address address [ except ]

    Match the IPv6 source or destination address field unless the except option is included. If the option is included, do not match the IPv6 source or destination address field.

destination-address address [ except ]

    Match the IPv6 destination address field unless the except option is included. If the option is included, do not match the IPv6 destination address field.

    You cannot specify both the address and destination-address match conditions in the same term.

destination-port number

    Match the UDP or TCP destination port field.

    You cannot specify both the port and destination-port match conditions in the same term.

    If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

    In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-port-except number

    Do not match the UDP or TCP destination port field. For details, see the destination-port match condition.

destination-prefix-list prefix-list-name [ except ]

    Match the IPv6 destination prefix to the specified list unless the except option is included. If the option is included, do not match the IPv6 destination prefix to the specified list.

    The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

forwarding-class class

    Match the forwarding class of the packet.

    Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

    For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

forwarding-class-except class

    Do not match the forwarding class of the packet. For details, see the forwarding-class match condition.

icmp-code message-code

    Match the ICMP message code field.

    If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

    If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

        parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)
        time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
        destination-unreachable: administratively-prohibited (1), address-unreachable (3), no-route-to-destination (0), port-unreachable (4)

icmp-code-except message-code

    Do not match the ICMP message code field. For details, see the icmp-code match condition.

icmp-type message-type

    Match the ICMP message type field.

    If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148), destination-unreachable (1), echo-reply (129), echo-request (128), home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144), inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141), membership-query (130), membership-report (131), membership-termination (132), mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200 (200), private-experimentation-201 (201), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), or time-exceeded (3).

    For private-experimentation-201 (201), you can also specify a range of values within square brackets.

icmp-type-except message-type

    Do not match the ICMP message type field. For details, see the icmp-type match condition.

loss-priority level

    Match the packet loss priority (PLP) level.

    Specify a single level or multiple levels: low, medium-low, medium-high, or high.

    Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches.

    For IP traffic on M320, MX Series, and T Series routers and EX Series switches with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

    For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

    Do not match the PLP level. For details, see the loss-priority match condition.

next-header header-type

    Match the first 8-bit Next Header field in the packet. Support for the next-header firewall match condition is available in Junos OS Release 13.3R6 and later.

    For IPv6, we recommend that you use the payload-protocol term rather than the next-header term when configuring a firewall filter with match conditions. Although either can be used, payload-protocol provides the more reliable match condition because it uses the actual payload protocol to find a match, whereas next-header simply takes whatever appears in the first header following the IPv6 header, which may or may not be the actual protocol. In addition, if next-header is used with IPv6, the accelerated filter block lookup process is bypassed and the standard filter is used instead.

    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

    Note: The next-header icmp6 and next-header icmpv6 match conditions perform the same function. next-header icmp6 is the preferred option; next-header icmpv6 is hidden in the Junos OS CLI.

next-header-except header-type

    Do not match the 8-bit Next Header field that identifies the type of header between the IPv6 header and payload. For details, see the next-header match condition.

packet-length bytes

    Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

packet-length-except bytes

    Do not match the length of the received packet, in bytes. For details, see the packet-length match condition.

port number

    Match the UDP or TCP source or destination port field.

    If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term.

    If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

    In place of the numeric value, you can specify one of the text synonyms listed under the destination-port match condition.

port-except number

    Do not match the UDP or TCP source or destination port field. For details, see the port match condition.

prefix-list prefix-list-name [ except ]

    Match the prefixes of the source or destination address fields to the prefixes in the specified list unless the except option is included. If the option is included, do not match the prefixes of the source or destination address fields to the prefixes in the specified list.

    The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

service-filter-hit

    Match a packet received from a filter where a service-filter-hit action was applied.

source-address address [ except ]

    Match the IPv6 address of the source node sending the packet unless the except option is included. If the option is included, do not match the IPv6 address of the source node sending the packet.

    You cannot specify both the address and source-address match conditions in the same term.

source-class class-names

    Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For more information, see Firewall Filter Match Conditions Based on Address Classes.

source-class-except class-names

    Do not match one or more specified source class names. For details, see the source-class match condition.

source-port number

    Match the UDP or TCP source port field.

    You cannot specify both the port and source-port match conditions in the same term.

    If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

    In place of the numeric value, you can specify one of the text synonyms listed under the destination-port match condition.

source-port-except number

    Do not match the UDP or TCP source port field. For details, see the source-port match condition.

source-prefix-list name [ except ]

    Match the IPv6 address prefix of the packet source field unless the except option is included. If the option is included, do not match the IPv6 address prefix of the packet source field.

    Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

traffic-class number

    Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet. This field was previously used as the type-of-service (ToS) field in IPv4.

    You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

    In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

        RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

        RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:
            af11 (10), af12 (12), af13 (14)
            af21 (18), af22 (20), af23 (22)
            af31 (26), af32 (28), af33 (30)
            af41 (34), af42 (36), af43 (38)

traffic-class-except number

    Do not match the 8-bit field that specifies the CoS priority of the packet. For details, see the traffic-class match condition.
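As an added example, not from this documentation, the following Python lint encodes the term-level constraints stated across the entries above: the address and port conditions that cannot share a term, icmp-code's dependence on icmp-type, the PLP levels that need tri-color, and the recommendation to pair port and ICMP matches with an explicit next-header. The dict representation of a term and the tri_color_enabled flag are assumptions of this example, not Junos syntax.

```python
# Added example, not from the Juniper documentation: lint one IPv6 firewall-filter
# term against the constraints stated in the match-condition table above. A term is
# modelled as a dict of match-condition -> value (a constructed representation, not
# Junos syntax); the keys mirror the CLI keywords.

# Pairs the table says cannot appear in the same term (the commit would fail).
MUTUALLY_EXCLUSIVE = [("address", "destination-address"), ("address", "source-address"),
                      ("port", "destination-port"), ("port", "source-port")]
# Conditions the table recommends pairing with next-header, keyed to accepted field values.
NEEDS_NEXT_HEADER = {"port": {6, 17}, "destination-port": {6, 17}, "source-port": {6, 17},
                     "icmp-type": {1, 58}, "icmp-code": {1, 58}}
NEXT_HEADER_SYNONYMS = {  # text synonyms for next-header, as listed in the table
    "ah": 51, "dstops": 60, "egp": 8, "esp": 50, "fragment": 44, "gre": 47, "hop-by-hop": 0,
    "icmp": 1, "icmp6": 58, "icmpv6": 58, "igmp": 2, "ipip": 4, "ipv6": 41, "mobility": 135,
    "no-next-header": 59, "ospf": 89, "pim": 103, "routing": 43, "rsvp": 46, "sctp": 132,
    "tcp": 6, "udp": 17, "vrrp": 112}
TRI_COLOR_ONLY = {"medium-low", "medium-high"}  # PLP levels that need tri-color enabled


def next_header_value(nh):
    """Resolve a next-header keyword or number to its 8-bit field value (None if absent)."""
    if nh is None:
        return None
    if isinstance(nh, str) and nh in NEXT_HEADER_SYNONYMS:
        return NEXT_HEADER_SYNONYMS[nh]
    return int(nh)  # numeric value given directly; an unknown keyword raises ValueError


def lint_term(term, tri_color_enabled=False):
    """Return (errors, warnings): errors are combinations the table says cannot commit;
    warnings are its recommendations, where the term commits but may match more than intended."""
    errors, warnings = [], []
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in term and b in term:
            errors.append(f"{a} and {b} cannot both be used in the same term")
    if "icmp-code" in term and "icmp-type" not in term:
        errors.append("icmp-code requires icmp-type in the same term")
    levels = term.get("loss-priority", [])
    levels = {levels} if isinstance(levels, str) else set(levels)
    if levels & TRI_COLOR_ONLY and not tri_color_enabled:
        errors.append("medium-low/medium-high need tri-color under [edit class-of-service]")
    nh = next_header_value(term.get("next-header"))
    for cond, allowed in NEEDS_NEXT_HEADER.items():
        if cond in term and nh not in allowed:
            warnings.append(f"{cond} without a matching next-header: the field may be "
                            "read from packets of another protocol")
    if term.get("next-header") == "icmpv6":
        warnings.append("next-header icmpv6 is hidden in the CLI; use icmp6 instead")
    return errors, warnings
```

Run lint_term over each term of a filter before committing; the errors mirror the commit-time rules in the table and the warnings flag terms that rely on whatever happens to follow the IPv6 header.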