Service Filter Match Conditions for IPv4 or IPv6 Traffic
Service filters support only a subset of the stateless firewall filter match conditions for IPv4 and IPv6 traffic. Table 1 describes the service filter match conditions.
Table 1: Service Filter Match Conditions for IPv4 or IPv6 Traffic
Match Condition | Description | Protocol Family: IPv4 | Protocol Family: IPv6
---|---|---|---
address address | Match the IP source or destination address field. | family inet | family inet6 |
address address except | Do not match the IP source or destination address field. | family inet | family inet6 |
ah-spi spi-value | (M Series routers, except M120 and M320) Match on the IPsec authentication header (AH) security parameter index (SPI) value. | family inet | — |
ah-spi-except spi-value | (M Series routers, except M120 and M320) Do not match on the IPsec AH SPI value. | family inet | — |
destination-address address | Match the IP destination address field. You cannot specify both the address and destination-address match conditions in the same term. | family inet | family inet6 |
destination-address address except | Do not match the IP destination address field. You cannot specify both the address and destination-address match conditions in the same term. | family inet | family inet6 |
destination-port number | Match the UDP or TCP destination port field. You cannot specify both the port and destination-port match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177). | family inet | family inet6 |
destination-port-except number | Do not match the UDP or TCP destination port field. For details, see the destination-port match description. | family inet | family inet6 |
destination-prefix-list name | Match the list of destination prefixes. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. | family inet | family inet6 |
esp-spi value | Match the IPsec encapsulating security payload (ESP) SPI value. Specify a single value or a range of values. You can specify a value in hexadecimal, binary, or decimal form. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix. | family inet | family inet6 |
esp-spi-except value | Do not match the IPsec ESP SPI value or range of values. For details, see the esp-spi match condition. | family inet | family inet6 |
first-fragment | Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0. This match condition is an alias for the bit-field match condition fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment. | family inet | — |
fragment-flags number | (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8). | family inet | — |
fragment-offset number | Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet. The first-fragment match condition is an alias for the fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment). | family inet | — |
fragment-offset-except number | Do not match the 13-bit fragment offset field. | family inet | — |
interface-group group-number | Match the interface group (set of one or more logical interfaces) on which the packet was received. For group-number, specify a value from 0 through 255. For information about configuring interface groups, see Filtering Packets Received on a Set of Interface Groups Overview. | family inet | family inet6 |
interface-group-except group-number | Do not match the interface group on which the packet was received. For details, see the interface-group match condition. | family inet | family inet6 |
ip-options values | Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68). To match any value for the IP option, use the text synonym any. To match on multiple values, specify the list of values within square brackets ('[' and ']'). To match a range of values, use the value specification [ value1-value2 ]. For example, the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route, record-route, or security values, or any other value from 0 through 147. However, this match condition does not match on an IP options field that contains only the router-alert value (148). For most interfaces, a filter term that specifies an ip-options match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header. The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers, as well as EX Series switches, are capable of parsing the IP option field of the IPv4 packet header. For interfaces configured on those MPCs, all packets that are matched using the ip-options match condition are sent to the Packet Forwarding Engine for processing. | family inet | — |
ip-options-except values | Do not match the IP option field to the specified value or list of values. For details about specifying the values, see the ip-options match condition. | family inet | — |
is-fragment | Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet. This match condition is an alias for the bit-field match condition fragment-offset 0 except bits. Note: To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment). | family inet | — |
port number | Match the UDP or TCP source or destination port field. If you configure this match condition, you cannot configure the destination-port match condition or the source-port match condition in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. In place of the numeric value, you can specify one of the text synonyms listed under destination-port. | family inet | family inet6 |
port-except number | Do not match the UDP or TCP source or destination port field. For details, see the port match condition. | family inet | family inet6 |
prefix-list prefix-list-name | Match the prefixes of the source or destination address fields to the prefixes in the specified list. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. | family inet | family inet6 |
protocol number | Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112). | family inet | — |
protocol-except number | Do not match the IP protocol type field. For details, see the protocol match condition. | family inet | — |
source-address address | Match the IP source address. You cannot specify both the address and source-address match conditions in the same term. | family inet | family inet6 |
source-address address except | Do not match the IP source address. You cannot specify both the address and source-address match conditions in the same term. | family inet | family inet6 |
source-port number | Match the UDP or TCP source port field. You cannot specify the port and source-port match conditions in the same term. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition. | family inet | family inet6 |
source-port-except number | Do not match the UDP or TCP source port field. For details, see the source-port match condition. | family inet | family inet6 |
source-prefix-list name | Match source prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. | family inet | family inet6 |
tcp-flags value | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can use text synonyms or hexadecimal values. In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions. If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port. If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port. | family inet | family inet6 |

Note: If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see "IPv6 Overview" and "IPv6 Standards" in the Junos OS Routing Protocols Configuration Guide.
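The fragment conditions in the table (first-fragment, is-fragment, fragment-flags, fragment-offset) and the ip-options [ 0-147 ] example are easiest to understand against real header bytes. The following Python is an added example, not Juniper's code and not Junos configuration syntax: it decodes an IPv4 header, implements those conditions as the table defines them, and evaluates them against a few packets constructed inline (the function names, the build_ipv4 helper, the TEST-NET addresses and the sample packets are all assumptions made for the demonstration).

```python
"""Added example (not Juniper's code): the IPv4 fragment and ip-options match
conditions from the table, evaluated against raw IPv4 headers constructed here."""
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple, Union

# Keyword values exactly as the table lists them.
FRAGMENT_FLAGS = {"reserved": 0x8, "dont-fragment": 0x4, "more-fragments": 0x2}
IP_OPTION_SYNONYMS = {"loose-source-route": 131, "record-route": 7, "router-alert": 148,
                      "security": 130, "stream-id": 136, "strict-source-route": 137,
                      "timestamp": 68}

@dataclass
class IPv4Header:
    protocol: int
    flags: int            # 3-bit field: reserved | DF | MF
    fragment_offset: int  # 13-bit value, in 8-byte units
    options: List[int]    # option type bytes present after the fixed 20-byte header

def parse_ipv4(raw: bytes) -> IPv4Header:
    """Decode only the fields the match conditions look at (no checksum handling)."""
    ver_ihl, _tos, _len, _id, frag_word, _ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    header_len = (ver_ihl & 0x0F) * 4
    options, pos = [], 20
    while pos < header_len:
        opt_type = raw[pos]
        if opt_type == 0:             # end-of-options-list
            break
        if opt_type == 1:             # no-operation: a single byte, no length
            pos += 1
            continue
        options.append(opt_type)
        pos += raw[pos + 1]           # the length byte counts type, length and data
    return IPv4Header(proto, frag_word >> 13, frag_word & 0x1FFF, options)

def build_ipv4(proto: int, flags: int = 0, offset: int = 0, options: bytes = b"") -> bytes:
    """Constructed test header (TEST-NET addresses); options padded to 32 bits."""
    options += b"\x00" * (-len(options) % 4)
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                        20 + len(options), 0x1234, (flags << 13) | offset, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return fixed + options

# The match conditions, implemented as the table defines them.
def first_fragment(h: IPv4Header) -> bool:
    # Alias for fragment-offset 0; an unfragmented packet also has offset 0.
    return h.fragment_offset == 0

def is_fragment(h: IPv4Header) -> bool:
    return h.fragment_offset != 0     # alias for "fragment-offset 0 except"

def fragment_flags(h: IPv4Header, keyword: str) -> bool:
    return bool(h.flags & FRAGMENT_FLAGS[keyword])

def fragment_offset(h: IPv4Header, low: int, high: int) -> bool:
    return low <= h.fragment_offset <= high

def ip_options(h: IPv4Header, spec: Sequence[Union[str, int, Tuple[int, int]]]) -> bool:
    """True if any option present matches a synonym, number, (low, high) range or "any"."""
    if not h.options:
        return False                  # field absent: nothing to match, even for "any"
    for entry in spec:
        if entry == "any":
            return True
        if isinstance(entry, str):
            entry = IP_OPTION_SYNONYMS[entry]
        low, high = entry if isinstance(entry, tuple) else (entry, entry)
        if any(low <= opt <= high for opt in h.options):
            return True
    return False

# Constructed packets: a plain TCP segment, a fragmented UDP datagram, and two
# packets carrying IP options (router-alert, type 148; record-route, type 7).
PACKETS = {
    "plain-tcp":      build_ipv4(6),
    "first-fragment": build_ipv4(17, flags=FRAGMENT_FLAGS["more-fragments"], offset=0),
    "last-fragment":  build_ipv4(17, offset=185),
    "router-alert":   build_ipv4(2, options=b"\x94\x04\x00\x00"),
    "record-route":   build_ipv4(1, options=b"\x07\x03\x04"),
}

def classify(raw: bytes) -> dict:
    """Evaluate the conditions a pair of filter terms would test on this packet."""
    h = parse_ipv4(raw)
    return {
        "first-fragment": first_fragment(h),
        "is-fragment": is_fragment(h),
        "more-fragments": fragment_flags(h, "more-fragments"),
        "ip-options [0-147]": ip_options(h, [(0, 147)]),
        "ip-options router-alert": ip_options(h, ["router-alert"]),
        # A port condition needs the transport header, which only the first
        # fragment carries; a trailing fragment is payload only.
        "port-match-possible": first_fragment(h),
    }

if __name__ == "__main__":
    for name, raw in PACKETS.items():
        print(f"{name:15} {classify(raw)}")
```

Running it shows why the table recommends two terms rather than one: first-fragment is an alias for fragment-offset 0 and therefore also selects unfragmented packets, only is-fragment selects the trailing fragments, and only the first fragment carries the UDP or TCP header that a destination-port or source-port condition can be evaluated on. It also shows that ip-options [ 0-147 ] selects a header carrying record-route (7) but not one carrying only router-alert (148), exactly as the table states.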
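The tcp-flags row says that individual flag bits can be strung together with the bit-field logical operators and points to tcp-established and tcp-initial as combined conditions, but does not show how such an expression is evaluated. The following Python is an added example, not Juniper's code or a Junos parser: it evaluates a bit-field expression with `!`, `&`, `|` and parentheses against the low-order 6 bits of the TCP flags byte, then runs three expressions over the packets of one constructed TCP session. The flag bit values are the standard ones from RFC 793; the keyword spellings used for them, the two combinations given for tcp-initial and tcp-established (the Junos synonyms (!ack & syn) and (ack | rst), stated here from Juniper's stateless filter documentation rather than from this page), and the sample headers are assumptions made for the demonstration.

```python
"""Added example (not Juniper's code): a tcp-flags bit-field expression evaluator
run against the flags byte of TCP headers constructed here, to show which packets
of one session an expression selects."""
import re
import struct
from typing import Dict, List

# Low-order six flag bits of the TCP flags field (RFC 793 order). The keyword
# spellings are assumed to follow the flag names; the table's own list is not reproduced.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08, "ack": 0x10, "urgent": 0x20}
_TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|[a-z]+|[()!&|])")

def tokenize(expr: str) -> List[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad token near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class FlagExpr:
    """Recursive-descent evaluator: '!' binds tightest, then '&', then '|'."""
    def __init__(self, expr: str):
        self.tokens = tokenize(expr)
        self.pos = 0

    def matches(self, flags: int) -> bool:
        self.pos = 0
        result = self._or(flags)
        if self.pos != len(self.tokens):
            raise ValueError("unexpected trailing tokens")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _or(self, flags: int) -> bool:
        value = self._and(flags)
        while self._peek() == "|":
            self._take()
            rhs = self._and(flags)    # always parse the right side to consume its tokens
            value = value or rhs
        return value

    def _and(self, flags: int) -> bool:
        value = self._unary(flags)
        while self._peek() == "&":
            self._take()
            rhs = self._unary(flags)
            value = value and rhs
        return value

    def _unary(self, flags: int) -> bool:
        tok = self._take()
        if tok == "!":
            return not self._unary(flags)
        if tok == "(":
            value = self._or(flags)
            if self._take() != ")":
                raise ValueError("missing ')'")
            return value
        mask = int(tok, 16) if tok.startswith("0x") else TCP_FLAG_BITS[tok]
        return (flags & mask) == mask  # a term is true when all of its bits are set

# tcp-initial and tcp-established, which the table refers to, as the Junos synonyms
# for these two combinations (assumed here from Juniper's stateless filter documentation).
TCP_INITIAL = FlagExpr("!ack & syn")
TCP_ESTABLISHED = FlagExpr("ack | rst")

def tcp_flags_byte(raw_tcp: bytes) -> int:
    """Flags live in byte 13 of the TCP header; keep only the low-order 6 bits."""
    return raw_tcp[13] & 0x3F

def build_tcp(flags: int, sport: int = 40000, dport: int = 443) -> bytes:
    """Constructed 20-byte TCP header (data offset 5) with the given flags byte."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)

# One client-to-server session, in order, as constructed headers.
SESSION: Dict[str, bytes] = {
    "client SYN":     build_tcp(0x02),
    "server SYN-ACK": build_tcp(0x12, sport=443, dport=40000),
    "client ACK":     build_tcp(0x10),
    "client PSH-ACK": build_tcp(0x18),
    "server RST":     build_tcp(0x04, sport=443, dport=40000),
}

def select(expr: FlagExpr, session: Dict[str, bytes]) -> List[str]:
    """Names of the packets whose flags satisfy the expression."""
    return [name for name, raw in session.items() if expr.matches(tcp_flags_byte(raw))]

if __name__ == "__main__":
    print("tcp-initial     ->", select(TCP_INITIAL, SESSION))
    print("tcp-established ->", select(TCP_ESTABLISHED, SESSION))
    print("plain 'syn'     ->", select(FlagExpr("syn"), SESSION))
```

The third expression is the instructive one for a filter author: a bare `syn` term selects the server's SYN-ACK as well as the client's opening SYN, because a term is true whenever its bit is set regardless of the other bits, so a term meant to classify only the first packet of a connection has to exclude ack explicitly, which is what the combined tcp-initial condition does.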