Bit-field filter conditions match packet fields according to whether particular bits in those fields are set or not set. You can match the IP options, TCP flags, and IP fragmentation fields. For a bit-field match condition, you specify a keyword that identifies the field, together with a test that determines whether the bits of interest are set in that field. Table 33 describes the bit-field match conditions.
Note: The JUNOS software does not automatically check the first fragment bit when matching TCP flags. Only the first fragment of a fragmented packet carries the TCP header, so a tcp-flags test applied to a trailing fragment is not testing TCP flags at all. To include the first fragment bit in the test, include the fragment-offset match condition described in Table 29.
To specify the bit-field value to match, enclose the value in quotation marks (" "). For example, a match occurs if the RST bit in the TCP flags field is set:
- tcp-flags "rst";
Generally, you specify the bits being tested using keywords. Bit-field match keywords always map to a single bit value. You also can specify bit fields as hexadecimal or decimal numbers.
To negate a match, precede the value with an exclamation point. For example, a match occurs only if the RST bit in the TCP flags field is not set:
- tcp-flags "!rst";
To match multiple bit-field values, use the logical operators listed in Table 34. The operators are listed in order from highest precedence to lowest, and operations are left-associative.
As an example of a logical AND operation, in the following, a match occurs if the packet is the initial packet on a TCP session:
- tcp-flags "syn & !ack";
As an example of a logical OR operation, in the following, a match occurs if the packet is not the initial packet on a TCP session:
- tcp-flags "!syn | ack";
As an example of grouping, in the following, a match occurs for any packet that is either a TCP reset or is not the initial packet in the session:
- tcp-flags "!(syn & !ack) | rst";
When you specify a numeric value that has more than one bit set, the value is treated as a logical AND of the set bits: every one of those bits must be set for the value to match. For example, the following two values are equivalent, and a match occurs whenever at least one of the bits 0x01 or 0x02 is not set:
- tcp-flags "!0x3";
- tcp-flags "!(0x01 & 0x02)";
You can use text synonyms to specify some common bit-field matches. You specify these matches as a single keyword. For example:
- tcp-established;
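The precedence, negation and numeric-AND rules above are easy to get wrong in a filter term, so the following added example (illustrative Python written for this page, not Junos code) implements the expression grammar of Table 34 over the keyword tables of Table 33 and evaluates expressions against constructed TCP flag bytes. The sample segments, the helper names (tokenize, compile_match, matching_segments, equivalent) and the 8-bit field width are assumptions of the example. It models only the bit test itself; the protocol tcp and first-fragment conditions that the notes on this page call for are separate match conditions in the term and are not modelled here.

```python
"""Evaluator for Junos-style bit-field match expressions (illustrative code
written for this page, not part of Junos): grouping, "!" negation, "&"/"+"
AND and "|"/"," OR, highest to lowest precedence, left-associative."""
import re

# Keyword-to-bit tables as listed in Table 33; each keyword is a single bit.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}
FRAGMENT_FLAGS = {"more-fragments": 0x2000, "dont-fragment": 0x4000,
                  "reserved": 0x8000}
# Text synonyms and the expressions they stand for (Table 33).
SYNONYMS = {"tcp-established": "(ack | rst)", "tcp-initial": "(syn & !ack)"}
# Constructed sample TCP flag bytes (not captured traffic), by segment type.
SAMPLE_SEGMENTS = {"syn": 0x02, "syn-ack": 0x12, "ack": 0x10,
                   "push-ack": 0x18, "rst": 0x04, "fin-ack": 0x11}

_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|[a-z][a-z-]*|[()!&+|,])")

def tokenize(expr):
    """Split an expression into keyword, number and operator tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class _Parser:
    """Recursive descent over the token list, yielding a predicate on the field value."""

    def __init__(self, tokens, keywords):
        self.toks, self.i, self.keywords = tokens, 0, keywords

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of expression")
        self.i += 1
        return self.toks[self.i - 1]

    def parse_or(self):        # lowest precedence: "|" or ","
        left = self.parse_and()
        while self.peek() in ("|", ","):
            self.take()
            left = (lambda l, r: lambda v: l(v) or r(v))(left, self.parse_and())
        return left

    def parse_and(self):       # "&" or "+"
        left = self.parse_not()
        while self.peek() in ("&", "+"):
            self.take()
            left = (lambda l, r: lambda v: l(v) and r(v))(left, self.parse_not())
        return left

    def parse_not(self):       # "!" binds tighter than "&" and "|"
        if self.peek() == "!":
            self.take()
            inner = self.parse_not()
            return lambda v: not inner(v)
        return self.parse_atom()

    def parse_atom(self):      # "( ... )", a keyword, or a hex/decimal number
        t = self.take()
        if t == "(":
            inner = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        if t.startswith("0x") or t.isdigit():
            mask = int(t, 0)   # base 0 accepts both "0x14" and "20"
        elif t in self.keywords:
            mask = self.keywords[t]
        else:
            raise ValueError(f"unknown keyword {t!r}")
        # A numeric value with several bits set requires all of them to be set.
        return lambda v: (v & mask) == mask

def compile_match(expr, keywords=TCP_FLAGS):
    """Turn the quoted value of a tcp-flags or fragment-flags match into a predicate."""
    expr = expr.strip().strip('"')
    parser = _Parser(tokenize(SYNONYMS.get(expr, expr)), keywords)
    predicate = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return predicate

def matching_segments(expr):
    """Names of the constructed sample segments that an expression matches."""
    predicate = compile_match(expr)
    return sorted(n for n, f in SAMPLE_SEGMENTS.items() if predicate(f))

def equivalent(expr_a, expr_b, keywords=TCP_FLAGS, width=8):
    """True if two expressions agree on every field value of the given bit width."""
    a, b = compile_match(expr_a, keywords), compile_match(expr_b, keywords)
    return all(a(v) == b(v) for v in range(1 << width))
```

equivalent() is the check worth keeping: it confirms that "!0x3" and "!(0x01 & 0x02)" are the same test, that tcp-initial expands to "syn & !ack", and that tcp-established is not the negation of the tcp-initial expression, because a segment with neither ack nor rst set (a bare fin, for instance) is matched by "!(syn & !ack)" but not by "(ack | rst)". It also shows why the grouping matters in "!(syn & !ack) | rst": "!syn | ack" and "!(syn | ack)" disagree on a plain ack segment.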
Table 33: Bit-Field Firewall Filter Match Conditions

| Match Condition | Description |
|---|---|
| Conditions with Variables | |
| fragment-flags number | IP fragmentation flags. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000). |
| ip-options number | IP options. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): any, loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68). |
| tcp-flags number | TCP flags. Normally you specify this match in conjunction with the protocol match statement, because the condition itself does not check which protocol the packet carries. For more details, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ack (0x10), fin (0x01), push (0x08), rst (0x04), syn (0x02), or urgent (0x20). |
| Text Synonyms | |
| first-fragment | First fragment of a fragmented packet. This condition does not match unfragmented packets. |
| is-fragment | Trailing fragment of a fragmented packet. This condition does not match the first fragment. To match both first and trailing fragments, use two terms, one with first-fragment and one with is-fragment. |
| tcp-established | TCP packets other than the first packet of a connection. This is a synonym for "(ack \| rst)". This condition does not implicitly check that the protocol is TCP; to check this, specify the protocol tcp match condition as well. |
| tcp-initial | First TCP packet of a connection. This is a synonym for "(syn & !ack)". This condition does not implicitly check that the protocol is TCP; to check this, specify the protocol tcp match condition as well. |
Table 34: Bit-Field Logical Operators

| Logical Operator | Description |
|---|---|
| (...) | Grouping |
| ! | Negation |
| & or + | Logical AND |
| \| or , | Logical OR |