Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Firewall Filter Match Conditions for IPv6 Traffic

You can configure a firewall filter with match conditions for Internet Protocol version 6 (IPv6) traffic (family inet6).

Note:

For MX Series routers with MPCs, you need to initialize the filter counter for Trio-only match filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensure that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with the certain terminating actions. See those topics, listed under Related Documentation, for details.

Table 1 describes the match conditions you can configure at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for IPv6 Traffic

Match Condition

Description

address address [ except ]

Match the IPv6 source or destination address field unless the except option is included. If the option is included, do not match the IPv6 source or destination address field.

destination-address address [ except ]

Match the IPv6 destination address field unless the except option is included. If the option is included, do not match the IPv6 destination address field.

You cannot specify both the address and destination-address match conditions in the same term.

destination-port number

Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

Do not match the UDP or TCP destination port field. For details, see the destination-port match condition.

destination-prefix-list prefix-list-name [ except ]

Match the IPv6 destination prefix to the specified list unless the except option is included. If the option is included, do not match the IPv6 destination prefix to the specified list.

The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

extension-header header-type

Match an extension header type that is contained in the packet by identifying a Next Header value.

Note:

This match condition is only supported on MPCs in MX Series routers.

In the first fragment of a packet, the filter searches for a match in any of the extension header types. When a packet with a fragment header is found (a subsequent fragment), the filter only searches for a match of the next extension header type because the location of other extension headers is unpredictable.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), destination (60), esp (50), fragment (44), hop-by-hop (0), mobility (135), or routing (43).

To match any value for the extension header option, use the text synonym any.

For MX Series routers with MPCs, initialize new firewall filters that include this condition by walking the corresponding SNMP MIB.

extension-headers-except header-type

Do not match an extension header type that is contained in the packet. For details, see the extension-headers match condition.

Note:

This match condition is only supported on MPCs in MX Series routers.

first-fragment

Match if the packet is the first fragment.

flexible-match-mask value

bit-length

Length of integer input (1..32 bits);

(Optional) Length of string input (1..128 bits)

bit-offset

Bit offset after the (match-start + byte) offset (0..7)

byte-offset

Byte offset after the match start point

flexible-mask-name

Select a flexible match from predefined template field

mask-in-hex

Mask out bits in the packet data to be matched

match-start

Start point to match in packet

prefix

Value data/string to be matched

flexible-match-range value

Ranges should use the following format: Integer-Integer

bit-length

Length of the data to be matched in bits (0..32)

bit-offset

Bit offset after the (match-start + byte) offset (0..7)

byte-offset

Byte offset after the match start point

flexible-range-name

Select a flexible match from predefined template field

match-start

Start point to match in packet

range

Range of values to be matched

range-except

Do not match this range of values

forwarding-class class

Match the forwarding class of the packet.

Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match the forwarding class of the packet. For details, see the forwarding-class match condition.

hop-limit hop-limit

Match the hop limit to the specified hop limit or set of hop limits. For hop-limit, specify a single value or a range of values from 0 through 255.

Supported on interfaces hosted on MICs or MPCs in MX Series routers only.

Note:

This match condition is supported on PTX series routers when enhanced-mode is configured on the router.

hop-limit-except hop-limit

Do not match the hop limit to the specified hop limit or set of hop limits. For details, see the hop-limit match condition.

Supported on interfaces hosted on MICs or MPCs in MX Series routers only.

Note:

This match condition is supported on PTX series routers when enhanced-mode is configured on the router.

icmp-code message-code

Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • destination-unreachable: administratively-prohibited (1), address-unreachable (3), no-route-to-destination (0), port-unreachable (4)

icmp-code-except message-code

Do not match the ICMP message code field. For details, see the icmp-code match condition.

icmp-type message-type

Match the ICMP message type field.

If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148), destination-unreachable (1), echo-reply (129), echo-request (128), home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144), inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141), membership-query (130), membership-report (131), membership-termination (132), mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200 (200), private-experimentation-201 (201), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), or time-exceeded (3).

For private-experimentation-201 (201), you can also specify a range of values within square brackets.

icmp-type-except message-type

Do not match the ICMP message type field. For details, see the icmp-type match condition.

is-fragment

Match if the packet is a fragment.

 

last-fragment

Match if the packet is the last fragment.

 

loss-priority level

Match the packet loss priority (PLP) level.

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For IP traffic on MX Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

loss-priority-except level

Do not match the PLP level. For details, see the loss-priority match condition.

next-header header-type

Match the first 8-bit Next Header field in the packet. Support for the next-header firewall match condition is available in Junos OS Release 13.3R6 and later.

For IPv6, we recommend that you use the payload-protocol term rather than the next-header term when configuring a firewall filter with match conditions. Although either can be used, payload-protocol provides the more reliable match condition because it uses the actual payload protocol to find a match, whereas next-header simply takes whatever appears in the first header following the IPv6 header, which may or may not be the actual protocol. In addition, if next-header is used with IPv6, the accelerated filter block lookup process is bypassed and the standard filter used instead.

Match the first 8-bit Next Header field in the packet.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp  (17), or vrrp (112).

Note:

next-header icmp6 and next-header icmpv6 match conditions perform the same function. next-header icmp6 is the preferred option. next-header icmpv6 is hidden in the Junos OS CLI.

next-header-except header-type

Do not match the 8-bit Next Header field that identifies the type of header between the IPv6 header and payload. For details, see the next-header match type.

packet-length bytes

Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

packet-length-except bytes

Do not match the length of the received packet, in bytes. For details, see the packet-length match type.

payload-protocol protocol-type

Match the payload protocol type.

In place of the protocol-type numeric value, you can specify one of the following text synonyms (the field values are also listed): specify one or a set of of the following: ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58, igmp (2), ipip (4), ipv6 (41), no-next-header, ospf (89), pim (103), routing, rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112) (dstopts (60), fragment (44), hop-by-hop 0), and routing are not available in Junos OS Release 16.1 and later).

You can also use the payload-protocol condition to match an extension header type that the Juniper Networks firmware cannot interpret. You can specify a range of extension header values within square brackets. When the firmware finds the first extension header type that it cannot interpret in a packet, the payload-protocol value is set to that extension header type. The firewall filter only examines the first extension header type that the firmware cannot interpret in the packet.

Note:

This match condition is only supported on MPCs on MX Series Routers. Initialize new firewall filters that include this condition by walking the corresponding SNMP MIB.

payload-protocol-except protocol-type

Do not match the payload protocol type. For details, see the payload-protocol match type.

Note:

This match condition is only supported on MPCs on MX Series Routers

port number

Match the UDP or TCP source or destination port field.

If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

port-except number

Do not match the UDP or TCP source or destination port field. For details, see the port match condition.

prefix-list prefix-list-name [ except ]

Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the except option is included. If the option is included, do not match the prefixes of the source or destination address fields to the prefixes in the specified list.

The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

service-filter-hit

Match a packet received from a filter where a service-filter-hit action was applied.

source-address address [ except ]

Match the IPv6 address of the source node sending the packet unless the except option is included. If the option is included, do not match the IPv6 address of the source node sending the packet.

You cannot specify both the address and source-address match conditions in the same term.

source-port number

Match the UDP or TCP source port field.

You cannot specify the port and source-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

source-port-except number

Do not match the UDP or TCP source port field. For details, see the source-port match condition.

source-prefix-list name [ except ]

Match the IPv6 address prefix of the packet source field unless the except option is included. If the option is included, do not match the IPv6 address prefix of the packet source field.

Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

tcp-established

Match TCP packets other than the first packet of a connection. This is a text synonym for tcp-flags "(ack | rst)" (0x14).

Note:

This condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition.

If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term.

tcp-flags flags

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.

If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.

tcp-initial

Match the initial packet of a TCP connection. This is a text synonym for tcp-flags "(!ack & syn)".

This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term.

traffic-class number

Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet.

This field was previously used as the type-of-service (ToS) field in IPv4.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

    • af11 (10), af12 (12), af13 (14)

    • af21 (18), af22 (20), af23 (22)

    • af31 (26), af32 (28), af33 (30)

    • af41 (34), af42 (36), af43 (38)

traffic-class-except number

Do not match the 8-bit field that specifies the CoS priority of the packet. For details, see the traffic-class match description.

Note:

If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture.