Firewall Filter Match Conditions and Actions (ACX Series Routers)
On ACX Series Universal Metro Routers, you can configure firewall filters to filter packets and to perform an action on packets that match the filter. The match conditions specified to filter the packets are specific to the type of traffic being filtered.
Firewall filters with IPv6 match conditions are not supported at the firewall family inet6 filter name hierarchy level on ACX6360-OR routers in Junos OS Release 19.1R1.
On ACX Series routers, a filter for exiting traffic (an egress filter) can be applied only to interface-specific instances of the firewall filter.
On ACX Series routers, TCAM errors occur when you modify a prefix or a term in a firewall filter that is already applied. To modify a prefix or a term, remove the existing firewall filter and then apply the modified filter.
On ACX Series routers, you cannot apply a firewall filter in the egress direction on IRB interfaces.
Overview of Firewall Filter Match Conditions and Actions on ACX Series Routers
Table 1 describes the types of traffic for which you can configure standard stateless firewall filters.
Traffic Type | Hierarchy Level at Which Match Conditions Are Specified |
---|---|
Protocol-independent | No match conditions are supported for this traffic type on ACX Series routers. |
IPv4 | For the complete list of match conditions, see Match Conditions for IPv4 Traffic (ACX Series Routers). |
MPLS | For the complete list of match conditions, see Match Conditions for MPLS Traffic (ACX Series Routers). |
Layer 2 CCC | No match conditions are supported for this traffic type on ACX Series routers. |
Bridge | |
On the ACX5448 router, the following ingress family filters can be scaled based on the availability of external TCAM:
- family ethernet-switching
- family ccc
- family inet
- family inet6
- family mpls
- family vpls
Under the then statement for a standard stateless firewall filter term, you can specify the actions to be taken on a packet that matches the term.
Table 2 summarizes the types of actions you can specify in a standard stateless firewall filter term.
Type of Action | Description | Comment |
---|---|---|
Terminating | Halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are used to examine the packet. You can specify only one terminating action in a standard firewall filter. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify | |
Nonterminating | Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet. | |
Match Conditions for Bridge Family Firewall Filters (ACX Series Routers)
Bridge Family Firewall Filters on ACX Series Routers
Bridge family firewall filters can be configured at the IFL-family level on ACX Series routers. Bridge family filters match Layer 2 bridge flows on the supported Layer 2/Layer 3 fields and take the configured firewall action. The maximum number of terms supported for bridge firewall filters on ACX Series routers is 124.
On ACX5448 and ACX7000 Series routers, apply Layer 2 firewall filters only to Layer 2 switched packets, even if the bridge domain has an IRB attached. If a packet is Layer 3 forwarded, Layer 3 filters must be applied on the IRB.
On ACX Series routers, you cannot apply a firewall filter in the egress direction on IRB interfaces.
Table 3 shows the match conditions supported for bridge family filters.
Match Condition | Description |
---|---|
apply-groups | Set the groups from which to inherit configuration data |
apply-groups-except | Set which groups will not broadcast configuration data |
destination-mac-address | Set the destination MAC address |
destination-port | Match the TCP/UDP destination port |
 | Match IP destination prefixes in named list. |
dscp | Match the Differentiated Services (DiffServ) code point |
ether-type | Match the Ethernet type |
icmp-code | Match an ICMP message code |
icmp-type | Match an ICMP message type |
interface-group | Match an interface group |
ip-destination-address | Match an IP destination address |
ip-precedence | Match an IP precedence value |
ip-protocol | Match an IP protocol type |
ip-source-address | Match an IP source address |
learn-vlan-1p-priority | Match the learned 802.1p VLAN priority |
learn-vlan-dei | Match the user VLAN ID DEI bit |
learn-vlan-id | Match a learned VLAN ID |
source-mac-address | Set the source MAC address |
 | Match IP source prefixes in named list. |
source-port | Match a TCP/UDP source port |
user-vlan-1p-priority | Match the user 802.1p VLAN priority |
user-vlan-id | Match a user VLAN ID |
vlan-ether-type | Match a VLAN Ethernet type |
Table 4 shows the action fields supported.
Action Field | Description |
---|---|
accept | Accept the packet |
count | Count the packet in the named counter |
discard | Discard the packet |
forwarding-class | Classify the packet to a forwarding class |
loss-priority | Set the packet's loss priority |
log | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI). |
policer | Name of the policer to use to rate-limit traffic |
syslog | Log the packet to the system log file. |
three-color-policer | Police the packet using a three-color-policer |
Bridge family firewall filters can be applied as an output filter on Layer 2 interfaces. When the Layer 2 interface is in a bridge domain configured with the vlan-id statement, ACX Series routers can match the outer VLAN of the packet using the user-vlan-id match condition specified in the bridge family firewall filter.
Match Conditions for CCC Firewall Family Filters (ACX Series Routers)
Match Conditions for CCC Family Firewall Filters
On ACX Series routers, you can configure a standard firewall filter with match conditions for circuit cross-connection (CCC) traffic (family ccc).
Table 5 describes the match conditions you can configure at the [edit firewall family ccc filter filter-name term term-name] hierarchy level.
Field | Description |
---|---|
 | Destination MAC address |
 | Matches TCP/UDP destination port |
 | Matches differentiated services (DiffServ) code point |
 | Matches ICMP message code |
 | Matches ICMP message type |
 | Matches destination IP address |
 | Matches IP precedence value |
 | Matches IP protocol type |
 | Matches source IP address |
 | Matches learned 802.1p VLAN priority |
 | Source MAC address |
 | Matches TCP/UDP source port |
 | Matches user 802.1p VLAN priority |
Match Conditions for IPv4 Traffic (ACX Series Routers)
On ACX Series routers, you can configure a standard stateless firewall filter with match conditions for IP version 4 (IPv4) traffic (family inet). Table 6 describes the match conditions you can configure at the [edit firewall family inet filter filter-name term term-name from] hierarchy level.
Match Condition | Description |
---|---|
 | Match the IPv4 destination address field. Note: On ACX Series routers, you can specify only one destination address. A list of IPv4 destination addresses is not supported. |
 | Match the UDP or TCP destination port field. If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): |
 | Match IP destination prefixes in named list. |
 | Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
 | (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): |
 | Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the If you configure this match condition, you must also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: |
 | Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
 | Match the 8-bit IP option field, if present, to the specified value. ACX Series routers support only the Note: On ACX Series routers, you can specify only one IP option value. Configuring multiple values is not supported. |
 | Match the IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): |
 | Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
 | Match the IPv4 address of the source node sending the packet. |
 | Match the UDP or TCP source port field. If you configure this match condition for IPv4 traffic, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed with the |
 | Match IP source prefixes in named list. |
 | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the If you configure this match condition, we recommend that you also configure the |
 | Match the initial packet of a TCP connection. This is an alias for This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the |
 | Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For |
Match Conditions for IPv6 Traffic (ACX Series Routers)
You can configure a firewall filter with match conditions for Internet Protocol version 6 (IPv6) traffic (family inet6). Table 7 describes the match conditions you can configure at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy level.
Match Condition | Description | |
---|---|---|
 | Match the IPv6 destination address field. | |
 | Match the UDP or TCP destination port field. You cannot specify both the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): | |
 | Match IP destination prefixes in named list. | |
 | Match an extension header type that is contained in the packet by identifying a Next Header value. In the first fragment of a packet, the filter searches for a match in any of the extension header types. When a packet with a fragment header is found (a subsequent fragment), the filter only searches for a match of the next extension header type because the location of other extension headers is unpredictable. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): To match any value for the extension header option, use the text synonym Note: Only the first extension header of the IPv6 packet can be matched. L4 header beyond one IPv6 extension header will be matched. | |
 | Match the hop limit to the specified hop limit or set of hop limits. For | |
 | Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the If you configure this match condition, you must also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: | |
 | Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): For | |
 | Match the first 8-bit Next Header field in the packet. Support for the For IPv6, we recommend that you use the In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): Note: | |
 | Match the IPv6 address of the source node sending the packet. | |
 | Match the UDP or TCP source port field. You cannot specify the If you configure this match condition, we recommend that you also configure the In place of the numeric value, you can specify one of the text synonyms listed with the | |
 | Match IP source prefixes in named list. | |
 | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the If you configure this match condition, we recommend that you also configure the | |
 | Match the initial packet of a TCP connection. This is a text synonym for This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the | |
 | Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet. This field was previously used as the type-of-service (ToS) field in IPv4. You can specify a numeric value from In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): | |
If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.
The following is a sample firewall family inet6 configuration:

```
user@host# show firewall family inet6
filter ipv6-filter {
    term t1 {
        from {
            source-address {
                2001:0000:0020:0020:0000:0000:0000:0150/128;
            }
            destination-address {
                2001:0000:0040:0040:0000:0000:0000:0150/128;
            }
            next-header tcp;
            source-port 1000;
            destination-port 2000;
            extension-header dstopts;
            traffic-class ef;
            tcp-flags 0x20;
            hop-limit 254;
        }
        then count ipv6-t1-count;
    }
    term t2 {
        from {
            icmp-type neighbor-solicit;
        }
        then count ipv6-t2-count;
    }
}
```
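The tcp-flags rows of Table 6 and Table 7 (and the tcp-flags 0x20 term in the sample configuration above) describe a match over the low-order 6 bits of the TCP flags field, written as text synonyms or hexadecimal values and combined with the bit-field logical operators. The following Python model is an added example, not code from Juniper's documentation or from Junos: it compiles such an expression into a predicate and evaluates it against a packet's flags byte. The synonym spellings (fin, syn, rst, push, ack, urgent) and the operator precedence are assumptions; tcp-initial is modeled from the page's description of the initial packet (SYN set, ACK not yet set).

```python
import re

# Standard TCP flag bits; the synonym spellings (fin, syn, rst, push, ack,
# urgent) are assumed, the page lists them only by reference.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}
LOW6_MASK = 0x3F  # only the low-order 6 bits of the 8-bit field are matched
_TOKEN = re.compile(r"0x[0-9a-f]+|\d+|[a-z]+|[()&|!]|\S")


def compile_tcp_flags(expr):
    """Compile a tcp-flags expression into a predicate over the flags byte.
    Assumed precedence: '!' binds tightest, then '&', then '|'; parentheses
    group. A bare value matches when every bit it names is set."""
    toks = _TOKEN.findall(expr.lower())
    pos = 0  # parser cursor into toks

    def take():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of tcp-flags expression")
        pos += 1
        return toks[pos - 1]
    def peek():
        return toks[pos] if pos < len(toks) else None
    def parse_or():
        left = parse_and()
        while peek() == "|":
            take()
            left = (lambda l, r: lambda f: l(f) or r(f))(left, parse_and())
        return left
    def parse_and():
        left = parse_not()
        while peek() == "&":
            take()
            left = (lambda l, r: lambda f: l(f) and r(f))(left, parse_not())
        return left
    def parse_not():
        tok = take()
        if tok == "!":
            inner = parse_not()
            return lambda f: not inner(f)
        if tok == "(":
            inner = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in tcp-flags expression")
            return inner
        # text synonym, or a hexadecimal (0x..) / decimal value; high bits dropped
        bits = (FLAG_BITS[tok] if tok in FLAG_BITS else int(tok, 0)) & LOW6_MASK
        return lambda f: (f & bits) == bits

    pred = parse_or()
    if pos != len(toks):
        raise ValueError("trailing tokens in tcp-flags expression")
    return lambda flags_byte: pred(flags_byte & LOW6_MASK)


# tcp-initial as the page describes the first packet: SYN set, ACK not yet set.
TCP_INITIAL = compile_tcp_flags("syn & !ack")
```

Because the two high-order bits are masked off before comparison, a value such as 0xC2 still matches "syn", which mirrors the page's statement that only the low-order 6 bits take part in the match.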
Match Conditions for MPLS Traffic (ACX Series Routers)
On ACX Series routers, you can configure a standard stateless firewall filter with match conditions for MPLS traffic (family mpls).
The input-list filter-names and output-list filter-names statements for firewall filters for the mpls protocol family are supported on all interfaces with the exception of management interfaces and internal Ethernet interfaces (fxp or em0), loopback interfaces (lo0), and USB modem interfaces (umd).
Table 8 describes the match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from] hierarchy level.
Match Condition | Description |
---|---|
 | Experimental (EXP) bit number or range of bit numbers in the MPLS header. For |
Nonterminating Actions (ACX Series Routers)
Standard stateless firewall filters support different sets of nonterminating actions for each protocol family.
ACX Series routers do not support the next term action.
ACX Series routers support the log and syslog actions in the ingress and egress directions for family inet and family bridge.
ACX5448, ACX710, and ACX7100 Series routers do not support the log, syslog, reject, forwarding-class, and loss-priority actions in the egress direction. In both the ingress and egress directions, these routers support interface-specific semantics only.
Table 9 describes the nonterminating actions you can configure for a standard firewall filter term.
Nonterminating Action | Description | Protocol Families |
---|---|---|
 | Count the packet in the named counter. | |
 | Classify the packet based on the specified forwarding class: Note: This action is supported on ingress only. | |
 | Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the Note: This action is supported on ingress and egress. The action on egress is not supported for family inet6. | |
 | Set the packet loss priority (PLP) level. You cannot also configure the You must include the For information about the Note: This action is supported on ingress only. | |
 | Name of policer to use to rate-limit traffic. | |
 | Port-mirror the packet based on the specified family. Note: This action is supported on ingress only. ACX5048 and ACX5096 routers do not support port-mirror. | |
 | Log the packet to the system log file. Note: This action is supported on ingress and egress. The action on egress is not supported for family inet6. | |
 | Police the packet using the specified single-rate or two-rate three-color policer. You cannot also configure the | |
traffic-class | Set traffic-class code point Note: This action is supported on ingress only. | |
Terminating Actions (ACX Series Routers)
Standard stateless firewall filters support different sets of terminating actions for each protocol family.
ACX Series routers do not support the next term action.
Table 10 describes the terminating actions you can specify in a standard firewall filter term.
Terminating Action | Description | Protocols |
---|---|---|
 | Accept the packet. | |
 | Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling. | |
 | Reject the packet and return an ICMPv4 or ICMPv6 message: Note: The | |
 | Direct the packet to the specified routing instance. | |