
Configuring IPv6 Match Conditions

Table 1 describes the firewall filter match conditions supported for IPv6 traffic.

To configure firewall filter match conditions for IPv6 traffic:

  • Include the match-conditions statement at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy level.

Table 1: IPv6 Firewall Filter Match Conditions

Match Condition

Description

address address

IPv6 source or destination address field: a 128-bit address written in the standard IPv6 text syntax. You cannot specify both the address match condition and the source-address or destination-address match condition in the same term. For more information, see the JUNOS Routing Protocols Configuration Guide.

destination-address address

128-bit address that is the final destination node address for the packet. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373, IP Version 6 Addressing Architecture. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.

destination-port number

TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

Normally, you specify this match in conjunction with the next-header match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104).

destination-prefix-list name

Destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

forwarding-class class

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

icmp-code number

ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For more information, see Overview of Protocol Match Conditions.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)
  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
  • destination-unreachable: no-route-to-destination (0), administratively-prohibited (1), address-unreachable (3), port-unreachable (4)

icmp-type number

ICMPv6 packet type field. Normally, you specify this match in conjunction with the next-header icmpv6 match condition to confirm that the packet actually carries an ICMPv6 header. For more information, see Overview of Protocol Match Conditions.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (129), echo-request (128), membership-query (130), membership-report (131), membership-termination (132), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), time-exceeded (3), or destination-unreachable (1).

interface interface-name

Interface on which the packet was received.

interface-group group-number

Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For information about configuring interface groups, see Applying Firewall Filters to Interfaces.

interface-set interface-set-name

(MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet was received. An interface set is a set of logical interfaces used to configure hierarchical class-of-service schedulers. For information about configuring an interface set, see the JUNOS Class of Service Configuration Guide and the JUNOS Network Interfaces Configuration Guide.

loss-priority level

Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced CFEB (CFEB-E).

On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tricolor statement is not referenced, you can only configure the high and low levels. This applies to all protocol families.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

next-header bytes

8-bit Next Header field that identifies the type of header immediately following the fixed IPv6 header. The match applies to that first Next Header value only: a packet that carries an extension header (for example, fragment or hop-by-hop) ahead of its TCP or UDP header matches the extension header's value, not tcp or udp. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112). Note that icmp (1) is the IPv4 ICMP protocol number; ICMPv6 messages, including Neighbor Discovery, use icmpv6 (58).

packet-length bytes

Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

port number

TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match conditions in the same term.

Typically, you specify this match in conjunction with the next-header match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

prefix-list name

Source or destination prefixes in the specified list name. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level, the same hierarchy used by the source-prefix-list and destination-prefix-list match conditions.

source-address address

Address of the source node sending the packet; 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses as described in RFC 2373. For more information about IPv6 address syntax, see the JUNOS Routing Protocols Configuration Guide.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

Normally, you specify this match in conjunction with the next-header match statement to determine which protocol is being used on the port. For more information, see Overview of Protocol Match Conditions.

In place of the numeric field, you can specify one of the text synonyms listed under destination-port.

source-prefix-list name

Source prefixes in the specified prefix list. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

tcp-established

TCP packets other than the first packet of a connection. This is a synonym for "(ack | rst)".

This condition does not implicitly check that the protocol is TCP. To check this, specify the next-header tcp match condition in the same term.

tcp-flags flags

One or more of the following TCP flags:

  • bit-name: fin, syn, rst, push, ack, urgent

    You can combine multiple flags with the logical operators & (and), | (or), and ! (not), and group them with parentheses, for example "(syn & !ack)".

  • numerical value: 0x01 through 0x20
  • text synonym: tcp-established, tcp-initial

Configuring the tcp-flags match condition requires that you configure the next-header tcp match condition.

tcp-initial

Initial packet of a TCP connection; a synonym for "(syn & !ack)". Configuring the tcp-initial match condition also requires that you configure the next-header tcp match condition.

traffic-class number

8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class match is used to specify a DiffServ code point (DSCP) value, so the numerical value cannot be greater than 0x3f (63), the range of the 6-bit DSCP.

This field corresponds to the type-of-service (ToS) field in IPv4, and its semantics (for example, DSCP) are identical to those of IPv4.
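The following configuration is added here as a worked example; it is not from the original page. It follows the procedure above (match conditions under [edit firewall family inet6 filter filter-name term term-name from]) and exercises several of the conditions in Table 1 in a loopback filter that protects the Routing Engine: next-header paired with tcp-established, a source-prefix-list, ICMPv6 type matching, a tcp-flags expression, and an explicit final discard. The filter name protect-re-v6, the prefix list mgmt-v6, the policer name icmpv6-echo-limit, the counter names, and the management prefix 2001:db8:100::/48 (from the RFC 3849 documentation range) are assumptions chosen for the example.

```junos
/* Example configuration (not from the original page); names and prefixes are assumed */
policy-options {
    prefix-list mgmt-v6 {
        2001:db8:100::/48;
    }
}
firewall {
    policer icmpv6-echo-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet6 {
        filter protect-re-v6 {
            /* Replies to connections we opened: ack or rst set. next-header tcp
               is required because tcp-established does not check the protocol. */
            term established-tcp {
                from {
                    next-header tcp;
                    tcp-established;
                }
                then accept;
            }
            /* New SSH sessions only from the management prefix list */
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-v6;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Neighbor Discovery plus the error types that PMTUD and
               diagnostics depend on. next-header icmpv6 (58), not icmp (1). */
            term icmpv6-required {
                from {
                    next-header icmpv6;
                    icmp-type [ neighbor-solicit neighbor-advertisement router-solicit router-advertisement packet-too-big time-exceeded parameter-problem destination-unreachable ];
                }
                then accept;
            }
            /* Echo requests are accepted but policed */
            term icmpv6-echo {
                from {
                    next-header icmpv6;
                    icmp-type echo-request;
                }
                then {
                    policer icmpv6-echo-limit;
                    accept;
                }
            }
            /* Count SYNs to SSH from anywhere else before dropping them */
            term count-ssh-syn {
                from {
                    next-header tcp;
                    destination-port ssh;
                    tcp-flags "syn & !ack";
                }
                then {
                    count ssh-syn-denied;
                    discard;
                }
            }
            /* Make the implicit final discard explicit so it is counted and logged */
            term deny-rest {
                then {
                    count denied-v6;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

Two points a practitioner should check before committing a filter like this. First, every JUNOS firewall filter ends with an implicit discard, so a filter that accepts only the terms above drops Neighbor Discovery unless the icmpv6-required term is present; that breaks IPv6 on the link, not just management access. Second, because next-header matches only the first Next Header value, non-first fragments and packets carrying hop-by-hop or destination-options headers do not match the tcp or icmpv6 terms here and fall through to deny-rest; add terms with next-header fragment (and the other extension headers you expect) if that traffic must be accepted.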


Published: 2010-04-15
