Firewall Filter Match Conditions and Actions in ACX Series Routers (Junos OS Evolved)
Supported Firewall Filter Match Conditions and Actions in the Ingress and Egress Directions on ACX Series Routers running Junos OS Evolved
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.
When a packet matches a filter, a switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default. See Table 1 and Table 2.
Table 1: Firewall Filter Match Conditions

| Match Condition | Description | Ingress | Egress | Firewall Filter Families (Ingress) | Firewall Filter Families (Egress) |
|---|---|---|---|---|---|
| destination-address ip-destination-address | IPv4 address that is the final destination node address for the packet. Use | Yes | Yes | IPv4, IPv6, Ethernet-Switching, and CCC | IPv4 and IPv6 |
| source-address ip-source-address | IPv4 address of the source node sending the packet. Use | Yes | Yes | IPv4, IPv6, Ethernet-Switching, and CCC | IPv4 |
| destination-prefix-list | IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the | Yes | Yes | IPv4, IPv6, and Ethernet-Switching | IPv4 and IPv6 |
| source-prefix-list | IP source prefix list. You can define a list of IP address prefixes under a prefix-list alias for frequent use. Define this list at the | Yes | Yes | IPv4, IPv6, and Ethernet-Switching | IPv4 |
| destination-port | TCP or UDP destination port field. Typically, you specify this match in conjunction with the | Yes | Yes | IPv4, IPv6, Ethernet-Switching, and CCC | IPv4, IPv6, Ethernet-Switching, and CCC |
| source-port | TCP or UDP source port field. Typically, you specify this match in conjunction with the | Yes | Yes | IPv4, IPv6, Ethernet-Switching, and CCC | IPv4, IPv6, Ethernet-Switching, and CCC |
| protocol ip-protocol | IP protocol field. Use | Yes | Yes | IPv4, Ethernet-Switching, and CCC | IPv4, Ethernet-Switching, and CCC |
| first-fragment | Match if the packet is the first fragment of a fragmented packet. Avoid matching the packet if it is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0. This match condition is an alias for the bit-field match condition fragment-offset 0. To match both first and trailing fragments, you can use two terms that specify different match conditions: | Yes | No | IPv4 | NA |
| icmp-code | ICMP code field. Because the meaning of the value depends upon the associated | Yes | Yes | IPv4, IPv6, Ethernet-Switching, and CCC | IPv4, IPv6, Ethernet-Switching, and CCC |
| icmp-type | ICMP message type field. Typically, you specify this match in conjunction with the IPv4: IPv6: See also | Yes | Yes | IPv4, IPv6, Ethernet-Switching, and CCC | IPv4, IPv6, Ethernet-Switching, and CCC |
| ip-options | Specify | Yes | No | IPv4 | NA |
| precedence ip-precedence | IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): Use | Yes | No | IPv4, Ethernet-Switching, and CCC | NA |
| is-fragment | Match if the More Fragments flag is set in the IP header or if the fragment offset is not zero. | Yes | No | IPv4 | NA |
| tcp-established | Matches packets of an established TCP three-way handshake connection (SYN, SYN-ACK, ACK). The only packet not matched is the first packet of the handshake, since only the SYN bit is set. For this packet, you must specify When you specify | Yes | Yes | IPv4 and IPv6 | IPv4 and IPv6 |
| tcp-flags | One or more TCP flags: | Yes | No | IPv4 and IPv6 | NA |
| tcp-initial | Match the first TCP packet of a connection. A match occurs when the TCP flag When you specify | Yes | No | IPv4 and IPv6 | NA |
| ttl | IP time-to-live (TTL) field in decimal. The value can be 1 through 255. | Yes | Yes | IPv4 | IPv4 |
| destination-mac-address | Destination MAC address of the packet. | Yes | Yes | Ethernet-Switching and CCC | Ethernet-Switching and CCC |
| source-mac-address | Source media access control (MAC) address of the packet. | Yes | Yes | Ethernet-Switching and CCC | Ethernet-Switching and CCC |
| dscp | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify the DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): | Yes | Yes | IPv4, Ethernet-Switching, and CCC | IPv4, Ethernet-Switching, and CCC |
| ether-type | Ethernet type field of a packet. The EtherType value specifies which protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): | Yes | Yes | Ethernet-Switching and CCC | Ethernet-Switching and CCC |
| learn-vlan-1p-priority | Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags, or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7. | Yes | Yes | Ethernet-Switching and CCC | Ethernet-Switching and CCC |
| user-vlan-1p-priority | Matches the specified 802.1p VLAN priority in the range | Yes | Yes | Ethernet-Switching and CCC | Ethernet-Switching and CCC |
| exp | Match on MPLS EXP bits. | Yes | No | MPLS | NA |
| label | Match on MPLS label bits. | Yes | No | MPLS | NA |
| traffic-class | 8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and the semantics of this field (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed): | Yes | Yes | IPv6 | IPv6 |
| hop-limit | Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255. | Yes | Yes | IPv6 | IPv6 |
| next-header | IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed): | Yes | Yes | IPv6 | IPv6 |
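The following configuration is an added example, not taken from the Juniper documentation, that puts several of the Table 1 match conditions to work in one ingress IPv4 filter: the two-term first-fragment / is-fragment pattern the first-fragment row describes, tcp-established to admit only return traffic of connections the router's side opened, a source-prefix-list defined under policy-options, and a final term with no match conditions, which therefore matches everything left over. The filter name protect-edge, the prefix-list name mgmt-hosts, the counter names, and the RFC 5737 documentation addresses are assumptions made for this example.

```junos
/* Added example (not Juniper's own configuration). Prefix-list and filter
   names and the 192.0.2.0/24 / 198.51.100.10 addresses are placeholders. */
policy-options {
    /* A prefix-list is defined once here and referenced from the filter
       through source-prefix-list (Table 1). */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter protect-edge {
            /* first-fragment matches only fragment offset 0 (Table 1), so a
               second term with is-fragment is needed for trailing fragments. */
            term drop-first-fragments {
                from {
                    first-fragment;
                }
                then {
                    count first-fragments;
                    discard;
                }
            }
            term drop-trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count trailing-fragments;
                    discard;
                }
            }
            /* tcp-established matches every segment of a handshake except the
               initial SYN, so new inbound connections fall through this term. */
            term return-tcp-traffic {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* New inbound TCP is permitted only for SSH from the management
               prefix-list; protocol and destination-port are combined as the
               destination-port row recommends. */
            term mgmt-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then accept;
            }
            /* No match conditions: this term matches all remaining packets. */
            term catch-all {
                then {
                    count everything-else;
                    discard;
                }
            }
        }
    }
}
```

Terms are evaluated in the order written and the first matching term decides the packet's fate, so the fragment terms sit before the accept terms: a trailing fragment carries no TCP header, and placing tcp-established first would not catch it. The counters give an operator a quick check (show firewall) that fragments and unexpected traffic are in fact being dropped rather than silently accepted by an earlier term. The accept action is a standard Junos terminating action even though Table 2 below does not list it.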
Table 2: Firewall Filter Actions

| Action | Description | Ingress | Egress | Firewall Filter Families (Ingress) | Firewall Filter Families (Egress) |
|---|---|---|---|---|---|
| count | Count the number of packets that match the term. | Yes | Yes | IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any | IPv4, IPv6, Ethernet-Switching, CCC, and Any |
| discard | Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. | Yes | Yes | IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any | IPv4, IPv6, Ethernet-Switching, CCC, and Any |
| log | Log the packet's header information in the Routing Engine. To view this information, enter the | Yes | No | IPv4 and IPv6 | NA |
| forwarding-class | Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class: To configure a forwarding class, you must also configure loss priority. | Yes | No | IPv4, IPv6, Ethernet-Switching, CCC, and MPLS | NA |
| next-interface | Direct packets to the specified outgoing interface. | Yes | No | IPv4 and IPv6 | NA |
| loss-priority | Set the packet loss priority (PLP) level. You cannot also configure the | Yes | No | IPv4, IPv6, Ethernet-Switching, CCC, and MPLS | NA |
| next-ip | Direct packets to the specified destination IPv4 address. | Yes | No | Yes | NA |
| next-ip6 | Direct packets to the specified destination IPv6 address. | Yes | No | IPv6 | NA |
| policer | Name of the policer to use to rate-limit traffic. | Yes | Yes | IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any | IPv4, IPv6, Ethernet-Switching, CCC, and Any |
| reject | Discard a packet and send a “destination unreachable” ICMPv4 message (type 3). To log rejected packets, configure the You can specify one of the following message types: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.” | Yes | No | IPv4 and IPv6 | NA |
| syslog | Log an alert for this packet. | Yes | No | IPv4 and IPv6 | NA |
| sample | Sample the packet traffic. Apply this option only if you have enabled traffic sampling. | Yes | No | IPv4 and IPv6 | NA |
| three-color-policer | Send packets to a three-color policer (for the purpose of applying rate limiting). | Yes | Yes | IPv4, IPv6, Ethernet-Switching, CCC, MPLS, and Any | IPv4, IPv6, Ethernet-Switching, CCC, and Any |
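The configuration below is an added example, not Juniper's own, showing how the Table 2 actions are combined inside terms and how the ingress/egress columns constrain what each filter may do. The ingress filter uses policer, count, forwarding-class together with loss-priority (as the forwarding-class row requires), syslog, reject with an explicit message type, and discard; the egress filter restricts itself to count and policer, which Table 2 marks as supported in the egress direction, since log, syslog and reject are ingress-only. The policer and filter names, the counter names, the interface et-0/0/1 and the 203.0.113.1/30 address are placeholders chosen for this example.

```junos
/* Added example (not Juniper's own configuration). All names, the interface
   and the addresses are placeholders. */
firewall {
    /* A policer referenced by name from the terms below. Traffic above the
       limit is discarded; conforming traffic continues through the term. */
    policer limit-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    family inet {
        filter edge-in {
            /* policer + count: rate-limit ICMP toward the router and keep a
               count of what arrived, so floods show up in counters. */
            term rate-limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-1m;
                    count icmp-in;
                }
            }
            /* forwarding-class must be paired with loss-priority (Table 2). */
            term classify-voice {
                from {
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* syslog and reject are ingress-only actions; reject takes one of
               the message types listed in Table 2. */
            term reject-telnet {
                from {
                    protocol tcp;
                    destination-port 23;
                }
                then {
                    syslog;
                    reject administratively-prohibited;
                }
            }
            /* Silent drop for everything else, with a counter for visibility. */
            term default-drop {
                then {
                    count default-drop;
                    discard;
                }
            }
        }
        /* Egress filter: only count and policer are used here because Table 2
           lists log, syslog and reject as unsupported in the egress direction. */
        filter edge-out {
            term limit-outbound-dns {
                from {
                    protocol udp;
                    destination-port 53;
                }
                then {
                    count dns-out;
                    policer limit-1m;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    et-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input edge-in;
                    output edge-out;
                }
                address 203.0.113.1/30;
            }
        }
    }
}
```

A term whose then clause names only non-terminating actions (count, policer, forwarding-class, loss-priority) still accepts the packet, which is why rate-limit-icmp and limit-outbound-dns need no explicit accept. Keeping reject to the ingress filter, and choosing administratively-prohibited rather than a more descriptive message type, limits what a remote host learns from the ICMP response while still letting legitimate clients fail fast instead of waiting for a timeout.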