2.19.3. ipv4 raw

Note

Requires a Product License.

Mainly used to exempt packets from connection tracking.

vsr running config# vrf <vrf> firewall ipv4 raw

prerouting

Packets as soon as they come in.

vsr running config# vrf <vrf> firewall ipv4 raw prerouting

policy

Action when no rule matches.

vsr running config# vrf <vrf> firewall ipv4 raw prerouting
vsr running prerouting# policy POLICY

POLICY

Standard actions.

Default value
accept

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 raw prerouting packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 raw prerouting bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 raw prerouting
vsr running prerouting# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <leafref> notrack \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. A higher number means a lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols RPC.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE

Address type.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match addresses that are not in the set).

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE

Address type.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match addresses that are not in the set).

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match IPv4 fragments.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE

ICMP types.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET

TCP flags.

examined

Examined flags.

examined EXAMINED

EXAMINED

TCP flags.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE

Conntrack status.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE

Conntrack state.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. The count is recharged by one each time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT

Units.

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE

DSCP values.

tos

Match the TOS field.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The TOS value that packets are matched against.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value that packets are matched against.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

This module matches Stream Control Transmission Protocol headers.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are combined into the match; see the SCOPE values below.

SCOPE

SCOPE values

Description

all

Match all of the listed chunk types.

any

Match any of the listed chunk types.

only

Match exactly the listed chunk types.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP data flags.

set

Set flags.

set SET

SET

SCTP data flags.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP abort flag.

set

Set flags.

set SET

SET

SCTP abort flag.

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP abort flag.

set

Set flags.

set SET

SET

SCTP abort flag.

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

rpfilter

Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.

rpfilter invert true|false
invert

This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.

invert true|false
Default value
false

action

The action performed by this rule.

action STANDARD chain <leafref> notrack \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD

Standard actions.

chain

Jump to the user chain by this name.

chain <leafref>
notrack

Disables connection tracking for this packet.

notrack
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL

Log levels.

prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS

Additional information that can be logged.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets the MSS option to the specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 raw prerouting rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 raw prerouting rule <uint64> counters bytes

output

Locally-generated packets before routing.

vsr running config# vrf <vrf> firewall ipv4 raw output

policy

Action when no rule matches.

vsr running config# vrf <vrf> firewall ipv4 raw output
vsr running output# policy POLICY

POLICY

Standard actions.

Default value
accept

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 raw output packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 raw output bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 raw output
vsr running output# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <leafref> notrack set-priority <uint32> \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu

<uint64>

Priority of the rule. A higher number means a lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols RPC.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE

Address type.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match addresses that are not in the set).

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE

Address type.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match addresses that are not in the set).

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match IPv4 fragments.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE

ICMP types.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET

TCP flags.

examined

Examined flags.

examined EXAMINED

EXAMINED

TCP flags.

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE

Conntrack status.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE

Conntrack state.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. The count is recharged by one each time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT

Units.

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE

DSCP values.

tos

Match the TOS field.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The TOS value that packets are matched against.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value that packets are matched against.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

This module matches Stream Control Transmission Protocol headers.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types are combined into the match; see the SCOPE values below.

SCOPE

SCOPE values

Description

all

Match all of the listed chunk types.

any

Match any of the listed chunk types.

only

Match exactly the listed chunk types.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP data flags.

set

Set flags.

set SET

SET

SCTP data flags.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP abort flag.

set

Set flags.

set SET

SET

SCTP abort flag.

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP abort flag.

set

Set flags.

set SET

SET

SCTP abort flag.

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <leafref> notrack set-priority <uint32> \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD

Standard action.

STANDARD

STANDARD

Standard actions.

chain

Jump to the user chain by this name.

chain <leafref>
notrack

Disables connection tracking for this packet.

notrack
set-priority

Value of the priority to attach to the packet.

set-priority <uint32>
connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL

Log levels.

prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS

Additional information that can be logged.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
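The connmark actions (set-xmark, save-mark, restore-mark) and the mark action above all share one pattern: clear the bits selected by a mask, then XOR a value in. The following is an added example, not VSR code or documentation: it implements the formulas exactly as the page states them and runs them on constructed 32-bit values, including a save-then-restore round trip that keeps a class id in the upper 16 bits while leaving the lower 16 bits of each mark alone.

```python
"""Worked arithmetic for the connmark / mark actions documented above.

Added example, not VSR code: it applies the formulas the page gives
(set-xmark, save-mark, restore-mark and the mark action) to constructed
32-bit values so the effect of each mask can be checked by hand.
"""

MASK32 = 0xFFFFFFFF


def set_xmark(ctmark: int, value: int, mask: int) -> int:
    """set-xmark: zero the bits given by mask, then XOR value into the ctmark."""
    return ((ctmark & ~mask) ^ value) & MASK32


def save_mark(ctmark: int, nfmark: int,
              nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask).
    Both masks default to 0xFFFFFFFF, which makes this a plain copy."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark: int, ctmark: int,
                 nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def mark_action(nfmark: int, value: int, mask: int = MASK32) -> int:
    """mark action: zero the bits given by mask in the packet mark, XOR value in."""
    return ((nfmark & ~mask) ^ value) & MASK32


def classify_then_restore() -> dict:
    """Constructed scenario: the first packet of a flow gets a class id in the
    upper 16 bits of its nfmark, the class is saved into the ctmark, and a
    later packet of the same flow gets it back via restore-mark. The lower
    16 bits (some per-packet value) are left untouched on both sides
    because every mask only covers the upper half."""
    class_mask = 0xFFFF0000                # only the upper half carries the class
    first_pkt = mark_action(0x0000000A, 0x00020000, class_mask)   # class 2
    ct = save_mark(0x00000000, first_pkt, nfmask=class_mask, ctmask=class_mask)
    later_pkt = restore_mark(0x0000000B, ct, nfmask=class_mask, ctmask=class_mask)
    return {"first_pkt": first_pkt, "ctmark": ct, "later_pkt": later_pkt}


if __name__ == "__main__":
    for name, val in classify_then_restore().items():
        print(f"{name:10s} 0x{val:08x}")
```

The round trip is the practical reason the masks exist: without them, save-mark would overwrite the whole ctmark and restore-mark would overwrite whatever per-packet bits the nfmark already carried.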
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets the MSS option to the specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp the MSS value to the path MTU minus 40 for IPv4 (minus 60 for IPv6).

clamp-mss-to-pmtu

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 raw output rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 raw output rule <uint64> counters bytes

chain

User chain.

vsr running config# vrf <vrf> firewall ipv4 raw chain <string>

<string>

The user chain name.

policy

Action when no rule matches.

vsr running config# vrf <vrf> firewall ipv4 raw chain <string>
vsr running chain <string># policy POLICY

POLICY

Standard actions.

Default value
return

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 raw chain <string> packets

bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 raw chain <string> bytes

rule

A rule to perform an action on matching packets.

vsr running config# vrf <vrf> firewall ipv4 raw chain <string>
vsr running chain <string># rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   ipv4 [not] fragment \
...   icmp-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   action STANDARD chain <leafref> dscp DSCP reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
...     tos <0x0-0xff> mask <0x0-0xff> \
...   rpfilter invert true|false

<uint64>

Priority of the rule. A higher number means a lower priority.

description

A comment to describe the rule.

description <string>

protocol

Match the protocol.

protocol [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The protocol to match.

VALUE

VALUE

Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols RPC.

destination

Match on destination fields.

destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on destination address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE

Address type.

port

Match on destination port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on destination port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match addresses that are not in the set).

not
<string> (mandatory)

The name of the group.

<string>

source

Match on source fields.

source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address

Match on source address.

address [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The address to match.

VALUE

VALUE

Address type.

port

Match on source port.

port [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The port to match.

VALUE

VALUE

A 16-bit port number used by a transport protocol such as TCP or UDP.

port-range

Match on source port range (syntax: port[,port|,port-port]).

port-range [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

Port range, syntax is port[,port|,port-port].

VALUE

VALUE

A comma-separated list of ports or port ranges. Example: ‘21,22,1024-2048’.
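The port-range syntax port[,port|,port-port] is the same for the destination and source matches in the prerouting, output and chain rules above. The following is an added example, not VSR code: a small validator for that syntax that rejects the inputs the CLI would have to reject (values above 16 bits, reversed ranges, empty or malformed items) and then evaluates a `port-range [not] VALUE` clause against a port number.

```python
"""Validator and matcher for the port-range syntax port[,port|,port-port].

Added example, not VSR code. The sample specs below are constructed.
"""
import re

# one item: a single port, or low-high
_ITEM = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(spec: str) -> list:
    """Return the inclusive (low, high) ranges described by spec.

    A single port becomes (p, p). Raises ValueError on an empty spec,
    a malformed item, a port outside 0-65535 or a reversed range."""
    if not spec:
        raise ValueError("empty port-range")
    ranges = []
    for item in spec.split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"malformed item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            raise ValueError(f"port outside 16-bit range in {item!r}")
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        ranges.append((lo, hi))
    return ranges


def port_matches(spec: str, port: int, invert: bool = False) -> bool:
    """Evaluate `port-range [not] spec` against one transport port."""
    hit = any(lo <= port <= hi for lo, hi in parse_port_range(spec))
    return hit != invert


if __name__ == "__main__":
    spec = "21,22,1024-2048"
    for p in (21, 80, 1500, 2049):
        print(f"{spec} port {p}: {port_matches(spec, p)}")
```

Validating before committing matters more than it looks: a range typed backwards or with a digit too many would otherwise fail at a point where the rule silently matches nothing, and a raw-table rule that matches nothing exempts nothing from conntrack.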

group

Matches a set of addresses or networks.

group [not] <string>
not

Invert the match (match addresses that are not in the set).

not
<string> (mandatory)

The name of the group.

<string>

ipv4

Match IPv4 fragments.

ipv4 [not] fragment
not

Invert the match.

not
fragment (mandatory)

Match if the packet is a fragment.

fragment

icmp-type

Match the packet ICMP type.

icmp-type [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The ICMP type to match.

VALUE

VALUE

ICMP types.

tcp-flags

Match the packet TCP flags.

tcp-flags [not] set SET examined EXAMINED
not

Invert the match.

not
set

Set flags.

set SET

SET

TCP flags.

examined

Examined flags.

examined EXAMINED

EXAMINED

TCP flags.
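The tcp-flags match takes two flag lists, and which flags go into EXAMINED decides what the rule actually catches. The following is an added example, not VSR code or documentation: it assumes the standard iptables semantics for this match (a packet matches when, among the EXAMINED flags, exactly the SET flags are on, i.e. `(flags & examined) == set`), and the flag names and sample packets are constructed. It contrasts a loose rule that examines only SYN with a strict one that examines SYN, ACK, FIN and RST.

```python
"""Evaluation of `tcp-flags [not] set SET examined EXAMINED` against packets.

Added example, not VSR code. It assumes the standard iptables tcp-flags
semantics: a packet matches when, among the EXAMINED flags, exactly the SET
flags are on, i.e. (flags & examined) == set. Flag names and the sample
packets are constructed for this example.
"""

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}


def flags_to_bits(names) -> int:
    """Combine a list of flag names into a bit mask."""
    bits = 0
    for name in names:
        bits |= TCP_FLAG_BITS[name.lower()]
    return bits


def tcp_flags_match(packet_flags, set_flags, examined, invert=False) -> bool:
    """Apply one tcp-flags clause to the flags carried by a packet."""
    set_bits = flags_to_bits(set_flags)
    examined_bits = flags_to_bits(examined)
    if set_bits & ~examined_bits:
        # a flag that is required but not examined can never be compared
        raise ValueError("SET must be a subset of EXAMINED")
    hit = (flags_to_bits(packet_flags) & examined_bits) == set_bits
    return hit != invert


def compare_rules(packet_flags) -> dict:
    """Show why EXAMINED matters: the loose rule (examine SYN only) also
    catches SYN-ACK replies, the strict rule (examine SYN,ACK,FIN,RST)
    isolates the initial SYN of a new connection attempt."""
    return {
        "loose": tcp_flags_match(packet_flags, ["syn"], ["syn"]),
        "strict": tcp_flags_match(packet_flags, ["syn"],
                                  ["syn", "ack", "fin", "rst"]),
    }


if __name__ == "__main__":
    for pkt in (["syn"], ["syn", "ack"], ["ack"], ["ack", "psh"]):
        print(f"{'+'.join(pkt):8s} -> {compare_rules(pkt)}")
```

The strict form is the one to pair with the limit match in prerouting when the goal is to rate-limit or notrack new connection attempts without touching the SYN-ACK and data packets of established flows.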

conntrack

Match conntrack information.

conntrack \
     status [not] VALUE \
     state [not] VALUE
status

Match the connection status.

status [not] VALUE
not

Invert the match.

not
VALUE

The conntrack status to match.

VALUE

VALUE

Conntrack status.

state

Match the packet state regarding conntrack.

state [not] VALUE
not

Invert the match.

not
VALUE

The packet states to match.

VALUE

VALUE

Conntrack state.

connmark

Matches the mark field associated with a connection.

connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

limit

Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.

limit burst <uint32> \
     rate <uint32> UNIT
burst

Maximum initial number of packets to match. The count is recharged by one each time the rate is not reached, up to this maximum.

burst <uint32>
rate

Matching rate, default unit is per hour.

rate <uint32> UNIT
<uint32> (mandatory)

The rate.

<uint32>
UNIT

Unit for rate.

UNIT

UNIT

Units.
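
A token-bucket model of the limit match described above, added here as an illustration and not code from the VSR product: the bucket starts with burst tokens, a packet matches only when a token is available, and one token is recharged per rate interval up to burst. The unit names second/minute/hour/day are an assumption; the page only states that the default unit is per hour and the defaults are 3/hour with burst 5.

```python
from dataclasses import dataclass, field

# Assumed unit names (the page only documents "per hour" as the default).
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


@dataclass
class LimitMatch:
    """Model of `limit burst <uint32> rate <uint32> UNIT`."""
    rate: int = 3        # page default: 3/hour
    unit: str = "hour"
    burst: int = 5       # page default: 5
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)  # the bucket starts full

    def interval(self) -> float:
        """Seconds needed to recharge one token at the configured rate."""
        return UNIT_SECONDS[self.unit] / self.rate

    def matches(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds) matches the rule."""
        # Recharge: tokens earned since the last packet, capped at burst.
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed / self.interval())
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limit: LimitMatch, arrivals: list[float]) -> list[bool]:
    """Run constructed packet arrival times through the limit match."""
    return [limit.matches(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed burst: 7 packets at t=0, then two more 20 minutes later.
    # With 3/hour one token is recharged every 1200 s.
    print(simulate(LimitMatch(), [0, 0, 0, 0, 0, 0, 0, 1200, 1200]))
```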

dscp

Match the DSCP.

dscp [not] VALUE
not

Invert the match.

not
VALUE (mandatory)

The DSCP value to match.

VALUE

VALUE

DSCP values.

tos

Match the tos.

tos [not] <0x0-0xff> mask <0x0-0xff>
not

Invert the match.

not
<0x0-0xff> (mandatory)

The tos value. Packets in connections are matched against this value.

<0x0-0xff>
mask

Logically ANDed with the tos before the comparison.

mask <0x0-0xff>

mark

Matches the mark field associated with a packet.

mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not

Invert the match.

not
<0x0-0xffffffff> (mandatory)

The mark value. Packets in connections are matched against this value.

<0x0-0xffffffff>
mask

Logically ANDed with the mark before the comparison.

mask <0x0-0xffffffff>

sctp-chunk-types

This module matches Stream Control Transmission Protocol headers.

sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not

Invert the match.

not
SCOPE (mandatory)

How the listed chunk types must be present in the packet; see the SCOPE values below.

SCOPE

SCOPE values   Description
all            Match all chunk types.
any            Match any chunk type.
only           Match exactly the listed chunk types.

init

INIT chunk.

init
init-ack

INIT ACK chunk.

init-ack
sack

SACK chunk.

sack
heartbeat

HEARTBEAT chunk.

heartbeat
heartbeat-ack

HEARTBEAT ACK chunk.

heartbeat-ack
shutdown

SHUTDOWN chunk.

shutdown
shutdown-ack

SHUTDOWN ACK chunk.

shutdown-ack
error

ERROR chunk.

error
ecn-ecne

ECN ECNE chunk.

ecn-ecne
ecn-cwr

ECN CWR chunk.

ecn-cwr
asconf

ASCONF chunk.

asconf
asconf-ack

ASCONF ACK chunk.

asconf-ack
forward-tsn

FORWARD TSN chunk.

forward-tsn
data

DATA chunk.

data examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP data flags.

set

Set flags.

set SET

SET

SCTP data flags.

abort

ABORT chunk.

abort examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP abort flag.

set

Set flags.

set SET

SET

SCTP abort flag.

shutdown-complete

SHUTDOWN COMPLETE chunk.

shutdown-complete examined EXAMINED set SET
examined

Examined flags.

examined EXAMINED

EXAMINED

SCTP abort flag.

set

Set flags.

set SET

SET

SCTP abort flag.

inbound-interface

Name of an interface via which a packet was received. Only for input, forward and prerouting.

inbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

outbound-interface

Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.

outbound-interface [not] <string>
not

Invert the match.

not
<string> (mandatory)

The interface to match.

<string>

action

The action performed by this rule.

action STANDARD chain <leafref> dscp DSCP reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
     tos <0x0-0xff> mask <0x0-0xff>
STANDARD

Standard action.

STANDARD

STANDARD

Standard actions.

chain

Jump to the user chain by this name.

chain <leafref>
dscp

Alters the value of the DSCP bits within the tos header of the IPv4 packet.

dscp DSCP

DSCP

DSCP values.

reject

Used to send back an error packet in response to the matched packet.

reject REJECT

REJECT

Packet type when packet is rejected.

connmark

Sets the mark value associated with a connection. The mark is 32 bits wide.

connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark

Zero out the bits given by mask and XOR value into the ctmark.

set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

XOR with this value.

<0x0-0xffffffff>
mask

Zero the bits given by this mask.

mask <0x0-0xffffffff>
save-mark

Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.

save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be XORed into the connection mark.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be cleared.

ctmask <0x0-0xffffffff>
restore-mark

Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.

restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask

Bits that should be cleared.

nfmask <0x0-0xffffffff>
ctmask

Bits that should be XORed into the packet mark.

ctmask <0x0-0xffffffff>
log

Turn on logging of matching packets.

log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level

Level of logging.

level LEVEL

LEVEL

Log levels.

prefix

Prefix log messages with the specified prefix, up to 29 letters long.

prefix <string>
additional-infos

Append additional information to the logs.

additional-infos ADDITIONAL-INFOS

ADDITIONAL-INFOS

Additional loggable information.

mark

Used to set the mark value associated with the packet.

mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)

Bits that should be XORed into the packet mark.

<0x0-0xffffffff>
mask

Zero the bits given by this mask in the packet mark.

mask <0x0-0xffffffff>
tcpmss

Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.

tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss

Explicitly sets the MSS option to the specified value.

set-mss <uint32>
clamp-mss-to-pmtu

Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).

clamp-mss-to-pmtu
tos

Alters the value of the tos header of the IPv4 packet.

tos <0x0-0xff> mask <0x0-0xff>
<0x0-0xff> (mandatory)

Bits that should be XORed into the tos.

<0x0-0xff>
mask

Zero the bits given by this mask in the tos.

mask <0x0-0xff>
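
The mark arithmetic behind the connmark set-xmark, save-mark and restore-mark actions, the mark action, and the mark/connmark matches above, as an added example that is not part of the VSR documentation or product. It applies the formulas stated on the page to 32-bit values so the effect of each mask can be checked; the scenario values are constructed.

```python
MASK32 = 0xFFFFFFFF


def set_xmark(ctmark: int, value: int, mask: int = MASK32) -> int:
    """connmark set-xmark: zero the bits given by mask, then XOR value in."""
    return ((ctmark & ~mask) ^ value) & MASK32


def set_mark(nfmark: int, value: int, mask: int = MASK32) -> int:
    """mark action: same formula as set-xmark, applied to the packet mark."""
    return ((nfmark & ~mask) ^ value) & MASK32


def save_mark(ctmark: int, nfmark: int,
              nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """connmark save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MASK32


def restore_mark(nfmark: int, ctmark: int,
                 nfmask: int = MASK32, ctmask: int = MASK32) -> int:
    """connmark restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MASK32


def match_mark(mark: int, value: int, mask: int = MASK32,
               invert: bool = False) -> bool:
    """mark / connmark match: the mask is ANDed with the mark before comparing."""
    return ((mark & mask) == value) != invert


def zone_roundtrip(ctmark: int, zone: int) -> dict:
    """Constructed scenario: keep a 'zone' in bits 8-15 of the marks only,
    so save/restore never disturb the other bits of the existing ctmark."""
    zone_mask = 0x0000FF00
    nfmark = set_mark(0, zone << 8, mask=zone_mask)         # tag the packet
    ctmark = save_mark(ctmark, nfmark, nfmask=zone_mask, ctmask=zone_mask)
    restored = restore_mark(0, ctmark, nfmask=zone_mask, ctmask=zone_mask)
    return {
        "nfmark": nfmark,
        "ctmark": ctmark,
        "restored": restored,
        "zone_matches": match_mark(ctmark, zone << 8, mask=zone_mask),
    }


if __name__ == "__main__":
    print({k: hex(v) if isinstance(v, int) else v
           for k, v in zone_roundtrip(0xDEAD0001, 0x12).items()})
```

With the default 0xFFFFFFFF masks save-mark simply overwrites the whole ctmark with the nfmark, which is why narrowing both masks matters when several rules share the connection mark.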

rpfilter

Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.

rpfilter invert true|false
invert

This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.

invert true|false
Default value
false

counters (state only)

The counters of this rule.

packets (state only)

Packets.

vsr> show state vrf <vrf> firewall ipv4 raw chain <string> rule <uint64> counters packets
bytes (state only)

Bytes.

vsr> show state vrf <vrf> firewall ipv4 raw chain <string> rule <uint64> counters bytes