ipv6 filter¶
Default table.
vsr running config# vrf <vrf> firewall ipv6 filter
input¶
Packets destined to local sockets.
vsr running config# vrf <vrf> firewall ipv6 filter input
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 filter input
vsr running input# policy POLICY
POLICY |
Standard actions. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 filter input
vsr running input# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... action STANDARD chain <string> reject REJECT \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
|---|---|
all |
Match all chunk types. |
any |
Match any chunk type. |
only |
Match exactly chunk type. |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string> reject REJECT \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable infos. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
forward¶
Packets being routed.
vsr running config# vrf <vrf> firewall ipv6 filter forward
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 filter forward
vsr running forward# policy POLICY
POLICY |
Standard actions. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 filter forward
vsr running forward# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... outbound-interface [not] <string> \
... action STANDARD chain <string> reject REJECT set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
|---|---|
all |
Match all chunk types. |
any |
Match any chunk type. |
only |
Match exactly chunk type. |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string> reject REJECT set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable infos. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
output¶
Locally-generated packets.
vsr running config# vrf <vrf> firewall ipv6 filter output
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 filter output
vsr running output# policy POLICY
POLICY |
Standard actions. |
- Default value
accept
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 filter output
vsr running output# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... outbound-interface [not] <string> \
... action STANDARD chain <string> reject REJECT set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
|---|---|
all |
Match all chunk types. |
any |
Match any chunk type. |
only |
Match exactly chunk type. |
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
action¶
The action performed by this rule.
action STANDARD chain <string> reject REJECT set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable infos. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
chain¶
User chain.
vsr running config# vrf <vrf> firewall ipv6 filter chain <string>
<string> |
The user chain name. |
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv6 filter chain <string>
vsr running chain <string># policy POLICY
POLICY |
Standard actions. |
- Default value
accept
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 filter chain <string> packets
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 filter chain <string>
vsr running chain <string># rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... icmpv6-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... outbound-interface [not] <string> \
... rpfilter invert true|false \
... action STANDARD chain <string> reject REJECT \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule. High number means lower priority. |
protocol¶
Match the protocol.
protocol [not] VALUE
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on destination port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
port¶
Match on source port.
port [not] VALUE
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. This number gets recharged by one every time the rate is not reached, up to this number.
burst <uint32>
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
The tos value. Packets in connections are matched against this value.
<0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
SCOPE (mandatory)¶
Invert the match.
SCOPE
|
Description |
|---|---|
all |
Match all chunk types. |
any |
Match any chunk type. |
only |
Match exactly chunk type. |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
rpfilter¶
Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.
rpfilter invert true|false
invert¶
This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
invert true|false
- Default value
false
action¶
The action performed by this rule.
action STANDARD chain <string> reject REJECT \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new ctmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
additional-infos¶
Append additional informations to the logs.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable infos. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>