Firewall Filter Match Conditions and Actions (QFX10000 Switches)
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define one or more match conditions in match statements. You can also omit the match statement entirely, in which case the term matches all packets.
When a packet matches a filter, the switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default.
This topic describes the various match conditions, actions, and action modifiers that you can define in firewall filters on QFX10000 switches. For similar information about other QFX switches, see Firewall Filter Match Conditions and Actions (QFX and EX Series Switches).
Table 1 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type ? at the appropriate place in a statement.
Table 2 shows the actions that you can specify in a term.
Table 3 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.
Table 1: Supported Match Conditions (QFX10000 Switches)
Match Condition | Description | Direction and Interface |
---|---|---|
destination-address | IP destination address field, which is the address of the final destination node. | Ingress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
destination-mac-address mac-address | Destination media access control (MAC) address of the packet. | Ingress ports and VLANs. Egress ports and VLANs. |
destination-port value | TCP or UDP destination port field. Typically, you specify this match in conjunction with the protocol match statement. For the following well-known ports you can specify text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104). | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
destination-prefix-list prefix-list | IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
dscp value | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress ports, VLANs, and IPv4 (inet) interfaces. |
ether-type value | Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): | Ingress ports and VLANs. Egress ports and VLANs. |
forwarding-class class | Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class: | Egress IPv4 (inet) and IPv6 (inet6) interfaces. |
fragment-flags value | IP fragmentation flags. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed): | Ingress ports, VLANs, and IPv4 (inet) interfaces. |
hop-limit value | Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255. | Ingress and egress IPv6 (inet6) interfaces. |
icmp-code value | ICMP code field. Because the meaning of the value depends upon the associated icmp-type, you must specify a value for icmp-type along with a value for icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
icmp-type value | ICMP message type field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). IPv4: echo-reply (0), destination-unreachable (3), source-quench (4), redirect (5), echo-request (8), router-advertisement (9), router-solicit (10), time-exceeded (11), parameter-problem (12), timestamp (13), timestamp-reply (14), info-request (15), info-reply (16), mask-request (17), mask-reply (18). IPv6: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), membership-query (130), membership-report (131), membership-termination (132), router-solicit (133), router-advertisement (134), neighbor-solicit (135), neighbor-advertisement (136), redirect (137), router-renumbering (138), node-information-request (139), node-information-reply (140). See also the icmp-code match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
interface interface-name | Interface on which the packet is received, including the logical unit. You can include the wildcard character (*) as part of an interface name or logical unit. Note: An interface from which a packet is sent cannot be used as a match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
ip-destination-address address | IPv4 address that is the final destination node address for the packet. | Ingress ports, egress ports, and VLANs. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
ip-options | Specify any to create a match if anything is specified in the options field in the IP header. | Ingress ports, VLANs, and IPv4 (inet) interfaces. |
ip-precedence ip-precedence-field | IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). | Ingress ports and VLANs. Egress ports and VLANs. |
ip-protocol number | IP protocol field. | Ingress ports and VLANs. Egress ports and VLANs. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
ip-source-address address | IPv4 address of the source node sending the packet. | Ingress ports and VLANs. Egress ports and VLANs. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
ip-version address | IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface. | Ingress ports and VLANs. Egress ports and VLANs. |
is-fragment | Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero. | Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
learn-1p-priority number | Matches the specified IEEE 802.1p VLAN priority bits in the range 0-7. | Ingress ports and VLANs. Egress ports and VLANs. |
learn-vlan-id number | Matches the ID of a normal VLAN or the ID of the outer (service) VLAN (for Q-in-Q VLANs). To use filter memory most efficiently and maximize the number of possible filters, use this condition in addition to user-vlan-id when you want to match on the inner (customer) VLAN ID. The acceptable values are 1-4095. | Ingress ports and VLANs. Egress ports and VLANs. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
loss-priority (low | medium-low | medium-high | high) | Set the packet loss priority (PLP). Note: The loss-priority action modifier is not supported in combination with the policer action. | Egress IPv4 (inet) and IPv6 (inet6) interfaces. |
next-header value | IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132). | Ingress IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
packet-length number | Packet length in bytes. You must enter a number between 0 and 65535. | Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
precedence value | IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also be used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): | Ingress IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
protocol type | IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): hop-by-hop (0), icmp (1), igmp (2), ipip (4), tcp (6), egp (8), udp (17), ipv6 (41), routing (43), fragment (44), rsvp (46), gre (47), esp (50), ah (51), icmp6 (58), no-next-header (59), dstopts (60), ospf (89), pim (103), vrrp (112), sctp (132). | Ingress IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
source-address | IP source address field, which is the address of the node that sent the packet. | Ingress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
source-mac-address mac-address | Source media access control (MAC) address of the packet. | Ingress ports and VLANs. Egress ports and VLANs. |
source-port value | TCP or UDP source port. Typically, you specify this match in conjunction with the protocol match statement. In place of the numeric field, you can specify one of the text synonyms listed under destination-port. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
source-prefix-list prefix-list | IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the [edit policy-options] hierarchy level. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
tcp-established | Match packets of an established TCP connection. This condition matches packets other than those used to set up a TCP connection—that is, three-way handshake packets are not matched. When you specify tcp-established, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
tcp-flags value | One or more TCP flags: | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
tcp-initial | Match the first TCP packet of a connection. A match occurs when the TCP flag SYN is set and the TCP flag ACK is not set. When you specify tcp-initial, a switch does not implicitly verify that the protocol is TCP. You must also specify the protocol tcp match condition. | Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
traffic-class value | 8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed): af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs0 (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46) | Ingress IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
ttl value | IP Time-to-live (TTL) field in decimal. The value can be 1-255. | Ingress IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. Ingress IRB interface for EVPN/VXLAN fabric, where applicable. |
user-vlan-id number | Matches the ID of the inner (customer) VLAN in a Q-in-Q VLAN. To use filter memory most efficiently and maximize the number of possible filters, use in combination with learn-vlan-id to match the outer (service) VLAN ID. The acceptable values are 1-4095. | Ingress ports and VLANs. Egress ports and VLANs. |
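The following configuration is an added example and is not part of the Juniper documentation. It is a constructed inet filter that combines several Table 1 match conditions and illustrates the caveat in the tcp-established row: the first filter relies on tcp-established alone, so the switch never checks that the packet is TCP; the second adds the required protocol tcp condition, restricts management access with a prefix list defined under [edit policy-options], and ends with a term that has no from statement so it matches everything left. Filter, term, counter and prefix-list names and the RFC 5737 addresses are assumptions.

```junos
/* Prefix list referenced by source-prefix-list; the addresses are constructed examples. */
policy-options {
    prefix-list MGMT-NETS {
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        /* Weak form: tcp-established on its own. The switch does not verify
           the IP protocol, so this term is not restricted to TCP packets. */
        filter WEAK-RETURN-TRAFFIC {
            term return-traffic {
                from {
                    tcp-established;
                }
                then accept;
            }
        }
        /* Corrected form: protocol tcp is configured alongside tcp-established,
           management access is limited to the prefix list, and the final term
           has no from statement, so it matches all remaining packets. */
        filter PROTECT-MGMT {
            term return-traffic {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then {
                    count tcp-established-ok;
                    accept;
                }
            }
            term mgmt-access {
                from {
                    source-prefix-list {
                        MGMT-NETS;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term deny-rest {
                then {
                    count denied;
                    discard;
                }
            }
        }
    }
}
```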
Use then statements to define actions that should occur if a packet matches all conditions in a from statement. Table 2 shows the actions that you can specify in a term. (If you do not include a then statement, the system accepts packets that match the filter.)
Table 2: Actions
Action | Description |
---|---|
accept | Accept a packet. This is the default action for packets that match a term. |
discard | Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
reject message-type | Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the syslog action modifier. You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, the system sends a TCP reset if the packet is a TCP packet; otherwise nothing is sent. If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.” Note: The reject action is supported on ingress interfaces only. |
routing-instance instance-name | Forward matched packets to a virtual routing instance. (The only supported instance type is virtual-router.) Packets can be forwarded to the default instance. |
vlan VLAN-name | Forward matched packets to a specific VLAN. Note: The vlan action is supported on ingress interfaces only. Note: This action is not supported on OCX series switches. |
You can also specify the action modifiers listed in Table 3 to count, mirror, rate-limit, and classify packets.
Table 3: Action Modifiers
Action Modifier | Description |
---|---|
count counter-name | Count the number of packets that match the term. |
forwarding-class class | Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class: Note: To configure a forwarding class, you must also configure loss priority. |
log | Log the packet's header information in the Routing Engine. To view this information, enter the show firewall log operational mode command. Note: The log action modifier is supported on ingress interfaces only. |
loss-priority (low | medium-low | medium-high | high) | Set the packet loss priority (PLP). Note: The loss-priority action modifier is supported on ingress interfaces only. Note: The loss-priority action modifier is not supported in combination with the policer action. |
policer policer-name | Send packets to a policer (for the purpose of applying rate limiting). You can specify a policer for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters. Note: The policer action modifier is not supported in combination with the loss-priority action. |
port-mirror | (ELS platforms) Mirror traffic (copy packets) to an output interface configured in a port-mirroring instance at the [edit forwarding-options port-mirroring] hierarchy level. You can specify port mirroring for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters. |
port-mirror-instance port-mirror-instance-name | (ELS platforms) Mirror traffic to a port-mirroring instance configured at the [edit forwarding-options port-mirroring] hierarchy level. You can specify port mirroring for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) firewall filters. |
syslog | Log an alert for this packet. Note: The syslog action modifier is supported on ingress interfaces only. |
three-color-policer three-color-policer-name | Send packets to a three-color policer (for the purpose of applying rate limiting). You can specify a three-color policer for ingress and egress port, VLAN, IPv4 (inet), and IPv6 (inet6) filters. Note: The policer action modifier is not supported in combination with the loss-priority action. |
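As an added example that is not from the documentation, this constructed inet filter exercises the action modifiers in Table 3 together with the actions in Table 2: a policer defined at [edit firewall policer] rate-limits ICMP echo requests, count records the packets each term handled, syslog accompanies a reject with an explicit message type, and log accompanies the final discard. The loss-priority modifier is deliberately absent from the policed term because the two cannot be combined. Filter, term, counter and policer names and the rate values are assumptions.

```junos
/* Policer referenced by the filter below; the rate values are constructed examples. */
firewall {
    policer LIMIT-ICMP {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter EDGE-IN {
            /* Rate-limit ICMP echo requests with the policer and count what the
               term saw. loss-priority is not combined with policer, so it is absent. */
            term icmp-limit {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer LIMIT-ICMP;
                    count icmp-echo;
                    accept;
                }
            }
            /* Reject with an explicit ICMP message type and record the event with
               syslog; both reject and syslog are supported on ingress only. */
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    syslog;
                    reject administratively-prohibited;
                }
            }
            /* Final term with no from statement matches all remaining packets;
               log stores header information that "show firewall log" displays. */
            term default-deny {
                then {
                    log;
                    count default-denied;
                    discard;
                }
            }
        }
    }
}
```

Apply the filter in the ingress direction with input EDGE-IN under the interface's family inet filter hierarchy; because reject, syslog and log are ingress-only, this filter is not suitable as an output filter.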