ipv6 filter

Default table.

vrouter running config# vrf <vrf> firewall ipv6 filter

input

Packets destined to local sockets.

vrouter running config# vrf <vrf> firewall ipv6 filter input

policy

Action when no rule matches.

vrouter running config# vrf <vrf> firewall ipv6 filter input
vrouter running input# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter input packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter input bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 filter input
vrouter running input# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   action STANDARD chain <string> reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. A higher number means a lower priority (the rule is evaluated later).
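
The way rule priority, the accept/drop/return actions, a jump to a user chain and the chain policy described on this page fit together is easy to get wrong, so here is an added Python model of the evaluation order (example code written for this page, not the vrouter implementation or any vendor code). Match keywords are reduced to simple callables over a constructed packet dict; the chain names, prefix and rule numbers are made-up sample values.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed packet representation and simplified matchers: stand-ins for
# the protocol/destination/source/conntrack keywords of the CLI (assumption).
Packet = Dict[str, object]
Matcher = Callable[[Packet], bool]


@dataclass(order=True)
class Rule:
    priority: int                                   # <uint64>: lower number runs first
    action: str = field(compare=False)              # accept | drop | return | chain
    matchers: List[Matcher] = field(compare=False, default_factory=list)
    chain: Optional[str] = field(compare=False, default=None)  # target of "action chain"

    def matches(self, pkt: Packet) -> bool:
        # A rule with no match keywords matches every packet.
        return all(m(pkt) for m in self.matchers)


@dataclass
class Chain:
    name: str
    rules: List[Rule]
    policy: Optional[str] = None   # built-in chains have a policy, user chains do not


def evaluate(chains: Dict[str, Chain], name: str, pkt: Packet) -> Optional[str]:
    """Walk one chain. Returns the verdict ("accept"/"drop"), or None when a
    user chain is left via "return" or its end, so the parent chain resumes."""
    chain = chains[name]
    for rule in sorted(chain.rules):               # ascending priority number
        if not rule.matches(pkt):
            continue
        if rule.action in ("accept", "drop"):
            return rule.action
        if rule.action == "return":
            break                                  # stop traversing this chain
        if rule.action == "chain":
            verdict = evaluate(chains, rule.chain, pkt)
            if verdict is not None:
                return verdict                     # decided inside the user chain
            # user chain returned: resume at the next rule of this chain
    # No rule decided: a built-in falls through to its policy, a user chain to None.
    return chain.policy


def tcp_to(port: int) -> Matcher:
    return lambda p: p.get("protocol") == "tcp" and p.get("dport") == port


def from_management(p: Packet) -> bool:
    # Constructed "management" prefix; a real rule would use source address/group.
    return str(p.get("saddr", "")).startswith("2001:db8:1:")


# Constructed rule set: input policy drop, established traffic first, SSH handed
# to a user chain that only admits the management prefix, ICMPv6 accepted.
CHAINS = {
    "input": Chain("input", policy="drop", rules=[
        Rule(10, "accept", [lambda p: p.get("state") == "established"]),
        Rule(20, "chain", [tcp_to(22)], chain="ssh-admins"),
        Rule(30, "accept", [lambda p: p.get("protocol") == "ipv6-icmp"]),
    ]),
    "ssh-admins": Chain("ssh-admins", rules=[
        Rule(10, "accept", [from_management]),
        Rule(20, "return"),      # anything else: back to input, after rule 20
    ]),
}


def verdict_for(pkt: Packet) -> Optional[str]:
    return evaluate(CHAINS, "input", pkt)


if __name__ == "__main__":
    print(verdict_for({"protocol": "tcp", "dport": 22, "saddr": "2001:db8:9::5", "state": "new"}))
```

Note that a `return` in the user chain does not end evaluation: the packet continues with the input rule after the one that jumped, and only reaches the policy once every rule has been tried.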

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

ipv6-icmp

ICMPv6 protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern of the underlying type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels each prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.
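
The port[,port|,port-port] syntax above is shared by the destination and source port-range keywords. As an added example (not code from the original page or from the vrouter), here is a small Python parser that validates such a value and emulates the match, including the `not` inversion; the function names are my own.

```python
import re
from typing import List, Tuple

# One item is either a single port or a lo-hi range; the whole value is a comma list.
_PORT_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(spec: str) -> List[Tuple[int, int]]:
    """Parse 'port[,port|,port-port]' (e.g. '21,22,1024-2048') into (lo, hi) pairs.
    Raises ValueError on malformed items, inverted ranges or ports above 16 bits."""
    ranges = []
    for item in spec.split(","):
        m = _PORT_ITEM.match(item.strip())
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            raise ValueError(f"port outside 16-bit range: {item!r}")
        if lo > hi:
            raise ValueError(f"inverted range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def is_valid_port_range(spec: str) -> bool:
    """True when the value would be accepted as a port-range VALUE."""
    try:
        parse_port_range(spec)
        return True
    except ValueError:
        return False


def port_matches(spec: str, port: int, invert: bool = False) -> bool:
    """Emulate 'port-range [not] VALUE': the port must fall in one of the listed
    ranges; with invert=True (the 'not' keyword) the result is flipped."""
    hit = any(lo <= port <= hi for lo, hi in parse_port_range(spec))
    return hit != invert


if __name__ == "__main__":
    print(parse_port_range("21,22,1024-2048"), port_matches("21,22,1024-2048", 1500))
```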

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern of the underlying type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels each prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the group.

<string>

icmpv6-type

Match the packet ICMPv6 type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE

VALUE values

Description

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

address-unreachable

Address unreachable.

port-unreachable

Port unreachable.

no-route

No route to destination.

reject-route

Reject route to destination.

communication-prohibited

Communication with destination administratively prohibited.

beyond-scope

Beyond scope of source address.

packet-too-big

Packet too big.

failed-policy

Source address failed ingress/egress policy.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Hop limit exceeded in transit.

ttl-zero-during-reassembly

Fragment reassembly time exceeded.

parameter-problem

Parameter problem.

bad-header

Erroneous header field encountered.

unknown-header-type

Unrecognized Next Header type encountered.

unknown-option

Unrecognized IPv6 option encountered.

router-solicitation

Router solicitation.

router-advertisement

Router advertisement.

neighbor-solicitation

Neighbor solicitation.

neighbor-advertisement

Neighbor advertisement.

redirect

Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet started a new connection, or is associated with one which has not yet seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.
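
The interplay of burst and rate is best seen by simulating it. Below is an added Python model (not the vrouter implementation, nor code from the page) of the credit bucket the iptables limit match uses, which this keyword is assumed to mirror: each matched packet costs UNIT/rate seconds of credit, credit grows with time and is capped at burst times that cost. The defaults are the page's 3/hour and burst 5; `simulate` and `count_logged` are names chosen for the example. A common defensive use is to put `limit` on a rule whose action is `log`, so that a flood of matching packets cannot fill the log.

```python
from typing import List, Optional

UNIT_SECONDS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


class LimitMatch:
    """Credit bucket behind 'limit burst <uint32> rate <uint32> UNIT'.
    Each matching packet costs UNIT/rate seconds of credit; credit accrues
    with wall-clock time and is capped at burst * cost, so a fresh bucket
    passes `burst` packets at once and afterwards one per cost interval.
    (Assumption: iptables limit-match behaviour; defaults from the page.)"""

    def __init__(self, rate: int = 3, unit: str = "hour", burst: int = 5):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.cost = UNIT_SECONDS[unit] / rate      # seconds of credit per packet
        self.cap = burst * self.cost
        self.credit = self.cap                     # bucket starts full
        self.last: Optional[float] = None

    def match(self, now: float) -> bool:
        if self.last is not None:
            self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def simulate(arrivals: List[float], rate: int = 3, unit: str = "hour",
             burst: int = 5) -> List[bool]:
    """Feed packet arrival times (seconds, non-decreasing) through one limit
    match and return, per packet, whether the rule matched it."""
    lm = LimitMatch(rate, unit, burst)
    return [lm.match(t) for t in arrivals]


def count_logged(arrivals: List[float], **kw) -> int:
    """How many of these packets a 'limit' + 'log' rule would actually log."""
    return sum(simulate(arrivals, **kw))


if __name__ == "__main__":
    # Ten packets at once with the defaults: the first five match, the rest do not.
    print(simulate([0.0] * 10))
```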

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<uint8>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the tos.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The tos value. Packets are matched against this value.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

Match on the chunk types (and, for some chunks, the chunk flags) of Stream Control Transmission Protocol packets.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must be present in the packet.

SCOPE

SCOPE values

Description

all

Match all chunk types.

any

Match any chunk type.

only

Match only the listed chunk types (no other chunk type may be present).

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (which the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (which the receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (which the receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (which the receiver should check).
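
The three SCOPE values and the per-chunk examined/set flags combine in a way the short descriptions above only hint at, so here is an added Python model (example code for this page, not from the vrouter or its documentation). It assumes the keyword follows the Linux xt_sctp match: `all` requires every listed type to be present, `any` at least one, and `only` forbids any chunk type that is not listed; a listed type with a flag spec only counts when (flags & examined) == set. Packets, flag constants and function names are constructed for the example.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

ChunkSpec = Tuple[str, int]          # (chunk type name, chunk flags byte) as seen in a packet
FlagSpec = Tuple[int, int]           # (examined mask, set mask) for one listed chunk type

# Flag bits of a DATA chunk as named on the page: I, U, B, E.
DATA_FLAGS = {"I": 0x08, "U": 0x04, "B": 0x02, "E": 0x01}
# abort and shutdown-complete carry a single flag, the T bit.
T_BIT = 0x01


def data_flag_mask(names: Iterable[str]) -> int:
    mask = 0
    for n in names:
        mask |= DATA_FLAGS[n]
    return mask


def sctp_chunk_types_match(chunks: Iterable[ChunkSpec], listed: Set[str], scope: str,
                           flags: Optional[Dict[str, FlagSpec]] = None,
                           invert: bool = False) -> bool:
    """sctp-chunk-types [not] SCOPE <types...> [<type> examined E set S]
    all : every listed type is present (other types may be present too)
    any : at least one listed type is present
    only: every chunk in the packet is a listed type (assumption: xt_sctp semantics,
          so the packet need not carry all of the listed types)"""
    if scope not in ("all", "any", "only"):
        raise ValueError(f"unknown scope {scope!r}")
    flags = flags or {}

    def flags_ok(ctype: str, cflags: int) -> bool:
        spec = flags.get(ctype)
        return spec is None or (cflags & spec[0]) == spec[1]

    remaining = set(listed)            # for "all": listed types not yet seen
    hit = None
    for ctype, cflags in chunks:
        if ctype in listed:
            if scope == "any" and flags_ok(ctype, cflags):
                hit = True
                break
            if scope == "all" and flags_ok(ctype, cflags):
                remaining.discard(ctype)
            if scope == "only" and not flags_ok(ctype, cflags):
                hit = False
                break
        elif scope == "only":
            hit = False                # a chunk type the rule did not list
            break
    if hit is None:                    # end of packet reached without a decision
        hit = {"all": not remaining, "any": False, "only": True}[scope]
    return hit != invert


# Constructed packets: a bare INIT, and a bundle of an unfragmented DATA chunk (B|E) plus a SACK.
INIT_PKT = [("init", 0x00)]
DATA_PKT = [("data", DATA_FLAGS["B"] | DATA_FLAGS["E"]), ("sack", 0x00)]
```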

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

chain

Jump to the user chain by this name.

chain <string>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp6-no-route

Reject with ICMPv6 no route.

icmp6-adm-prohibited

Reject with ICMPv6 admin prohibited.

icmp6-addr-unreachable

Reject with ICMPv6 address unreachable.

icmp6-port-unreachable

Reject with ICMPv6 port unreachable.

tcp-reset

Reject with TCP RST packet. Can be used on rules which only match the TCP protocol.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the log messages.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the user ID of the process which generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
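
The mask formulas given for connmark set-xmark, save-mark and restore-mark, for the mark action, and for the connmark and mark matches (mask ANDed before comparison) are easy to misapply, so here is an added Python example that carries them through on 32-bit values (example code for this page, not the vrouter implementation). `tag_connection_once` is a constructed illustration of the usual "tag a flow on its first packet, restore on later ones" pattern; as the page notes, restore-mark belongs to the mangle table, so that helper only serves to make the masks concrete. All function names and sample mark values are my own.

```python
from typing import Tuple

MARK_WIDTH = 0xFFFFFFFF   # marks are 32 bits wide


def mark_match(mark: int, value: int, mask: int = MARK_WIDTH, invert: bool = False) -> bool:
    """connmark/mark [not] VALUE mask MASK: the mask is ANDed before comparing."""
    return ((mark & mask) == value) != invert


def set_xmark(ctmark: int, value: int, mask: int = MARK_WIDTH) -> int:
    """connmark set-xmark: zero the bits given by mask, then XOR value in."""
    return ((ctmark & ~mask) ^ value) & MARK_WIDTH


def mark_action(nfmark: int, value: int, mask: int = MARK_WIDTH) -> int:
    """mark VALUE mask MASK on the packet: same zero-then-XOR shape as set-xmark."""
    return ((nfmark & ~mask) ^ value) & MARK_WIDTH


def save_mark(nfmark: int, ctmark: int, nfmask: int = MARK_WIDTH, ctmask: int = MARK_WIDTH) -> int:
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MARK_WIDTH


def restore_mark(nfmark: int, ctmark: int, nfmask: int = MARK_WIDTH, ctmask: int = MARK_WIDTH) -> int:
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK_WIDTH


def tag_connection_once(nfmark: int, ctmark: int, tag: int, tag_mask: int = 0xFF) -> Tuple[int, int]:
    """Constructed pattern: keep a flow tag in the low byte of the ctmark.
    First packet (tag bits still zero): tag the packet, save it to the connection.
    Later packets: restore the connection's tag onto the packet.
    Returns the new (nfmark, ctmark); bits outside tag_mask are left untouched."""
    if mark_match(ctmark, 0, mask=tag_mask):
        nfmark = mark_action(nfmark, tag, mask=tag_mask)
        ctmark = save_mark(nfmark, ctmark, nfmask=tag_mask, ctmask=tag_mask)
    else:
        nfmark = restore_mark(nfmark, ctmark, nfmask=tag_mask, ctmask=tag_mask)
    return nfmark, ctmark


if __name__ == "__main__":
    print(hex(save_mark(0x12345678, 0xAAAA0000, nfmask=0xFF, ctmask=0xFF)))
```

The masks matter because the operations are XORs, not assignments: with the mask covering the target bits, set-xmark is idempotent (the bits are cleared first), whereas with mask 0 a second application toggles the bits back.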
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly set the MSS option to the specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4, minus 60 for IPv6.

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter input rule <uint64> counters packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter input rule <uint64> counters bytes

forward

Packets being routed.

vrouter running config# vrf <vrf> firewall ipv6 filter forward

policy

Action when no rule matches.

vrouter running config# vrf <vrf> firewall ipv6 filter forward
vrouter running forward# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter forward packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter forward bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 filter forward
vrouter running forward# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. A higher number means a lower priority (the rule is evaluated later).

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

ipv6-icmp

ICMPv6 protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern of the underlying type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels each prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern of the underlying type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels each prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the group.

<string>

icmpv6-type

Match the packet ICMPv6 type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE

VALUE values

Description

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

address-unreachable

Address unreachable.

port-unreachable

Port unreachable.

no-route

No route to destination.

reject-route

Reject route to destination.

communication-prohibited

Communication with destination administratively prohibited.

beyond-scope

Beyond scope of source address.

packet-too-big

Packet too big.

failed-policy

Source address failed ingress/egress policy.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Hop limit exceeded in transit.

ttl-zero-during-reassembly

Fragment reassembly time exceeded.

parameter-problem

Parameter problem.

bad-header

Erroneous header field encountered.

unknown-header-type

Unrecognized Next Header type encountered.

unknown-option

Unrecognized IPv6 option encountered.

router-solicitation

Router solicitation.

router-advertisement

Router advertisement.

neighbor-solicitation

Neighbor solicitation.

neighbor-advertisement

Neighbor advertisement.

redirect

Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet started a new connection, or is associated with one which has not yet seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. The connection mark (ctmark) of the connection the packet belongs to is ANDed with the mask and compared against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match (the size of the credit bucket). One credit is restored every time the rate interval elapses without the limit being reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<uint8>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the tos.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The tos value. The packet's TOS byte (the Traffic Class field in IPv6) is ANDed with the mask and compared against this value.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. The packet mark (nfmark) is ANDed with the mask and compared against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

Match on the chunk types (and, for DATA, ABORT and SHUTDOWN COMPLETE, the chunk flags) carried in a Stream Control Transmission Protocol packet.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must relate to the chunk types present in the packet.

SCOPE

SCOPE values

Description

all

Match if all the listed chunk types are present in the packet.

any

Match if at least one of the listed chunk types is present in the packet.

only

Match if the packet carries exactly the listed chunk types and no others.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that receiver should check).

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

chain

Jump to the user chain by this name.

chain <string>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp6-no-route

Reject with ICMPv6 no route.

icmp6-adm-prohibited

Reject with ICMPv6 admin prohibited.

icmp6-addr-unreachable

Reject with ICMPv6 address unreachable.

icmp6-port-unreachable

Reject with ICMPv6 port unreachable.

tcp-reset

Reject with TCP RST packet. Can be used on rules which only match the TCP protocol.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>
additional-infos

Append additional information to the log messages.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the userid of the process which generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter forward rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter forward rule <uint64> counters bytes

output

Locally-generated packets.

vrouter running config# vrf <vrf> firewall ipv6 filter output

policy

Action when no rule match.

vrouter running config# vrf <vrf> firewall ipv6 filter output
vrouter running output# policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

Default value
accept

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter output packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter output bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 filter output
vrouter running output# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. Rules are evaluated in ascending order of this number, so a higher number means lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

ipv6-icmp

ICMPv6 protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which use this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The YANG pattern behind this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (packets whose address is not in the group).

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether a name must be fully qualified is left to the models which use this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The YANG pattern behind this type is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’.
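
Worked example (added here; not part of the reference and not the router's own code) of a parser and matcher for the port[,port|,port-port] syntax used by the source and destination port-range matches above, in this output rule and the identical forward rule. The Python below rejects empty elements, non-numeric ports, values above 65535 and inverted ranges, and also counts how many ports a specification admits, which is a quick review check for a rule that was meant to be narrow. The function names and the sample specifications are constructed for this example.

```python
"""Parser and matcher for the port-range syntax port[,port|,port-port]."""
from typing import List, Tuple

Range = Tuple[int, int]


def parse_port_range(spec: str) -> List[Range]:
    """Parse e.g. '21,22,1024-2048' into [(21, 21), (22, 22), (1024, 2048)],
    rejecting anything that is not a valid list of 16-bit ports."""
    ranges: List[Range] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty element in {spec!r}")
        lo_s, sep, hi_s = item.partition("-")
        if not lo_s.isdigit() or (sep and not hi_s.isdigit()):
            raise ValueError(f"bad port element {item!r}")
        lo = int(lo_s)
        hi = int(hi_s) if sep else lo
        if not 0 <= lo <= 0xFFFF or not 0 <= hi <= 0xFFFF:
            raise ValueError(f"port out of 16-bit range in {item!r}")
        if lo > hi:
            raise ValueError(f"inverted range {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(port: int, spec: str, invert: bool = False) -> bool:
    """'port-range [not] VALUE': True if port falls in any listed range
    (or in none of them when invert is set)."""
    hit = any(lo <= port <= hi for lo, hi in parse_port_range(spec))
    return hit != invert


def covered_ports(spec: str) -> int:
    """Number of distinct ports a spec admits; overlapping ranges are
    counted once. Useful when reviewing how wide a rule really is."""
    seen = set()
    for lo, hi in parse_port_range(spec):
        seen.update(range(lo, hi + 1))
    return len(seen)


if __name__ == "__main__":
    # Constructed specification from the reference's own example.
    spec = "21,22,1024-2048"
    print(parse_port_range(spec))
    print(port_matches(22, spec), port_matches(23, spec))
    print(covered_ports(spec))
```

Rejecting inverted and out-of-range elements at parse time matters because a silently ignored element turns a narrow rule into a no-op; the count returned by covered_ports makes a '1024-2048' range visible as 1025 ports rather than one line.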

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (packets whose address is not in the group).

not
<string> (mandatory)

The name of the group.

<string>

icmpv6-type

Match the packet ICMPv6 type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE

VALUE values

Description

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

address-unreachable

Address unreachable.

port-unreachable

Port unreachable.

no-route

No route to destination.

reject-route

Reject route to destination.

communication-prohibited

Communication with destination administratively prohibited.

beyond-scope

Beyond scope of source address.

packet-too-big

Packet too big.

failed-policy

Source address failed ingress/egress policy.

ttl-exceeded

Time exceeded (hop limit or reassembly time).

ttl-zero-during-transit

Hop limit exceeded in transit.

ttl-zero-during-reassembly

Fragment reassembly time exceeded.

parameter-problem

Parameter problem.

bad-header

Erroneous header field encountered.

unknown-header-type

Unrecognized Next Header type encountered.

unknown-option

Unrecognized IPv6 option encountered.

router-solicitation

Router solicitation.

router-advertisement

Router advertisement.

neighbor-solicitation

Neighbor solicitation.

neighbor-advertisement

Neighbor advertisement.

redirect

Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.
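
Worked example (added here; not part of the reference and not the router's own code) of how the set and examined lists combine, for this output rule and the identical tcp-flags match of the forward rule: a packet matches when, among the examined flags, exactly the flags listed under set are on, and not inverts that result. The Python below uses the bit values of the TCP header flags; the packets and the three rules are constructed for the demonstration, and flags_to_mask and classify are names chosen for this example.

```python
"""Model of the tcp-flags match: (flags & examined) == set, optionally inverted."""
from typing import Iterable

# Bit values of the flags in the TCP header's flags byte.
TCP_FLAG_BITS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "psh": 0x08,
    "ack": 0x10,
    "urg": 0x20,
}


def flags_to_mask(names: Iterable[str]) -> int:
    """Turn a SET or EXAMINED list into a bitmask; 'all' and 'none' are the
    shorthands the reference lists."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= 0x3F
        elif name == "none":
            pass
        else:
            mask |= TCP_FLAG_BITS[name]
    return mask


def tcp_flags_match(packet_flags: int, examined: Iterable[str],
                    set_flags: Iterable[str], invert: bool = False) -> bool:
    """True when, among the examined flags, exactly the 'set' ones are on."""
    exam = flags_to_mask(examined)
    want = flags_to_mask(set_flags)
    # A flag listed under 'set' but not under 'examined' can never be tested.
    if want & ~exam:
        raise ValueError("'set' flags must be a subset of 'examined' flags")
    hit = (packet_flags & exam) == want
    return hit != invert


# Constructed flag bytes for the demonstration.
SYN_ONLY = TCP_FLAG_BITS["syn"]
SYN_ACK = TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ack"]
NULL_SCAN = 0
XMAS_SCAN = TCP_FLAG_BITS["fin"] | TCP_FLAG_BITS["psh"] | TCP_FLAG_BITS["urg"]


def classify(packet_flags: int) -> str:
    """Apply three rules in the order a practitioner would write them."""
    # 'examined syn ack fin rst set syn': a pure connection opener.
    if tcp_flags_match(packet_flags, ["syn", "ack", "fin", "rst"], ["syn"]):
        return "new-connection"
    # 'examined all set none': no flag at all (NULL scan).
    if tcp_flags_match(packet_flags, ["all"], ["none"]):
        return "null-scan"
    # 'examined all set fin psh urg': the classic XMAS probe.
    if tcp_flags_match(packet_flags, ["all"], ["fin", "psh", "urg"]):
        return "xmas-scan"
    return "other"


if __name__ == "__main__":
    for name, flags in [("SYN", SYN_ONLY), ("SYN+ACK", SYN_ACK),
                        ("NULL", NULL_SCAN), ("XMAS", XMAS_SCAN)]:
        print(f"{name:8} -> {classify(flags)}")
```

The first rule shows why the examined list matters: 'examined syn set syn' also matches a SYN+ACK (only SYN is looked at), while 'examined syn ack fin rst set syn' matches only a packet that opens a connection. Rules meant to catch stateless connection attempts should examine the flags that must be clear as well as the one that must be set.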

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: originating packet has left box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet started a new connection, or is associated with one which has not yet seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if you explicitly untrack it by using the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. The connection mark (ctmark) of the connection the packet belongs to is ANDed with the mask and compared against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match (the size of the credit bucket). One credit is restored every time the rate interval elapses without the limit being reached, up to this number.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.
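
Worked example (added here; not from the reference and not the router's own code) modelling limit burst/rate as the credit bucket the descriptions above imply, for this output rule and the identical forward rule: burst credits to start with, one credit restored every UNIT/rate seconds, and a packet matches only while a credit is available. The LimitMatch class, the simulate helper and the packet arrival times are constructed for the demonstration.

```python
"""Credit-bucket model of the 'limit burst <n> rate <r> UNIT' match."""
from typing import Iterable, List

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """Matches while credit is available: 'burst' credits to start with,
    one credit restored every interval = UNIT / rate seconds, never more
    than 'burst' credits stored. Defaults are the reference's 3/hour, burst 5."""

    def __init__(self, rate: int = 3, unit: str = "hour", burst: int = 5):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.interval = UNIT_SECONDS[unit] / rate   # seconds per credit
        self.burst = burst
        self.credit = float(burst)
        self.last = 0.0

    def match(self, now: float) -> bool:
        """Return True if a packet seen at time 'now' (seconds) matches."""
        elapsed = now - self.last
        self.last = now
        # Recharge proportionally to the time passed, capped at 'burst'.
        self.credit = min(self.burst, self.credit + elapsed / self.interval)
        if self.credit >= 1.0:
            self.credit -= 1.0
            return True
        return False


def simulate(times: Iterable[float], **kwargs) -> List[bool]:
    """Feed packet arrival times (seconds, non-decreasing) through one
    limit match and return which packets matched."""
    lim = LimitMatch(**kwargs)
    return [lim.match(t) for t in times]


if __name__ == "__main__":
    # Constructed flood: eight packets at t=0, then three more at t=2s,
    # against 'limit burst 5 rate 1 second'.
    print(simulate([0.0] * 8 + [2.0] * 3, rate=1, unit="second", burst=5))
    # The defaults (3/hour, burst 5): six packets at once, one 20 minutes later.
    print(simulate([0.0] * 6 + [1200.0]))
```

Because limit is a match and not an action, a packet that exceeds the limit simply does not match this rule and goes on to the next rule or the chain policy. Put the limit on the rule that logs and keep the accept or drop decision on an unlimited rule; a limited drop rule lets the excess through.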

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<uint8>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the tos.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The tos value. The packet's TOS byte (the Traffic Class field in IPv6) is ANDed with the mask and compared against this value.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. The packet mark (nfmark) is ANDed with the mask and compared against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

Match on the chunk types (and, for DATA, ABORT and SHUTDOWN COMPLETE, the chunk flags) carried in a Stream Control Transmission Protocol packet.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must relate to the chunk types present in the packet.

SCOPE

SCOPE values

Description

all

Match if all the listed chunk types are present in the packet.

any

Match if at least one of the listed chunk types is present in the packet.

only

Match if the packet carries exactly the listed chunk types and no others.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that receiver should check).

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

Means the sender sent its own Verification Tag (that receiver should check).

set

Set flags.

set SET

SET

Means the sender sent its own Verification Tag (that receiver should check).

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <string> reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

chain

Jump to the user chain by this name.

chain <string>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp6-no-route

Reject with ICMPv6 no route.

icmp6-adm-prohibited

Reject with ICMPv6 admin prohibited.

icmp6-addr-unreachable

Reject with ICMPv6 address unreachable.

icmp6-port-unreachable

Reject with ICMPv6 port unreachable.

tcp-reset

Reject with TCP RST packet. Can be used on rules which only match the TCP protocol.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
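
Worked example (added here; not the router's code) of the mark, connmark set-xmark, save-mark and restore-mark formulas given above, for this output rule action and the identical forward rule action. The Python below implements the formulas literally and walks through the usual pattern: stamp a tag into the low byte of the packet mark, save only that byte into the connection mark, and restore it on later packets of the same connection without touching the other bits. The Packet class, the zone-id tag and the mark values are constructed for the demonstration.

```python
"""The mark / connmark actions, using the formulas the reference gives."""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass
class Packet:
    nfmark: int = 0      # packet mark
    ctmark: int = 0      # mark of the connection the packet belongs to


def mark_set_xmark(pkt: Packet, value: int, mask: int = MASK32) -> int:
    """'mark <value> mask <mask>': zero the bits in mask, XOR value in."""
    pkt.nfmark = ((pkt.nfmark & ~mask) ^ value) & MASK32
    return pkt.nfmark


def connmark_set_xmark(pkt: Packet, value: int, mask: int = MASK32) -> int:
    """'connmark set-xmark <value> mask <mask>', same algebra on the ctmark."""
    pkt.ctmark = ((pkt.ctmark & ~mask) ^ value) & MASK32
    return pkt.ctmark


def connmark_save_mark(pkt: Packet, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)"""
    pkt.ctmark = ((pkt.ctmark & ~ctmask) ^ (pkt.nfmark & nfmask)) & MASK32
    return pkt.ctmark


def connmark_restore_mark(pkt: Packet, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)"""
    pkt.nfmark = ((pkt.nfmark & ~nfmask) ^ (pkt.ctmark & ctmask)) & MASK32
    return pkt.nfmark


def mark_match(mark: int, value: int, mask: int = MASK32) -> bool:
    """The 'mark' and 'connmark' matches: (mark & mask) == value."""
    return (mark & mask) == value


def tag_connection(first_packet: Packet, zone_id: int) -> Packet:
    """Stamp a zone id into bits 0-7 of the packet mark and save only those
    bits into the connection mark, keeping whatever bits 8-31 already held."""
    mark_set_xmark(first_packet, zone_id, mask=0xFF)
    connmark_save_mark(first_packet, nfmask=0xFF, ctmask=0xFF)
    return first_packet


def later_packet(conn_mark: int) -> Packet:
    """A later packet of the same connection: restore the zone id from the
    connection mark into an otherwise untouched packet mark."""
    pkt = Packet(nfmark=0, ctmark=conn_mark)
    connmark_restore_mark(pkt, nfmask=0xFF, ctmask=0xFF)
    return pkt


if __name__ == "__main__":
    # Constructed values: high bits already in use by something else.
    p = Packet(nfmark=0xABCD0000, ctmark=0x12345600)
    tag_connection(p, 0x2A)
    print(f"first packet: nfmark={p.nfmark:#010x} ctmark={p.ctmark:#010x}")
    q = later_packet(p.ctmark)
    print(f"later packet: nfmark={q.nfmark:#010x} matches zone 0x2a: "
          f"{mark_match(q.nfmark, 0x2A, 0xFF)}")
```

The mask is what turns the XOR into an assignment: with the mask covering the value's bits the old bits are cleared first, so the result is the value; with mask 0 nothing is cleared and applying the same rule twice toggles the bits back. A rule that marks without a mask therefore overwrites every bit of the 32-bit mark, including bits another rule or table may be relying on.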
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 characters long.

prefix <string>
additional-infos

Append additional information to the log messages.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the userid of the process which generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets MSS option to specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter output rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter output rule <uint64> counters bytes

chain

User chain.

vrouter running config# vrf <vrf> firewall ipv6 filter chain <string>

<string>

The user chain name.

policy

Action when no rule match.

vrouter running config# vrf <vrf> firewall ipv6 filter chain <string>
vrouter running chain <string># policy POLICY

POLICY values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-ins, go through the policy.

Default value
accept
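
Worked example (added here; not the router's own code) of the traversal rules the reference states for built-in and user chains: rules are consulted in ascending order of their number, the first match decides, chain jumps into a user chain, return resumes at the next rule of the parent (or, on a built-in chain, goes through the policy), and the policy applies when nothing matched. The Python below builds a forward chain with a user chain for SSH and counts matches per rule as the counters do; the chain names, addresses and packet fields are constructed for the demonstration, and the lambda predicates stand in for the real match keywords.

```python
"""Model of how a filter chain walks its rules."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]
Predicate = Callable[[Packet], bool]


@dataclass
class Rule:
    priority: int
    match: Predicate
    action: str                      # "accept" | "drop" | "return" | "chain"
    target: Optional[str] = None     # user chain name when action == "chain"
    description: str = ""
    packets: int = 0                 # the rule's 'counters packets'


@dataclass
class Chain:
    name: str
    rules: List[Rule] = field(default_factory=list)
    policy: str = "accept"
    builtin: bool = False


class Filter:
    def __init__(self, chains: List[Chain]):
        self.chains = {c.name: c for c in chains}

    def evaluate(self, chain_name: str, pkt: Packet) -> str:
        chain = self.chains[chain_name]
        # Rules are consulted in ascending order of their number.
        for rule in sorted(chain.rules, key=lambda r: r.priority):
            if not rule.match(pkt):
                continue
            rule.packets += 1
            if rule.action == "chain":
                verdict = self.evaluate(rule.target, pkt)
                if verdict != "return":
                    return verdict      # accept/drop decided inside the jump
                continue                # user chain returned: next rule here
            return rule.action          # accept, drop or return
        # No rule matched: the chain policy (a user chain's 'return' policy
        # hands control back to the parent).
        return chain.policy

    def verdict(self, chain_name: str, pkt: Packet) -> str:
        v = self.evaluate(chain_name, pkt)
        if v == "return":
            # On a built-in chain, 'return' means "go through the policy".
            return self.chains[chain_name].policy
        return v


def build_forward_filter() -> Filter:
    """A stateful forward chain in the order a practitioner writes it:
    established/related first, invalid dropped, then explicit openings."""
    mgmt = Chain("mgmt-in", policy="return", rules=[
        Rule(10, lambda p: p["src"].startswith("2001:db8:1:"), "accept",
             description="admin prefix may open SSH"),
        # anything else falls off the end and returns to the parent
    ])
    forward = Chain("forward", builtin=True, policy="drop", rules=[
        Rule(10, lambda p: p["state"] == "established", "accept"),
        Rule(20, lambda p: p["state"] == "related", "accept"),
        Rule(30, lambda p: p["state"] == "invalid", "drop"),
        Rule(40, lambda p: p["proto"] == "tcp" and p["dport"] == 22,
             "chain", target="mgmt-in"),
        Rule(50, lambda p: p["proto"] == "tcp" and p["dport"] == 443, "accept"),
    ])
    return Filter([forward, mgmt])


if __name__ == "__main__":
    f = build_forward_filter()
    samples = [
        {"src": "2001:db8:9::1", "proto": "tcp", "dport": 22, "state": "new"},
        {"src": "2001:db8:1::5", "proto": "tcp", "dport": 22, "state": "new"},
        {"src": "2001:db8:9::1", "proto": "tcp", "dport": 80, "state": "new"},
    ]
    for s in samples:
        print(s["src"], s["dport"], "->", f.verdict("forward", s))
    print("rule 40 packets:", f.chains["forward"].rules[3].packets)
```

The SSH packet from outside the admin prefix is the case to watch: the user chain matches nothing, its return policy hands control back, rule 50 does not match either, and the built-in chain's drop policy decides. A user chain whose policy were accept would instead admit that packet without any rule having said so.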

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter chain <string> packets

bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter chain <string> bytes

rule

A rule to perform an action on matching packets.

vrouter running config# vrf <vrf> firewall ipv6 filter chain <string>
vrouter running chain <string># rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <string> reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule; a higher number means a lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE values

Description

tcp

TCP protocol.

udp

UDP protocol.

sctp

SCTP protocol.

ipv6-icmp

ICMPv6 protocol.

esp

IPsec ESP protocol.

ah

IPsec AH protocol.

gre

GRE protocol.

l2tp

L2TP protocol.

ipip

IP-in-IP protocol.

vrrp

VRRP protocol.

all

All protocols.

<uint16>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

<string>

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether it is fully qualified is left to the models that utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern in the type definition is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE values

Description

<domain-name>

The domain-name type represents a DNS domain name. Whether it is fully qualified is left to the models that utilize this type. Internet domain names are only loosely specified. Section 3.5 of RFC 1034 recommends a syntax (modified in Section 2.1 of RFC 1123). The pattern in the type definition is intended to allow for current practice in domain name use, and some possible future expansion. It is designed to hold various types of domain names, including names used for A or AAAA records (host names) and other records, such as SRV records. Note that Internet host names have a stricter syntax (described in RFC 952) than the DNS recommendations in RFCs 1034 and 1123, and that systems that want to store host names in schema nodes using the domain-name type are recommended to adhere to this stricter standard to ensure interoperability. The encoding of DNS names in the DNS protocol is limited to 255 characters. Since the encoding consists of labels prefixed by a length byte and there is a trailing NULL byte, only 253 characters can appear in the textual dotted notation. Domain-name values use the US-ASCII encoding. Their canonical format uses lowercase US-ASCII characters. Internationalized domain names MUST be encoded in punycode as described in RFC 3492.

<X:X::X:X>

An IPv6 address.

<X:X::X:X/M>

An IPv6 prefix: address and CIDR mask.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match.

not
<string> (mandatory)

The name of the group.

<string>

icmpv6-type

Match the packet ICMPv6 type.

icmpv6-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMPv6 type to match.

VALUE

VALUE values

Description

echo-request

Echo request.

echo-reply

Echo reply.

destination-unreachable

Destination unreachable.

address-unreachable

Address unreachable.

port-unreachable

Port unreachable.

no-route

No route to destination.

reject-route

Reject route to destination.

communication-prohibited

Communication with destination administratively prohibited.

beyond-scope

Beyond scope of source address.

packet-too-big

Packet too big.

failed-policy

Source address failed ingress/egress policy.

ttl-exceeded

TTL exceeded.

ttl-zero-during-transit

Hop limit exceeded in transit.

ttl-zero-during-reassembly

Fragment reassembly time exceeded.

parameter-problem

Parameter problem.

bad-header

Erroneous header field encountered.

unknown-header-type

Unrecognized Next Header type encountered.

unknown-option

Unrecognized IPv6 option encountered.

router-solicitation

Router solicitation.

router-advertisement

Router advertisement.

neighbor-solicitation

Neighbor solicitation.

neighbor-advertisement

Neighbor advertisement.

redirect

Redirect message.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.

examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

syn

SYN flag.

ack

ACK flag.

fin

FIN flag.

rst

RST flag.

urg

URG flag.

psh

PSH flag.

all

All flags.

none

No flag.
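
How a tcp-flags match is evaluated, as an added example that is not part of this reference: the rule's examined flags form a mask, the set flags form the expected value, and the packet matches when (packet flags & examined) == set. The three rules in classify() and the packet values are constructed for illustration.

```python
# Added example (not from the vrouter reference): netfilter-style evaluation
# of "tcp-flags [not] set SET examined EXAMINED". The flag bit values are the
# TCP header flag bits; "all" and "none" expand as shown in flags_to_mask().

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags_to_mask(names):
    """Turn a list of SET/EXAMINED keywords into a bitmask."""
    mask = 0
    for name in names:
        if name == "all":
            mask |= sum(TCP_FLAG_BITS.values())
        elif name == "none":
            pass                      # contributes no bits
        else:
            mask |= TCP_FLAG_BITS[name]
    return mask


def tcp_flags_match(packet_flags, examined, set_flags, invert=False):
    """Evaluate one tcp-flags match on the packet's 6 TCP flag bits.

    examined / set_flags: keyword lists as written in the rule
    invert: the optional 'not' keyword
    """
    examined_mask = flags_to_mask(examined)
    set_mask = flags_to_mask(set_flags)
    matched = (packet_flags & examined_mask) == set_mask
    return matched != invert


# Constructed packets: a plain SYN, an illegal SYN+FIN, and a "null" packet.
SYN = TCP_FLAG_BITS["syn"]
SYN_FIN = TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["fin"]
NULL = 0


def classify(packet_flags):
    """Apply three typical sanity rules in order; return the first hit."""
    # tcp-flags set syn,fin examined syn,fin  -> SYN and FIN together
    if tcp_flags_match(packet_flags, ["syn", "fin"], ["syn", "fin"]):
        return "syn-fin"
    # tcp-flags set none examined all  -> no flags at all
    if tcp_flags_match(packet_flags, ["all"], ["none"]):
        return "null-scan"
    # tcp-flags set syn examined syn,ack  -> a plain SYN (new connection)
    if tcp_flags_match(packet_flags, ["syn", "ack"], ["syn"]):
        return "new-syn"
    return "other"
```

Such rules are typically placed before the connection-tracking rules so that malformed flag combinations are dropped or logged early.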

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE values

Description

none

No status.

expected

This is an expected connection (i.e. a conntrack helper set it up).

seen_reply

Conntrack has seen packets in both directions.

assured

Conntrack entry should never be early-expired.

confirmed

Connection is confirmed: the originating packet has left the box.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE values

Description

invalid

Packet is associated with no known connection.

new

Packet has started a new connection, or is associated with one that has not yet seen packets in both directions.

established

Packet is associated with a connection which has seen packets in both directions.

related

Packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error.

untracked

Packet is not tracked at all, which happens if it was explicitly untracked with the notrack action in the raw table.

snat

A virtual state, matching if the original source address differs from the reply destination.

dnat

A virtual state, matching if the original destination differs from the reply source.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Match packets at a limited rate. If not set, the rate is 3 per hour and the burst is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. This number is recharged by one each time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT values

Description

second

Second.

minute

Minute.

hour

Hour.

day

Day.
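
The burst and rate parameters behave as a token bucket; the following added example (not from the vrouter reference) models that behaviour with the page's defaults and a constructed packet arrival sequence.

```python
# Added example (not from the vrouter reference): token-bucket model of
# "limit burst <uint32> rate <uint32> UNIT". The bucket starts full with
# `burst` tokens, each matching packet spends one, and one token is refilled
# every UNIT/rate seconds, never above `burst`. Defaults follow the page:
# rate 3 per hour, burst 5.

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """Stateful evaluator for one rule's limit match."""

    def __init__(self, rate=3, unit="hour", burst=5):
        self.burst = burst
        self.interval = UNIT_SECONDS[unit] / rate  # seconds per token
        self.tokens = float(burst)                  # bucket starts full
        self.last = 0.0                             # time of last evaluation

    def matches(self, now):
        """Return True if a packet seen at `now` (seconds) matches."""
        # Recharge one token per interval elapsed, capped at the burst size.
        refill = (now - self.last) / self.interval
        self.tokens = min(self.burst, self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def evaluate(timestamps, **rule):
    """Run an ascending list of arrival times (seconds) through one match.

    Returns one True/False per packet.
    """
    lm = LimitMatch(**rule)
    return [lm.matches(t) for t in timestamps]


def log_rate_limit_demo():
    """Constructed pattern: 8 packets at t=0, then packets 20 minutes apart.

    With the defaults (3/hour, burst 5) only five of the initial burst match;
    afterwards exactly one packet matches per 20-minute token interval, which
    is what keeps a 'log' rule on dropped traffic from flooding the logs.
    """
    arrivals = [0] * 8 + [1200, 1200, 2400]
    return evaluate(arrivals)
```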

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE values

Description

<uint8>

A differentiated services code point (DSCP) marking within the IP header.

af11

AF11 (assured forwarding) class (10).

af12

AF12 (assured forwarding) class (12).

af13

AF13 (assured forwarding) class (14).

af21

AF21 (assured forwarding) class (18).

af22

AF22 (assured forwarding) class (20).

af23

AF23 (assured forwarding) class (22).

af31

AF31 (assured forwarding) class (26).

af32

AF32 (assured forwarding) class (28).

af33

AF33 (assured forwarding) class (30).

af41

AF41 (assured forwarding) class (34).

af42

AF42 (assured forwarding) class (36).

af43

AF43 (assured forwarding) class (38).

be

BE (best effort) class (0).

cs0

CS0 (class selector) class (0).

cs1

CS1 (class selector) class (8).

cs2

CS2 (class selector) class (16).

cs3

CS3 (class selector) class (24).

cs4

CS4 (class selector) class (32).

cs5

CS5 (class selector) class (40).

cs6

CS6 (class selector) class (48).

cs7

CS7 (class selector) class (56).

ef

EF (expedited forwarding) class (46).

tos

Match the TOS field.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The TOS value. Packets are matched against this value.

<0x0-0xff>
mask

Logically ANDed with the TOS field before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

Match on Stream Control Transmission Protocol (SCTP) chunk types and their flags.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are matched.

SCOPE

SCOPE values

Description

all

Match all chunk types.

any

Match any chunk type.

only

Match exactly the listed chunk types.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

set

Set flags.

set SET

SET values

Description

I

SACK chunk should be sent back without delay.

U

Indicates this data is an unordered chunk and the stream sequence number is invalid. If an unordered chunk is fragmented then each fragment has this flag set.

B

Marks the beginning fragment. An unfragmented chunk has this flag set.

E

Marks the end fragment. An unfragmented chunk has this flag set.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

The sender sent its own Verification Tag, which the receiver should check.

set

Set flags.

set SET

SET

The sender sent its own Verification Tag, which the receiver should check.

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

The sender sent its own Verification Tag, which the receiver should check.

set

Set flags.

set SET

SET

The sender sent its own Verification Tag, which the receiver should check.

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

rpfilter

Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.

rpfilter invert true|false
invert

This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.

invert true|false
Default value
false

action

The action performed by this rule.

action STANDARD chain <string> reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD values

Description

accept

Let the packet through.

drop

Drop the packet.

return

Stop traversing this chain and resume at the next rule in the parent chain. For built-in chains, apply the chain policy.

chain

Jump to the user chain by this name.

chain <string>
reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT values

Description

icmp6-no-route

Reject with ICMPv6 no route.

icmp6-adm-prohibited

Reject with ICMPv6 admin prohibited.

icmp6-addr-unreachable

Reject with ICMPv6 address unreachable.

icmp6-port-unreachable

Reject with ICMPv6 port unreachable.

tcp-reset

Reject with a TCP RST packet. Can only be used on rules that match the TCP protocol exclusively.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by the mask and XOR the value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask), i.e. ctmask defines which bits to clear and nfmask which bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines which bits to clear and ctmask which bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL values

Description

emergency

Emergency level.

alert

Alert level.

critical

Critical level.

error

Error level.

warning

Warning level.

notice

Notice level.

info

Info level.

debug

Debug level.

prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS values

Description

tcp-sequence

Log TCP sequence numbers.

tcp-options

Log options from the TCP packet header.

ip-options

Log options from the IP/IPv6 packet header.

user-id

Log the user ID of the process that generated the packet.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
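
The mark action above and the connmark set-xmark, save-mark and restore-mark actions all use the same zero-then-XOR arithmetic; the following added example (not from the vrouter reference) implements those formulas together with the mark match, and walks through a constructed connection-classification scenario.

```python
# Added example (not from the vrouter reference): the 32-bit mark arithmetic
# given on this page for the "mark" action, the connmark set-xmark /
# save-mark / restore-mark actions, and the "mark [not] <value> mask <mask>"
# match. All values and the walk-through scenario are constructed.

MASK32 = 0xFFFFFFFF


def set_mark(nfmark, value, mask=MASK32):
    """action mark <value> mask <mask>: zero the masked bits of the packet
    mark, then XOR the value in (XOR, not OR: set bits can be toggled off)."""
    return ((nfmark & ~mask) ^ value) & MASK32


def set_xmark(ctmark, value, mask=MASK32):
    """connmark set-xmark <value> mask <mask>: same operation on the ctmark."""
    return ((ctmark & ~mask) ^ value) & MASK32


def save_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark, ctmark, nfmask=MASK32, ctmask=MASK32):
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def mark_match(nfmark, value, mask=MASK32, invert=False):
    """mark [not] <value> mask <mask>: AND the packet mark with the mask,
    then compare the result with the value."""
    return ((nfmark & mask) == value) != invert


def classify_walkthrough():
    """Constructed scenario: the low byte of the mark carries a class id
    (0x10 here); the upper bits belong to another feature and must survive.

    First packet: restore-mark finds an empty ctmark, a rule assigns the
    class with 'mark 0x10 mask 0xff', and save-mark stores the low byte in
    the connection. A later packet: restore-mark recovers the class so a
    'mark 0x10 mask 0xff' rule fires without re-classifying.
    Returns (ctmark after first packet, nfmark of later packet, match).
    """
    ctmark = 0
    nfmark = 0xABCD0000                                # pre-existing upper bits
    nfmark = restore_mark(nfmark, ctmark, nfmask=0xFF, ctmask=0xFF)  # unchanged
    nfmark = set_mark(nfmark, 0x10, mask=0xFF)                       # 0xABCD0010
    ctmark = save_mark(nfmark, ctmark, nfmask=0xFF, ctmask=0xFF)     # 0x10
    later = restore_mark(0x5500, ctmark, nfmask=0xFF, ctmask=0xFF)   # 0x5510
    return ctmark, later, mark_match(later, 0x10, mask=0xFF)
```

Note that with the default masks (0xFFFFFFFF) every bit is cleared before the XOR, so save-mark and restore-mark then simply overwrite the whole target mark.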
tcpmss

Alter the MSS value of TCP SYN packets to control the maximum segment size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly set the MSS option to the specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4, or minus 60 for IPv6.

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vrouter> show state vrf <vrf> firewall ipv6 filter chain <string> rule <uint64> counters packets
bytes (state only)

Bytes.

vrouter> show state vrf <vrf> firewall ipv6 filter chain <string> rule <uint64> counters bytes