SRXlo

SRX Loopback (srxlo) renders a stateless Juniper ACL intended for the loopback interface of SRX devices; it is the standard Juniper generator with minor changes. Please see the code for the exact changes.

Header Format

The srxlo header designation follows the Juniper header format:

targets:
    srxlo: [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific}
  • filter name: defines the name of the Juniper filter.
  • inet: specifies that the output should be for IPv4-only filters. This is the default format.
  • inet6: specifies that the output should be for IPv6-only filters.
  • bridge: specifies that the output should render a Juniper bridge filter.
  • dsmo: enables discontinuous subnet mask summarization.
  • not-interface-specific: toggles "interface-specific" inside of a term.
  • direction: the direction of the filter on an interface (optional). Use when a term needs this signal.
  • interface: the type of interface on which the filter will be applied (optional). Use when a term needs this signal.

When inet4 or inet6 is specified, naming tokens that contain both IPv4 and IPv6 addresses will be rendered using only the addresses of the specified family. The default format is inet4, and is implied if no other argument is given.
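As an added example (not part of the original documentation or of the srxlo generator itself), the following parser decodes the srxlo target line of a policy header into the options listed above. It assumes the policy-file spelling `target:: srxlo <filter name> [options...]` inside a `header { ... }` block, and it assumes the value spellings `ingress`/`egress` for direction and `loopback` for interface, which the documentation above does not spell out.

```python
"""Decode the srxlo target line of a policy header (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

ADDRESS_FAMILIES = ("inet", "inet6", "bridge")
# Assumed spellings for the optional direction / interface signals.
DIRECTIONS = ("ingress", "egress")
INTERFACES = ("loopback",)


@dataclass
class SrxloHeader:
    filter_name: str
    family: str = "inet"              # default when no family token is given
    dsmo: bool = False
    interface_specific: bool = True   # 'not-interface-specific' turns this off
    direction: Optional[str] = None
    interface: Optional[str] = None


class HeaderError(ValueError):
    """Raised for a missing target line or an option the generator lacks."""


_TARGET_RE = re.compile(r"^\s*target::\s+srxlo\s+(\S+)(.*)$")


def parse_srxlo_header(header_block: str) -> SrxloHeader:
    """Find the 'target:: srxlo' line in a header block and decode its options."""
    for line in header_block.splitlines():
        m = _TARGET_RE.match(line)
        if m:
            break
    else:
        raise HeaderError("no 'target:: srxlo' line in header")
    name, rest = m.group(1), m.group(2)
    if name in ADDRESS_FAMILIES or name in ("dsmo", "not-interface-specific"):
        raise HeaderError("filter name is required before the options")
    hdr = SrxloHeader(filter_name=name)
    family_seen = False
    for tok in rest.split():
        if tok in ADDRESS_FAMILIES:
            if family_seen:                      # inet and inet6 are exclusive
                raise HeaderError(f"conflicting address family {tok!r}")
            hdr.family, family_seen = tok, True
        elif tok == "dsmo":
            hdr.dsmo = True
        elif tok == "not-interface-specific":
            hdr.interface_specific = False
        elif tok in DIRECTIONS:
            hdr.direction = tok
        elif tok in INTERFACES:
            hdr.interface = tok
        else:                                    # unknown tokens are rejected
            raise HeaderError(f"unknown srxlo option {tok!r}")
    return hdr


# Constructed sample header, as it would appear at the top of a policy file.
SAMPLE_HEADER = """
header {
  comment:: "loopback protection filter (constructed sample)"
  target:: srxlo LOOPBACK-PROTECT inet6 dsmo not-interface-specific
}
"""

if __name__ == "__main__":
    print(parse_srxlo_header(SAMPLE_HEADER))
```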

Term Format

  • for common keys see common.md
  • address: One or more network address tokens, matches source or destination.
  • counter: Update a counter for matching packets.
  • destination-exclude: Exclude one or more address tokens from the specified destination-address.
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only).
  • destination-prefix_except: Specify destination-prefix exception (TODO: cmas, fill in more).
  • dscp_except: Do not match the DSCP number.
  • dscp_match: Match a DSCP number.
  • dscp_set: Match a DSCP set.
  • ether_type: Match EtherType field.
  • forwarding-class: Specify the forwarding class to match.
  • forwarding-class_except: Do not match the specified forwarding classes.
  • fragment-offset: specify a fragment offset of a fragmented packet.
  • hop-limit: Match the hop limit to the specified hop limit or set of hop limits.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • loss-priority: Specify loss priority.
  • next-ip: Used in filter based forwarding.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • policer: specify which policer to apply to matching packets.
  • port: Matches on source or destination ports. Takes a service token.
  • precedence: specify precedence of range 0-7. May be a single integer, or a space separated list.
  • protocol_except: match all protocols except the ones specified.
  • qos: apply quality of service classification to matching packets (e.g. qos:: af4)
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • source-prefix-except: specify source-prefix exception (TODO: cmas, fill in more).
  • traffic-class-count:
  • traffic-type: specify traffic-type
  • ttl: Matches on TTL.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • .*: wat
  • established: Only match established connections; implements tcp-established for TCP and sets the destination port to 1024-65535 for UDP if no destination port is defined.
  • first-fragment: Only match on the first fragment of a fragmented packet.
  • sample: Samples traffic for netflow.
  • tcp-established: Only match established TCP connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.