Juniper¶

Header Format¶

The juniper header designation has the following format:

targets:
    juniper: [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific}

filter name: defines the name of the juniper filter.
inet: specifies the output should be for IPv4 only filters. This is the default format.
inet6: specifies the output be for IPv6 only filters.
bridge: specifies the output should render a Juniper bridge filter.
dsmo: Enable discontinuous subnet mask summarization.
not-interface-specific: Toggles "interface-specific" inside of a term.
direction: The direction of the filter on an interface (optional). Use when a term needs this signal.
interface: The type of interface on which the filter will be applied (optional). Use when a term needs this signal.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if not other argument is given.

Term Format¶

for common keys see common.md
address: One or more network address tokens, matches source or destination.
restrict-address-family: Only include the term in the matching address family filter (eg. for mixed filters).
counter: Update a counter for matching packets
destination-exclude: Exclude one or more address tokens from the specified destination-address
destination-prefix: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
destination-prefix_except: Specify destination-prefix exception(TODO:cmas Fill in more).
dscp_except: Do not match the DSCP number.
dscp_match: Match a DSCP number.
dscp_set: Match a DSCP set.
ether_type: Match EtherType field.
filter-term: Include another filter
_flexible-match-range Filter based on flexible match options.
forwarding-class: Specify the forwarding class to match.
forwarding-class_except: Do not match the specified forwarding classes.
fragement-offset: specify a fragment offset of a fragmented packet
hop-limit: Match the hop limit to the specified hop limit or set of hop limits.
icmp-code: Specifies the ICMP code to filter on.
logging: Specify that this packet should be logged via syslog.
loss-priority: Specify loss priority.
next-ip: Used in filter based forwarding.
owner: Owner of the term, used for organizational purposes.
packet-length: specify packet length.
policer: specify which policer to apply to matching packets.
port: Matches on source or destination ports. Takes a service token.
port-mirror: Sends copies of the packets to a remote port, boolean value is used to render this config.
precedence: specify precedence of range 0-7. May be a single integer, or a space separated list.
protocol_except: allow all protocol "except" specified.
qos: apply quality of service classification to matching packets (e.g. qos:: af4)
routing-instance: specify routing instance for matching packets.
source-exclude: exclude one or more address tokens from the specified source-address.
source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
source-prefix-except: specify destination-prefix exception(TODO:cmas Fill in more).
traffic-class-count:
traffic-type: specify traffic-type
ttl: Matches on TTL.
verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens¶

Actions¶

accept
deny
next
reject
reject-with-tcp-rst

Option¶

.*: wat
established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
first-fragment: Only match on first fragment of a fragmented pakcet.
sample: Samples traffic for netflow.
tcp-established: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
tcp-initial: Only match initial packet for TCP protocol.