Service Filter Match Conditions for IPv4 or IPv6 Traffic

Service filters support only a subset of the stateless firewall filter match conditions for IPv4 and IPv6 traffic. Table 1 describes the service filter match conditions.

Table 1: Service Filter Match Conditions for IPv4 or IPv6 Traffic

Columns: Match Condition | Description | Protocol Families

address address

Match the IP source or destination address field.

  • family inet

  • family inet6

 

address address except

Do not match the IP source or destination address field.

  • family inet

  • family inet6

 

ah-spi spi-value

(M Series routers, except M120 and M320) Match on the IPsec authentication header (AH) security parameter index (SPI) value.

  • family inet

 

ah-spi-except spi-value

(M Series routers, except M120 and M320) Do not match on the IPsec AH SPI value.

  • family inet

 

destination-address address

Match the IP destination address field.

You cannot specify both the address and destination-address match conditions in the same term.

  • family inet

  • family inet6

 

destination-address address except

Do not match the IP destination address field.

You cannot specify both the address and destination-address match conditions in the same term.

  • family inet

  • family inet6

 

destination-port number

Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

  • family inet

  • family inet6

 

destination-port-except number

Do not match the UDP or TCP destination port field. For details, see the destination-port match description.

  • family inet

  • family inet6

destination-prefix-list name

Match the list of destination prefixes. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

  • family inet

  • family inet6

 

esp-spi value

Match the IPsec encapsulating security payload (ESP) SPI value. Specify a single value or a range of values. You can specify a value in hexadecimal, binary, or decimal form. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

  • family inet

  • family inet6

 

esp-spi-except value

Do not match the IPsec ESP SPI value or range of values. For details, see the esp-spi match condition.

  • family inet

  • family inet6

 

first-fragment

Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0.

This match condition is an alias for the bit-field match condition fragment-offset 0.

To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.

  • family inet

 

forwarding-class

Match one or more of the following specified packet forwarding classes:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

  • user-defined-name

For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

  • family inet

  • family inet6

forwarding-class-except

Do not match one or more of the following specified packet forwarding classes:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

  • user-defined-name

  • family inet

  • family inet6

fragment-flags number

(Ingress only) Match the three-bit IP fragmentation flags field in the IP header.

In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

  • family inet

 

fragment-offset number

Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet.

The first-fragment match condition is an alias for the fragment-offset 0 match condition.

To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

  • family inet

 

fragment-offset-except number

Do not match the 13-bit fragment offset field.

  • family inet

 

interface-group group-number

Match the interface group (set of one or more logical interfaces) on which the packet was received. For group-number, specify a value from 0 through 255.

For information about configuring interface groups, see Filtering Packets Received on a Set of Interface Groups Overview.

  • family inet

  • family inet6

 

interface-group-except group-number

Do not match the interface group on which the packet was received. For details, see the interface-group match condition.

  • family inet

  • family inet6

 

ip-options values

Match the 8-bit IP option field, if present, to the specified value or list of values.

In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68).

To match any value for the IP option, use the text synonym any. To match on multiple values, specify the list of values within square brackets ([ and ]). To match a range of values, use the value specification value1-value2.

For example, the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route, record-route, or security values, or any other value from 0 through 147. However, this match condition does not match on an IP options field that contains only the router-alert value (148).

For most interfaces, a filter term that specifies an ip-option match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header.

  • For a firewall filter term that specifies an ip-option match on one or more specific IP option values, you cannot specify the count, log, or syslog nonterminating actions unless you also specify the discard terminating action in the same term. This behavior prevents double-counting of packets for a filter applied to a transit interface on the router (or switch).

  • Packets processed by the kernel might be dropped if the system becomes a bottleneck. To ensure that matched packets are instead handled by the Packet Forwarding Engine (where packet processing is implemented in hardware), use the ip-options any match condition.

The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. This capability is also supported on EX Series switches. For interfaces configured on those MPCs, all packets that are matched using the ip-options match condition are sent to the Packet Forwarding Engine for processing.

  • family inet

ip-options-except values

Do not match the IP option field to the specified value or list of values. For details about specifying the values, see the ip-options match condition.

  • family inet

 

is-fragment

Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet.

This match condition is an alias for the bit-field match condition fragment-offset-except 0 (any fragment offset other than 0).

Note:

To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

  • family inet

 

loss-priority

Match one or more of the following specified packet loss priority (PLP) levels:

  • low

  • medium-low

  • medium-high

  • high

The PLP is used by schedulers in conjunction with the random early discard (RED) algorithm to control packet discard during periods of congestion. For information about PLP, see Managing Congestion by Setting Packet Loss Priority for Different Traffic Flows and Overview of Assigning Service Levels to Packets Based on Multiple Packet Header Fields.

  • family inet

  • family inet6

loss-priority-except

Do not match one or more of the following specified packet loss priority (PLP) levels:

  • low

  • medium-low

  • medium-high

  • high

  • family inet

  • family inet6

port number

Match the UDP or TCP source or destination port field.

If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed under destination-port.

  • family inet

  • family inet6

 

port-except number

Do not match the UDP or TCP source or destination port field. For details, see the port match condition.

  • family inet

  • family inet6

 

prefix-list prefix-list-name

Match the prefixes of the source or destination address fields to the prefixes in the specified list. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

  • family inet

  • family inet6

 

protocol number

Match the IP protocol type field.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

  • family inet

protocol-except number

Do not match the IP protocol type field. For details, see the protocol match condition.

  • family inet

 

source-address address

Match the IP source address.

You cannot specify both the address and source-address match conditions in the same term.

  • family inet

  • family inet6

 

source-address address except

Do not match the IP source address.

You cannot specify both the address and source-address match conditions in the same term.

  • family inet

  • family inet6

 

source-port number

Match the UDP or TCP source port field.

You cannot specify both the port and source-port match conditions in the same term.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

  • family inet

  • family inet6

 

source-port-except number

Do not match the UDP or TCP source port field. For details, see the source-port match condition.

  • family inet

  • family inet6

 

source-prefix-list name

Match source prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

  • family inet

  • family inet6

 

tcp-flags value

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port.

If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.

  • family inet

  • family inet6
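As an added illustration (not Junos code and not part of this documentation), the following Python models how the fragment conditions described earlier in the table (first-fragment, is-fragment, fragment-flags) and the tcp-flags condition read a raw IPv4 packet, and why the table recommends qualifying a tcp-flags or port match with protocol tcp. The function names, field names and packet bytes are constructed for the example.

```python
import struct

# Illustrative model (not Junos code) of how some of the table's match conditions
# read a raw IPv4 packet: first-fragment, is-fragment, fragment-flags, and
# tcp-flags with the protocol tcp qualifier the table recommends.
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
FRAG_FLAGS = {"dont-fragment": 0x4, "more-fragments": 0x2, "reserved": 0x8}
TCP, UDP = 6, 17

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the header fields the match conditions look at."""
    ihl = (pkt[0] & 0x0F) * 4
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    return {"fragment-flags": (flags_frag >> 12) & 0xE,  # 3 bits, as the table's keyword values
            "fragment-offset": flags_frag & 0x1FFF,      # 13 bits, in 8-byte units
            "protocol": pkt[9], "payload": pkt[ihl:]}

def first_fragment(hdr: dict) -> bool:
    # Alias for fragment-offset 0; an unfragmented packet also has offset 0.
    return hdr["fragment-offset"] == 0

def is_fragment(hdr: dict) -> bool:
    # Alias for fragment-offset-except 0: trailing fragments only.
    return hdr["fragment-offset"] != 0

def fragment_flags(hdr: dict, keyword: str) -> bool:
    return bool(hdr["fragment-flags"] & FRAG_FLAGS[keyword])

def tcp_flags(hdr: dict, names, require_tcp: bool = True) -> bool:
    """tcp-flags match; require_tcp=True models adding protocol tcp to the term."""
    if require_tcp and hdr["protocol"] != TCP:
        return False
    wanted = 0
    for name in names:
        wanted |= TCP_FLAGS[name]
    # Without the protocol qualifier, byte 13 of whatever follows the IP header
    # is read as though it were the TCP flags byte.
    return len(hdr["payload"]) > 13 and hdr["payload"][13] & wanted == wanted

def build_ipv4(proto: int, frag_flags: int, offset: int, payload: bytes) -> bytes:
    """Constructed sample packet (header checksum left 0, not a real capture)."""
    word = ((frag_flags & 0xE) << 12) | (offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, word,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload

# Constructed samples: a TCP SYN to port 22, and a UDP datagram whose byte 13
# happens to hold the syn value 0x02.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
UDP_LOOKALIKE = struct.pack("!HHHH", 40000, 53, 14, 0) + b"\x00" * 5 + b"\x02"
```

Evaluating the UDP sample with require_tcp=False shows the false match that the recommended protocol tcp qualifier prevents.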

 
Note:

If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see “IPv6 Overview” in the Junos OS Routing Protocols Library for Routing Devices.