flexible-match-ranges
Syntax
flexible-match-ranges <flexible-ranges-name>
Hierarchy Level
[edit firewall family <inet | inet6 | ethernet-switching> filter <filter-name> term <term-name> from]
Description
Configure multiple flex match ranges within the same term, allowing traffic to be filtered based on several criteria simultaneously. Supported for family inet, inet6 and ethernet-switching.
flexible-match-ranges and
flexible-match-range cannot be configured in
the same term.
Options
-
match-start — Start point to match in packet.
payloadmatch-start is not supported. -
byte-offset — Byte offset after the match start point
-
bit-offset — Bit offset after the (match-start + byte) offset. (0..7)
-
bit-length —Length of the data to be matched in bits. (0..32)
-
range — Range of values to be matched.
-
flexible-range-name — Apply flexible-match template
The following example shows a configuration where flexible-match-ranges have been defined to match on multiple user-defined fields.
[edit]
root@host# show firewall
family inet6 {
filter f1 {
term t1 {
from {
flexible-match-ranges fr1 {
match-start layer-4;
byte-offset 4;
bit-offset 6;
bit-length 32;
range 200;
}
flexible-match-ranges fr2 {
match-start layer-3;
byte-offset 2;
bit-offset 6;
bit-length 24;
range 20-30;
}
flexible-match-ranges fr3 {
match-start layer-4;
byte-offset 4;
bit-offset 6;
bit-length 16;
range 0xab;
}
}
then {
accept;
}
}
}
}
The following example shows a configuration where flexible-match-ranges have been defined using flex-match template to match on multiple user-defined fields.
Define the template
set firewall flexible-match fm1 match-start layer-3 set firewall flexible-match fm1 byte-offset 40 set firewall flexible-match fm1 bit-offset 4 set firewall flexible-match fm1 bit-length 24
Apply template on flexible-match-ranges
set firewall family ethernet-switching filter f1 term t1 from flexible-match-ranges fr1 range 200 set firewall family ethernet-switching filter f1 term t1 from flexible-match-ranges fr1 flexible-range-name fm1
View the configuration
[edit]
root@host# show firewall
family ethernet-switching {
filter f1 {
term t1 {
from {
flexible-match-ranges fr1 {
range 200;
flexible-range-name fm1;
}
}
}
}
}
Required Privilege Level
interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Evolved Release 25.4R1