Parameterized Filter Nonterminating and Terminating Actions and Modifiers

The nonterminating and terminating actions and modifiers for parameterized filters are a subset of those available for static firewall filters.

Note:

You cannot configure the next term nonterminating action with a terminating action in the same filter term. However, you can configure the next term action with another nonterminating action in the same filter term.

Nonterminating actions carry with them an implicit accept action: a term whose then clause contains only nonterminating actions (for example, then count c1) accepts every packet it matches, and evaluation of the filter stops at that term unless it also includes the next term action. In this context, nonterminating means that other actions can follow these actions, whereas no other actions can follow a terminating action. The practical consequence is that a term added to count or police a class of traffic also accepts that traffic, so a discard term placed later in the filter never sees it unless the earlier term ends with next term.
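The following configuration fragment is an added example, not text from the original page or a Juniper reference configuration. It shows the interaction between nonterminating actions, next term and the implicit accept in a parameterized filter. The profile name (sub-filter-profile), variable names (ssh-cir, ssh-burst, subscriber-filter), policer and counter names are hypothetical; the term order is the point. Without next term in the first term, SSH traffic from 10.0.0.0/8 would be counted, policed and accepted before the discard term is reached.

```junos
/* Added example (not from the original page): parameterized filter in a dynamic profile.
   All names are hypothetical. Variable values are supplied when the profile is instantiated. */
dynamic-profiles {
    sub-filter-profile {
        variables {
            ssh-cir default-value 512k;      /* policer rate, overridable per subscriber */
            ssh-burst default-value 64k;
            subscriber-filter;               /* filter name, supplied per subscriber */
        }
        firewall {
            policer ssh-limit {
                if-exceeding {
                    bandwidth-limit $ssh-cir;
                    burst-size-limit $ssh-burst;
                }
                then discard;
            }
            family inet {
                filter $subscriber-filter {
                    term police-ssh {
                        from {
                            protocol tcp;
                            destination-port 22;
                        }
                        then {
                            count ssh-pkts;      /* nonterminating */
                            policer ssh-limit;   /* nonterminating */
                            next term;           /* keep evaluating instead of the implicit accept */
                        }
                    }
                    term drop-private-sources {
                        from {
                            source-address {
                                10.0.0.0/8;
                            }
                        }
                        then {
                            count private-src-pkts;
                            discard;             /* terminating: evaluation stops here */
                        }
                    }
                    term count-remaining {
                        then count accepted-pkts;  /* nonterminating only: implicit accept */
                    }
                }
            }
        }
    }
}
```

After the profile is instantiated, the per-term counters (ssh-pkts, private-src-pkts, accepted-pkts) are visible with show firewall. If private-src-pkts stays at zero while ssh-pkts climbs for a subscriber in 10.0.0.0/8, the usual cause is a missing next term in police-ssh: the term is accepting the packets before drop-private-sources is evaluated.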

Table 1 describes the nonterminating actions and modifiers you can configure for a parameterized filter term.

Table 1: Nonterminating Actions for Parameterized Filters

Nonterminating Action

Description

Protocol Families

count counter-name

Count the packet in the named counter.

  • family any

  • family inet

  • family inet6

dscp value

Set the IPv4 Differentiated Services code point (DSCP) field. You can specify a numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

The default DSCP value is best effort, that is, be or 0.

You can also specify one of the following text synonyms:

  • af11—Assured forwarding class 1, low drop precedence

  • af12—Assured forwarding class 1, medium drop precedence

  • af13—Assured forwarding class 1, high drop precedence

  • af21—Assured forwarding class 2, low drop precedence

  • af22—Assured forwarding class 2, medium drop precedence

  • af23—Assured forwarding class 2, high drop precedence

  • af31—Assured forwarding class 3, low drop precedence

  • af32—Assured forwarding class 3, medium drop precedence

  • af33—Assured forwarding class 3, high drop precedence

  • af41—Assured forwarding class 4, low drop precedence

  • af42—Assured forwarding class 4, medium drop precedence

  • af43—Assured forwarding class 4, high drop precedence

  • be—Best effort

  • cs0—Class selector 0

  • cs1—Class selector 1

  • cs2—Class selector 2

  • cs3—Class selector 3

  • cs4—Class selector 4

  • cs5—Class selector 5

  • cs6—Class selector 6

  • cs7—Class selector 7

  • ef—Expedited forwarding

  • family inet

forwarding-class class-name

Classify the packet to the named forwarding class:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

  • family any

  • family inet

  • family inet6

hierarchical-policer policer-name

Police the packet using the specified hierarchical policer.

  • family any

  • family inet

  • family inet6

log

Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the CLI. The buffer is a fixed-size ring buffer and is not persistent: older entries are overwritten as new packets are logged, so it is suitable for troubleshooting rather than as an audit record.

Note:

The Layer 2 (L2) families log action is available only for MX Series routers with MPCs (MPC mode if the router has only MPCs, or mix mode if it has MPCs and DPCs). For MX Series routers with DPCs, the log action for L2 families is ignored if configured.

  • family inet

  • family inet6

loss-priority (high | medium-high | medium-low | low)

Set the packet loss priority (PLP) level.

You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. These two nonterminating actions are mutually exclusive.

For IP traffic on MX Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement and using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

  • family any

  • family inet

  • family inet6

next

Proceed to the next filter term.

  • family any

  • family inet

  • family inet6

next-ip ip-address <routing-instance routing-instance>

(MX Series) Direct packets to the specified destination IPv4 address. You can optionally specify a routing instance for the address. In the following example, the variables $IP-address and $RT-name would be defined in [edit dynamic-profiles service-profile-name variables]:

[edit dynamic-profiles service-profile-name firewall family inet filter $nextip]
user@host# set term t1 then next-ip $IP-address routing-instance $RT-name

Supported starting in Junos OS Release 18.2R1.

  • family inet

next-ip6 ipv6-address <routing-instance routing-instance>

(MX Series) Direct packets to the specified destination IPv6 address. You can optionally specify a routing instance for the address. In the following example, the variables $IPv6-address and $RT-name would be defined in [edit dynamic-profiles service-profile-name variables]:

[edit dynamic-profiles service-profile-name firewall family inet filter $nextip6]
user@host# set term t1 then next-ip6 $IPv6-address routing-instance $RT-name

Supported starting in Junos OS Release 18.2R1.

  • family inet6

policer policer-name

Name of policer to use to rate-limit traffic.

  • family any

  • family inet

  • family inet6

port-mirror instance-name

Port-mirror the packet based on the specified family.

We recommend that you do not use both the next-hop-group and the port-mirror actions in the same firewall filter.

  • family any

  • family inet

  • family inet6

port-mirror-instance instance-name

Port-mirror a packet for an instance. This action is supported only on the MX Series routers.

We recommend that you do not use both the next-hop-group and the port-mirror-instance actions in the same firewall filter.

  • family any

  • family inet

  • family inet6

routing-instance routing-instance-name

Direct packets to the specified routing instance.

  • family inet

  • family inet6

sample

Sample the packet.

Note:

Junos OS does not sample packets originating from the router. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled.

  • family inet

  • family inet6

service-accounting

Use the inline counting mechanism when capturing subscriber per-service statistics.

Count the packet for service accounting. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain.

The service-accounting and service-accounting-deferred keywords are mutually exclusive, both per-term and per-filter.

  • family any

  • family inet

  • family inet6

service-accounting-deferred

Use the deferred counting mechanism when capturing subscriber per-service statistics. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain.

The service-accounting and service-accounting-deferred keywords are mutually exclusive, both per-term and per-filter.

  • family any

  • family inet

  • family inet6

service-filter-hit

Direct the packet to the next type of filter in the chain. This action takes effect only if a previous filter of the current type in the chain has already marked the packet with the service-filter-hit flag.

The action also indicates to subsequent filters in the chain that the packet was already processed. Coupled with the service-filter-hit match condition in the receiving filters, it lets those filters skip terms that have already been evaluated and streamlines filter processing.

  • family any

  • family inet

  • family inet6

three-color-policer (single-rate | two-rate) policer-name

Police the packet using the specified single-rate or two-rate three-color-policer.

Note:

You cannot also configure the loss-priority action for the same firewall filter term. These two actions are mutually exclusive.

  • family any

  • family inet

  • family inet6

traffic-class value

Specify the traffic-class code point. You can specify a numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

The default traffic-class value is best effort, that is, be or 0.

In place of the numeric value, you can specify one of the following text synonyms:

  • af11—Assured forwarding class 1, low drop precedence

  • af12—Assured forwarding class 1, medium drop precedence

  • af13—Assured forwarding class 1, high drop precedence

  • af21—Assured forwarding class 2, low drop precedence

  • af22—Assured forwarding class 2, medium drop precedence

  • af23—Assured forwarding class 2, high drop precedence

  • af31—Assured forwarding class 3, low drop precedence

  • af32—Assured forwarding class 3, medium drop precedence

  • af33—Assured forwarding class 3, high drop precedence

  • af41—Assured forwarding class 4, low drop precedence

  • af42—Assured forwarding class 4, medium drop precedence

  • af43—Assured forwarding class 4, high drop precedence

  • be—Best effort

  • cs0—Class selector 0

  • cs1—Class selector 1

  • cs2—Class selector 2

  • cs3—Class selector 3

  • cs4—Class selector 4

  • cs5—Class selector 5

  • cs6—Class selector 6

  • cs7—Class selector 7

  • ef—Expedited forwarding

  • family inet6

Table 2 describes the terminating actions and modifiers you can configure for a parameterized filter term.

Table 2: Terminating Actions for Parameterized Filters

Terminating Action

Description

Protocol Families

accept

Accept the packet.

  • family any

  • family inet

  • family inet6

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling. Because no ICMP message is generated, discard reveals nothing about the filter policy to the sender and does not create response traffic; prefer it to reject for packets from untrusted sources.

  • family any

  • family inet

  • family inet6

reject message-type

Reject the packet and return an ICMPv4 or ICMPv6 message:

  • If no message-type is specified, a destination unreachable message is returned by default.

  • If tcp-reset is specified as the message-type, a TCP reset is returned only if the packet is a TCP packet. Otherwise, the administratively-prohibited message (ICMPv4 destination unreachable with code 13) is returned.

  • If any other message-type is specified, that message is returned.

Note:

Rejected packets can be sampled or logged if you configure the sample or syslog action.

The message-type can be one of the following values: address-unreachable, administratively-prohibited, bad-host-tos, bad-network-tos, beyond-scope, fragmentation-needed, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, no-route, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

  • family inet

  • family inet6
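The following configuration fragment is an added example, not text from the original page or a Juniper reference configuration, showing how the three terminating actions are typically combined in one parameterized filter: accept for a trusted management prefix, reject tcp-reset for other TCP connection attempts (so legitimate clients fail fast instead of timing out), and a silent discard with a counter for everything else. The profile name (edge-filter-profile), variable name (edge-filter), the 192.0.2.0/24 management prefix and the counter name are hypothetical.

```junos
/* Added example (not from the original page): terminating actions in a parameterized filter.
   All names and the management prefix are hypothetical. */
dynamic-profiles {
    edge-filter-profile {
        variables {
            edge-filter;                     /* filter name, supplied per subscriber */
        }
        firewall {
            family inet {
                filter $edge-filter {
                    term allow-mgmt-ssh {
                        from {
                            source-address {
                                192.0.2.0/24;    /* trusted management prefix */
                            }
                            protocol tcp;
                            destination-port 22;
                        }
                        then accept;             /* terminating */
                    }
                    term reset-other-ssh {
                        from {
                            protocol tcp;
                            destination-port 22;
                        }
                        then {
                            log;                 /* header goes to the PFE log buffer */
                            reject tcp-reset;    /* TCP here, so a RST is returned; a non-TCP
                                                    match would get ICMP administratively-prohibited */
                        }
                    }
                    term drop-rest {
                        then {
                            count dropped-pkts;
                            discard;             /* silent: no ICMP back to the sender */
                        }
                    }
                }
            }
        }
    }
}
```

Use show firewall log to inspect the headers logged by reset-other-ssh and show firewall for the dropped-pkts counter. The reject term is deliberately restricted to TCP with from protocol tcp; without that match condition, UDP or ICMP probes to port 22 would trigger ICMP administratively-prohibited replies, which both confirm to a scanner that a filter is present and make the router generate traffic on the sender's behalf.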