2.19.1. ipv4 filter
Note: requires a Product License.
Default table.
vsr running config# vrf <vrf> firewall ipv4 filter
input¶
Packets destined to local sockets.
vsr running config# vrf <vrf> firewall ipv4 filter input
policy
Action when no rule matches.
vsr running config# vrf <vrf> firewall ipv4 filter input
vsr running input# policy POLICY
| POLICY | Standard actions. Default value: accept. |
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter input packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter input bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv4 filter input
vsr running input# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... ipv4 [not] fragment \
... icmp-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... action STANDARD chain <leafref> reject REJECT \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule; a higher number means a lower priority. |
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the group match.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the group match.
not
<string> (mandatory)¶
The name of the group.
<string>
ipv4¶
Match the fragment.
ipv4 [not] fragment
not¶
Invert the match.
not
fragment (mandatory)¶
Match if the packet is a fragment.
fragment
icmp-type¶
Match the packet ICMP type.
icmp-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMP type to match.
VALUE
VALUE |
ICMP types. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
SET |
TCP flags. |
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
TCP flags. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
VALUE |
Conntrack status. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
VALUE |
Conntrack state. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. The count is recharged by one each time the rate limit is not reached, up to this maximum.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
UNIT |
Units. |
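An added example (not VSR code) that models the limit match above as a token bucket: the bucket starts full at burst, a token is recharged every UNIT/rate seconds up to burst, and a packet matches only while a token is available. The unit names, the LimitMatch class and the packet timestamps are constructed.

```python
# Added example, not VSR code: a token-bucket model of the 'limit' match.
# Unit names below are assumed spellings; the page only says "Units".
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """Bucket starts full at 'burst'; tokens are recharged at rate per UNIT,
    never beyond 'burst'; a packet matches only if a whole token is available.
    Defaults follow the page: rate 3 per hour, burst 5."""

    def __init__(self, rate: int = 3, unit: str = "hour", burst: int = 5):
        if rate <= 0 or burst <= 0:
            raise ValueError("rate and burst must be positive")
        self.capacity = float(burst)
        self.tokens = float(burst)          # the initial burst is available at once
        self.per_second = rate / UNIT_SECONDS[unit]
        self.last: float | None = None

    def matches(self, now: float) -> bool:
        if self.last is not None:
            # Recharge proportional to elapsed time, capped at the burst size.
            self.tokens = min(self.capacity,
                              self.tokens + (now - self.last) * self.per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                         # rate exceeded: the rule does not match


def apply_limit(timestamps: list[float], **kwargs) -> list[bool]:
    """Return, per packet timestamp (seconds), whether the limit match fires."""
    lim = LimitMatch(**kwargs)
    return [lim.matches(t) for t in timestamps]


# Constructed scenario for 'limit burst 5 rate 3 hour' placed before a 'log'
# action: eight packets inside one second (only the five-packet burst is
# logged), one packet about 20 minutes later (one token has been recharged,
# since 3 per hour is one every 1200 s), and one more a second after that.
BURST_THEN_RECHARGE = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 1201.0, 1202.0]


def burst_scenario() -> list[bool]:
    return apply_limit(BURST_THEN_RECHARGE)
```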
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
VALUE |
DSCP values. |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. Packets are matched against this value.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
Match Stream Control Transmission Protocol (SCTP) chunk types.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)
Scope of the chunk type match.
SCOPE
| SCOPE | Description |
|---|---|
| all | Match all chunk types. |
| any | Match any chunk type. |
| only | Match exactly the chunk types listed. |
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP data flags. |
set¶
Set flags.
set SET
SET |
SCTP data flags. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP abort flag. |
set¶
Set flags.
set SET
SET |
SCTP abort flag. |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP abort flag. |
set¶
Set flags.
set SET
SET |
SCTP abort flag. |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
action¶
The action performed by this rule.
action STANDARD chain <leafref> reject REJECT \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
STANDARD |
Standard actions. |
chain¶
Jump to the user chain by this name.
chain <leafref>
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
XOR with this value.
<0x0-0xffffffff>
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
Bits that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be cleared.
nfmask <0x0-0xffffffff>
Bits that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
LEVEL |
Log levels. |
prefix¶
Prefix log messages with the specified prefix, up to 29 letters long.
prefix <string>
additional-infos
Append additional information to the logs.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable information. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
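An added example (not VSR code) that applies the formulas given in the connmark set-xmark, save-mark, restore-mark and mark sections above, including the default-mask case where the whole 32-bit word is copied. Function names and sample mark values are constructed; the zone_round_trip scenario is an assumed usage pattern, not a workflow documented on this page.

```python
# Added example, not VSR code: the mark arithmetic behind the connmark and
# mark actions. Marks are 32 bits wide; masks default to 0xFFFFFFFF as the
# page states. Function names and sample values are constructed.
MASK32 = 0xFFFFFFFF


def set_xmark(ctmark: int, value: int, mask: int = MASK32) -> int:
    """connmark set-xmark: zero the bits in mask, then XOR value into ctmark.
    Note the XOR: with a mask that does not cover value, the bit is toggled."""
    return ((ctmark & ~mask) ^ value) & MASK32


def save_mark(ctmark: int, nfmark: int,
              nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark: int, ctmark: int,
                 nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def set_mark(nfmark: int, value: int, mask: int = MASK32) -> int:
    """mark action: zero the bits given by mask in the packet mark, XOR value in."""
    return ((nfmark & ~mask) ^ value) & MASK32


ZONE_MASK = 0xFF  # constructed convention: the low byte of a mark carries a zone tag


def zone_round_trip(ctmark: int, nfmark: int, zone: int) -> tuple[int, int]:
    """Constructed scenario: tag a connection with a zone in the low byte of
    its ctmark, then copy only that byte back into a packet mark so the bits
    another rule already placed in the upper bytes of nfmark survive."""
    ctmark = set_xmark(ctmark, zone, ZONE_MASK)
    nfmark = restore_mark(nfmark, ctmark, nfmask=ZONE_MASK, ctmask=ZONE_MASK)
    return ctmark, nfmark


def restore_with_defaults(nfmark: int, ctmark: int) -> int:
    """The same copy with the default masks: the whole packet mark is
    replaced, so anything an earlier rule stored in nfmark is lost."""
    return restore_mark(nfmark, ctmark)
```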
tcpmss¶
Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).
clamp-mss-to-pmtu
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter input rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter input rule <uint64> counters bytes
forward¶
Packets being routed.
vsr running config# vrf <vrf> firewall ipv4 filter forward
policy
Action when no rule matches.
vsr running config# vrf <vrf> firewall ipv4 filter forward
vsr running forward# policy POLICY
| POLICY | Standard actions. Default value: accept. |
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter forward packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter forward bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv4 filter forward
vsr running forward# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... ipv4 [not] fragment \
... icmp-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... outbound-interface [not] <string> \
... action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule; a higher number means a lower priority. |
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the group match.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the group match.
not
<string> (mandatory)¶
The name of the group.
<string>
ipv4¶
Match the fragment.
ipv4 [not] fragment
not¶
Invert the match.
not
fragment (mandatory)¶
Match if the packet is a fragment.
fragment
icmp-type¶
Match the packet ICMP type.
icmp-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMP type to match.
VALUE
VALUE |
ICMP types. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
SET |
TCP flags. |
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
TCP flags. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
VALUE |
Conntrack status. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
VALUE |
Conntrack state. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. The count is recharged by one each time the rate limit is not reached, up to this maximum.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
UNIT |
Units. |
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
VALUE |
DSCP values. |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. Packets are matched against this value.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
Match Stream Control Transmission Protocol (SCTP) chunk types.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)
Scope of the chunk type match.
SCOPE
| SCOPE | Description |
|---|---|
| all | Match all chunk types. |
| any | Match any chunk type. |
| only | Match exactly the chunk types listed. |
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP data flags. |
set¶
Set flags.
set SET
SET |
SCTP data flags. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP abort flag. |
set¶
Set flags.
set SET
SET |
SCTP abort flag. |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP abort flag. |
set¶
Set flags.
set SET
SET |
SCTP abort flag. |
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
action¶
The action performed by this rule.
action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
STANDARD |
Standard actions. |
chain¶
Jump to the user chain by this name.
chain <leafref>
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
set-priority¶
Value of the priority to attach to the packet.
set-priority <uint32>
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
XOR with this value.
<0x0-0xffffffff>
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
Bits that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be cleared.
nfmask <0x0-0xffffffff>
Bits that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
LEVEL |
Log levels. |
prefix¶
Prefix log messages with the specified prefix, up to 29 letters long.
prefix <string>
additional-infos
Append additional information to the logs.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable information. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
tcpmss¶
Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).
clamp-mss-to-pmtu
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter forward rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter forward rule <uint64> counters bytes
output¶
Locally-generated packets.
vsr running config# vrf <vrf> firewall ipv4 filter output
policy
Action when no rule matches.
vsr running config# vrf <vrf> firewall ipv4 filter output
vsr running output# policy POLICY
| POLICY | Standard actions. Default value: accept. |
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter output packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter output bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv4 filter output
vsr running output# rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... ipv4 [not] fragment \
... icmp-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... outbound-interface [not] <string> \
... action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu
<uint64> |
Priority of the rule; a higher number means a lower priority. |
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the group match.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the group match.
not
<string> (mandatory)¶
The name of the group.
<string>
ipv4¶
Match the fragment.
ipv4 [not] fragment
not¶
Invert the match.
not
fragment (mandatory)¶
Match if the packet is a fragment.
fragment
icmp-type¶
Match the packet ICMP type.
icmp-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMP type to match.
VALUE
VALUE |
ICMP types. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
SET |
TCP flags. |
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
TCP flags. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
VALUE |
Conntrack status. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
VALUE |
Conntrack state. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. The count is recharged by one each time the rate limit is not reached, up to this maximum.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
UNIT |
Units. |
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
VALUE |
DSCP values. |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. Packets are matched against this value.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
Match Stream Control Transmission Protocol (SCTP) chunk types.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)
Scope of the chunk type match.
SCOPE
| SCOPE | Description |
|---|---|
| all | Match all chunk types. |
| any | Match any chunk type. |
| only | Match exactly the chunk types listed. |
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP data flags. |
set¶
Set flags.
set SET
SET |
SCTP data flags. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP abort flag. |
set¶
Set flags.
set SET
SET |
SCTP abort flag. |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP shutdown-complete flag (the T bit, the same flag as on the abort chunk). |
set¶
Set flags.
set SET
SET |
SCTP shutdown-complete flag (the T bit, the same flag as on the abort chunk). |
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
action¶
The action performed by this rule.
action STANDARD chain <leafref> reject REJECT set-priority <uint32> \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
STANDARD |
Standard actions. |
chain¶
Jump to the user chain by this name.
chain <leafref>
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
set-priority¶
Value of the priority to attach to the packet.
set-priority <uint32>
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
XOR with this value.
<0x0-0xffffffff>
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
Bits that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be cleared.
nfmask <0x0-0xffffffff>
Bits that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
LEVEL |
Log levels. |
prefix¶
Prefix log messages with the specified prefix, up to 29 characters long.
prefix <string>
additional-infos¶
Append additional information to the log messages.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable infos. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
tcpmss¶
Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).
clamp-mss-to-pmtu
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter output rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter output rule <uint64> counters bytes
chain¶
User chain.
vsr running config# vrf <vrf> firewall ipv4 filter chain <string>
<string> |
The user chain name. |
policy¶
Action when no rule match.
vsr running config# vrf <vrf> firewall ipv4 filter chain <string>
vsr running chain <string># policy POLICY
POLICY |
Standard actions. |
- Default value
return
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter chain <string> packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter chain <string> bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv4 filter chain <string>
vsr running chain <string># rule <uint64> description <string> \
... protocol [not] VALUE \
... destination \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... source \
... address [not] VALUE \
... port [not] VALUE \
... port-range [not] VALUE \
... group [not] <string> \
... ipv4 [not] fragment \
... icmp-type [not] VALUE \
... tcp-flags [not] set SET examined EXAMINED \
... conntrack \
... status [not] VALUE \
... state [not] VALUE \
... connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... limit burst <uint32> \
... rate <uint32> UNIT \
... dscp [not] VALUE \
... tos [not] <0x0-0xff> mask <0x0-0xff> \
... mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
... sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
... shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
... asconf-ack forward-tsn \
... data examined EXAMINED set SET \
... abort examined EXAMINED set SET \
... shutdown-complete examined EXAMINED set SET \
... inbound-interface [not] <string> \
... outbound-interface [not] <string> \
... action STANDARD chain <leafref> dscp DSCP reject REJECT \
... connmark \
... set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
... log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
... mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
... tcpmss set-mss <uint32> clamp-mss-to-pmtu \
... tos <0x0-0xff> mask <0x0-0xff>
<uint64> |
Priority of the rule. Rules are evaluated in increasing order of this number, so a higher number means a lower priority. |
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
VALUE |
Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. |
destination¶
Match on destination fields.
destination \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match (packets whose address is not in the group).
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
address [not] VALUE \
port [not] VALUE \
port-range [not] VALUE \
group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
VALUE |
Address type. |
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
VALUE |
A 16-bit port number used by a transport protocol such as TCP or UDP. |
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
VALUE |
A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. |
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match (packets whose address is not in the group).
not
<string> (mandatory)¶
The name of the group.
<string>
ipv4¶
Match the fragment.
ipv4 [not] fragment
not¶
Invert the match.
not
fragment (mandatory)¶
Match if the packet is a fragment.
fragment
icmp-type¶
Match the packet ICMP type.
icmp-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMP type to match.
VALUE
VALUE |
ICMP types. |
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
SET |
TCP flags. |
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
TCP flags. |
conntrack¶
Match conntrack information.
conntrack \
status [not] VALUE \
state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
VALUE |
Conntrack status. |
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
VALUE |
Conntrack state. |
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. The connection mark, after masking, is compared against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
rate <uint32> UNIT
burst¶
Maximum number of packets that may match before the rate applies. Each time a full rate interval passes without the rate being reached, one unit of burst is recharged, up to this number.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
UNIT |
Units. |
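The limit match is the same token bucket in both the output chain and the user chain rule definitions above. As an added illustration (not VSR code, and not from the page), the Python model below applies the page's description to a packet timeline: the first `burst` packets match at once, then one more packet per rate interval, with unused intervals banking credit up to `burst`. The unit names second, minute, hour and day are an assumption taken from the iptables limit module, since the page does not list the UNIT enumeration.

```python
"""Token-bucket model of the firewall 'limit' match (added example, not VSR code)."""
from dataclasses import dataclass, field

# Assumed UNIT values; the page does not enumerate them.
UNIT_SECONDS = {"second": 1.0, "minute": 60.0, "hour": 3600.0, "day": 86400.0}


@dataclass
class LimitMatch:
    rate: int = 3          # page default: 3 per hour
    unit: str = "hour"
    burst: int = 5         # page default: 5
    credits: float = field(init=False)             # packets that may still match now
    last_ts: float = field(init=False, default=0.0)  # time of the previous packet

    def __post_init__(self) -> None:
        if self.rate <= 0 or self.burst <= 0:
            raise ValueError("rate and burst must be positive")
        if self.unit not in UNIT_SECONDS:
            raise ValueError(f"unknown unit {self.unit!r}")
        self.credits = float(self.burst)

    @property
    def interval(self) -> float:
        """Seconds that must elapse to earn one more match once the burst is spent."""
        return UNIT_SECONDS[self.unit] / self.rate

    def match(self, ts: float) -> bool:
        """Return True if a packet seen at time `ts` (seconds) matches the rule."""
        elapsed = ts - self.last_ts
        self.last_ts = ts
        # Recharge one credit per elapsed rate interval, never above burst.
        self.credits = min(float(self.burst), self.credits + elapsed / self.interval)
        if self.credits >= 1.0:
            self.credits -= 1.0
            return True
        return False


def simulate(limit: LimitMatch, timestamps) -> list:
    """Feed a non-decreasing packet timeline (seconds) and return one bool per packet."""
    return [limit.match(ts) for ts in timestamps]


if __name__ == "__main__":
    # Constructed timeline: seven packets in seven seconds, then one 30 minutes later.
    print(simulate(LimitMatch(), [0, 1, 2, 3, 4, 5, 6, 1800]))
```

With the page defaults the rate interval is 1200 seconds: packets six and seven are dropped by the match because the burst is exhausted and no interval has elapsed, and the packet at 1800 s matches again because one interval of credit has been earned since the last match.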
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
VALUE |
DSCP values. |
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. The TOS byte of the packet, after masking, is compared against this value.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. The packet mark, after masking, is compared against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
Match the chunk types (and, for some chunks, the chunk flags) carried in an SCTP packet.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
forward-tsn \
data examined EXAMINED set SET \
abort examined EXAMINED set SET \
shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)¶
How the listed chunk types must relate to the chunk types present in the packet.
SCOPE
| SCOPE | Description |
|---|---|
| all | Match if every listed chunk type is present in the packet. |
| any | Match if at least one listed chunk type is present. |
| only | Match if only listed chunk types are present, i.e. the packet carries no chunk of any other type. |
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP data flags. |
set¶
Set flags.
set SET
SET |
SCTP data flags. |
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP abort flag. |
set¶
Set flags.
set SET
SET |
SCTP abort flag. |
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
EXAMINED |
SCTP shutdown-complete flag (the T bit, the same flag as on the abort chunk). |
set¶
Set flags.
set SET
SET |
SCTP shutdown-complete flag (the T bit, the same flag as on the abort chunk). |
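The sctp-chunk-types match (in both the output chain and the user chain rule definitions above) and the tcp-flags match share one idea: a set of listed items, a SCOPE keyword, and an examined/set test on flag bits. The Python below is an added example, not VSR or kernel code, that makes both precise. The scope semantics follow the iptables sctp module and are an assumption about VSR's implementation; the chunk flag bits come from RFC 4960 and the TCP flag bits from RFC 9293; the EXAMINED/SET names are assumed, since the page does not enumerate them.

```python
"""Model of sctp-chunk-types SCOPE and the examined/set flag test (added example)."""

# Chunk flag bits (RFC 4960). Only these chunk types carry matchable flags.
DATA_FLAG = {"I": 0x08, "U": 0x04, "B": 0x02, "E": 0x01}
T_FLAG = 0x01   # abort and shutdown-complete both use the T bit
# TCP flag bits, for the identical examined/set test used by tcp-flags.
TCP_FLAG = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_match(flags: int, examined: int, set_bits: int) -> bool:
    """Among the bits named in `examined`, exactly `set_bits` must be on.
    `set_bits` must be a subset of `examined`, otherwise nothing can ever match."""
    return (flags & examined) == set_bits


def chunk_types_match(scope: str, wanted, chunks, flag_rules=None, invert: bool = False) -> bool:
    """scope: 'all' | 'any' | 'only' (the SCOPE keyword).
    wanted: chunk type names listed in the rule.
    chunks: (type, flags) pairs present in the packet, in wire order.
    flag_rules: {type: (examined, set)} for data / abort / shutdown-complete.
    A listed chunk only counts when its flag rule, if any, is satisfied."""
    if scope not in ("all", "any", "only"):
        raise ValueError(f"bad scope {scope!r}")
    wanted = set(wanted)
    flag_rules = flag_rules or {}

    def counts(ctype: str, flags: int) -> bool:
        examined, set_bits = flag_rules.get(ctype, (0, 0))
        return flags_match(flags, examined, set_bits)

    remaining = set(wanted)   # for 'all': listed types not yet seen
    hit = None
    for ctype, flags in chunks:
        if ctype not in wanted:
            if scope == "only":   # any foreign chunk type defeats 'only'
                hit = False
                break
            continue
        ok = counts(ctype, flags)
        if scope == "any" and ok:
            hit = True
            break
        if scope == "all" and ok:
            remaining.discard(ctype)
        if scope == "only" and not ok:
            hit = False
            break
    if hit is None:
        hit = {"any": False, "all": not remaining, "only": True}[scope]
    return hit != invert


def is_bare_init(chunks) -> bool:
    """'sctp-chunk-types only init': a packet carrying nothing but an INIT chunk,
    the shape to rate-limit when protecting an SCTP endpoint from INIT floods."""
    return chunk_types_match("only", {"init"}, chunks)


def is_new_tcp_connection(tcp_flags: int) -> bool:
    """'tcp-flags examined SYN,ACK,FIN,RST set SYN': a bare SYN, nothing else."""
    examined = TCP_FLAG["SYN"] | TCP_FLAG["ACK"] | TCP_FLAG["FIN"] | TCP_FLAG["RST"]
    return flags_match(tcp_flags, examined, TCP_FLAG["SYN"])


if __name__ == "__main__":
    # Constructed packets: a bare INIT, and an INIT bundled with DATA.
    print(is_bare_init([("init", 0)]), is_bare_init([("init", 0), ("data", 0)]))
    print(is_new_tcp_connection(TCP_FLAG["SYN"]), is_new_tcp_connection(TCP_FLAG["SYN"] | TCP_FLAG["ACK"]))
```

The `only` scope is the one to reach for when the rule must not be satisfied by a packet that bundles the listed chunk with others; `all` requires every listed chunk but tolerates extras; `any` is satisfied by the first listed chunk found.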
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
action¶
The action performed by this rule.
action STANDARD chain <leafref> dscp DSCP reject REJECT \
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
tcpmss set-mss <uint32> clamp-mss-to-pmtu \
tos <0x0-0xff> mask <0x0-0xff>
STANDARD¶
Standard action.
STANDARD
STANDARD |
Standard actions. |
chain¶
Jump to the user chain by this name.
chain <leafref>
dscp¶
Alters the value of the DSCP bits within the TOS byte of the IPv4 header.
dscp DSCP
DSCP |
DSCP values. |
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
REJECT |
Packet type when packet is rejected. |
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
XOR with this value.
<0x0-0xffffffff>
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
Bits that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be cleared.
nfmask <0x0-0xffffffff>
Bits that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
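The connmark and mark matches, and the set-xmark, save-mark, restore-mark and mark actions (documented for both the output chain and the user chain rules above), are all the same 32-bit clear-then-XOR arithmetic. The Python below is an added example, not VSR code: it implements the formulas exactly as the page states them and walks a constructed flow through the usual pattern of classifying the first packet, saving the class into the connection mark without disturbing the other bits, and restoring it onto later packets. The bit layout (low byte carries a traffic class, upper bits belong to other users) and the class value 0x10 are assumptions for the illustration.

```python
"""Mark/connmark match and action arithmetic (added example, not VSR code)."""
MASK32 = 0xFFFFFFFF


def mark_match(mark: int, value: int, mask: int = MASK32, invert: bool = False) -> bool:
    """'mark' / 'connmark' match: (mark & mask) must equal value.
    A value with bits outside the mask can never match, so keep value within mask."""
    hit = (mark & mask) == value
    return hit != invert


def set_xmark(ctmark: int, value: int, mask: int = MASK32) -> int:
    """'connmark set-xmark' (and the 'mark' action on the packet mark):
    clear the bits in mask, then XOR value in. With mask 0xffffffff this is a
    plain assignment; with mask 0 it toggles the bits of value."""
    return ((ctmark & ~mask) ^ value) & MASK32


def save_mark(ctmark: int, nfmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """'connmark save-mark': ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark: int, ctmark: int, nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """'connmark restore-mark': nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


CLASS_MASK = 0x000000FF   # assumed layout: low byte is the traffic class
CLASS_SSH = 0x10          # constructed class value for the example


def classify_flow(ctmark: int, packets: list) -> dict:
    """packets: (nfmark, is_first) pairs of one connection, in order.
    First packet: action mark sets the class, save-mark copies it to ctmark.
    Later packets: restore-mark copies the class back onto the packet mark.
    Returns the final connection mark and each packet's mark after the actions."""
    nfmarks = []
    for nfmark, is_first in packets:
        if is_first:
            nfmark = set_xmark(nfmark, CLASS_SSH, CLASS_MASK)
            ctmark = save_mark(ctmark, nfmark, nfmask=CLASS_MASK, ctmask=CLASS_MASK)
        else:
            nfmark = restore_mark(nfmark, ctmark, nfmask=CLASS_MASK, ctmask=CLASS_MASK)
        nfmarks.append(nfmark)
    return {"ctmark": ctmark, "nfmarks": nfmarks}


if __name__ == "__main__":
    # Constructed flow: ctmark already carries 0xAB in its top byte from another user.
    result = classify_flow(0xAB000000, [(0, True), (0, False), (0x3, False)])
    print(hex(result["ctmark"]), [hex(m) for m in result["nfmarks"]])
```

Two points the formulas hide: restricting both masks to the class byte is what keeps the 0xAB in the upper byte intact across save-mark, and because set-xmark clears before it XORs, a packet that arrives with stale bits in the class byte (the third packet, mark 0x3) still ends up with exactly the saved class, whereas a mask of 0 would have XORed and produced 0x13.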
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
LEVEL |
Log levels. |
prefix¶
Prefix log messages with the specified prefix, up to 29 characters long.
prefix <string>
additional-infos¶
Append additional information to the log messages.
additional-infos ADDITIONAL-INFOS
ADDITIONAL-INFOS |
Additional loggable infos. |
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
tcpmss¶
Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).
clamp-mss-to-pmtu
tos¶
Alters the value of the TOS byte of the IPv4 header.
tos <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)¶
Bits that should be XORed into the tos.
<0x0-0xff>
mask¶
Zero the bits given by this mask in the tos.
mask <0x0-0xff>
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv4 filter chain <string> rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv4 filter chain <string> rule <uint64> counters bytes