2.19.6. ipv6 raw¶
The raw table is traversed before connection tracking; it is mainly used to exempt packets from connection tracking (action notrack).
vsr running config# vrf <vrf> firewall ipv6 raw
prerouting¶
Incoming packets, as soon as they are received and before any routing decision is taken.
vsr running config# vrf <vrf> firewall ipv6 raw prerouting
policy¶
Action taken when no rule matches.
vsr running config# vrf <vrf> firewall ipv6 raw prerouting
vsr running prerouting# policy POLICY
| POLICY | Standard actions. | 
- Default value
- accept
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 raw prerouting packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 raw prerouting bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 raw prerouting
vsr running prerouting# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   rpfilter invert true|false \
...   action STANDARD chain <string> notrack \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu
| <uint64> | Priority of the rule. Rules are evaluated in ascending order, so a higher number means a lower priority. | 
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
| VALUE | Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. | 
destination¶
Match on destination fields.
destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
| VALUE | Address type. | 
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
| VALUE | A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. | 
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match packets whose address is not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
| VALUE | Address type. | 
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
| VALUE | A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. | 
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match packets whose address is not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
icmpv6-type¶
Match the packet ICMPv6 type.
icmpv6-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMPv6 type to match.
VALUE
| VALUE | ICMPv6 types. | 
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
| SET | TCP flags. | 
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | TCP flags. | 
conntrack¶
Match conntrack information.
conntrack \
     status [not] VALUE \
     state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
| VALUE | Conntrack status. | 
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
| VALUE | Conntrack state. | 
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
     rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. The burst is replenished by one each time the rate limit is not reached, up to this maximum.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
| UNIT | Units. | 
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
| VALUE | DSCP values. | 
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. Packets are matched against this value after the mask is applied.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets are matched against this value after the mask is applied.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)¶
How the listed chunk types must be present in the packet for the rule to match.
SCOPE
| SCOPE | Description | 
|---|---|
| all | Match if all of the listed chunk types are present. | 
| any | Match if any of the listed chunk types is present. | 
| only | Match only if the listed chunk types, and no others, are present. | 
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
cookie-echo¶
COOKIE ECHO chunk.
cookie-echo
cookie-ack¶
COOKIE ACK chunk.
cookie-ack
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP data flags. | 
set¶
Set flags.
set SET
| SET | SCTP data flags. | 
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP abort flag. | 
set¶
Set flags.
set SET
| SET | SCTP abort flag. | 
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP abort flag. | 
set¶
Set flags.
set SET
| SET | SCTP abort flag. | 
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
rpfilter¶
Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.
rpfilter invert true|false
invert¶
This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
invert true|false
- Default value
- false
action¶
The action performed by this rule.
action STANDARD chain <string> notrack \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
| STANDARD | Standard actions. | 
chain¶
Jump to the user chain by this name.
chain <string>
notrack¶
Disables connection tracking for this packet.
notrack
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
XOR with this value.
<0x0-0xffffffff>
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask), i.e. ctmask defines which bits of the ctmark to clear and nfmask which bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF. For example, with nfmask 0xff and ctmask 0xff, a packet mark of 0x2a turns a connection mark of 0xff000000 into (0xff000000 & ~0xff) ^ (0x2a & 0xff) = 0xff00002a.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
Bits that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines which bits of the nfmark to clear and ctmask which bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be cleared.
nfmask <0x0-0xffffffff>
Bits that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
| LEVEL | Log levels. | 
prefix¶
Prefix log messages with the specified prefix, up to 29 letters long.
prefix <string>
additional-infos¶
Append additional information to the log messages.
additional-infos ADDITIONAL-INFOS
| ADDITIONAL-INFOS | Additional loggable infos. | 
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
tcpmss¶
Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).
clamp-mss-to-pmtu
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 raw prerouting rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 raw prerouting rule <uint64> counters bytes
output¶
Locally-generated packets before routing.
vsr running config# vrf <vrf> firewall ipv6 raw output
policy¶
Action taken when no rule matches.
vsr running config# vrf <vrf> firewall ipv6 raw output
vsr running output# policy POLICY
| POLICY | Standard actions. | 
- Default value
- accept
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 raw output packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 raw output bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 raw output
vsr running output# rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> notrack set-priority <uint32> \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu
| <uint64> | Priority of the rule. Rules are evaluated in ascending order, so a higher number means a lower priority. | 
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
| VALUE | Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. | 
destination¶
Match on destination fields.
destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
| VALUE | Address type. | 
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
| VALUE | A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. | 
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match packets whose address is not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
| VALUE | Address type. | 
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
| VALUE | A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. | 
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match packets whose address is not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
icmpv6-type¶
Match the packet ICMPv6 type.
icmpv6-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMPv6 type to match.
VALUE
| VALUE | ICMPv6 types. | 
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
| SET | TCP flags. | 
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | TCP flags. | 
conntrack¶
Match conntrack information.
conntrack \
     status [not] VALUE \
     state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
| VALUE | Conntrack status. | 
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
| VALUE | Conntrack state. | 
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
     rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. The burst is replenished by one each time the rate limit is not reached, up to this maximum.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
| UNIT | Units. | 
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
| VALUE | DSCP values. | 
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. Packets are matched against this value after the mask is applied.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets are matched against this value after the mask is applied.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
This module matches Stream Control Transmission Protocol headers.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)¶
How the listed chunk types must be present in the packet for the rule to match.
SCOPE
| SCOPE | Description | 
|---|---|
| all | Match if all of the listed chunk types are present. | 
| any | Match if any of the listed chunk types is present. | 
| only | Match only if the listed chunk types, and no others, are present. | 
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
cookie-echo¶
COOKIE ECHO chunk.
cookie-echo
cookie-ack¶
COOKIE ACK chunk.
cookie-ack
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP data flags. | 
set¶
Set flags.
set SET
| SET | SCTP data flags. | 
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP abort flag. | 
set¶
Set flags.
set SET
| SET | SCTP abort flag. | 
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP abort flag. | 
set¶
Set flags.
set SET
| SET | SCTP abort flag. | 
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
action¶
The action performed by this rule.
action STANDARD chain <string> notrack set-priority <uint32> \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
| STANDARD | Standard actions. | 
chain¶
Jump to the user chain by this name.
chain <string>
notrack¶
Disables connection tracking for this packet.
notrack
set-priority¶
Value of the priority to attach to the packet.
set-priority <uint32>
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
XOR with this value.
<0x0-0xffffffff>
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask), i.e. ctmask defines which bits of the ctmark to clear and nfmask which bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF. For example, with nfmask 0xff and ctmask 0xff, a packet mark of 0x2a turns a connection mark of 0xff000000 into (0xff000000 & ~0xff) ^ (0x2a & 0xff) = 0xff00002a.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
Bits that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask), i.e. nfmask defines which bits of the nfmark to clear and ctmask which bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
Bits that should be cleared.
nfmask <0x0-0xffffffff>
Bits that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
| LEVEL | Log levels. | 
prefix¶
Prefix log messages with the specified prefix, up to 29 letters long.
prefix <string>
additional-infos¶
Append additional information to the log messages.
additional-infos ADDITIONAL-INFOS
| ADDITIONAL-INFOS | Additional loggable infos. | 
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
tcpmss¶
Alters the MSS value of TCP SYN packets, to control the maximum size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp MSS value to (path_MTU - 40 for IPv4, - 60 for IPv6).
clamp-mss-to-pmtu
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 raw output rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 raw output rule <uint64> counters bytes
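A worked configuration that uses the prerouting and output chains described above together. It is an added example, not a fragment of the product documentation, and it assumes a VRF named main, an uplink interface named eth0, a recursive resolver at 2001:db8:0:1::53 and that drop is one of the standard actions; the concrete form of the address values is likewise an assumption, since this page only shows the abstract VALUE placeholders. The goal is to keep the router's own DNS traffic out of the connection tracking table and to discard spoofed sources as early as possible:

```text
vsr running config# vrf main firewall ipv6 raw prerouting
vsr running prerouting# policy accept
vsr running prerouting# rule 10 description "drop packets that fail the reverse-path test" \
...   inbound-interface eth0 \
...   rpfilter invert true \
...   action drop
vsr running prerouting# rule 20 description "resolver replies: do not create a conntrack entry" \
...   protocol udp \
...   source address 2001:db8:0:1::53 port 53 \
...   action notrack
vsr running config# vrf main firewall ipv6 raw output
vsr running output# policy accept
vsr running output# rule 10 description "resolver queries: do not create a conntrack entry" \
...   protocol udp \
...   destination address 2001:db8:0:1::53 port 53 \
...   action notrack
vsr> show state vrf main firewall ipv6 raw prerouting rule 10 counters packets
vsr> show state vrf main firewall ipv6 raw prerouting rule 20 counters packets
vsr> show state vrf main firewall ipv6 raw output rule 10 counters packets
```

Two points matter here. First, a query the router sends leaves through the output chain, but the reply arrives through the prerouting chain, so both directions need a notrack rule; exempting only one of them still creates a conntrack entry from the other. Second, because the raw table is consulted before connection tracking, packets hit by notrack never obtain a connection state: any later filter rule that admits replies with a conntrack state match will not see them as established, so such flows need an explicit accept. The rpfilter rule is numbered lower than the notrack rules so that spoofed packets are dropped before they can be exempted; the show state counters confirm which rules are actually matching.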
chain¶
User chain.
vsr running config# vrf <vrf> firewall ipv6 raw chain <string>
| <string> | The user chain name. | 
policy¶
Action taken when no rule matches.
vsr running config# vrf <vrf> firewall ipv6 raw chain <string>
vsr running chain <string># policy POLICY
| POLICY | Standard actions. | 
- Default value
- accept
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 raw chain <string> packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 raw chain <string> bytes
rule¶
A rule to perform an action on matching packets.
vsr running config# vrf <vrf> firewall ipv6 raw chain <string>
vsr running chain <string># rule <uint64> description <string> \
...   protocol [not] VALUE \
...   destination \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   source \
...     address [not] VALUE \
...     port [not] VALUE \
...     port-range [not] VALUE \
...     group [not] <string> \
...   icmpv6-type [not] VALUE \
...   tcp-flags [not] set SET examined EXAMINED \
...   conntrack \
...     status [not] VALUE \
...     state [not] VALUE \
...   connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   limit burst <uint32> \
...     rate <uint32> UNIT \
...   dscp [not] VALUE \
...   tos [not] <0x0-0xff> mask <0x0-0xff> \
...   mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff> \
...   sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack \
...   shutdown shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf \
...   asconf-ack forward-tsn \
...     data examined EXAMINED set SET \
...     abort examined EXAMINED set SET \
...     shutdown-complete examined EXAMINED set SET \
...   inbound-interface [not] <string> \
...   outbound-interface [not] <string> \
...   action STANDARD chain <string> reject REJECT \
...     connmark \
...       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
...     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
...     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
...     tcpmss set-mss <uint32> clamp-mss-to-pmtu \
...   rpfilter invert true|false
| <uint64> | Priority of the rule. Rules are evaluated in ascending order, so a higher number means a lower priority. | 
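A worked example of a user chain, added here and not taken from the product documentation. It builds an allow-list for SSH, rate-limits the logging of everything else and hands matching packets to the chain from prerouting with action chain. It assumes a VRF named main, an address group named mgmt-hosts that is defined elsewhere, that drop and accept are standard actions, that warning is a valid log level and minute a valid rate unit, and that, as in netfilter, a log action does not end rule processing, so packets that only hit the log rule fall through to the chain policy:

```text
vsr running config# vrf main firewall ipv6 raw chain ssh-guard
vsr running chain ssh-guard# policy drop
vsr running chain ssh-guard# rule 10 description "management hosts may reach SSH" \
...   source group mgmt-hosts \
...   action accept
vsr running chain ssh-guard# rule 20 description "log everything else, at most 5 per minute after a burst of 10" \
...   limit burst 10 rate 5 minute \
...   action log level warning prefix "SSH-GUARD "
vsr running config# vrf main firewall ipv6 raw prerouting
vsr running prerouting# rule 30 description "hand SSH packets to the ssh-guard chain" \
...   protocol tcp \
...   destination port 22 \
...   action chain ssh-guard
vsr> show state vrf main firewall ipv6 raw chain ssh-guard packets
vsr> show state vrf main firewall ipv6 raw chain ssh-guard rule 20 counters packets
```

The limit match is attached to the log rule only, so a flood against port 22 cannot fill the logs: the first 10 packets are logged, then at most 5 per minute, while the chain policy still drops every packet that did not come from the group. Comparing the chain's own packet counter with the counter of rule 20 shows how many packets were dropped without being logged.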
description¶
A comment to describe the rule.
description <string>
protocol¶
Match the protocol.
protocol [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The protocol to match.
VALUE
| VALUE | Protocol. The list can be obtained from the ‘show filter protocols’ command or the show-filter-protocols rpc. | 
destination¶
Match on destination fields.
destination \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on destination address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
| VALUE | Address type. | 
port¶
Match on destination port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
port-range¶
Match on destination port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
| VALUE | A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. | 
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match packets whose address is not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
source¶
Match on source fields.
source \
     address [not] VALUE \
     port [not] VALUE \
     port-range [not] VALUE \
     group [not] <string>
address¶
Match on source address.
address [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The address to match.
VALUE
| VALUE | Address type. | 
port¶
Match on source port.
port [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The port to match.
VALUE
| VALUE | A 16-bit port number used by a transport protocol such as TCP or UDP. | 
port-range¶
Match on source port range (syntax: port[,port|,port-port]).
port-range [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
Port range, syntax is port[,port|,port-port].
VALUE
| VALUE | A comma-separated list of ports or ports ranges. Examples: ‘21,22,1024-2048’. | 
group¶
Matches a set of addresses or networks.
group [not] <string>
not¶
Invert the match: match packets whose address is not in the group.
not
<string> (mandatory)¶
The name of the group.
<string>
icmpv6-type¶
Match the packet ICMPv6 type.
icmpv6-type [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The ICMPv6 type to match.
VALUE
| VALUE | ICMPv6 types. | 
tcp-flags¶
Match the packet TCP flags.
tcp-flags [not] set SET examined EXAMINED
not¶
Invert the match.
not
set¶
Set flags.
set SET
| SET | TCP flags. | 
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | TCP flags. | 
conntrack¶
Match conntrack information.
conntrack \
     status [not] VALUE \
     state [not] VALUE
status¶
Match the connection status.
status [not] VALUE
not¶
Invert the match.
not
VALUE¶
The conntrack status to match.
VALUE
| VALUE | Conntrack status. | 
state¶
Match the packet state regarding conntrack.
state [not] VALUE
not¶
Invert the match.
not
VALUE¶
The packet states to match.
VALUE
| VALUE | Conntrack state. | 
connmark¶
Matches the mark field associated with a connection.
connmark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets in connections are matched against this value.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
limit¶
Matches packets at a limited rate. If not set, the rate value is 3/hour and the burst value is 5.
limit burst <uint32> \
     rate <uint32> UNIT
burst¶
Maximum initial number of packets to match. The burst is replenished by one each time the rate limit is not reached, up to this maximum.
burst <uint32>
rate¶
Matching rate, default unit is per hour.
rate <uint32> UNIT
<uint32> (mandatory)¶
The rate.
<uint32>
UNIT¶
Unit for rate.
UNIT
| UNIT | Units. | 
dscp¶
Match the DSCP.
dscp [not] VALUE
not¶
Invert the match.
not
VALUE (mandatory)¶
The DSCP value to match.
VALUE
| VALUE | DSCP values. | 
tos¶
Match the tos.
tos [not] <0x0-0xff> mask <0x0-0xff>
not¶
Invert the match.
not
<0x0-0xff> (mandatory)¶
The tos value. Packets are matched against this value after the mask is applied.
<0x0-0xff>
mask¶
Logically ANDed with the tos before the comparison.
mask <0x0-0xff>
mark¶
Matches the mark field associated with a packet.
mark [not] <0x0-0xffffffff> mask <0x0-0xffffffff>
not¶
Invert the match.
not
<0x0-0xffffffff> (mandatory)¶
The mark value. Packets are matched against this value after the mask is applied.
<0x0-0xffffffff>
mask¶
Logically ANDed with the mark before the comparison.
mask <0x0-0xffffffff>
sctp-chunk-types¶
Matches on the chunk types carried in a Stream Control Transmission Protocol (SCTP) packet, optionally checking the flags of DATA, ABORT and SHUTDOWN COMPLETE chunks.
sctp-chunk-types [not] SCOPE init init-ack sack heartbeat heartbeat-ack shutdown \
   shutdown-ack error cookie-echo cookie-ack ecn-ecne ecn-cwr asconf asconf-ack \
   forward-tsn \
     data examined EXAMINED set SET \
     abort examined EXAMINED set SET \
     shutdown-complete examined EXAMINED set SET
not¶
Invert the match.
not
SCOPE (mandatory)¶
How the listed chunk types must relate to the chunks present in the packet.
SCOPE
| SCOPE | Description | 
|---|---|
| all | Match if every listed chunk type is present. | 
| any | Match if at least one listed chunk type is present. | 
| only | Match if every chunk in the packet is one of the listed types. | 
init¶
INIT chunk.
init
init-ack¶
INIT ACK chunk.
init-ack
sack¶
SACK chunk.
sack
heartbeat¶
HEARTBEAT chunk.
heartbeat
heartbeat-ack¶
HEARTBEAT ACK chunk.
heartbeat-ack
shutdown¶
SHUTDOWN chunk.
shutdown
shutdown-ack¶
SHUTDOWN ACK chunk.
shutdown-ack
error¶
ERROR chunk.
error
ecn-ecne¶
ECN ECNE chunk.
ecn-ecne
ecn-cwr¶
ECN CWR chunk.
ecn-cwr
asconf¶
ASCONF chunk.
asconf
asconf-ack¶
ASCONF ACK chunk.
asconf-ack
forward-tsn¶
FORWARD TSN chunk.
forward-tsn
data¶
DATA chunk.
data examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP data flags. | 
set¶
Set flags.
set SET
| SET | SCTP data flags. | 
abort¶
ABORT chunk.
abort examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP abort flag. | 
set¶
Set flags.
set SET
| SET | SCTP abort flag. | 
shutdown-complete¶
SHUTDOWN COMPLETE chunk.
shutdown-complete examined EXAMINED set SET
examined¶
Examined flags.
examined EXAMINED
| EXAMINED | SCTP shutdown-complete flag. | 
set¶
Set flags.
set SET
| SET | SCTP shutdown-complete flag. | 
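The three scopes and the examined/set flag check are easiest to read as code. The following is an added example for this page, not code from the VSR product: chunk type names follow the page, the flag bit values are the RFC 4960 / RFC 7053 definitions assumed for illustration, and the packets are constructed. A chunk passes its flag check when, among the examined bits, exactly the set bits are on.

```python
"""all / any / only scopes of the sctp-chunk-types match, with the per-chunk
flag check (examined / set) for DATA, ABORT and SHUTDOWN COMPLETE chunks.

Added example, not VSR code. Chunk type names follow the page; the flag bit
values are the RFC 4960 / RFC 7053 definitions, assumed here for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

DATA_E, DATA_B, DATA_U, DATA_I = 0x01, 0x02, 0x04, 0x08  # DATA chunk flag bits
ABORT_T = 0x01                                          # T bit of ABORT / SHUTDOWN COMPLETE


@dataclass(frozen=True)
class Chunk:
    ctype: str  # "data", "init", "abort", ... as on the page
    flags: int  # the chunk's flags byte


FlagRules = Dict[str, Tuple[int, int]]  # ctype -> (examined, set)


def _flags_ok(chunk: Chunk, flag_rules: FlagRules) -> bool:
    """Among the examined bits, exactly the `set` bits must be on."""
    if chunk.ctype not in flag_rules:
        return True
    examined, must_be_set = flag_rules[chunk.ctype]
    return (chunk.flags & examined) == must_be_set


def sctp_chunk_types_match(scope: str, wanted: Set[str], chunks: Iterable[Chunk],
                           flag_rules: Optional[FlagRules] = None,
                           invert: bool = False) -> bool:
    """all:  every listed type is present (with its flags OK);
    any:  at least one listed type is present (with its flags OK);
    only: every chunk in the packet is a listed type (with its flags OK)."""
    flag_rules = flag_rules or {}
    missing = set(wanted)   # for "all": listed types not yet seen
    verdict = None
    for chunk in chunks:
        if chunk.ctype not in wanted:
            if scope == "only":
                verdict = False        # a chunk outside the list breaks "only"
                break
            continue
        ok = _flags_ok(chunk, flag_rules)
        if scope == "any" and ok:
            verdict = True
            break
        if scope == "all" and ok:
            missing.discard(chunk.ctype)
        if scope == "only" and not ok:
            verdict = False
            break
    if verdict is None:
        verdict = {"all": not missing, "any": False, "only": True}[scope]
    return (not verdict) if invert else verdict


# Constructed packets.
PKT_INIT = [Chunk("init", 0)]
PKT_SACK_DATA_FRAGMENT = [Chunk("sack", 0), Chunk("data", DATA_B)]   # first fragment, no E bit
PKT_ABORT = [Chunk("abort", ABORT_T)]

if __name__ == "__main__":
    print(sctp_chunk_types_match("only", {"data"}, PKT_SACK_DATA_FRAGMENT))   # False: SACK is also present
    print(sctp_chunk_types_match("any", {"data"}, PKT_SACK_DATA_FRAGMENT,
                                 {"data": (DATA_B | DATA_E, DATA_B | DATA_E)}))  # False: E bit not set
```

The difference between `all` and `only` matters for bundled packets: a packet carrying SACK and DATA chunks satisfies `all` for the list {data, sack} and also `only` for that list, but fails `only` for the list {data} alone.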
inbound-interface¶
Name of an interface via which a packet was received. Only for input, forward and prerouting.
inbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
outbound-interface¶
Name of an interface via which a packet is going to be sent. Only for forward, output and postrouting.
outbound-interface [not] <string>
not¶
Invert the match.
not
<string> (mandatory)¶
The interface to match.
<string>
action¶
The action performed by this rule.
action STANDARD chain <string> reject REJECT \
     connmark \
       set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
       save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
       restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS \
     mark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     tcpmss set-mss <uint32> clamp-mss-to-pmtu
STANDARD¶
Standard action.
STANDARD
| STANDARD | Standard actions. | 
chain¶
Jump to the user chain by this name.
chain <string>
reject¶
Used to send back an error packet in response to the matched packet.
reject REJECT
| REJECT | Packet type when packet is rejected. | 
connmark¶
Sets the mark value associated with a connection. The mark is 32 bits wide.
connmark \
     set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff> \
     save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff> \
     restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
set-xmark¶
Zero out the bits given by mask and XOR value into the ctmark.
set-xmark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
XOR with this value.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask.
mask <0x0-0xffffffff>
save-mark¶
Copy the packet mark (nfmark) to the connection mark (ctmark) using the given masks. The new value is determined as follows: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask) i.e. ctmask defines what bits to clear and nfmask what bits of the nfmark to XOR into the ctmark. ctmask and nfmask default to 0xFFFFFFFF.
save-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask¶
Bits of the packet mark that should be XORed into the connection mark.
nfmask <0x0-0xffffffff>
ctmask¶
Bits of the connection mark that should be cleared.
ctmask <0x0-0xffffffff>
restore-mark¶
Copy the connection mark (ctmark) to the packet mark (nfmark) using the given masks. The new nfmark value is determined as follows: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask) i.e. nfmask defines what bits to clear and ctmask what bits of the ctmark to XOR into the packet mark. ctmask and nfmask default to 0xFFFFFFFF. restore-mark is only valid in the mangle table, not in the raw table documented here.
restore-mark nfmask <0x0-0xffffffff> ctmask <0x0-0xffffffff>
nfmask¶
Bits of the packet mark that should be cleared.
nfmask <0x0-0xffffffff>
ctmask¶
Bits of the connection mark that should be XORed into the packet mark.
ctmask <0x0-0xffffffff>
log¶
Turn on logging of matching packets.
log level LEVEL prefix <string> additional-infos ADDITIONAL-INFOS
level¶
Level of logging.
level LEVEL
| LEVEL | Log levels. | 
prefix¶
Prefix log messages with the specified prefix, up to 29 letters long.
prefix <string>
additional-infos¶
Append additional information to the logs.
additional-infos ADDITIONAL-INFOS
| ADDITIONAL-INFOS | Additional loggable infos. | 
mark¶
Used to set the mark value associated with the packet.
mark <0x0-0xffffffff> mask <0x0-0xffffffff>
<0x0-0xffffffff> (mandatory)¶
Bits that should be XORed into the packet mark.
<0x0-0xffffffff>
mask¶
Zero the bits given by this mask in the packet mark.
mask <0x0-0xffffffff>
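The connmark and mark matches above, and the set-xmark, save-mark, restore-mark and mark actions, all share one shape: AND with a mask, then compare or XOR. Because the actions XOR rather than assign, the mask decides whether a value is set or toggled. The block below is an added example for this page, not code from the VSR product; the 0xDEAD0000 "existing bits" and the class value 0x11 are constructed, and a mask default of all ones is assumed where the page gives none.

```python
"""Mark arithmetic for the connmark/mark matches and the connmark and mark actions.

Added example, not code from the VSR product. Values are constructed.
"""

MARK_BITS = 0xFFFFFFFF  # marks are 32 bits wide


def mark_matches(mark: int, value: int, mask: int = MARK_BITS, invert: bool = False) -> bool:
    """connmark / mark match: AND the mark with mask, then compare with value."""
    matched = (mark & mask) == value
    return (not matched) if invert else matched


def set_xmark(ctmark: int, value: int, mask: int = MARK_BITS) -> int:
    """set-xmark: zero the bits given by mask, then XOR value into the ctmark.
    (A mask default of all ones is assumed when none is given.)"""
    return ((ctmark & ~mask) ^ value) & MARK_BITS


def save_mark(ctmark: int, nfmark: int, nfmask: int = MARK_BITS, ctmask: int = MARK_BITS) -> int:
    """save-mark: ctmark = (ctmark & ~ctmask) ^ (nfmark & nfmask)."""
    return ((ctmark & ~ctmask) ^ (nfmark & nfmask)) & MARK_BITS


def restore_mark(nfmark: int, ctmark: int, nfmask: int = MARK_BITS, ctmask: int = MARK_BITS) -> int:
    """restore-mark: nfmark = (nfmark & ~nfmask) ^ (ctmark & ctmask)."""
    return ((nfmark & ~nfmask) ^ (ctmark & ctmask)) & MARK_BITS


def set_mark(nfmark: int, value: int, mask: int = MARK_BITS) -> int:
    """mark action: zero the bits given by mask in the packet mark, XOR value in."""
    return ((nfmark & ~mask) ^ value) & MARK_BITS


def classify_and_recover(existing_ctmark: int = 0xDEAD0000) -> dict:
    """Walk one connection through the usual pattern: keep a class id in the low
    byte of the ctmark, leave the other bits (constructed 0xDEAD0000, as if set
    by another rule) alone, and put the class back onto later packets."""
    first_packet_nfmark = set_mark(0, 0x11, 0xFF)                     # tag first packet: class 0x11
    ctmark = save_mark(existing_ctmark, first_packet_nfmark, nfmask=0xFF, ctmask=0xFF)
    later_packet_nfmark = restore_mark(0, ctmark, nfmask=0xFF, ctmask=0xFF)
    return {
        "ctmark": ctmark,                                              # 0xDEAD0011
        "later_packet_nfmark": later_packet_nfmark,                    # 0x11
        "matches_class_11": mark_matches(ctmark, 0x11, mask=0xFF),     # True
        "matches_without_mask": mark_matches(ctmark, 0x11),            # False: upper bits differ
    }


if __name__ == "__main__":
    for key, val in classify_and_recover().items():
        print(key, hex(val) if isinstance(val, int) and not isinstance(val, bool) else val)
    # The XOR trap: with mask 0 nothing is cleared first, so "setting" 0x11
    # on a ctmark that already holds 0x11 toggles it off instead.
    print(hex(set_xmark(0xDEAD0011, 0x11, mask=0)))   # 0xdead0000
```

Two points the arithmetic makes visible: a match without a mask compares the whole 32-bit mark, so a rule that only cares about the low byte must say `mask 0xff`; and an action whose mask does not cover the bits in its value toggles those bits rather than setting them, which is a classic source of marks that flip on every pass.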
tcpmss¶
Alters the MSS (maximum segment size) option of TCP SYN packets, to control the maximum segment size for that connection.
tcpmss set-mss <uint32> clamp-mss-to-pmtu
set-mss¶
Explicitly sets MSS option to specified value.
set-mss <uint32>
clamp-mss-to-pmtu¶
Automatically clamp the MSS value to the path MTU minus the minimum IP and TCP header size (path_MTU - 40 for IPv4, path_MTU - 60 for IPv6).
clamp-mss-to-pmtu
rpfilter¶
Performs a reverse path filter test on a packet. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match.
rpfilter invert true|false
invert¶
This will invert the sense of the match. Instead of matching packets that passed the reverse path filter test, match those that have failed it.
invert true|false
- Default value
- false
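The test behind rpfilter is a routing lookup on the packet's source address: if the interface that lookup returns is the one the packet arrived on, the packet passes. The block below is an added example for this page, not code from the VSR product; the IPv6 routing table and the interface names (wan0, lan0, dmz0) are constructed.

```python
"""Reverse-path filter decision: route the packet's source address back and
compare the outgoing interface with the interface the packet arrived on.

Added example, not VSR code. The routing table and interface names are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, outgoing interface)

ROUTES: List[Route] = [
    ("::/0", "wan0"),
    ("2001:db8:1::/48", "lan0"),
    ("2001:db8:2::/64", "dmz0"),
]


def route_lookup(table: List[Route], address: str) -> Optional[str]:
    """Longest-prefix match: the interface a packet addressed to `address` would leave by."""
    addr = ipaddress.ip_address(address)
    best: Optional[Tuple[int, str]] = None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname)
    return best[1] if best else None


def rpfilter_matches(table: List[Route], src: str, in_iface: str, invert: bool = False) -> bool:
    """Without invert: match packets whose source routes back out of in_iface.
    With invert: match the packets that fail that test, which is how a rule
    is written to drop traffic arriving with a spoofed source address.
    A source with no route at all fails the test as well."""
    passed = route_lookup(table, src) == in_iface
    return (not passed) if invert else passed


if __name__ == "__main__":
    # A LAN address arriving from the WAN side is the spoofing case:
    # the plain test fails it, and `invert true` selects it for dropping.
    print(rpfilter_matches(ROUTES, "2001:db8:1::10", "wan0"))               # False
    print(rpfilter_matches(ROUTES, "2001:db8:1::10", "wan0", invert=True))  # True
```

Because the test is a plain routing lookup, a default route makes every otherwise-unknown source pass on the interface the default route points to; the filter only catches sources that the table routes elsewhere.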
counters (state only)¶
The counters of this rule.
packets (state only)¶
Packets.
vsr> show state vrf <vrf> firewall ipv6 raw chain <string> rule <uint64> counters packets
bytes (state only)¶
Bytes.
vsr> show state vrf <vrf> firewall ipv6 raw chain <string> rule <uint64> counters bytes