Service Filter Match Conditions for IPv4 or IPv6 Traffic
Service filters support only a subset of the stateless firewall filter match conditions for IPv4 and IPv6 traffic. Table 1 describes the service filter match conditions.
| Match Condition | Description | Protocol Families |
|---|---|---|
| | Match the IP source or destination address field. | |
| | Do not match the IP source or destination address field. | |
| | (M Series routers, except M120 and M320) Match on the IPsec authentication header (AH) security parameter index (SPI) value. | |
| | (M Series routers, except M120 and M320) Do not match on the IPsec AH SPI value. | |
| | Match the IP destination address field. You cannot specify both the | |
| | Do not match the IP destination address field. You cannot specify both the | |
| | Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition for IPv4 traffic, we recommend that you also configure the If you configure this match condition for IPv6 traffic, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): | |
| | Do not match the UDP or TCP destination port field. For details, see the | |
| | Match the list of destination prefixes. The prefix list is defined at the | |
| | Match the IPsec encapsulating security payload (ESP) SPI value. Specify a single value or a range of values. You can specify a value in hexadecimal, binary, or decimal form. To specify the value in hexadecimal form, include | |
| | Do not match the IPsec ESP SPI value or range of values. For details, see the | |
| | Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of This match condition is an alias for the bit-field match condition To match both first and trailing fragments, you can use two terms that specify different match conditions: | |
| | Match one or more of the following specified packet forwarding classes: For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues. | |
| | Do not match one or more of the following specified packet forwarding classes: | |
| | (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): | |
| | Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of The To match both first and trailing fragments, you can use two terms that specify different match conditions ( | |
| | Do not match the 13-bit fragment offset field. | |
| | Match the interface group (set of one or more logical interfaces) on which the packet was received. For For information about configuring interface groups, see Filtering Packets Received on a Set of Interface Groups Overview. | |
| | Do not match the interface group on which the packet was received. For details, see the | |
| | Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): To match any value for the IP option, use the text synonym For example, the match condition For most interfaces, a filter term that specifies an The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers and EX Series switches are capable of parsing the IP option field of the IPv4 packet header. This capability is supported on EX Series switches also. For interfaces configured on those MPCs, all packets that are matched using the | |
| | Do not match the IP option field to the specified value or list of values. For details about specifying the | |
| | Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet. This match condition is an alias for the bit-field match condition Note: To match both first and trailing fragments, you can use two terms that specify different match conditions ( | |
| | Match one or more of the following specified packet loss priority (PLP) levels: The PLP is used by schedulers in conjunction with the random early discard (RED) algorithm to control packet discard during periods of congestion. For information about PLP, see Managing Congestion by Setting Packet Loss Priority for Different Traffic Flows and Overview of Assigning Service Levels to Packets Based on Multiple Packet Header Fields. | |
| | Do not match one or more of the following specified packet loss priority (PLP) levels: | |
| | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the If you configure this match condition for IPv4 traffic, we recommend that you also configure the If you configure this match condition for IPv6 traffic, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed under | |
| | Do not match the UDP or TCP source or destination port field. For details, see the | |
| | Match the prefixes of the source or destination address fields to the prefixes in the specified list. The prefix list is defined at the | |
| | Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): | |
| | Do not match the IP protocol type field. For details, see the | |
| | Match the IP source address. You cannot specify both the | |
| | Do not match the IP source address. You cannot specify both the | |
| | Match the UDP or TCP source port field. You cannot specify the If you configure this match condition for IPv4 traffic, we recommend that you also configure the If you configure this match condition for IPv6 traffic, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed with the | |
| | Do not match the UDP or TCP source port field. For details, see the | |
| | Match source prefixes in the specified list. Specify the name of a prefix list defined at the | |
| | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the If you configure this match condition for IPv4 traffic, we recommend that you also configure the If you configure this match condition for IPv6 traffic, we recommend that you also configure the | |
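As an added illustration that is not part of the Junos documentation, the following Python parses the IPv4 fragmentation fields (3-bit flags, 13-bit offset in 8-byte units) and the low-order 6 TCP flag bits that the table describes, and evaluates the first-fragment, is-fragment, fragment-offset and tcp-flags conditions on constructed headers. The Junos keyword names are assumed from the product; the bit values follow RFC 791 and RFC 793, and the helper functions and sample headers are constructed here.

```python
import struct

# 3-bit IP flags field as it appears in the fragment-flags condition (RFC 791 bit order).
IP_FLAG_RESERVED, IP_FLAG_DF, IP_FLAG_MF = 0x4, 0x2, 0x1
# Low-order 6 bits of the TCP flags byte, the range matched by the tcp-flags condition.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def parse_fragment_fields(ipv4_header: bytes) -> dict:
    """Split the 16-bit word at byte offset 6 into the 3-bit flags and 13-bit offset."""
    if len(ipv4_header) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    word = struct.unpack("!H", ipv4_header[6:8])[0]
    return {"flags": word >> 13, "offset": word & 0x1FFF}

def first_fragment(h: dict) -> bool:
    # Same test as fragment-offset 0 (RFC 791: first fragment has offset 0). It is also
    # true for unfragmented packets, so trailing fragments need a separate term.
    return h["offset"] == 0

def is_fragment(h: dict) -> bool:
    # Trailing fragments carry a non-zero offset (in 8-byte units).
    return h["offset"] != 0

def fragment_offset_in(h: dict, low: int, high: int) -> bool:
    """fragment-offset with a range; low and high are in 8-byte units."""
    return low <= h["offset"] <= high

def tcp_flags_match(tcp_header: bytes, must_set: int, must_clear: int = 0) -> bool:
    """Bit-field match on the low 6 TCP flag bits, e.g. SYN set and ACK clear."""
    flags = tcp_header[13] & 0x3F
    return (flags & must_set) == must_set and (flags & must_clear) == 0

def make_ipv4_header(flags: int, offset: int) -> bytes:
    """Constructed 20-byte IPv4 header (checksum left 0) for the sample packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, (flags << 13) | offset,
                       64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

def make_tcp_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header carrying the given flags byte."""
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, flags, 65535, 0, 0)

if __name__ == "__main__":
    for label, hdr in (("unfragmented", make_ipv4_header(IP_FLAG_DF, 0)),
                       ("trailing fragment", make_ipv4_header(IP_FLAG_MF, 185))):
        print(label, parse_fragment_fields(hdr))
```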
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see “IPv6 Overview” in the Junos OS Routing Protocols Library for Routing Devices.