.
info Info level.
debug Debug level.
prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>
additional-infos

Append additional information to the log entries.

additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS values Description
tcp-sequence Log TCP sequence numbers.
tcp-options Log options from the TCP packet header.
ip-options Log options from the IP/IPv6 packet header.
user-id Log the userid of the process which generated the packet.
mark

Used to set the mark value associated with the packet.

mark <string> mask <string>
<string> (mandatory)

Bits that should be XORed into the packet mark.

<string>
mask

Zero the bits given by this mask in the packet mark.

mask <string>
tcpmss

Alters the MSS option of TCP SYN packets, to control the maximum segment size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS to the path MTU minus the IP and TCP header size (path MTU - 40 for IPv4, path MTU - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle prerouting rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle prerouting rule <uint64> counters bytes

input

Altering packets addressed to the router itself, after the routing decision.

vrouter running config# vrf <vrf> firewall ipv6 mangle input

policy

Action taken when no rule matches.

vrouter running config# vrf <vrf> firewall ipv6 mangle input
vrouter running input# policy POLICY
POLICY values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-in chains, the chain policy applies.
Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle input packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle input bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 mangle input
vrouter running input# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <string> mask <string> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   mark [not] <string> mask <string> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   action STANDARD chain <string> \
...     connmark \
...       set-xmark <string> mask <string> \
...       save-mark nfmask <string> ctmask <string> \
...       restore-mark nfmask <string> ctmask <string> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <string> mask <string> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule: a higher number means a lower priority.

vrouter> show state vrf <vrf> firewall ipv6 mangle input rule <uint64> id

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
sctp SCTP protocol.
ipv6-icmp ICMPv6 protocol.
esp IPsec ESP protocol.
ah IPsec AH protocol.
gre GRE protocol.
l2tp L2TP protocol.
ipip IP-in-IP protocol.
vrrp VRRP protocol.
all All protocols.
<uint16> Protocol from /etc/protocols.
<string> Protocol from /etc/protocols.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> A DNS domain name. Whether the name must be fully qualified is left to the models that use this type. Internet domain names are only loosely specified: Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123), and the pattern for this type is intended to allow current practice in domain name use plus some future expansion. It can hold names used for A or AAAA records (host names) as well as names used for other records, such as SRV records. Internet host names have a stricter syntax (RFC 952) than the DNS recommendations in RFCs 1034 and 1123; systems that store host names in this type should adhere to the stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 octets; since it consists of length-prefixed labels and a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding and their canonical form is lowercase; internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the address group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> A DNS domain name. Whether the name must be fully qualified is left to the models that use this type. Internet domain names are only loosely specified: Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123), and the pattern for this type is intended to allow current practice in domain name use plus some future expansion. It can hold names used for A or AAAA records (host names) as well as names used for other records, such as SRV records. Internet host names have a stricter syntax (RFC 952) than the DNS recommendations in RFCs 1034 and 1123; systems that store host names in this type should adhere to the stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 octets; since it consists of length-prefixed labels and a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding and their canonical form is lowercase; internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: match packets whose address is not in the group.

not
<string> (mandatory)

The name of the address group.

<string>

icmpv6-type

Match the ICMPv6 type of the packet.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE
VALUE values Description
echo-request Echo request.
echo-reply Echo reply.
destination-unreachable Destination unreachable.
address-unreachable Address unreachable.
port-unreachable Port unreachable.
no-route No route to destination.
reject-route Reject route to destination.
communication-prohibited Communication with destination administratively prohibited.
beyond-scope Beyond scope of source address.
packet-too-big Packet too big.
failed-policy Source address failed ingress/egress policy.
ttl-exceeded Time exceeded (IPv6 hop limit); covers both codes below.
ttl-zero-during-transit Hop limit exceeded in transit.
ttl-zero-during-reassembly Fragment reassembly time exceeded.
parameter-problem Parameter problem.
bad-header Erroneous header field encountered.
unknown-header-type Unrecognized Next Header type encountered.
unknown-option Unrecognized IPv6 option encountered.
router-solicitation Router solicitation.
router-advertisement Router advertisement.
neighbor-solicitation Neighbor solicitation.
neighbor-advertisement Neighbor advertisement.
redirect Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET
SET values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
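The semantics of `tcp-flags set SET examined EXAMINED` (here and in the identical prerouting match above) are easy to get backwards, so this added example, which is not part of the vRouter documentation, models the decision: a packet matches when, among the EXAMINED flags, exactly the SET flags are on, and flags outside EXAMINED are ignored. The flag bit values are the TCP header bits; the packet flag words and rule lists are constructed for the example.

```python
"""TCP flag match model for `tcp-flags set SET examined EXAMINED`.

Added example, not from the vRouter documentation. Match rule:
    (packet_flags & examined_mask) == set_mask
`all` is the union of the six named flags and `none` is the empty mask.
"""
# TCP header flag bits (RFC 793 order in the low byte of the flags field).
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flag_mask(names):
    """Turn a list of flag names (as typed in the CLI) into a bitmask."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= sum(FLAG_BITS.values())
        elif name == "none":
            pass                      # contributes no bits
        else:
            mask |= FLAG_BITS[name]   # KeyError for an unknown flag name
    return mask


def tcp_flags_match(packet_flags, set_flags, examined_flags, invert=False):
    """True when the packet's flag word satisfies the rule."""
    matched = (packet_flags & flag_mask(examined_flags)) == flag_mask(set_flags)
    return (not matched) if invert else matched


# Constructed sample packets (flag words) and the rules they are checked against.
SYN_ONLY = FLAG_BITS["syn"]
SYN_ACK = FLAG_BITS["syn"] | FLAG_BITS["ack"]
SYN_PSH = FLAG_BITS["syn"] | FLAG_BITS["psh"]
NULL_SCAN = 0
XMAS_SCAN = FLAG_BITS["fin"] | FLAG_BITS["psh"] | FLAG_BITS["urg"]

# Rule used to pick out new connections: examine syn,ack,fin,rst and require
# only syn. PSH is not examined, so SYN_PSH still counts as a new connection.
NEW_CONN = (["syn"], ["syn", "ack", "fin", "rst"])
# Rule for a null scan: all flags examined, none set.
NULL_RULE = (["none"], ["all"])
# Rule for an Xmas scan: all flags examined, exactly fin,psh,urg set.
XMAS_RULE = (["fin", "psh", "urg"], ["all"])


def classify(packet_flags):
    """Name the first rule a constructed packet matches, for illustration."""
    for name, (set_flags, examined) in (("new-connection", NEW_CONN),
                                         ("null-scan", NULL_RULE),
                                         ("xmas-scan", XMAS_RULE)):
        if tcp_flags_match(packet_flags, set_flags, examined):
            return name
    return "other"
```

Note that `set syn examined syn` matches every packet with SYN on, including SYN/ACK replies; to match only connection openers the ACK bit must be in the examined list, as in NEW_CONN above.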

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE
VALUE values Description
none No status.
expected This is an expected connection (i.e. a conntrack helper set it up).
seen_reply Conntrack has seen packets in both directions.
assured Conntrack entry should never be early-expired.
confirmed Connection is confirmed: originating packet has left box.
state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE
VALUE values Description
invalid Packet is associated with no known connection.
new Packet started new connection or associated with one which has not seen packets in both directions.
established Packet is associated with a connection which has seen packets in both directions.
related Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
untracked Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.
snat A virtual state, matching if the original source address differs from the reply destination.
dnat A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets in connections are matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT
UNIT values Description
second Second.
minute Minute.
hour Hour.
day Day.
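The limit match (here and in the identical prerouting match above) is a token bucket: `burst` packets match immediately, then one more every 1/rate interval, with unused credit refilling up to `burst`. This added example, not part of the vRouter documentation, models that behaviour with caller-supplied timestamps so it runs deterministically; the kernel keeps an integer credit counter in jiffies, so exact boundary timing may differ slightly from this idealised model.

```python
"""Token-bucket model of `limit burst <uint32> rate <uint32> UNIT`.

Added example, not from the vRouter documentation. Defaults are the
documented ones: rate 3/hour, burst 5. Times are seconds supplied by the
caller, so the simulation is deterministic and needs no clock.
"""
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    def __init__(self, burst=5, rate=3, unit="hour"):
        self.capacity = float(burst)                 # bucket size
        self.interval = UNIT_SECONDS[unit] / rate    # seconds per token
        self.tokens = self.capacity                  # starts full
        self.last = 0.0

    def match(self, now):
        """True if a packet seen at time `now` matches; consumes one token."""
        elapsed = now - self.last
        self.tokens = min(self.capacity, self.tokens + elapsed / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(packet_times, burst=5, rate=3, unit="hour"):
    """Return the match result for each packet arrival time, in order."""
    lim = LimitMatch(burst, rate, unit)
    return [lim.match(t) for t in packet_times]


if __name__ == "__main__":
    # Constructed burst: six packets at once, then one 20 minutes later.
    print(simulate([0, 0, 0, 0, 0, 0, 1200]))
```

Packets beyond the rate do not match, so they fall through to the next rule. Pairing limit with a log action therefore caps log volume as intended, but a `limit` rule with a drop action drops at most `rate` packets and lets the flood through; to police a flow, accept with limit and drop in the rule after it.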

mark

Matches the mark field associated with a packet.

mark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets are matched against this value after the mask is applied.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

sctp-chunk-types

Match Stream Control Transmission Protocol (SCTP) chunk types and chunk flags.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are matched against the chunks present in the packet.

SCOPE
SCOPE values Description
all Match all chunk types.
any Match any chunk type.
only Match exactly chunk type.
init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
cookie-echo

COOKIE ECHO chunk.

cookie-echo
cookie-ack

COOKIE ACK chunk.

cookie-ack
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
set

Set flags.

set SET
SET values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).
set

Set flags.

set SET
SET The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).
shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).
set

Set flags.

set SET
SET The chunk's T flag, meaning the sender sent its own Verification Tag (which the receiver should check).

inbound-interface

Name of the interface via which the packet was received. Only valid in the input, forward and prerouting chains.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> \
     connmark \
       set-xmark <string> mask <string> \
       save-mark nfmask <string> ctmask <string> \
       restore-mark nfmask <string> ctmask <string> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <string> mask <string> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD
STANDARD values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
chain

Jump to the user chain by this name.

chain <string>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <string> mask <string> \
     save-mark nfmask <string> ctmask <string> \
     restore-mark nfmask <string> ctmask <string>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <string> mask <string>
<string> (mandatory)

XOR with this value.

<string>
mask

Zero the bits given by this mask.

mask <string>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <string> ctmask <string>
nfmask

Bits that should be XORed into the connection mark.

nfmask <string>
ctmask

Bits that should be cleared.

ctmask <string>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <string> ctmask <string>
nfmask

Bits that should be cleared.

nfmask <string>
ctmask

Bits that should be XORed into the packet mark.

ctmask <string>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL
LEVEL values Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notice Notice level.
info Info level.
debug Debug level.
prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS values Description
tcp-sequence Log TCP sequence numbers.
tcp-options Log options from the TCP packet header.
ip-options Log options from the IP/IPv6 packet header.
user-id Log the userid of the process which generated the packet.
mark

Used to set the mark value associated with the packet.

mark <string> mask <string>
<string> (mandatory)

Bits that should be XORed into the packet mark.

<string>
mask

Zero the bits given by this mask in the packet mark.

mask <string>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle input rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle input rule <uint64> counters bytes

forward

Altering packets being routed.

vrouter running config# vrf <vrf> firewall ipv6 mangle forward

policy

Action when no rule matches.

vrouter running config# vrf <vrf> firewall ipv6 mangle forward
vrouter running forward# policy POLICY
POLICY values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle forward packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle forward bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 mangle forward
vrouter running forward# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <string> mask <string> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   mark [not] <string> mask <string> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> \
...     connmark \
...       set-xmark <string> mask <string> \
...       save-mark nfmask <string> ctmask <string> \
...       restore-mark nfmask <string> ctmask <string> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <string> mask <string> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule. A higher number means a lower priority.

vrouter> show state vrf <vrf> firewall ipv6 mangle forward rule <uint64> id

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
sctp SCTP protocol.
ipv6-icmp ICMPv6 protocol.
esp IPsec ESP protocol.
ah IPsec AH protocol.
gre GRE protocol.
l2tp L2TP protocol.
ipip IP-in-IP protocol.
vrrp VRRP protocol.
all All protocols.
<uint16> Protocol from /etc/protocols.
<string> Protocol from /etc/protocols.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: the address must not belong to the group.

not
<string> (mandatory)

The name of the address group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: the address must not belong to the group.

not
<string> (mandatory)

The name of the address group.

<string>

icmpv6-type

Match the packet ICMP type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE
VALUE values Description
echo-request Echo request.
echo-reply Echo reply.
destination-unreachable Destination unreachable.
address-unreachable Address unreachable.
port-unreachable Port unreachable.
no-route No route to destination.
reject-route Reject route to destination.
communication-prohibited Communication with destination administratively prohibited.
beyond-scope Beyond scope of source address.
packet-too-big Packet too big.
failed-policy Source address failed ingress/egress policy.
ttl-exceeded TTL exceeded.
ttl-zero-during-transit Hop limit exceeded in transit.
ttl-zero-during-reassembly Fragment reassembly time exceeded.
parameter-problem Parameter problem.
bad-header Erroneous header field encountered.
unknown-header-type Unrecognized Next Header type encountered.
unknown-option Unrecognized IPv6 option encountered.
router-solicitation Router solicitation.
router-advertisement Router advertisement.
neighbor-solicitation Neighbor solicitation.
neighbor-advertisement Neighbor advertisement.
redirect Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET
SET values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE
VALUE values Description
none No status.
expected This is an expected connection (i.e. a conntrack helper set it up).
seen_reply Conntrack has seen packets in both directions.
assured Conntrack entry should never be early-expired.
confirmed Connection is confirmed: the originating packet has left the box.
state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE
VALUE values Description
invalid Packet is associated with no known connection.
new Packet started new connection or associated with one which has not seen packets in both directions.
established Packet is associated with a connection which has seen packets in both directions.
related Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
untracked Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.
snat A virtual state, matching if the original source address differs from the reply destination.
dnat A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets in connections are matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT
UNIT values Description
second Second.
minute Minute.
hour Hour.
day Day.

mark

Matches the mark field associated with a packet.

mark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. The packet mark is matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

sctp-chunk-types

Match on Stream Control Transmission Protocol (SCTP) chunk types and chunk flags.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

Invert the match.

SCOPE
SCOPE values Description
all Match all chunk types.
any Match any chunk type.
only Match exactly the listed chunk types.
init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
set

Set flags.

set SET
SET values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that the receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that the receiver should check).
shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that the receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that the receiver should check).
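
The sctp-chunk-types match, with the per-chunk examined/set flags for data, abort and shutdown-complete described here and in the prerouting rule reference earlier, as an added Python model that is not vrouter code; chunk numbers and flag bits are taken from the SCTP RFCs, the handling of the only scope is an assumption modelled on the iptables sctp match, and the packets are constructed.

```python
"""Model of the sctp-chunk-types [not] SCOPE ... match, including the
per-chunk examined/set flag tests for data, abort and shutdown-complete.

Added example, not vrouter code. Chunk type numbers and flag bits follow
RFC 4960, RFC 5061 and RFC 3758 (E/B/U/I on DATA, T on ABORT and SHUTDOWN
COMPLETE; T is the own-verification-tag flag the reference describes).
The 'only' scope is modelled as "every chunk in the packet is one of the
listed types" (assumption taken from the iptables sctp match).
All packets below are constructed, with the checksum left at zero.
"""

import struct

CHUNK_TYPES = {
    "data": 0, "init": 1, "init-ack": 2, "sack": 3, "heartbeat": 4,
    "heartbeat-ack": 5, "abort": 6, "shutdown": 7, "shutdown-ack": 8,
    "error": 9, "cookie-echo": 10, "cookie-ack": 11, "ecn-ecne": 12,
    "ecn-cwr": 13, "shutdown-complete": 14, "asconf-ack": 128,
    "forward-tsn": 192, "asconf": 193,
}
# flag letters accepted in the examined/set lists, per chunk type
FLAG_BITS = {
    "data": {"E": 0x01, "B": 0x02, "U": 0x04, "I": 0x08},
    "abort": {"T": 0x01},
    "shutdown-complete": {"T": 0x01},
}


def build_sctp_packet(chunks, sport=5000, dport=3868, vtag=0x11223344):
    """Common header (12 bytes) followed by (type, flags, value) chunks."""
    out = struct.pack("!HHII", sport, dport, vtag, 0)
    for ctype, flags, value in chunks:
        length = 4 + len(value)
        out += struct.pack("!BBH", ctype, flags, length) + value
        out += b"\x00" * (-length % 4)  # chunks are padded to 4 bytes
    return out


def parse_chunks(packet):
    """Return [(type, flags), ...] for every chunk after the common header."""
    if len(packet) < 12:
        raise ValueError("truncated SCTP common header")
    chunks, off = [], 12
    while off + 4 <= len(packet):
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length")
        chunks.append((ctype, flags))
        off += (length + 3) & ~3
    return chunks


def flag_mask(chunk_name, letters):
    return sum(FLAG_BITS[chunk_name][c] for c in letters)


def sctp_chunk_types_match(packet, scope, types, flag_rules=None, invert=False):
    """types: chunk names as written in the rule; flag_rules: {name: (EXAMINED, SET)}.
    A listed chunk counts only if (flags & EXAMINED) == SET for its flag rule."""
    if scope not in ("all", "any", "only"):
        raise ValueError("scope must be all, any or only")
    flag_rules = flag_rules or {}
    wanted = {CHUNK_TYPES[n]: n for n in types}

    def flags_ok(name, flags):
        if name not in flag_rules:
            return True
        examined, set_ = flag_rules[name]
        return (flags & flag_mask(name, examined)) == flag_mask(name, set_)

    matched, hit = set(), None
    for ctype, flags in parse_chunks(packet):
        ok = ctype in wanted and flags_ok(wanted[ctype], flags)
        if ok:
            matched.add(ctype)
        elif scope == "only":
            hit = False  # an unlisted chunk (or wrong flags) breaks 'only'
            break
    if hit is None:
        if scope == "all":
            hit = matched == set(wanted)
        elif scope == "any":
            hit = bool(matched)
        else:
            hit = True
    return hit != invert


# constructed sample packets and flag rules
INIT_ONLY = build_sctp_packet([(1, 0x00, b"\x00" * 16)])
INIT_WITH_DATA = build_sctp_packet([(1, 0x00, b"\x00" * 16), (0, 0x03, b"\x00" * 12 + b"hi")])
ABORT_T = build_sctp_packet([(6, 0x01, b"")])
ABORT_NO_T = build_sctp_packet([(6, 0x00, b"")])
SACK_AND_DATA = build_sctp_packet([(3, 0x00, b"\x00" * 12), (0, 0x03, b"\x00" * 12 + b"hi")])
SACK_AND_FRAGMENT = build_sctp_packet([(3, 0x00, b"\x00" * 12), (0, 0x02, b"\x00" * 12 + b"hi")])
UNFRAGMENTED = {"data": (["B", "E"], ["B", "E"])}  # data examined B E set B E
OWN_VTAG = {"abort": (["T"], ["T"])}                # abort examined T set T

if __name__ == "__main__":
    print(sctp_chunk_types_match(INIT_WITH_DATA, "only", ["init"]))  # False
    print(sctp_chunk_types_match(ABORT_T, "any", ["abort"], OWN_VTAG))  # True
    print(sctp_chunk_types_match(SACK_AND_FRAGMENT, "all", ["sack", "data"], UNFRAGMENTED))  # False
```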

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> \
     connmark \
       set-xmark <string> mask <string> \
       save-mark nfmask <string> ctmask <string> \
       restore-mark nfmask <string> ctmask <string> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <string> mask <string> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD
STANDARD values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
chain

Jump to the user chain by this name.

chain <string>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <string> mask <string> \
     save-mark nfmask <string> ctmask <string> \
     restore-mark nfmask <string> ctmask <string>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <string> mask <string>
<string> (mandatory)

XOR with this value.

<string>
mask

Zero the bits given by this mask.

mask <string>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <string> ctmask <string>
nfmask

Bits that should be XORed into the connection mark.

nfmask <string>
ctmask

Bits that should be cleared.

ctmask <string>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <string> ctmask <string>
nfmask

Bits that should be cleared.

nfmask <string>
ctmask

Bits that should be XORed into the packet mark.

ctmask <string>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL
LEVEL values Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notice Notice level.
info Info level.
debug Debug level.
prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS values Description
tcp-sequence Log TCP sequence numbers.
tcp-options Log options from the TCP packet header.
ip-options Log options from the IP/IPv6 packet header.
user-id Log the userid of the process which generated the packet.
mark

Used to set the mark value associated with the packet.

mark <string> mask <string>
<string> (mandatory)

Bits that should be XORed into the packet mark.

<string>
mask

Zero the bits given by this mask in the packet mark.

mask <string>
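
The mark arithmetic behind connmark set-xmark, save-mark and restore-mark, the mark action and the masked connmark and mark matches (documented for the prerouting rule above and again for this forward rule), as an added Python model that is not part of the vrouter reference; the class-byte and policy-byte layout and the values 0x10 and 0xAA are assumptions made for the walkthrough.

```python
"""Model of the 32-bit netfilter mark arithmetic used by the connmark and mark
actions and by the masked connmark / mark matches.

Added example, not vrouter code. It reproduces the formulas quoted in the
reference so the effect of a mask choice can be checked before a rule is
committed. The mark layout (class in the low byte, policy tag in bits 16-23)
and the values 0x10 / 0xAA are constructed for the walkthrough.
"""

MARK_BITS = 0xFFFFFFFF  # marks are 32 bits wide


def set_xmark(ctmark: int, value: int, mask: int = MARK_BITS) -> int:
    """connmark set-xmark VALUE mask MASK: zero the masked bits, XOR value in."""
    return ((ctmark & ~mask) ^ value) & MARK_BITS


def save_mark(ctmark: int, nfmark: int,
              nfmask: int = MARK_BITS, ctmask: int = MARK_BITS) -> int:
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MARK_BITS


def restore_mark(nfmark: int, ctmark: int,
                 nfmask: int = MARK_BITS, ctmask: int = MARK_BITS) -> int:
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK_BITS


def mark_set(nfmark: int, value: int, mask: int = MARK_BITS) -> int:
    """mark VALUE mask MASK action: zero the masked packet-mark bits, XOR value in."""
    return ((nfmark & ~mask) ^ value) & MARK_BITS


def mark_match(mark: int, value: int, mask: int = MARK_BITS, invert: bool = False) -> bool:
    """connmark / mark [not] VALUE mask MASK match: the mask is ANDed with the
    mark before the comparison with VALUE."""
    return ((mark & mask) == value) != invert


CLASS_MASK = 0x000000FF   # constructed layout: low byte = traffic class
POLICY_MASK = 0x00FF0000  # constructed layout: bits 16-23 = routing policy tag


def walkthrough() -> dict:
    """Tag a flow, copy the tag to the connection, restore it on the reply,
    and show what the default (all-ones) masks do to unrelated bits."""
    ctmark = 0x00AA0000   # connection already carries policy tag 0xAA
    nfmark = 0x00000000   # fresh packet, no mark yet

    # rule: action mark 0x10 mask 0xff  -> class 0x10 in the low byte
    nfmark = mark_set(nfmark, 0x10, CLASS_MASK)

    # rule: action connmark save-mark nfmask 0xff ctmask 0xff
    # only the class byte moves; the policy tag survives
    ct_narrow = save_mark(ctmark, nfmark, nfmask=CLASS_MASK, ctmask=CLASS_MASK)

    # the same save-mark with the default masks replaces the whole ctmark,
    # so the policy tag is lost
    ct_default = save_mark(ctmark, nfmark)

    # reply direction: action connmark restore-mark nfmask 0xff ctmask 0xff
    reply_nfmark = restore_mark(0, ct_narrow, nfmask=CLASS_MASK, ctmask=CLASS_MASK)

    # matches against the narrowed connection mark:
    # connmark 0x10 mask 0xff  and  connmark 0xaa0000 mask 0xff0000
    class_hit = mark_match(ct_narrow, 0x10, CLASS_MASK)
    policy_hit = mark_match(ct_narrow, 0x00AA0000, POLICY_MASK)

    # set-xmark 0x20 mask 0xff: replace the class byte, leave the rest alone
    reclassified = set_xmark(ct_narrow, 0x20, CLASS_MASK)

    return {
        "nfmark": nfmark,
        "ct_narrow": ct_narrow,
        "ct_default": ct_default,
        "reply_nfmark": reply_nfmark,
        "class_hit": class_hit,
        "policy_hit": policy_hit,
        "reclassified": reclassified,
    }


if __name__ == "__main__":
    for key, val in walkthrough().items():
        print(key, val if isinstance(val, bool) else hex(val))
```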
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle forward rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle forward rule <uint64> counters bytes

output

Altering locally-generated packets before routing.

vrouter running config# vrf <vrf> firewall ipv6 mangle output

policy

Action when no rule matches.

vrouter running config# vrf <vrf> firewall ipv6 mangle output
vrouter running output# policy POLICY
POLICY values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle output packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle output bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 mangle output
vrouter running output# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <string> mask <string> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   mark [not] <string> mask <string> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> \
...     connmark \
...       set-xmark <string> mask <string> \
...       save-mark nfmask <string> ctmask <string> \
...       restore-mark nfmask <string> ctmask <string> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <string> mask <string> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule. A higher number means a lower priority.

vrouter> show state vrf <vrf> firewall ipv6 mangle output rule <uint64> id

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
sctp SCTP protocol.
ipv6-icmp ICMPv6 protocol.
esp IPsec ESP protocol.
ah IPsec AH protocol.
gre GRE protocol.
l2tp L2TP protocol.
ipip IP-in-IP protocol.
vrrp VRRP protocol.
all All protocols.
<uint16> Protocol from /etc/protocols.
<string> Protocol from /etc/protocols.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: the address must not belong to the group.

not
<string> (mandatory)

The name of the address group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name is fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern above is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match: the address must not belong to the group.

not
<string> (mandatory)

The name of the address group.

<string>

icmpv6-type

Match the packet ICMP type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE
VALUE values Description
echo-request Echo request.
echo-reply Echo reply.
destination-unreachable Destination unreachable.
address-unreachable Address unreachable.
port-unreachable Port unreachable.
no-route No route to destination.
reject-route Reject route to destination.
communication-prohibited Communication with destination administratively prohibited.
beyond-scope Beyond scope of source address.
packet-too-big Packet too big.
failed-policy Source address failed ingress/egress policy.
ttl-exceeded TTL exceeded.
ttl-zero-during-transit Hop limit exceeded in transit.
ttl-zero-during-reassembly Fragment reassembly time exceeded.
parameter-problem Parameter problem.
bad-header Erroneous header field encountered.
unknown-header-type Unrecognized Next Header type encountered.
unknown-option Unrecognized IPv6 option encountered.
router-solicitation Router solicitation.
router-advertisement Router advertisement.
neighbor-solicitation Neighbor solicitation.
neighbor-advertisement Neighbor advertisement.
redirect Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET
SET values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
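
The tcp-flags set/examined test (also documented for the prerouting and forward rules above) as an added Python model, not vrouter code, applied to constructed TCP headers; the rule names new-syn, null-scan, xmas-scan and syn-fin are assumed labels for illustrative flag combinations.

```python
"""Model of the tcp-flags [not] set SET examined EXAMINED match.

Added example, not vrouter code. A segment matches when the header flags
named in EXAMINED are extracted and the result equals the flags named in
SET, i.e. (flags & EXAMINED) == SET. The rule table and the TCP headers
below are constructed for the demonstration.
"""

import struct

# the six flags the reference lists, as bits of TCP header byte 13
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL_FLAGS = 0x3F


def flag_mask(names) -> int:
    """Translate a SET/EXAMINED list ('all' and 'none' included) to a bit mask."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= ALL_FLAGS
        elif name != "none":
            mask |= TCP_FLAGS[name]  # KeyError on a name the reference does not list
    return mask


def tcp_flags_match(flags: int, examined, set_, invert: bool = False) -> bool:
    """tcp-flags [not] set SET examined EXAMINED."""
    hit = (flags & flag_mask(examined)) == flag_mask(set_)
    return hit != invert


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header without options (data offset 5)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)


def flags_of(segment: bytes) -> int:
    """The flag byte sits at offset 13; keep the six classic flags only."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & ALL_FLAGS


# rule name -> (EXAMINED, SET), the way they would be written in a rule
RULES = {
    "new-syn":   (["syn", "ack", "fin", "rst"], ["syn"]),  # handshake opener only
    "null-scan": (["all"], ["none"]),                      # no flag at all
    "xmas-scan": (["all"], ["fin", "psh", "urg"]),         # FIN+PSH+URG, nothing else
    "syn-fin":   (["syn", "fin"], ["syn", "fin"]),         # SYN and FIN together
}


def classify(segment: bytes) -> list:
    """Names of the rules in RULES whose tcp-flags match hits this segment."""
    flags = flags_of(segment)
    return [name for name, (examined, set_) in RULES.items()
            if tcp_flags_match(flags, examined, set_)]


if __name__ == "__main__":
    for label, bits in (("SYN", 0x02), ("SYN+ACK", 0x12), ("NULL", 0x00),
                        ("XMAS", 0x29), ("SYN+FIN", 0x03), ("ACK+PSH", 0x18)):
        print(f"{label:8} -> {classify(build_tcp_header(40000, 443, bits))}")
```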

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE
VALUE values Description
none No status.
expected This is an expected connection (i.e. a conntrack helper set it up).
seen_reply Conntrack has seen packets in both directions.
assured Conntrack entry should never be early-expired.
confirmed Connection is confirmed: the originating packet has left the box.
state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE
VALUE values Description
invalid Packet is associated with no known connection.
new Packet started new connection or associated with one which has not seen packets in both directions.
established Packet is associated with a connection which has seen packets in both directions.
related Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
untracked Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.
snat A virtual state, matching if the original source address differs from the reply destination.
dnat A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets in connections are matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT
UNIT values Description
second Second.
minute Minute.
hour Hour.
day Day.
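
Token-bucket model of the limit match described above, as an added example (this is not vrouter code and does not talk to the device). It reproduces the semantics the reference states: burst packets match immediately, each match consumes one token, and tokens are refilled at rate per UNIT up to burst. Arrival times are supplied by the caller in seconds (constructed input) so that a run is deterministic.

```python
"""Token-bucket model of the 'limit' match.

Added example, not vrouter code. Defaults are the reference's
(3 per hour, burst 5). Packet arrival times are constructed input.
"""

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """One 'limit burst <burst> rate <rate> <unit>' instance."""

    def __init__(self, rate=3, unit="hour", burst=5):
        if rate <= 0 or burst <= 0 or unit not in UNIT_SECONDS:
            raise ValueError("invalid limit parameters")
        self.seconds_per_token = UNIT_SECONDS[unit] / rate
        self.burst = burst
        self.tokens = float(burst)   # the bucket starts full
        self.last_seen = 0.0

    def matches(self, now):
        """Return True if a packet arriving at time 'now' is within the rate."""
        if now < self.last_seen:
            raise ValueError("arrival times must be non-decreasing")
        refill = (now - self.last_seen) / self.seconds_per_token
        self.tokens = min(float(self.burst), self.tokens + refill)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate=3, unit="hour", burst=5):
    """Run a sequence of arrival times (seconds) through one limit match and
    report, per packet, whether the rule would match it."""
    lim = LimitMatch(rate, unit, burst)
    return [lim.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Ten packets at once with the defaults: only the burst of 5 matches.
    print(simulate([0.0] * 10))
    # 20 minutes later one token has been refilled (3/hour = 1 per 1200 s).
    print(simulate([0.0] * 5 + [1200.0, 1201.0]))
```

The usual place for this match is in front of a log action, so that a flood of matching packets cannot fill the log. Note that the match selects the packets that are within the rate: packets beyond it simply fail the match and continue to the next rule, so a rate-limiting policy needs a following rule that drops them.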

mark

Matches the mark field associated with a packet.

mark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. The packet mark, after masking, is compared against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

sctp-chunk-types

Match SCTP chunk types and, for DATA, ABORT and SHUTDOWN COMPLETE chunks, their flags.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must appear in the packet.

SCOPE
SCOPE values Description
all Match if all the listed chunk types are present (other chunk types may be present too).
any Match if at least one of the listed chunk types is present.
only Match if exactly the listed chunk types are present and no others.
init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
set

Set flags.

set SET
SET values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that receiver should check).
shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that receiver should check).

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> \
     connmark \
       set-xmark <string> mask <string> \
       save-mark nfmask <string> ctmask <string> \
       restore-mark nfmask <string> ctmask <string> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <string> mask <string> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD
STANDARD values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
chain

Jump to the user chain by this name.

chain <string>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <string> mask <string> \
     save-mark nfmask <string> ctmask <string> \
     restore-mark nfmask <string> ctmask <string>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <string> mask <string>
<string> (mandatory)

XOR with this value.

<string>
mask

Zero the bits given by this mask.

mask <string>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <string> ctmask <string>
nfmask

Bits that should be XORed into the connection mark.

nfmask <string>
ctmask

Bits that should be cleared.

ctmask <string>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <string> ctmask <string>
nfmask

Bits that should be cleared.

nfmask <string>
ctmask

Bits that should be XORed into the packet mark.

ctmask <string>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL
LEVEL values Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notice Notice level.
info Info level.
debug Debug level.
prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>
additional-infos

Append additional information to the log messages.

additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS values Description
tcp-sequence Log TCP sequence numbers.
tcp-options Log options from the TCP packet header.
ip-options Log options from the IP/IPv6 packet header.
user-id Log the userid of the process which generated the packet.
mark

Used to set the mark value associated with the packet.

mark <string> mask <string>
<string> (mandatory)

Bits that should be XORed into the packet mark.

<string>
mask

Zero the bits given by this mask in the packet mark.

mask <string>
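
Bit-level semantics of the mark and connmark matches and actions listed above, as an added example (not vrouter code). It implements the formulas the reference gives on plain 32-bit integers and then walks one connection's packets through the common three-rule pattern (restore-mark, classify if the packet is still unmarked, save-mark), so the effect of the masks can be checked before a rule set is committed. The mask layout, the classifier and the packets are constructed for the example.

```python
"""Mark/connmark arithmetic. Added example, not vrouter code."""

MARK32 = 0xFFFFFFFF


def xmark(current, value, mask=MARK32):
    """'mark <value> mask <mask>' action and connmark set-xmark:
    clear the bits given by mask, then XOR value in."""
    return ((current & ~mask) ^ value) & MARK32


def save_mark(ctmark, nfmark, nfmask=MARK32, ctmask=MARK32):
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MARK32


def restore_mark(nfmark, ctmark, nfmask=MARK32, ctmask=MARK32):
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK32


def mark_matches(mark, value, mask=MARK32, invert=False):
    """'mark [not] <value> mask <mask>' and the connmark match:
    the mark is ANDed with mask and then compared with value."""
    return ((mark & mask) == value) != invert


# Constructed layout: the low byte carries a traffic class; the other bits
# belong to other users of the mark (e.g. policy routing) and must survive.
CLASS_MASK = 0x000000FF
CLASS_INTERACTIVE = 0x01
CLASS_BULK = 0x10


def classify(pkt):
    """Constructed first-packet classifier: SSH is interactive, else bulk."""
    return CLASS_INTERACTIVE if pkt["dport"] == 22 else CLASS_BULK


def process_connection(packets):
    """Run every packet of one connection through this chain:
      rule 10  action connmark restore-mark nfmask CLASS_MASK ctmask CLASS_MASK
      rule 20  mark 0x0 mask CLASS_MASK   action mark <class> mask CLASS_MASK
      rule 30  action connmark save-mark nfmask CLASS_MASK ctmask CLASS_MASK
    Returns (nfmark of each packet after the chain, final ctmark,
    number of times the classifier ran)."""
    ctmark = 0
    marks, classifier_runs = [], 0
    for pkt in packets:
        nfmark = pkt.get("nfmark", 0)        # bits set earlier by another table
        nfmark = restore_mark(nfmark, ctmark, CLASS_MASK, CLASS_MASK)
        if mark_matches(nfmark, 0x0, CLASS_MASK):   # class byte still empty
            nfmark = xmark(nfmark, classify(pkt), CLASS_MASK)
            classifier_runs += 1
        ctmark = save_mark(ctmark, nfmark, CLASS_MASK, CLASS_MASK)
        marks.append(nfmark)
    return marks, ctmark, classifier_runs


if __name__ == "__main__":
    flow = [{"dport": 22, "nfmark": 0x00100000}] * 3   # constructed SSH flow
    marks, ctmark, runs = process_connection(flow)
    print([hex(m) for m in marks], hex(ctmark), runs)
```

Two details worth checking against the formulas: with the mask covering all 32 bits the mark action is a plain set, but with a mask of 0 it is a pure XOR that toggles bits instead of setting them; and with nfmask and ctmask restricted to the class byte, the routing bits (0x00100000 in the example) are never copied into the connection mark and never clobbered when it is restored.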
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu
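
What the tcpmss action does on the wire, as an added example (not vrouter code). It parses the TCP options of a SYN segment and rewrites the MSS option (kind 2) the way set-mss and clamp-mss-to-pmtu do: only SYN segments are touched, and clamping only ever lowers the MSS, by the 60-byte IPv6 overhead (40 for IPv4) given above. The sample segment is constructed inline. The TCP checksum is not recomputed here because it depends on the IPv6 pseudo-header; a real firewall recomputes it after the rewrite. The kernel implementation also inserts an MSS option into a SYN that lacks one; this model leaves such a SYN unchanged.

```python
"""TCP MSS rewriting as done by the tcpmss action. Added example, not vrouter code."""
import struct

MSS_KIND = 2
IPV6_OVERHEAD = 60   # 40-byte IPv6 header + 20-byte TCP header
IPV4_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header
TCP_SYN = 0x02


def parse_options(opts):
    """Yield (offset, kind, length) for every TCP option in 'opts'."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            return
        if kind == 1:            # NOP: single byte, no length
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        yield i, kind, length
        i += length


def tcpmss(segment, set_mss=None, pmtu=None, ipv6=True):
    """Apply 'tcpmss set-mss <n>' (set_mss) or 'tcpmss clamp-mss-to-pmtu'
    (pmtu) to a raw TCP segment (header + options + payload).
    Returns (segment, MSS now on the wire); the MSS is None when nothing
    was rewritten."""
    if (set_mss is None) == (pmtu is None):
        raise ValueError("give exactly one of set_mss or pmtu")
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    if not segment[13] & TCP_SYN:      # not a SYN: the action does nothing
        return segment, None
    opts = bytearray(segment[20:data_offset])
    for off, kind, length in parse_options(bytes(opts)):
        if kind != MSS_KIND or length != 4:
            continue
        (mss,) = struct.unpack("!H", opts[off + 2:off + 4])
        if set_mss is not None:
            new_mss = set_mss
        else:
            overhead = IPV6_OVERHEAD if ipv6 else IPV4_OVERHEAD
            new_mss = min(mss, pmtu - overhead)   # clamping never raises the MSS
        opts[off + 2:off + 4] = struct.pack("!H", new_mss)
        return segment[:20] + bytes(opts) + segment[data_offset:], new_mss
    return segment, None


def build_syn(mss, sport=40000, dport=443):
    """Construct a SYN segment carrying an MSS option, two NOPs and
    SACK-permitted (constructed test input, not a captured packet)."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss) + b"\x01\x01\x04\x02"
    data_offset = (20 + len(opts)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0,
                         data_offset << 4, TCP_SYN, 65535, 0, 0)
    return header + opts


if __name__ == "__main__":
    # An IPv6 path at the minimum MTU of 1280 clamps a 1440-byte MSS to 1220.
    print(tcpmss(build_syn(1440), pmtu=1280)[1])
```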

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle output rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle output rule <uint64> counters bytes

postrouting

Altering packets as they are about to go out.

vrouter running config# vrf <vrf> firewall ipv6 mangle postrouting

policy

Action when no rule match.

vrouter running config# vrf <vrf> firewall ipv6 mangle postrouting
vrouter running postrouting# policy POLICY
POLICY values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle postrouting packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle postrouting bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 mangle postrouting
vrouter running postrouting# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <string> mask <string> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   mark [not] <string> mask <string> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> \
...     connmark \
...       set-xmark <string> mask <string> \
...       save-mark nfmask <string> ctmask <string> \
...       restore-mark nfmask <string> ctmask <string> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <string> mask <string> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule. High number means lower priority.

vrouter> show state vrf <vrf> firewall ipv6 mangle postrouting rule <uint64> id

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
sctp SCTP protocol.
ipv6-icmp ICMPv6 protocol.
esp IPsec ESP protocol.
ah IPsec AH protocol.
gre GRE protocol.
l2tp L2TP protocol.
ipip IP-in-IP protocol.
vrrp VRRP protocol.
all All protocols.
<uint16> Protocol number, as listed in /etc/protocols.
<string> Protocol name, as listed in /etc/protocols.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which use this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern used by this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the address group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which use this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern used by this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the address group.

<string>

icmpv6-type

Match the ICMPv6 type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE
VALUE values Description
echo-request Echo request.
echo-reply Echo reply.
destination-unreachable Destination unreachable.
address-unreachable Address unreachable.
port-unreachable Port unreachable.
no-route No route to destination.
reject-route Reject route to destination.
communication-prohibited Communication with destination administratively prohibited.
beyond-scope Beyond scope of source address.
packet-too-big Packet too big.
failed-policy Source address failed ingress/egress policy.
ttl-exceeded Time exceeded (any code).
ttl-zero-during-transit Hop limit exceeded in transit.
ttl-zero-during-reassembly Fragment reassembly time exceeded.
parameter-problem Parameter problem.
bad-header Erroneous header field encountered.
unknown-header-type Unrecognized Next Header type encountered.
unknown-option Unrecognized IPv6 option encountered.
router-solicitation Router solicitation.
router-advertisement Router advertisement.
neighbor-solicitation Neighbor solicitation.
neighbor-advertisement Neighbor advertisement.
redirect Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET
SET values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
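
Semantics of the tcp-flags match, and of the SCOPE keyword of the sctp-chunk-types match described earlier, as an added example (not vrouter code). For tcp-flags, the EXAMINED list is the set of flag bits looked at, and the rule matches when, among those bits, exactly the SET list is on. The rule table and the flag bytes below are constructed for the example; the rules are three a firewall engineer commonly writes: a genuine connection opener, a NULL scan and a Xmas scan.

```python
"""tcp-flags and sctp-chunk-types SCOPE matching. Added example, not vrouter code."""

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL_FLAGS = 0x3F


def flag_bits(names):
    """Translate a SET or EXAMINED keyword list (incl. all/none) to a bitmask."""
    bits = 0
    for name in names:
        if name == "all":
            bits |= ALL_FLAGS
        elif name != "none":
            bits |= TCP_FLAG_BITS[name]
    return bits


def tcp_flags_match(flags_byte, examined, set_, invert=False):
    """'tcp-flags [not] set SET examined EXAMINED' on a TCP flags byte."""
    ex, st = flag_bits(examined), flag_bits(set_)
    if st & ~ex:
        # A flag required to be set but not examined can never match;
        # this model rejects such a rule instead of silently never matching.
        raise ValueError("SET must be a subset of EXAMINED")
    return ((flags_byte & ex) == st) != invert


# Constructed rules: (name, EXAMINED, SET)
RULES = [
    ("new-connection", ["syn", "ack", "fin", "rst"], ["syn"]),
    ("null-scan", ["all"], ["none"]),
    ("xmas-scan", ["all"], ["fin", "psh", "urg"]),
]


def classify(flags_byte):
    """Names of the rules a TCP segment with this flags byte matches."""
    return [name for name, ex, st in RULES if tcp_flags_match(flags_byte, ex, st)]


def sctp_scope_match(present, listed, scope, invert=False):
    """'sctp-chunk-types [not] SCOPE <chunk types>': 'present' is the set of
    chunk types carried by the packet, 'listed' those named in the rule."""
    present, listed = set(present), set(listed)
    if scope == "all":
        hit = listed <= present          # every listed type present, others allowed
    elif scope == "any":
        hit = bool(listed & present)     # at least one listed type present
    elif scope == "only":
        hit = present == listed          # exactly the listed types, nothing else
    else:
        raise ValueError("SCOPE must be all, any or only")
    return hit != invert


if __name__ == "__main__":
    # SYN, SYN+ACK, no flags, FIN+PSH+URG, PSH+ACK
    for flags in (0x02, 0x12, 0x00, 0x29, 0x18):
        print(hex(flags), classify(flags))
```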

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE
VALUE values Description
none No status.
expected This is an expected connection (i.e. a conntrack helper set it up).
seen_reply Conntrack has seen packets in both directions.
assured Conntrack entry should never be early-expired.
confirmed Connection is confirmed: originating packet has left box.
state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE
VALUE values Description
invalid Packet is associated with no known connection.
new Packet started new connection or associated with one which has not seen packets in both directions.
established Packet is associated with a connection which has seen packets in both directions.
related Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
untracked Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.
snat A virtual state, matching if the original source address differs from the reply destination.
dnat A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. The connection mark, after masking, is compared against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT
UNIT values Description
second Second.
minute Minute.
hour Hour.
day Day.

mark

Matches the mark field associated with a packet.

mark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. The packet mark, after masking, is compared against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

sctp-chunk-types

Match SCTP chunk types and, for DATA, ABORT and SHUTDOWN COMPLETE chunks, their flags.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must appear in the packet.

SCOPE
SCOPE values Description
all Match if all the listed chunk types are present (other chunk types may be present too).
any Match if at least one of the listed chunk types is present.
only Match if exactly the listed chunk types are present and no others.
init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
set

Set flags.

set SET
SET values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that receiver should check).
shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that receiver should check).

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> \
     connmark \
       set-xmark <string> mask <string> \
       save-mark nfmask <string> ctmask <string> \
       restore-mark nfmask <string> ctmask <string> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <string> mask <string> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD
STANDARD values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
chain

Jump to the user chain by this name.

chain <string>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <string> mask <string> \
     save-mark nfmask <string> ctmask <string> \
     restore-mark nfmask <string> ctmask <string>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <string> mask <string>
<string> (mandatory)

XOR with this value.

<string>
mask

Zero the bits given by this mask.

mask <string>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <string> ctmask <string>
nfmask

Bits that should be XORed into the connection mark.

nfmask <string>
ctmask

Bits that should be cleared.

ctmask <string>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <string> ctmask <string>
nfmask

Bits that should be cleared.

nfmask <string>
ctmask

Bits that should be XORed into the packet mark.

ctmask <string>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL
LEVEL values Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notice Notice level.
info Info level.
debug Debug level.
prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>
additional-infos

Append additional information to the log messages.

additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS values Description
tcp-sequence Log TCP sequence numbers.
tcp-options Log options from the TCP packet header.
ip-options Log options from the IP/IPv6 packet header.
user-id Log the userid of the process which generated the packet.
mark

Used to set the mark value associated with the packet.

mark <string> mask <string>
<string> (mandatory)

Bits that should be XORed into the packet mark.

<string>
mask

Zero the bits given by this mask in the packet mark.

mask <string>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle postrouting rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle postrouting rule <uint64> counters bytes

chain

User chain.

vrouter running config# vrf <vrf> firewall ipv6 mangle chain <string>

policy

Action when no rule match.

vrouter running config# vrf <vrf> firewall ipv6 mangle chain <string>
vrouter running chain <string># policy POLICY
POLICY values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
Default value
accept

name (state only)

The user chain name.

vrouter> show state vrf <vrf> firewall ipv6 mangle chain <string> name

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle chain <string> packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle chain <string> bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 mangle chain <string>
vrouter running chain <string># rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <string> mask <string> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   mark [not] <string> mask <string> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <string> reject REJECT \
...     connmark \
...       set-xmark <string> mask <string> \
...       save-mark nfmask <string> ctmask <string> \
...       restore-mark nfmask <string> ctmask <string> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <string> mask <string> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

description

A comment to describe the rule.

description <string>

id (state only)

Priority of the rule. High number means lower priority.

vrouter> show state vrf <vrf> firewall ipv6 mangle chain <string> rule <uint64> id

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE
VALUE values Description
tcp TCP protocol.
udp UDP protocol.
sctp SCTP protocol.
ipv6-icmp ICMPv6 protocol.
esp IPsec ESP protocol.
ah IPsec AH protocol.
gre GRE protocol.
l2tp L2TP protocol.
ipip IP-in-IP protocol.
vrrp VRRP protocol.
all All protocols.
<uint16> Protocol number, as listed in /etc/protocols.
<string> Protocol name, as listed in /etc/protocols.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which use this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern used by this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the address group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE
VALUE values Description
<domain-name> The domain-name type represents a DNS domain name. Whether the name must be fully qualified is left to the models which use this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern used by this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.
<X:X::X:X> An IPv6 address.
<X:X::X:X/M> An IPv6 prefix: address and CIDR mask.
port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE
VALUE A 16-bit port number used by a transport protocol such as TCP or UDP.
group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the address group.

<string>

icmpv6-type

Match the ICMPv6 type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE
VALUE values Description
echo-request Echo request.
echo-reply Echo reply.
destination-unreachable Destination unreachable.
address-unreachable Address unreachable.
port-unreachable Port unreachable.
no-route No route to destination.
reject-route Reject route to destination.
communication-prohibited Communication with destination administratively prohibited.
beyond-scope Beyond scope of source address.
packet-too-big Packet too big.
failed-policy Source address failed ingress/egress policy.
ttl-exceeded TTL exceeded.
ttl-zero-during-transit Hop limit exceeded in transit.
ttl-zero-during-reassembly Fragment reassembly time exceeded.
parameter-problem Parameter problem.
bad-header Erroneous header field encountered.
unknown-header-type Unrecognized Next Header type encountered.
unknown-option Unrecognized IPv6 option encountered.
router-solicitation Router solicitation.
router-advertisement Router advertisement.
neighbor-solicitation Neighbor solicitation.
neighbor-advertisement Neighbor advertisement.
redirect Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET
SET values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
syn SYN flag.
ack ACK flag.
fin FIN flag.
rst RST flag.
urg URG flag.
psh PSH flag.
all All flags.
none No flag.
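
The examined/set contract above is easy to misread, so here is an added example (not code from the vrouter reference) showing how a tcp-flags rule decides a match: only the EXAMINED bits of the packet's TCP flags byte are compared with SET. The flag bit values follow RFC 793; the packet flag bytes and the three rule labels are constructed for the example.

```python
# Added example, not part of the vrouter reference: how a
# "tcp-flags [not] set SET examined EXAMINED" rule decides a match.
# Only the EXAMINED bits of the packet's TCP flags byte are compared
# with SET, the same contract as iptables' --tcp-flags EXAMINED SET.

# Bit positions of the TCP flags byte (RFC 793).
TCP_FLAG_BITS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "psh": 0x08,
    "ack": 0x10,
    "urg": 0x20,
}
ALL_FLAGS = 0x3F  # "all" keyword: every flag in the table above


def flags_to_mask(names):
    """Translate CLI keywords (syn, ack, ..., all, none) into a bitmask."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= ALL_FLAGS
        elif name == "none":
            continue                       # contributes no bits
        else:
            mask |= TCP_FLAG_BITS[name]    # KeyError on an unknown keyword
    return mask


def tcp_flags_match(packet_flags, examined, set_flags, invert=False):
    """True if the packet matches: (flags & EXAMINED) == SET, optionally inverted."""
    matched = (packet_flags & flags_to_mask(examined)) == flags_to_mask(set_flags)
    return matched != invert


# Constructed flag bytes for a few packet shapes (sample data, not captures).
SAMPLE_PACKETS = {
    "syn": 0x02,
    "syn-ack": 0x12,
    "ack-psh": 0x18,
    "syn-fin": 0x03,   # contradictory combination no conforming stack sends
    "null": 0x00,      # no flags at all, never legitimate either
}

# Rules a mangle/filter policy commonly carries, as
# (label, examined keywords, set keywords).
RULES = [
    ("new-connection", ["syn", "ack", "rst", "fin"], ["syn"]),
    ("syn-fin", ["syn", "fin"], ["syn", "fin"]),
    ("no-flags", ["all"], ["none"]),
]


def classify(packet_flags):
    """Return the labels of every rule in RULES that matches the packet."""
    return [label for label, ex, st in RULES
            if tcp_flags_match(packet_flags, ex, st)]


if __name__ == "__main__":
    for name, flags in SAMPLE_PACKETS.items():
        print(f"{name:8s} flags=0x{flags:02x} -> {classify(flags)}")
```

The "new-connection" rule is the one to keep in mind: examining syn, ack, rst and fin while requiring only syn is what makes it fire on a bare SYN and stay silent on SYN/ACK, which "set syn examined syn" alone would not do.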

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE
VALUE values Description
none No status.
expected This is an expected connection (i.e. a conntrack helper set it up).
seen_reply Conntrack has seen packets in both directions.
assured Conntrack entry should never be early-expired.
confirmed Connection is confirmed: originating packet has left box.
state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE
VALUE values Description
invalid Packet is associated with no known connection.
new Packet started new connection or associated with one which has not seen packets in both directions.
established Packet is associated with a connection which has seen packets in both directions.
related Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.
untracked Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.
snat A virtual state, matching if the original source address differs from the reply destination.
dnat A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets in connections are matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number is recharged by one every time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT
UNIT values Description
second Second.
minute Minute.
hour Hour.
day Day.
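
To see what burst and rate do together, here is an added token-bucket model of the limit match (example code, not the vrouter implementation, which may differ in timer granularity). The bucket starts full at burst tokens, each matching packet consumes one, and a token is refilled every 1/rate seconds up to burst; the arrival times are constructed for the example and the defaults are the 3/hour and 5 stated above.

```python
# Added example, not from the vrouter reference: a token-bucket model of
# "limit burst <uint32> rate <uint32> UNIT". Packets that find the bucket
# empty do not match this rule and fall through to the next rule.

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    def __init__(self, rate=3, unit="hour", burst=5):
        # Defaults mirror the documented ones: 3/hour, burst 5.
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.interval = UNIT_SECONDS[unit] / rate   # seconds per refilled token
        self.burst = burst
        self.tokens = float(burst)                  # bucket starts full
        self.last = None                            # arrival time of previous packet

    def match(self, now):
        """now: packet arrival time in seconds. True if this packet matches."""
        if self.last is not None:
            # Refill proportionally to elapsed time, never above burst.
            self.tokens = min(self.burst, self.tokens + (now - self.last) / self.interval)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(arrivals, rate=3, unit="hour", burst=5):
    """Run a list of arrival times through one limit match; returns match flags."""
    lm = LimitMatch(rate, unit, burst)
    return [lm.match(t) for t in arrivals]


# Constructed arrival pattern (seconds): seven packets within 6 s, one 30 min
# later, one 50 min after that.
ARRIVALS = [0, 1, 2, 3, 4, 5, 6, 1800, 4800]

if __name__ == "__main__":
    for t, ok in zip(ARRIVALS, simulate(ARRIVALS)):
        print(f"t={t:5d}s  {'match' if ok else 'no match (bucket empty)'}")
```

With the defaults the first five packets of the burst match, packets six and seven do not, and the packet 30 minutes later matches again because a token (1200 s worth) has been refilled. The usual pattern is a limit rule with action accept followed by a rule that logs or drops, so the limit bounds how many packets per interval reach the logger rather than the logger itself.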

mark

Matches the mark field associated with a packet.

mark [not] <string> mask <string>
not

Invert the match.

not
<string> (mandatory)

The mark value. Packets in connections are matched against this value.

<string>
mask

Logically ANDed with the mark before the comparison.

mask <string>

sctp-chunk-types

Matches on the chunk types carried in a Stream Control Transmission Protocol (SCTP) packet.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must be present in the packet for the rule to match.

SCOPE
SCOPE values Description
all Match all chunk types.
any Match any chunk type.
only Match only if exactly the listed chunk types are present and no others.
init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
set

Set flags.

set SET
SET values Description
I SACK chunk should be sent back without delay.
U Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.
B Marks the beginning fragment. An unfragmented chunk has this flag set.
E Marks the end fragment. An unfragmented chunk has this flag set.
abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that receiver should check).
shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED
EXAMINED Means the sender sent its own Verification Tag (that receiver should check).
set

Set flags.

set SET
SET Means the sender sent its own Verification Tag (that receiver should check).
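
Because one SCTP packet can bundle several chunks, the SCOPE keyword decides how the listed types are combined, and the data/abort/shutdown-complete sub-options add a per-chunk flag test with the same examined/set logic as tcp-flags. The following is an added example (not vrouter code) that evaluates constructed packets against such rules; chunk flag bit values follow RFC 4960 (I bit from RFC 7053).

```python
# Added example, not part of the vrouter reference: how
# "sctp-chunk-types SCOPE <chunk types...>" evaluates a packet carrying several
# chunks, including the per-chunk "examined EXAMINED set SET" flag test.

# Flag bits of the chunk header (RFC 4960 section 3.3; I bit from RFC 7053).
FLAG_BITS = {
    "data": {"E": 0x01, "B": 0x02, "U": 0x04, "I": 0x08},
    "abort": {"T": 0x01},
    "shutdown-complete": {"T": 0x01},
}


def _mask(chunk_type, names):
    """Bitmask for the flag letters named in the rule; 0 when none are named."""
    bits = FLAG_BITS.get(chunk_type, {})
    return sum(bits[n] for n in names)


def chunk_flags_ok(chunk_type, chunk_flags, examined, set_flags):
    """Per-chunk flag test: only the EXAMINED bits are compared with SET."""
    return (chunk_flags & _mask(chunk_type, examined)) == _mask(chunk_type, set_flags)


def sctp_chunk_match(packet_chunks, scope, wanted, flag_rules=None, invert=False):
    """packet_chunks: list of (type keyword, flags byte) in packet order.
    wanted: the chunk type keywords listed in the rule.
    flag_rules: {type: (examined, set)} for data/abort/shutdown-complete.
    scope: all (every listed type present), any (at least one), only (exactly these)."""
    flag_rules = flag_rules or {}
    wanted = set(wanted)
    present = {ctype for ctype, _ in packet_chunks}
    satisfied = set()                      # wanted types whose flags also pass
    for ctype, cflags in packet_chunks:
        if ctype not in wanted:
            continue
        examined, set_flags = flag_rules.get(ctype, ([], []))
        if chunk_flags_ok(ctype, cflags, examined, set_flags):
            satisfied.add(ctype)
    if scope == "all":
        matched = satisfied == wanted
    elif scope == "any":
        matched = bool(satisfied)
    elif scope == "only":
        matched = satisfied == wanted and present <= wanted
    else:
        raise ValueError("SCOPE must be all, any or only")
    return matched != invert


# Constructed packets as (chunk type, flags byte) lists, not captured traffic.
SAMPLE_PACKETS = {
    "init-only": [("init", 0x00)],
    "sack-plus-data": [("sack", 0x00), ("data", 0x03)],   # B|E: unfragmented, ordered
    "unordered-data": [("data", 0x07)],                   # U|B|E
    "abort-t": [("abort", 0x01)],                         # T bit set
}

if __name__ == "__main__":
    for name, chunks in SAMPLE_PACKETS.items():
        print(name,
              "only init:", sctp_chunk_match(chunks, "only", ["init"]),
              "any unordered data:",
              sctp_chunk_match(chunks, "any", ["data"], {"data": (["U"], ["U"])}))
```

Note the difference between all and only on the "sack-plus-data" packet: "all sack data" matches it, "only data" does not because a SACK chunk is also present.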

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

rpfilter

Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.

rpfilter invert true|false
invert

This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.

invert true|false
Default value
false

action

The action performed by this rule.

action STANDARD chain <string> reject REJECT \
     connmark \
       set-xmark <string> mask <string> \
       save-mark nfmask <string> ctmask <string> \
       restore-mark nfmask <string> ctmask <string> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <string> mask <string> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD
STANDARD values Description
accept Let the packet through.
drop Drop the packet.
return Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.
chain

Jump to the user chain by this name.

chain <string>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT
REJECT values Description
icmp6-no-route Reject with ICMPv6 no route.
icmp6-adm-prohibited Reject with ICMPv6 admin prohibited.
icmp6-addr-unreachable Reject with ICMPv6 address unreachable.
icmp6-port-unreachable Reject with ICMPv6 port unreachable.
tcp-reset Reject with TCP RST packet. Can be used on rules which only match the TCP protocol.
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <string> mask <string> \
     save-mark nfmask <string> ctmask <string> \
     restore-mark nfmask <string> ctmask <string>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <string> mask <string>
<string> (mandatory)

XOR with this value.

<string>
mask

Zero the bits given by this mask.

mask <string>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <string> ctmask <string>
nfmask

Bits that should be XORed into the connection mark.

nfmask <string>
ctmask

Bits that should be cleared.

ctmask <string>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <string> ctmask <string>
nfmask

Bits that should be cleared.

nfmask <string>
ctmask

Bits that should be XORed into the packet mark.

ctmask <string>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL
LEVEL values Description
emergency Emergency level.
alert Alert level.
critical Critical level.
error Error level.
warning Warning level.
notice Notice level.
info Info level.
debug Debug level.
prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS values Description
tcp-sequence Log TCP sequence numbers.
tcp-options Log options from the TCP packet header.
ip-options Log options from the IP/IPv6 packet header.
user-id Log the userid of the process which generated the packet.
mark

Used to set the mark value associated with the packet.

mark <string> mask <string>
<string> (mandatory)

Bits that should be XORed into the packet mark.

<string>
mask

Zero the bits given by this mask in the packet mark.

mask <string>
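
The connmark and mark matches and actions above all reduce to a few 32-bit mask operations, so here they are written out as an added example (not vrouter code) and walked through one flow: the first packet is marked and the mark saved into the connection, a later packet restores it, and the match is checked with and without a mask. Marks are given as hex strings to stand in for the CLI's <string> operands (the "0x" spelling is an assumption of the example).

```python
# Added example, not from the vrouter reference: the arithmetic behind the
# mark/connmark matches and actions, with 32-bit masking as stated in the text.

MARK_BITS = 0xFFFFFFFF


def parse_mark(s, default=MARK_BITS):
    """Parse a hex/decimal mark operand; None means the operand was omitted
    (masks then default to 0xFFFFFFFF, as documented for save/restore-mark)."""
    return default if s is None else int(s, 0) & MARK_BITS


def set_xmark(ctmark, value, mask):
    """connmark set-xmark VALUE mask MASK: clear the MASK bits, XOR VALUE in."""
    return ((ctmark & ~parse_mark(mask)) ^ parse_mark(value)) & MARK_BITS


def save_mark(nfmark, ctmark, nfmask=None, ctmask=None):
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~parse_mark(ctmask)) ^ (nfmark & parse_mark(nfmask))) & MARK_BITS


def restore_mark(nfmark, ctmark, nfmask=None, ctmask=None):
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~parse_mark(nfmask)) ^ (ctmark & parse_mark(ctmask))) & MARK_BITS


def mark_action(nfmark, value, mask):
    """mark VALUE mask MASK action: clear the MASK bits of the packet mark, XOR VALUE in."""
    return ((nfmark & ~parse_mark(mask)) ^ parse_mark(value)) & MARK_BITS


def mark_match(mark, value, mask=None, invert=False):
    """mark/connmark [not] VALUE mask MASK match: compare (mark & MASK) with VALUE."""
    matched = (mark & parse_mark(mask)) == parse_mark(value)
    return matched != invert


def classify_flow():
    """Walk one constructed flow through a typical prerouting mark policy.
    Returns (nfmark after classification, saved ctmark, nfmark restored on a
    later packet that already carried unrelated high bits)."""
    nfmark, ctmark = 0, 0                                   # fresh packet, fresh connection
    nfmark = mark_action(nfmark, "0x10", "0xff")            # class 0x10 in the low byte
    ctmark = save_mark(nfmark, ctmark, "0xff", "0xff")      # remember it on the connection
    later = restore_mark(0x20000000, ctmark, "0xff", "0xff")  # later packet, high bits untouched
    return nfmark, ctmark, later


if __name__ == "__main__":
    nf, ct, later = classify_flow()
    print(f"nfmark=0x{nf:08x} ctmark=0x{ct:08x} restored=0x{later:08x}")
    print("match with mask 0xff:", mark_match(later, "0x10", "0xff"))
    print("match without mask :", mark_match(later, "0x10"))
```

The last two lines show why the mask matters on the match side: after restore-mark the packet carries 0x20000010, so "mark 0x10 mask 0xff" matches but "mark 0x10" with the default full mask does not. Keeping a class in a dedicated byte and always masking on both the action and the match side is what lets several policies share the 32-bit mark without clobbering each other.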
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 mangle chain <string> rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 mangle chain <string> rule <uint64> counters bytes