Firewall Filter Match Conditions Based on Bit-Field Values
Match Conditions for Bit-Field Values
Table 1 lists the firewall filter match conditions that are based on whether certain bit fields in a packet are set or not set. The second and third columns list the types of traffic for which the match condition is supported.
Bit-Field Match Condition | Match Values | Protocol Families for Standard Stateless Firewall Filters | Protocol Families for Service Filters
---|---|---|---
fragment-flags flags | Hexadecimal values or text aliases for the three-bit IP fragmentation flags field in the IP header. | family inet | family inet
fragment-offset value | Hexadecimal values or text aliases for the 13-bit fragment offset field in the IP header. | family inet | family inet
tcp-flags value† | Hexadecimal values or text aliases for the low-order 6 bits of the 8-bit TCP flags field in the TCP header. | family inet, family inet6, family vpls, family bridge | family inet, family inet6
† The Junos OS does not automatically check the first fragment bit when matching TCP flags for IPv4 traffic. To check the first fragment bit for IPv4 traffic only, use the first-fragment match condition. |
Match Conditions for Common Bit-Field Values or Combinations
Table 2 describes firewall filter match conditions that are based on whether certain commonly used values or combinations of bit fields in a packet are set or not set.
You can use text synonyms to specify some common bit-field matches. In the previous example, you can specify tcp-initial as the same match condition.
Some of the numeric range and bit-field match conditions allow you to specify a text synonym. For a complete list of synonyms:
If you are using the J-Web interface, select the synonym from the appropriate list.
If you are using the CLI, type a question mark (?) after the from statement.
Match Condition | Description | Protocol Families for Standard Stateless Firewall Filters | Protocol Families for Service Filters
---|---|---|---
first-fragment | Text alias for the bit-field match condition fragment-offset 0, which indicates the first fragment of a fragmented packet. | family inet | family inet
is-fragment | Text alias for the bit-field match condition fragment-offset 0 except, which indicates a trailing fragment of a fragmented packet. | family inet | family inet
tcp-established | Alias for the bit-field match condition tcp-flags "(ack \| rst)", which indicates an established TCP session, but not the first packet of a TCP connection. | family inet, family inet6 | —
tcp-initial | Alias for the bit-field match condition tcp-flags "(!ack & syn)", which indicates the first packet of a TCP connection, but not an established TCP session. | family inet, family inet6 | —
Logical Operators for Bit-Field Values
Table 3 lists the logical operators you can apply to single bit-field values when specifying stateless firewall filter match conditions. The operators are listed in order, from highest precedence to lowest precedence. Operations are left-associative, meaning that the operations are processed from left to right.
Precedence Order | Bit-Field Logical Operator | Description
---|---|---
1 | (complex-match-condition) | Grouping—The complex match condition is evaluated before any operators outside the parentheses are applied.
2 | ! match-condition | Negation—A match occurs if the match condition is false.
3 | match-condition-1 & match-condition-2 or match-condition-1 + match-condition-2 | Logical AND—A match occurs if both match conditions are true.
4 | match-condition-1 \| match-condition-2 or match-condition-1 , match-condition-2 | Logical OR—A match occurs if either match condition is true.
Matching on a Single Bit-Field Value or Text Alias
For the fragment-flags and tcp-flags bit-match conditions, you can specify firewall filter match conditions based on whether a particular bit in the packet field is set or not set.
Numeric value to specify a single bit—You can specify a single bit-field match condition by using a numeric value that has one bit set. Depending on the match condition, you can specify a decimal value, a binary value, or a hexadecimal value. To specify a binary value, specify the number with the prefix b. To specify a hexadecimal value, specify the number with the prefix 0x.
In the following example, a match occurs if the RST bit (0x04) in the TCP flags field is set:
```
[edit firewall family inet filter filter_tcp_rst_number term term1 from]
user@host# set tcp-flags 0x04
```
Text alias to specify a single bit—You generally specify a single bit-field match condition by using a text alias enclosed in double-quotation marks (“ ”).
In the following example, a match occurs if the RST bit in the TCP flags field is set:
```
[edit firewall family inet filter filter_tcp_rst_alias term term1 from]
user@host# set tcp-flags "rst"
```
Matching on Multiple Bit-Field Values or Text Aliases
You can specify a firewall filter match condition based on whether a particular set of bits in a packet field are set.
Numeric values to specify multiple set bits—When you specify a numeric value whose binary representation has more than one set bit, the value is treated as a logical AND of the set bits.
In the following example, the two match conditions are the same. A match occurs if either bit 0x01 or bit 0x02 is not set:
```
[edit firewall family inet filter reset_or_not_initial_packet term term5 from]
user@host# set tcp-flags "!0x3"
user@host# set tcp-flags "!(0x01 & 0x02)"
```
Text aliases that specify common bit-field matches—You can use text aliases to specify some common bit-field matches. You specify these matches as a single keyword.
In the following example, the tcp-established condition, which is an alias for "(ack | rst)", specifies that a match occurs on TCP packets other than the first packet of a connection:
```
[edit firewall family inet filter reset_or_not_initial_packet term term6 from]
user@host# set tcp-established
```
Matching on a Negated Bit-Field Value
To negate a match, precede the value with an exclamation point.
In the following example, a match occurs if the RST bit in the TCP flags field is not set:
```
[edit firewall family inet filter filter_tcp_rst term term1 from]
user@host# set tcp-flags "!rst"
```
Matching on the Logical OR of Two Bit-Field Values
You can use the logical OR operator (| or ,) to specify that a match occurs if a bit field matches either of the two bit-field values specified.
In the following example, a match occurs if the packet is not the initial packet in a TCP session:
```
[edit firewall family inet filter not_initial_packet term term3 from]
user@host# set tcp-flags "!syn | ack"
```
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. In a packet that is not the initial packet in a TCP session, either the SYN flag is not set or the ACK flag is set.
Matching on the Logical AND of Two Bit-Field Values
You can use the logical AND operator (& or +) to specify that a match occurs if a bit field matches both of the two bit-field values specified.
In the following example, a match occurs if the packet is the initial packet in a TCP session:
```
[edit firewall family inet filter initial_packet term term2 from]
user@host# set tcp-flags "syn & !ack"
```
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. In a packet that is an initial packet in a TCP session, the SYN flag is set and the ACK flag is not set.
Grouping Bit-Field Match Conditions
You can use parentheses to specify that the complex match condition inside the parentheses is evaluated before any operators outside the parentheses are applied.
In the following example, a match occurs if the packet is a TCP reset or if the packet is not the initial packet in the TCP session:
```
[edit firewall family inet filter reset_or_not_initial_packet term term4 from]
user@host# set tcp-flags "!(syn & !ack) | rst"
```
In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. In a packet that is not the initial packet in a TCP session, the SYN flag is not set and the ACK flag is set.
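The sections from "Matching on a Single Bit-Field Value or Text Alias" through "Grouping Bit-Field Match Conditions" describe one small expression language: numeric values (decimal, b-prefixed binary, 0x-prefixed hexadecimal) and text aliases, combined with the operators of Table 3. The following Python evaluator is an added example, not code from Juniper or from Junos OS; it implements that grammar as read from Table 3 (grouping, then negation, then & or +, then | or ,, left-associative), treats a multi-bit numeric value as the logical AND of its bits as the text states, expands the tcp-established and tcp-initial synonyms of Table 2, and can brute-force whether two expressions match the same set of flag bytes. Only the ack, rst and syn aliases appear on this page; the fin, push and urgent names, the tokenizer, and the bit layout of the other flags are assumptions made here.

```python
"""Evaluator for Junos-style tcp-flags match expressions (added example, not Juniper code).
Grammar follows Table 3 as I read it: grouping, then !, then & or +, then | or , (left-assoc).
Alias names other than ack, rst and syn, and the tokenizer itself, are assumptions."""
import re

# Low-order 6 bits of the TCP flags byte (RFC 793 layout); only ack, rst, syn are on the page.
TCP_FLAG_ALIASES = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}

# Text synonyms from Table 2, expanded to the expressions the page gives for them.
SYNONYMS = {"tcp-established": "(ack | rst)", "tcp-initial": "(!ack & syn)"}

# Hex (0x prefix), binary (b prefix), decimal, alias, or a single operator character.
_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|b[01]+|[0-9]+|[a-z][a-z-]*|[()!&+|,])")


def tokenize(expr):
    """Split an expression into tokens; reject anything outside the grammar."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _value(tok):
    """Resolve an alias or numeric token (0x hex, b binary, or decimal) to its bit mask."""
    if tok in TCP_FLAG_ALIASES:
        return TCP_FLAG_ALIASES[tok]
    try:
        if tok.startswith("0x"):
            return int(tok, 16)
        return int(tok[1:], 2) if tok.startswith("b") else int(tok, 10)
    except (AttributeError, ValueError):
        raise ValueError(f"unexpected token {tok!r}") from None


class _Parser:
    """Recursive-descent parser producing nested tuples such as ("and", a, b)."""
    # Table 3 precedence levels 4 and 3, lowest first; each level is left-associative.
    LEVELS = (("or", ("|", ",")), ("and", ("&", "+")))

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def parse(self):
        node = self.binary(0)
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def binary(self, level):
        if level == len(self.LEVELS):
            return self.unary()
        kind, ops = self.LEVELS[level]
        node = self.binary(level + 1)
        while self.peek() in ops:  # left-associative: fold each operand into the left tree
            self.i += 1
            node = (kind, node, self.binary(level + 1))
        return node

    def unary(self):
        if self.peek() == "!":  # precedence 2: ! negates the operand right after it
            self.i += 1
            return ("not", self.unary())
        tok, self.i = self.peek(), self.i + 1
        if tok == "(":  # precedence 1: the group is evaluated before outside operators
            node = self.binary(0)
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.i += 1
            return node
        if tok in SYNONYMS:  # tcp-established / tcp-initial expand to their expressions
            return _Parser(tokenize(SYNONYMS[tok])).parse()
        return ("bits", _value(tok))


def _eval(node, flags):
    if node[0] == "bits":
        # A value with several bits set is the logical AND of those bits: all must be set.
        return (flags & node[1]) == node[1]
    if node[0] == "not":
        return not _eval(node[1], flags)
    if node[0] == "and":
        return _eval(node[1], flags) and _eval(node[2], flags)
    return _eval(node[1], flags) or _eval(node[2], flags)


def matches(expr, flags):
    """True if the low-order 6 bits of a TCP flags byte satisfy the expression."""
    return _eval(_Parser(tokenize(expr)).parse(), flags & 0x3F)


def equivalent(expr_a, expr_b):
    """Brute-force check that two expressions agree on every 6-bit flag combination."""
    return all(matches(expr_a, f) == matches(expr_b, f) for f in range(64))
```

With constructed flag bytes for a SYN (0x02), SYN-ACK (0x12), ACK (0x10) and RST-ACK (0x14), `matches("tcp-initial", 0x02)` is true and `matches("tcp-established", 0x02)` is false, while `equivalent("!0x3", "!(0x01 & 0x02)")` and `equivalent("!(syn & !ack) | rst", "!syn | ack | rst")` both return true, confirming the equivalences the examples above claim. Checking a rewritten term with `equivalent` before committing it is a cheap way to be sure it still selects the same packets. The evaluator assumes the TCP header is present; per the footnote to Table 1, for IPv4 the device does not check the first-fragment bit when matching tcp-flags, so a term that must not match trailing fragments should also carry the first-fragment condition.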