Specifying Address Filter Match Conditions

Address filter conditions match prefix values in a packet, such as IP source and destination prefixes. For address filter match conditions, you specify a keyword that identifies the field and one or more prefixes of that type that a packet must match. Table 29 describes the address filter match conditions.

You can specify the address in one of the following ways:

• Single prefix. A match occurs if the value of the field matches the prefix. For example:

[edit firewall family family-name filter filter-name term term-name from]

destination-address 10.0.0.0/8;

• Multiple prefixes. A match occurs if any one of the prefixes in the list matches the packet. For example:

[edit firewall family family-name filter filter-name term term-name from]

destination-address {

    10.0.0.0/8;

    192.168.0.0/32;

}

The order in which you list prefixes in the list is not significant. They are all evaluated to determine whether a match occurs. If prefixes overlap, longest-match rules are used to determine whether a match occurs. Each list of prefixes contains an implicit 0/0 except statement, which means that any prefix that does not match any prefix in the list is explicitly considered not to match.

To specify the address prefix, use the notation prefix/prefix-length. If you omit prefix-length, it defaults to /32. For example:

[edit firewall family family-name filter filter-name term term-name from]

user@host# set destination-address 10

[edit firewall family family-name filter filter-name term term-name from]

user@host# show

destination-address {

    10.0.0.0/32;

}

To exclude a prefix, specify the string except after the prefix. In the following example, any addresses that fall under 192.168.10.0/8 match, except for addresses that fall under 192.168.0.0/16. All other addresses implicitly do not match this condition.

[edit firewall family family-name filter filter-name term term-name from]

destination-address {

    192.168.0.0/16 except;

    192.168.10.0/8;

}

To match all destinations except one, in this example 10.1.1.0/24, configure the match conditions as follows:

[edit firewall family family-name filter filter-name term term-name from]

destination-address {

    0.0.0.0/0;

    10.1.1.0/24 except;

}

Because the prefixes are order-independent and use longest-match rules, longer prefixes subsume shorter ones as long as they are the same type (whether you specify except or not). This is because anything that would match the longer prefix would also match the shorter one. In the following example:

• 172.16.1.2 matches the 172.16.0.0/10 prefix, and thus the action in the then statement is taken.
• 172.16.2.2 matches the 172.16.2.0/16 prefix. Because this prefix is negated (that is, marked as except), an explicit mismatch occurs. The next term in the filter is evaluated, if there is one. If there are no more terms, the packet is discarded.
• 10.1.2.3 does not match any of the prefixes included in the source-address condition. Instead, it matches the implicit 0.0.0.0/0 except at the end of the list, and is considered to be a mismatch.
• The 172.16.3.0/16 statement is ignored because it falls under the address 172.16.0.0/10—both are the same type.
• The 10.2.2.2 except statement is ignored because it is subsumed by the implicit 0.0.0.0/0 except statement at the end of the list.

[edit firewall family family-name filter filter-name term term-name from]

source-address {

    172.16.0.0/10;

    172.16.2.0/16 except;

    192.168.1.0;

    192.168.1.192/26 except;

    192.168.1.254;

    172.16.3.0/16;                                                    # ignored

    10.2.2.2 except;                                                    # ignored

}

Table 29: Address Firewall Filter Match Conditions 

Match Condition	Description
address prefix	IP source or destination address field. You cannot specify both the address and the destination-address or source-address match conditions in the same term.
destination-address prefix	IP destination address field. You cannot specify the destination-address and address match conditions in the same term.
destination-prefix-list prefix-list	IP destination prefix list field. You cannot specify the destination-prefix-list and prefix-list match conditions in the same term.
prefix-list prefix-list	IP source or destination prefix list field. You cannot specify both the prefix-list and the destination-prefix-list or source-prefix-list match conditions in the same term.
source-address prefix	IP source address field. You cannot specify the source-address and address match conditions in the same rule.
source-prefix-list prefix-list	IP source prefix list field. You cannot specify the source-prefix-list and prefix-list match conditions in the same term.

You can also define a list of IP address prefixes under a prefix-list alias for frequent reference. You make this definition at the [edit policy-options] hierarchy level:

[edit policy-options]

    prefix-list prefix-list {

        address;

        address;

        address;

    }

}

Once you have defined a prefix list, you can use it when defining firewall filters:

[edit firewall family family-name filter filter-name term term-name]

from {

    source-prefix-list {

        prefix-list1;

        prefix-list2;

    }

    destination-prefix-list {

        prefix-list1;

    }

}

You can specify noncontiguous address prefixes in a filter term for firewall filters. Noncontiguous address prefixes are prefixes that are not adjacent or neighboring to one another. For example, in the following example, the following prefixes are noncontiguous: 0.0.0.10/0.0.0.255, 0.10.0.10/0.255.0.255, and 0.12.10.9/0.255.255.255:

[edit firewall family inet filter filter-name]

term term-name {

    address 0.0.0.10/0.0.0.255;

    destination-address 0.10.0.10/0.255.0.255;

    source-address 0.12.10.9/0.255.255.255 except;

}




   
NOTE: Noncontiguous address prefixes are valid only for IPv4 filters. IPv6 filters do not support noncontiguous address prefixes.


 

You can also specify a netmask value rather than a prefix length, for example:

[edit firewall family inet filter filter-name]

term term-name {

    address 10.0.0.10/255.0.0.255;

}

The prefix notation shown matches any address with a first and last octet of 10. The address and netmask are separated by a forward slash (/). The second and third bytes of the prefix can be any value from 0 through 255.

NOTE: When a firewall filter term includes the from address address match condition and a subsequent term includes the from source-address address match condition for the same address, packets may be processed by the latter term before they are evaluated by any intervening terms. Therefore, packets that should be rejected by the intervening terms may be accepted, or packets that should be accepted may be rejected. To prevent this from occurring, we recommend you do the following. For every firewall filter term that contains the from address address match condition, replace that term with two separate terms: one that contains the from source-address address match condition, and another that contains the from destination-address address match condition.

For more information about prefixes, see the JUNOS Routing Protocols Configuration Guide.