Firewall Filter Match Conditions for IPv6 Traffic
You can configure a firewall filter with match conditions for Internet Protocol version 6 (IPv6) traffic (family inet6).
For MX Series routers with MPCs, you need to initialize the filter counter for Trio-only match filters by walking the corresponding SNMP MIB, for example, show snmp mib walk name ascii. This forces Junos to learn the filter counters and ensures that the filter statistics are displayed. This guidance applies to all enhanced mode firewall filters, filters with flexible conditions, and filters with certain terminating actions. See those topics, listed under Related Documentation, for details.
Table 1 describes the match conditions you can configure at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy level.
| Match Condition | Description |
|---|---|
| | Match the IPv6 source or destination address field unless the |
| | Specify which groups to inherit configuration data from. You can specify more than one group name. You must list them in order of inheritance priority. The configuration data in the first group takes priority over the data in subsequent groups. |
| | Specify which groups not to inherit configuration data from. You can specify more than one group name. |
| | Match the IPv6 destination address field unless the You cannot specify both the |
| | Match one or more specified destination class names (sets of destination prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes. |
| | Do not match one or more specified destination class names. For details, see the |
| | Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition, we recommend that you also configure the Note: For Junos OS Evolved, you must configure the In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): |
| | Do not match the UDP or TCP destination port field. For details, see the |
| | Match the IPv6 destination prefix to the specified list unless the The prefix list is defined at the |
| | Match an extension header type that is contained in the packet by identifying a Next Header value. Note: This match condition is only supported on MPCs in MX Series routers. In the first fragment of a packet, the filter searches for a match in any of the extension header types. When a packet with a fragment header is found (a subsequent fragment), the filter only searches for a match of the next extension header type because the location of other extension headers is unpredictable. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): To match any value for the extension header option, use the text synonym For MX Series routers with MPCs, initialize new firewall filters that include this condition by walking the corresponding SNMP MIB. |
| | Match if the packet is the first fragment. |
| flow-label flow-label-value | Match the 20-bit flow-label field in the header of an IPv6 packet. Values range from 0x1 to 0xFFFFF. The flow-label and next-header match conditions cannot coexist; only one of these match conditions can be applied at a time. To enable flow-label and disable next-header, apply the following configuration: The following table summarizes the behavior of the flow-label match condition with the next-header condition. Note: The |
| flow-label flow-label-value mask mask-value | In addition to the regular flow-label value, you can use a mask value when configuring the match; the mask value matches specific bits of the given flow-label value. Note: The |
| | Do not match an extension header type that is contained in the packet. For details, see the Note: This match condition is only supported on MPCs in MX Series routers. |
| | Options: length of integer input (1..32 bits), or (optional) length of string input (1..128 bits); bit offset after the (match-start + byte) offset (0..7); byte offset after the match start point; select a flexible match from a predefined template field; mask out bits in the packet data to be matched; start point to match in the packet; value data/string to be matched. See Firewall Filter Flexible Match Conditions for details. |
| | Ranges should use the following format: Integer-Integer. Options: length of the data to be matched in bits (0..32); bit offset after the (match-start + byte) offset (0..7); byte offset after the match start point; select a flexible match from a predefined template field; start point to match in the packet; range of values to be matched; do not match this range of values. See Firewall Filter Flexible Match Conditions for details. |
| | Match the forwarding class of the packet. Specify For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues. |
| | Do not match the forwarding class of the packet. For details, see the |
| | Match the hop limit to the specified hop limit or set of hop limits. For Supported on interfaces hosted on MICs or MPCs in MX Series routers only. Note: This match condition is supported on PTX Series routers when |
| | Do not match the hop limit to the specified hop limit or set of hop limits. For details, see the Supported on interfaces hosted on MICs or MPCs in MX Series routers only. Note: This match condition is supported on PTX Series routers when |
| | Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the If you configure this match condition, you must also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: |
| | Do not match the ICMP message code field. For details, see the |
| | Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the Note: For Junos OS Evolved, you must configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): For |
| | Do not match the ICMP message type field. For details, see the |
| | Match the interface on which the packet was received. Note: If you configure this match condition with an interface that does not exist, the term does not match any packet. |
| | Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For To assign a logical interface to an interface group For more information, see Filtering Packets Received on a Set of Interface Groups Overview. |
| | Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the |
| | Match the interface on which the packet was received to the specified interface set. To define an interface set, include the For more information, see Filtering Packets Received on an Interface Set Overview. |
| | Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): To match any value for the IP option, use the text synonym For example, the match condition For most interfaces, a filter term that specifies an The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 100-Gigabit Ethernet MPC, 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. For interfaces configured on those MPCs, all packets that are matched using the |
| | Do not match the IP option field to the specified value or list of values. For details about specifying the |
| | Match if the packet is a fragment. |
| | Match if the packet is the last fragment. |
| | Match the packet loss priority (PLP) level. Specify a single level or multiple levels: Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches. For IP traffic on M320, MX Series, T Series routers and EX Series switches with Enhanced II Flexible PIC Concentrators (FPCs), you must include the For information about the |
| | Do not match the PLP level. For details, see the |
| | Match the first 8-bit Next Header field in the packet. Support for the Note: MX platforms have a In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): Note: |
| | Do not match the 8-bit Next Header field that identifies the type of header between the IPv6 header and payload. For details, see the |
| | Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. |
| | Do not match the length of the received packet, in bytes. For details, see the |
| | Match the payload protocol type. In place of the You can also use the Note: This match condition is only supported on MPCs on MX Series routers. Initialize new firewall filters that include this condition by walking the corresponding SNMP MIB. |
| | Do not match the payload protocol type. For details, see the Note: This match condition is only supported on MPCs on MX Series routers. |
| | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the If you configure this match condition, we recommend that you also configure the Note: For Junos OS Evolved, you must configure the In place of the numeric value, you can specify one of the text synonyms listed under |
| | Do not match the UDP or TCP source or destination port field. For details, see the |
| | Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the The prefix list is defined at the |
| | Match a packet received from a filter where a |
| | Match the IPv6 address of the source node sending the packet unless the You cannot specify both the |
| | Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes. |
| | Do not match one or more specified source class names. For details, see the |
| | Match the UDP or TCP source port field. You cannot specify the If you configure this match condition, we recommend that you also configure the Note: For Junos OS Evolved, you must configure the In place of the numeric value, you can specify one of the text synonyms listed with the |
| | Do not match the UDP or TCP source port field. For details, see the |
| | Match the IPv6 address prefix of the packet source field unless the Specify a prefix list name defined at the |
| | Match TCP packets other than the first packet of a connection. This is a text synonym for Note: This condition does not implicitly check that the protocol is TCP. To check this, specify the If you configure this match condition, we recommend that you also configure the |
| | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the If you configure this match condition, we recommend that you also configure the |
| | Match the initial packet of a TCP connection. This is a text synonym for This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the |
| | Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet. This field was previously used as the type-of-service (ToS) field in IPv4. You can specify a numeric value from In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
| | Do not match the 8-bit field that specifies the CoS priority of the packet. For details, see the |
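The following is an added example, not configuration from this page or from Juniper, of an inet6 filter that combines several of the match conditions in Table 1 to protect a router's control plane. It assumes an MX Series router with MPCs (required for the extension-header condition and for hop-limit), and the filter name PROTECT-RE-V6, the prefix list mgmt-v6 with the documentation prefix 2001:db8:1::/64, and the counter names are all constructed placeholders. The allow-established term pairs tcp-established with next-header tcp because, as the table notes, tcp-established does not itself check that the protocol is TCP.

```junos
# Added example; PROTECT-RE-V6, mgmt-v6 and the counter names are placeholders.
set policy-options prefix-list mgmt-v6 2001:db8:1::/64
set firewall family inet6 filter PROTECT-RE-V6 term allow-established from next-header tcp
set firewall family inet6 filter PROTECT-RE-V6 term allow-established from tcp-established
set firewall family inet6 filter PROTECT-RE-V6 term allow-established then accept
set firewall family inet6 filter PROTECT-RE-V6 term allow-ssh-from-mgmt from source-prefix-list mgmt-v6
set firewall family inet6 filter PROTECT-RE-V6 term allow-ssh-from-mgmt from next-header tcp
set firewall family inet6 filter PROTECT-RE-V6 term allow-ssh-from-mgmt from destination-port ssh
set firewall family inet6 filter PROTECT-RE-V6 term allow-ssh-from-mgmt then accept
set firewall family inet6 filter PROTECT-RE-V6 term allow-nd from next-header icmp6
set firewall family inet6 filter PROTECT-RE-V6 term allow-nd from icmp-type neighbor-solicit
set firewall family inet6 filter PROTECT-RE-V6 term allow-nd from icmp-type neighbor-advertisement
set firewall family inet6 filter PROTECT-RE-V6 term allow-nd from hop-limit 255
set firewall family inet6 filter PROTECT-RE-V6 term allow-nd then accept
set firewall family inet6 filter PROTECT-RE-V6 term drop-routing-header from extension-header routing
set firewall family inet6 filter PROTECT-RE-V6 term drop-routing-header then count rh-drops
set firewall family inet6 filter PROTECT-RE-V6 term drop-routing-header then discard
set firewall family inet6 filter PROTECT-RE-V6 term default then count v6-default-drops
set firewall family inet6 filter PROTECT-RE-V6 term default then discard
set interfaces lo0 unit 0 family inet6 filter input PROTECT-RE-V6
```

Terms are evaluated in order, so the established-session and management terms come before the discards, and the final term counts what is dropped so the counter can be watched for unexpected traffic. Because the filter uses the extension-header condition on an MPC, walk the corresponding SNMP MIB after committing, as described at the top of this page, so that the rh-drops and v6-default-drops counters are displayed. The flow-label condition is deliberately absent: the table states that flow-label and next-header cannot be applied at the same time.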
The source-port-range-optimize and destination-port-range-optimize match conditions are supported for IPv6 firewall filters in the ingress direction at the [edit firewall family inet6 filter <filter-name> term <term-name> from] hierarchy level.
Limited TCAM space is available for programming filter entries, and it may be exhausted when a filter matches on a large number of source or destination port ranges. To resolve this, configure source-port-range-optimize and destination-port-range-optimize from the CLI; they considerably reduce the number of TCAM entries used when source or destination port ranges are configured in firewall filter match conditions. An example configuration is shown below.
set firewall family ethernet-switching filter TEST term t1 from source-port 2000-10000
set firewall family ethernet-switching filter TEST term t1 from source-port-range-optimize
set firewall family ethernet-switching filter TEST term t1 from destination-port 3000-9000
set firewall family ethernet-switching filter TEST term t1 from destination-port-range-optimize
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
The next-header firewall match condition is available in Junos OS Release 13.3R6 and later.