Generator Reference

Common

This list contains all the common keys that are used across all generators (with a few highlighted exceptions).

Term Format

  • action: The action to take when matched. See the Actions section for each generator.
  • comment: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address: One or more destination address tokens.
  • destination-port: One or more service definition tokens.
  • expiration: Stop rendering this term after specified date in YYYY-MM-DD format. E.g. 2000-12-31.
  • icmp-type: Specify icmp-type code to match, see ICMP types for list of valid arguments (Not supported on: aruba, gce, k8s)
  • name: Name of the term.
  • option: See platforms supported Options section. (Not supported on: k8s, gce, windows_advfirewall, windows_ipsec)
  • platform: one or more target platforms for which this term should ONLY be rendered.
  • platform-exclude: one or more target platforms for which this term should NEVER be rendered.
  • protocol: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address: one or more source address tokens.
  • source-port: one or more service definition tokens. (Not supported on: aruba, k8s)

Arista Traffic-Policy

Header Format

The arista_tp header designation has the following format:

targets:
    arista_tp: [filter name] {inet|inet6|mixed}
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies the output be for IPv6 only filters.
  • mixed: specifies output will include both IPv6 and IPv4 filters. (default)

Filter types

Traffic-policies are dual-address-family by default (i.e.: mixed). A term may be either of type ipv4 or ipv6. If the filter type is defined as mixed (the default), then match/action statements for each address family will be generated.

If the operator wishes to create an ipv4 or ipv6 only filter, the inet and inet6 tokens within the header will be honored and only addresses from the respective address family will be rendered. However, EOS will still, by default, create an 'ipvX-default-all' term for the alternate address family. (see below)

Term Format

The following tokens are supported:

  • for common keys see the common section above.

  • counter:

  • destination-exclude:
  • destination-prefix: this should resolve to a configured field-set in traffic-policy format.
  • fragment-offset:
  • icmp-type:
  • logging:
  • packet-length:
  • source-exclude:
  • source-prefix: this should resolve to a configured field-set in traffic-policy format.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • reject
  • reject-with-tcp-rst

The fully supported actions are: accept, and deny. Use of reject, or reject-with-tcp-rst will result in the generation of deny actions in the rendered traffic policy.

Note, within traffic-policies not configuring an explicit deny action (or reject variant) will result in an implicit allow for a term.

Counter

  • If a counter is specified in a term, a traffic-policy named-counter stanza will be generated in the rendered output.
  • Counter names should not contain a dot (.). If a dot is embedded in a counter name it will be replaced with a dash (-).

(source|destination)-address-exclude

Currently (as of Jan-2021), EOS does not support the use of 'except' inline within match statements. If an exclude/except token is used, a traffic-policy field-set will be generated and referenced in the match-term output. This field-set will be named <direction>-<term.name>, where direction is either src or dst depending on the direction of the token in use.

If the filter type is mixed, both address-families will have the respective field-sets generated. The field-set for the ipv4 address family will have the field-set generated with no prefix, while the ipv6 field-set will have ipv6 inserted into the field-set name after the direction and before the name. (form: src|dst-ipv6-term_name)

Option

option: {established|tcp-established|initial|rst|first-fragment}
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • initial
  • rst
  • first-fragment: this will be rendered as a fragment match.

Ports

In EOS traffic-policies, ports can be configured using:

  • source [ all | port-list | field-set ]
  • destination [ all | port-list | field-set ]

Currently, all and field-sets are not supported for ports. Only port-lists are supported.

default-terms

EOS has two default terms per traffic-policy, one for each address family:

  • ipv4-default-all
  • ipv6-default-all

If there is no match criteria associated with a term and the term name in the policy begins with default-, the contents will be rendered into the default terms for the appropriate address family.

Empty match criteria

If there is no match criteria specified, and the term name does not start with default- the term will not be rendered and a warning will be logged.
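A model of the rules in this section (action mapping, counter naming, exclude field-sets, the established option and default-term handling), added here as example code rather than Capirca's own arista_tp generator; the Term fields, function names and the sample term are assumptions of this illustration.

```python
"""Model of the Arista traffic-policy term rules in this section.

Added illustration, not Capirca's arista_tp generator: it encodes only the
documented rules so they can be checked on a constructed term.
"""
import logging
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_TERMS = {"inet": "ipv4-default-all", "inet6": "ipv6-default-all"}
FAMILIES = {"inet": ["ipv4"], "inet6": ["ipv6"], "mixed": ["ipv4", "ipv6"]}


@dataclass
class Term:
    """The subset of term keys this model needs; list fields hold tokens."""
    name: str
    action: str
    protocol: List[str] = field(default_factory=list)
    source_address: List[str] = field(default_factory=list)
    destination_address: List[str] = field(default_factory=list)
    source_exclude: List[str] = field(default_factory=list)
    destination_exclude: List[str] = field(default_factory=list)
    destination_port: List[str] = field(default_factory=list)
    option: List[str] = field(default_factory=list)
    counter: Optional[str] = None


def render_action(action: str) -> str:
    """Only accept and deny are fully supported; reject variants become deny."""
    if action in ("accept", "deny"):
        return action
    if action in ("reject", "reject-with-tcp-rst"):
        return "deny"
    raise ValueError(f"unsupported action: {action}")


def counter_name(counter: str) -> str:
    """A '.' is not allowed in a named-counter name; it becomes a '-'."""
    return counter.replace(".", "-")


def exclude_field_sets(term: Term, filter_type: str = "mixed") -> List[str]:
    """Field-set names generated for source/destination exclude tokens.

    IPv4: <src|dst>-<term name>; IPv6 inserts ipv6 after the direction.
    """
    names = []
    for direction, excludes in (("src", term.source_exclude),
                                ("dst", term.destination_exclude)):
        for family in FAMILIES[filter_type] if excludes else []:
            infix = "" if family == "ipv4" else "ipv6-"
            names.append(f"{direction}-{infix}{term.name}")
    return names


def established_match(term: Term) -> Dict[str, object]:
    """Effect of option 'established': tcp-established for tcp, and for udp
    destination port 1024-65535 unless a destination-port was given."""
    result = {"tcp_established": False,
              "destination_port": list(term.destination_port)}
    if "established" in term.option:
        if "tcp" in term.protocol:
            result["tcp_established"] = True
        if "udp" in term.protocol and not term.destination_port:
            result["destination_port"] = ["1024-65535"]
    return result


def render_target(term: Term, family: str) -> Optional[str]:
    """Where a term lands: its own match term, a default term, or nowhere.

    With no match criteria the term goes to ipv4-/ipv6-default-all only if
    its name starts with 'default-'; otherwise it is dropped with a warning.
    """
    if any([term.protocol, term.source_address, term.destination_address,
            term.source_exclude, term.destination_exclude,
            term.destination_port]):
        return term.name
    if term.name.startswith("default-"):
        return DEFAULT_TERMS[family]
    logging.warning("term %s has no match criteria and is not a default "
                    "term; it will not be rendered", term.name)
    return None


# Constructed sample: a udp term relying on 'established' that excludes a block.
SAMPLE = Term(name="dns-return", action="reject", protocol=["udp"],
              source_address=["RESOLVERS"], source_exclude=["BLOCKED"],
              option=["established"], counter="dns.return")
```

Note that for SAMPLE the reject action is rendered as deny and the udp term is widened to destination ports 1024-65535, which is the behaviour to review before relying on established for udp.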

Documentation

The official documentation for traffic-policies can be found at the following URL.


Arista

Header Format

The arista header designation has the following format:

targets:
    arista: [filter name] {standard|extended|object-group|inet6} {noverbose}
  • filter name: defines the name of the arista filter.
  • standard: specifies that the output should be a standard access list
  • extended: specifies that the output should be an extended access list
  • object-group: specifies this is a arista extended access list, and that object-groups should be used for ports and addresses.
  • inet6: specifies the output be for IPv6 only filters.
  • noverbose: omit additional term and address comments. (optional)
  • mixed: #TODO: does this exist on all Cisco inherited platforms?
  • enable_dsmo: #TODO: does this exist on all Cisco inherited platforms?

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • dscp-match: Match a DSCP number.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

option: {established|is-fragment|tcp-established}
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • is-fragment: Matches on if a packet is a fragment.
  • tcp-established: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.

Aruba

Header Format

The aruba header designation has the following format:

targets:
    aruba: [filter name] {ipv6}
  • filter name: defines the name of the aruba filter.
  • ipv6: specifies the output be for IPv6 only filters.

Term Format

  • for common keys see the common section above.

  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny

Option

  • destination-is-user: Aruba option to specify that the destination should be a user.
  • negate: Used with DSM summarizer, negates the DSM.
  • source-is-user: Aruba option to specify that the source should be a user.

Brocade

Header Format

The brocade header designation has the following format:

targets:
    brocade: [filter name] {extended|standard|object-group|inet6|mixed} {enable_dsmo}

See cisco for details.

Term Format

See cisco for details.

Sub Tokens

Actions

See cisco for details.

Option

See cisco for details.


Cisco

Header Format

The cisco header designation has the following format:

targets:
    cisco: [filter name] {extended|standard|object-group|inet6|mixed} {enable_dsmo} {noverbose}
  • filter name: defines the name or number of the cisco filter.
  • extended: specifies that the output should be an extended access list, and the filter name should be non-numeric. This is the default option.
  • standard: specifies that the output should be a standard access list, and the filter name should be numeric and in the range of 1-99.
  • object-group: specifies this is a cisco extended access list, and that object-groups should be used for ports and addresses.
  • inet6: specifies the output be for IPv6 only filters.
  • noverbose: omit additional term and address comments. (optional)
  • mixed: specifies output will include both IPv6 and IPv4 filters.
  • enable_dsmo: Enable discontinuous subnet mask summarization.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if no other argument is given.

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • restrict-address-family: Only include the term in the matching address family filter (e.g. for mixed filters).
  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • dscp-match: Match a DSCP number.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • is-fragment: Matches on if a packet is a fragment.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.

CiscoASA

Header Format

The ciscoasa header designation has the following format:

targets:
    ciscoasa: [filter name]

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.

CiscoNX

Header Format

The cisconx header designation has the following format:

targets:
    cisconx: [filter name] {extended|object-group|inet6|mixed} {enable_dsmo} {noverbose}
  • filter name: defines the name or number of the cisconx filter.
  • extended: specifies that the output should be an extended access list, and the filter name should be non-numeric. This is the default option.
  • object-group: specifies this is a cisconx extended access list, and that object-groups should be used for ports and addresses.
  • inet6: specifies the output be for IPv6 only filters.
  • noverbose: omit additional term and address comments. (optional)
  • mixed: specifies output will include both IPv6 and IPv4 filters.
  • enable_dsmo: Enable discontinuous subnet mask summarization.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if no other argument is given.

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • dscp-match: Match a DSCP number.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • is-fragment: Matches on if a packet is a fragment.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.

CiscoXR

Header Format

The ciscoxr header designation has the following format:

targets:
    ciscoxr: [filter name] {inet6} {noverbose}
  • filter name: defines the name or number of the ciscoxr filter.
  • inet6: specifies the output be for IPv6 only filters.
  • noverbose: omit additional term and address comments. (optional)

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • dscp-match: Match a DSCP number.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • next_ip: next hop (address token -> single IP) for ACL based forwarding
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • is-fragment: Matches on if a packet is a fragment.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.

GCE

Header Format

The GCE header designation has the following format:

targets:
    gce: [filter name] [direction]
  • filter name: defines the name of the gce filter.
  • direction: defines the direction, valid inputs are INGRESS and EGRESS (default:INGRESS)

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • destination-tag: Tag name to be used for destination filtering.
  • owner: Owner of the term, used for organizational purposes.
  • priority: Relative priority of rules when evaluated on the platform.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-tag: Tag name used for source filtering.

Sub Tokens

Actions

  • accept
  • deny

Ipset

Ipset is a facility inside the Linux kernel which can very efficiently store and match IPv4 and IPv6 addresses. It can be used to dramatically increase the performance of an iptables firewall.

Header Format

The Ipset header designation follows the Iptables format (see the IpTables section below), but uses the target platform of 'ipset':

targets:
    ipset: [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}

Term Format

  • for common keys see the common section above.

  • counter: Update a counter for matching packets

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-interface: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • fragment-offset: specify a fragment offset of a fragmented packet
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-interface: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • fin: Match on FIN flag being present.
  • first-fragment: Only match on first fragment of a fragmented packet.
  • initial: Only matches on initial packet.
  • is-fragment: Matches on if a packet is a fragment.
  • none: Matches none.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • sample: Samples traffic for netflow.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.
  • urg: Match on URG flag being present.

IpTables

NOTE: Iptables produces output that must be passed, line by line, to the 'iptables/ip6tables' command line. For 'iptables-restore' compatible output, please use the Speedway generator.

Header Format

The Iptables header designation has the following format:

targets:
    iptables: [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}
  • INPUT: apply the terms to the input filter.
  • OUTPUT: apply the terms to the output filter.
  • FORWARD: apply the terms to the forwarding filter.
  • custom: create the terms under a custom filter name, which must then be linked/jumped to from one of the default filters (e.g. iptables -A INPUT -j custom)
  • ACCEPT: specifies that the default policy on the filter should be 'accept'.
  • DROP: specifies that the default policy on the filter should be to 'drop'.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • truncatenames: specifies to abbreviate term names if necessary (see lib/iptables.py:_CheckTerMLength for abbreviation table)
  • nostate: specifies to produce 'stateless' filter output (e.g. no connection tracking)

Term Format

  • for common keys see the common section above.

  • counter: Update a counter for matching packets

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-interface: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • fragment-offset: specify a fragment offset of a fragmented packet
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-interface: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • fin: Match on FIN flag being present.
  • first-fragment: Only match on first fragment of a fragmented packet.
  • initial: Only matches on initial packet.
  • is-fragment: Matches on if a packet is a fragment.
  • none: Matches none.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • sample: Samples traffic for netflow.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.
  • urg: Match on URG flag being present.

Juniper

Header Format

The Juniper header designation has the following format:

targets:
    juniper: [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific}
  • filter name: defines the name of the Juniper filter.
  • inet: specifies the output should be for IPv4 only filters. This is the default format.
  • inet6: specifies the output be for IPv6 only filters.
  • bridge: specifies the output should render a Juniper bridge filter.
  • dsmo: Enable discontinuous subnet mask summarization.
  • not-interface-specific: Toggles "interface-specific" inside of a term.
  • direction: The direction of the filter on an interface (optional). Use when a term needs this signal.
  • interface: The type of interface on which the filter will be applied (optional). Use when a term needs this signal.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if no other argument is given.

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • restrict-address-family: Only include the term in the matching address family filter (e.g. for mixed filters).
  • counter: Update a counter for matching packets
  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • destination-prefix-except: Specify destination-prefix exception(TODO:cmas Fill in more).
  • dscp-except: Do not match the DSCP number.
  • dscp-match: Match a DSCP number.
  • dscp-set: Match a DSCP set.
  • ether-type: Match EtherType field.
  • filter-term: Include another filter
  • flexible-match-range: Filter based on flexible match options.
  • forwarding-class: Specify the forwarding class to match.
  • forwarding-class-except: Do not match the specified forwarding classes.
  • fragment-offset: specify a fragment offset of a fragmented packet
  • hop-limit: Match the hop limit to the specified hop limit or set of hop limits.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • loss-priority: Specify loss priority.
  • next-ip: Used in filter based forwarding.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • policer: specify which policer to apply to matching packets.
  • port: Matches on source or destination ports. Takes a service token.
  • port-mirror: Sends copies of the packets to a remote port, boolean value is used to render this config.
  • precedence: specify precedence of range 0-7. May be a single integer, or a space separated list.
  • protocol-except: allow all protocol "except" specified.
  • qos: apply quality of service classification to matching packets (e.g. qos:: af4)
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • source-prefix-except: specify source-prefix exception(TODO:cmas Fill in more).
  • traffic-class-count:
  • traffic-type: specify traffic-type
  • ttl: Matches on TTL.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • .*: wat
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • first-fragment: Only match on first fragment of a fragmented packet.
  • sample: Samples traffic for netflow.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.

Juniper EVO

Header Format

The Juniper EVO header designation has the following format:

targets:
    juniperevo: [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific} {direction} {interface}
  • filter name: defines the name of the Juniper EVO filter.
  • inet: specifies the output should be for IPv4 only filters. This is the default format.
  • inet6: specifies the output be for IPv6 only filters.
  • bridge: specifies the output should render a Juniper EVO bridge filter.
  • dsmo: Enable discontinuous subnet mask summarization.
  • direction: The direction of the filter on an interface. Must be specified.
  • interface: The type of interface on which the filter will be applied. Default is physical (non-loopback) interface.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if no other argument is given.

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • restrict-address-family: Only include the term in the matching address family filter (e.g. for mixed filters).
  • counter: Update a counter for matching packets
  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • destination-prefix-except: Specify destination-prefix exception(TODO:cmas Fill in more).
  • dscp-except: Do not match the DSCP number.
  • dscp-match: Match a DSCP number.
  • dscp-set: Match a DSCP set.
  • ether-type: Match EtherType field.
  • filter-term: Include another filter
  • flexible-match-range: Filter based on flexible match options.
  • forwarding-class: Specify the forwarding class to match.
  • forwarding-class-except: Do not match the specified forwarding classes.
  • fragment-offset: specify a fragment offset of a fragmented packet
  • hop-limit: Match the hop limit to the specified hop limit or set of hop limits.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • loss-priority: Specify loss priority.
  • next-ip: Used in filter based forwarding.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • policer: specify which policer to apply to matching packets.
  • port: Matches on source or destination ports. Takes a service token.
  • port-mirror: Sends copies of the packets to a remote port, boolean value is used to render this config.
  • precedence: specify precedence of range 0-7. May be a single integer, or a space separated list.
  • protocol-except: allow all protocol "except" specified.
  • qos: apply quality of service classification to matching packets (e.g. qos:: af4)
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • source-prefix-except: specify source-prefix exception(TODO:cmas Fill in more).
  • traffic-class-count:
  • traffic-type: specify traffic-type
  • ttl: Matches on TTL.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • .*: wat
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024-65535 for udp if destination port is not defined.
  • first-fragment: Only match on first fragment of a fragmented packet.
  • sample: Samples traffic for netflow.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.

IPv6 Protocol Match

For Juniper EVO, the direction of the filter on an interface and the interface type determine the syntax to use: either next-header or payload-protocol. The syntax usage is summarized below for the extension headers as well as the payload header.

  • Ingress (Physical): next-header hop-by-hop | next-header fragment | next-header routing | payload-protocol tcp|udp|ah|esp|icmpv6
  • Ingress (Loopback): payload-protocol 0 | payload-protocol 44 | payload-protocol 43 | payload-protocol tcp|udp|ah|esp|icmpv6
  • Egress (Physical): payload-protocol 0 | payload-protocol 44 | payload-protocol 43 | payload-protocol tcp|udp|ah|esp|icmpv6
  • Egress (Loopback): payload-protocol 0 | payload-protocol 44 | payload-protocol 43 | payload-protocol tcp|udp|ah|esp|icmpv6

Juniper MSMPC

Header Format

The Juniper MSMPC header designation has the following format:

targets:
    msmpc: [filter name] {inet|inet6|mixed} {noverbose} {ingress|egress} [no-apply-groups]
  • filter name: defines the name of the Juniper msmpc filter.
  • inet6: specifies the output be for IPv6 only filters.
  • mixed: specifies the output be for IPv4 and IPv6 filters. This is the default format.
  • noverbose: omit additional term and address comments. (optional)
  • ingress: filter will be applied in the input direction.
  • egress: filter will be applied in the output direction.
  • no-apply-groups: generate configuration without apply-groups (optional)

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses.

When neither ingress nor egress is specified, the filter will be applied in both (input-output) directions. This is the default.

Term Format

TBD

Sub Tokens

Actions

  • accept
  • deny
  • reject

JuniperSRX

Header Format

targets:
    srx: from-zone [zone name] to-zone [zone name] {inet}
  • from-zone: static keyword, followed by user specified zone
  • to-zone: static keyword, followed by user specified zone
  • inet: Address family (only IPv4 tested at this time)

NOTE: For generating global policies use from-zone all to-zone all {inet}.

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • destination-zone: one or more destination zones tokens. Only supported by global policy
  • dscp-except: Do not match the DSCP number.
  • dscp-match: Match a DSCP number.
  • dscp-set: Match a DSCP set.
  • logging: Specify that these packets should be logged.
    • Based on the input value the resulting logging actions will follow this logic:
      • action is 'accept':
        • logging is 'true': resulting SRX output will be 'log { session-close; }'
        • logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
      • action is 'deny':
        • logging is 'true': resulting SRX output will be 'log { session-init; }'
        • logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
      • See here for explanation.
  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-zone: one or more source zones tokens. Only supported by global policy
  • timeout: specify application timeout. (default 60)
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
  • vpn: Encapsulate outgoing IP packets and decapsulate incoming IP packets.

Sub Tokens

Actions

  • accept
  • count
  • deny
  • dscp
  • log
  • reject

K8s

Header Format

The K8s header designation has the following format:

targets:
    k8s: [direction]
  • direction: defines the direction, valid inputs are INGRESS and EGRESS (default:INGRESS)

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • owner: Owner of the term, used for organizational purposes.
  • source-exclude: exclude one or more address tokens from the specified source-address.

Sub Tokens

Actions

  • accept
  • deny: Only permitted for a default deny

Nftables

Header Format

The NFTables header designation has the following format:

targets:
    newnftables: [nf_address_family] [nf_hook] {default_policy_override} {int: base chain priority} {noverbose}

All fields are required unless they are marked optional.

  • nf_address_family: defines the IP address family for the policies. (inet, inet6, mixed)
  • nf_hook: defines the traffic direction and the nftables hook for the rules. (input, output)
  • default_policy_override: OPTIONAL defines the default action (ACCEPT, DROP) for non-matching packets. Default behavior is DROP.
  • priority: OPTIONAL By default, this generator creates base chains with a starting priority of 0. Defining an integer value will override this behavior.
  • noverbose: OPTIONAL Disable header and term comments in final ACL output. Default behavior is verbose.

Important: stateful firewall only

This NFTables ACL generator generates stateful policies via conntrack. Each NFTables base chain will accept valid return packets via (ct state established,related accept).

When a non-deny term is processed for ACL generation, ct state new is added to the resulting policy to ensure that only packets opening a valid new connection are accepted for that term. This means invalid state packets are dropped by default.

A consequence of this design is that terms with the options 'established' or 'tcp-established' will not be rendered in the final NFT configuration, since conntrack already handles that traffic in the base chain.
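A hand-written nftables ruleset, added here to illustrate the stateful layout described above; it is not output of the generator, and the table name, chain names, term names and sample addresses are made up:

```nft
# Constructed illustration of the stateful layout described above.
# Not generator output: table/chain/term names and addresses are assumptions.
table inet filtering_policies {
    # Base chain on the input hook, priority 0, default policy DROP
    # (the DROP default corresponds to no default_policy_override in the header).
    chain root0 {
        type filter hook input priority 0; policy drop;

        # Return traffic for connections conntrack already knows is accepted
        # before any term is evaluated. Packets conntrack cannot classify
        # (state invalid) match no term and fall through to the chain policy.
        ct state established,related accept

        # Each term is kept in its own regular chain and reached with a jump.
        jump allow-ssh-from-mgmt
        jump deny-all
    }

    # A non-deny term: 'ct state new' is added, so only packets that open a
    # new connection can match. This is also why a term that only carries the
    # 'established' or 'tcp-established' option has nothing left to render.
    chain allow-ssh-from-mgmt {
        ip saddr 192.0.2.0/24 tcp dport 22 ct state new counter accept
    }

    # A deny term: no 'ct state new' is added; it drops whatever reaches it.
    chain deny-all {
        counter drop
    }
}
```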

Reporting bugs

When reporting bugs about this generator ensure to include:

  1. Example policy (.pol file)
  2. Observed output (.nft file)
  3. Expected (correct) output in Nftables syntax (.nft syntax)

Term Format

  • for common keys see the common section above.

  • logging: NFTables system logging (host-based).

  • counter: NFTables counter for specific term.

Sub-tokens

Actions

  • accept
  • drop

Logging

  • disable: no packets will be logged to syslog.

All of the below values are accepted, but outcome is exactly the same.

  • true
  • syslog
  • local

Counter

Any string sub-token in counter is accepted. Note that this generator does not implement NFTables named counters. This is primarily due to the original design decision to keep each term in its own chain: named counters would only make the .nft configuration file longer without any additional benefit, with the possible exception of being able to use a single counter name for multiple terms.

ICMP Types

This generator normalizes certain aerleon policy.py string types to NFTables semantically correct values. The below tables summarize the supported ICMP type codes, the policy.py parent class definition and the NFtables specific value for the same type.

IPv4

| ICMPv4 type code | Aerleon (policy.py)  | NFtables manual         |
|------------------|----------------------|-------------------------|
| 0                | echo-reply           | echo-reply              |
| 3                | unreachable          | destination-unreachable |
| 4                | source-quench        | source-quench           |
| 5                | redirect             | redirect                |
| 6                | alternate-address    |                         |
| 8                | echo-request         | echo-request            |
| 9                | router-advertisement | router-advertisement    |
| 10               | router-solicitation  | router-solicitation     |
| 11               | time-exceeded        | time-exceeded           |
| 12               | parameter-problem    | parameter-problem       |
| 13               | timestamp-request    | timestamp-request       |
| 14               | timestamp-reply      | timestamp-reply         |
| 15               | information-request  | info-request            |
| 16               | information-reply    | info-reply              |
| 17               | mask-request         | address-mask-request    |
| 18               | mask-reply           | address-mask-reply      |
| 31               | conversion-error     |                         |
| 32               | mobile-redirect      |                         |

IPv6

| ICMPv6 type code | Aerleon (policy.py)                      | NFtables manual                             |
|------------------|------------------------------------------|---------------------------------------------|
| 1                | destination-unreachable                  | destination-unreachable                     |
| 2                | packet-too-big                           | packet-too-big                              |
| 3                | time-exceeded                            | time-exceeded                               |
| 4                | parameter-problem                        | parameter-problem                           |
| 128              | echo-request                             | echo-request                                |
| 129              | echo-reply                               | echo-reply                                  |
| 130              | multicast-listener-query                 | mld-listener-query                          |
| 131              | multicast-listener-report                | mld-listener-report                         |
| 132              | multicast-listener-done                  | mld-listener-done OR mld-listener-reduction |
| 133              | router-solicit                           | nd-router-solicit                           |
| 134              | router-advertisement                     | nd-router-advert                            |
| 135              | neighbor-solicit                         | nd-neighbor-solicit                         |
| 136              | neighbor-advertisement                   | nd-neighbor-advert                          |
| 137              | redirect-message                         | nd-redirect                                 |
| 138              | router-renumbering                       | router-renumbering                          |
| 139              | icmp-node-information-query              |                                             |
| 140              | icmp-node-information-response           |                                             |
| 141              | inverse-neighbor-discovery-solicitation  | ind-neighbor-solicit                        |
| 142              | inverse-neighbor-discovery-advertisement | ind-neighbor-advert                         |
| 143              | version-2-multicast-listener-report      | mld2-listener-report                        |
| 144              | home-agent-address-discovery-request     |                                             |
| 145              | home-agent-address-discovery-reply       |                                             |
| 146              | mobile-prefix-solicitation               |                                             |
| 147              | mobile-prefix-advertisement              |                                             |
| 148              | certification-path-solicitation          |                                             |
| 149              | certification-path-advertisement         |                                             |
| 151              | multicast-router-advertisement           |                                             |
| 152              | multicast-router-solicitation            |                                             |
| 153              | multicast-router-termination             |                                             |

source: https://www.netfilter.org/projects/nftables/manpage.html

Option

  • tcp-established and established will cause the term to not be rendered in the final NFT configuration. See 'Important' section above.

NSXv

Header Format

The nsx header designation has the following format:

targets:
    nsxv: {section_name} {inet|inet6|mixed} section-id securitygroup securitygroupId
  • section_name: specifies the name of the section all terms in this header apply to.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses.
  • section-id: specifies the id for the section (optional)
  • securitygroup: specifies that the appliedTo should be security group (optional)
  • securitygroupId: specifies the Id of the security group (mandatory if securitygroup is given)

(Required keywords option and verbatim are not supported in NSX)

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • logging: Specify that this packet should be logged via syslog.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • reject
  • reject-with-tcp-rst

NSXT

The nsx header designation has the following format:

    target:: nsxt {section_name} {inet|inet6|mixed} section-id securitygroup securitygroupId
  • section_name: specifies the name of the section all terms in this header apply to.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses.
  • sectionId: specifies the Id for the section [optional]
  • securitygroup: specifies that the appliedTo should be security group [optional]
  • securitygroupId: specifies the Id of the security group [mandatory if securitygroup is given]

(Required keywords option and verbatim are not supported in NSX)

Nsxt

The nsxt header designation has the following format:

targets:
    nsxt: {section_name} {inet|inet6|mixed} section-id securitygroup securitygroupId
  • section_name: specifies the name of the dfw rule all terms in this header apply to. [mandatory field]
  • inet: specifies the output should be for IPv4 only filters. This is the default format.
  • inet6: specifies the output be for IPv6 only filters.
  • mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses.
  • sectionId: specifies the Id for the section [optional]
  • securitygroup: specifies that the appliedTo should be security group [optional]
  • securitygroupId: specifies the Id of the security group [mandatory if securitygroup is given]

(Required keywords option and verbatim are not supported in NSX)

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address:: One or more destination address tokens
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address
  • destination-port:: One or more service definition tokens
  • expiration:: stop rendering this term after specified date. YYYY-MM-DD
  • icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See platforms supported Options section.
  • platform:: one or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-port:: one or more service definition tokens.
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • reject
  • reject-with-tcp-rst

PacketFilter

Header Format

targets:
    packetfilter: filter-name {inet|inet6|mixed} {in|out} {nostate}
  • filter-name: a short, descriptive policy identifier
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses (default).
  • in: match incoming packets (default: both directions).
  • out: match outgoing packets (default: both directions).
  • nostate: do not keep state on connections (default: keep state).

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • destination-interface: Specify the destination interface. Implicitly changes the term direction to out for this term. Mutually exclusive with source-interface:.
  • source-interface: Specify the source interface. Implicitly changes the term direction to in for this term. Mutually exclusive with destination-interface:.
  • logging: Specify that this packet should be logged via syslog.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
  • fin: Match on FIN flag being present.
  • is-fragment: Matches on if a packet is a fragment.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • urg: Match on URG flag being present.

PaloAltoFW

Header Format

The paloalto header designation has the following format:

targets:
    paloalto: from-zone [zone name] to-zone [zone name] [address family] [address objects]
  • from-zone: static keyword, followed by the source zone
  • to-zone: static keyword, followed by the destination zone
  • address family: specifies the address family for the resulting filter
    • inet: the filter should only render IPv4 addresses (default)
    • inet6: the filter should only render IPv6 addresses
    • mixed: the filter should render IPv4 and IPv6 addresses
  • address objects: specifies whether custom address objects or network/mask definitions are used in security policy source and destination fields
    • addr-obj: specifies address groups are used in the security policy source and destination fields (default)
    • no-addr-obj: specifies network/mask definitions are used in the security policy source and destination fields
  • unique-term-prefixes: specifies whether each term name should be generated with unique prefixes. The unique prefix is a hexdigest of from_zone and to_zone fields.

Term Format

  • for common keys see the common section above.

  • logging: Specify that this packet should be logged via syslog.

  • owner: Owner of the term, used for organizational purposes.
  • timeout: specify application timeout. (default 60)

Sub Tokens

Actions

  • accept
  • count
  • deny
  • log
  • reject

Terms Section

Optionally Supported Keywords

  • pan-application:: paloalto target only. Specify applications for the security policy which can be predefined applications (https://applipedia.paloaltonetworks.com/) and custom application objects.

    • Security Policy Service Setting

      • When no protocol is specified in the term, the service will be application-default.
      • When protocol is tcp or udp, and no source-port or destination-port is specified, the service will be custom service objects for the protocols and all ports (0-65535).
      • When protocol is tcp or udp, and a source-port or destination-port is specified, the service will be custom service objects for the protocols and ports.
      • pan-application can only be used when no protocol is specified in the term, or the protocols tcp and udp.

PcapFilter

Header Format

FILL ME IN

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • source-exclude: exclude one or more address tokens from the specified source-address.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
  • fin: Match on FIN flag being present.
  • is-fragment: Matches on if a packet is a fragment.
  • none: Matches none.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • urg: Match on URG flag being present.

Speedway

NOTE: Speedway produces Iptables filtering output that is suitable for passing to the 'iptables-restore' command.

Header Format

The Speedway header designation has the following format:

targets:
    speedway: [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}
  • INPUT: apply the terms to the input filter.
  • OUTPUT: apply the terms to the output filter.
  • FORWARD: apply the terms to the forwarding filter.
  • custom: create the terms under a custom filter name, which must then be linked/jumped to from one of the default filters (e.g. iptables -A input -j custom)
  • ACCEPT: specifies that the default policy on the filter should be 'accept'.
  • DROP: specifies that the default policy on the filter should be to 'drop'.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.
  • truncatenames: specifies to abbreviate term names if necessary (see lib/iptables.py: CheckTermLength for abbreviation table)
  • nostate: specifies to produce 'stateless' filter output (e.g. no connection tracking)

Term Format

  • for common keys see the common section above.

  • counter: Update a counter for matching packets

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-interface: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • fragment-offset: specify a fragment offset of a fragmented packet
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-interface: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
  • fin: Match on FIN flag being present.
  • first-fragment: Only match on first fragment of a fragmented packet.
  • initial: Only matches on initial packet.
  • is-fragment: Matches on if a packet is a fragment.
  • none: Matches none.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • sample: Samples traffic for netflow.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.
  • urg: Match on URG flag being present.

SRXlo

SRX Loopback is a stateless Juniper ACL with minor changes. Please see code for changes.

Header Format

The Juniper header designation has the following format:

targets:
    srxlo: [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific}
  • filter name: defines the name of the Juniper filter.
  • inet: specifies the output should be for IPv4 only filters. This is the default format.
  • inet6: specifies the output be for IPv6 only filters.
  • bridge: specifies the output should render a Juniper bridge filter.
  • dsmo: Enable discontinuous subnet mask summarization.
  • not-interface-specific: Toggles "interface-specific" inside of a term.
  • direction: The direction of the filter on an interface (optional). Use when a term needs this signal.
  • interface: The type of interface on which the filter will be applied (optional). Use when a term needs this signal.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses. The default format is inet4, and is implied if no other argument is given.

Term Format

  • for common keys see the common section above.

  • address: One or more network address tokens, matches source or destination.

  • counter: Update a counter for matching packets
  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • destination-prefix-except: Specify destination-prefix exception (TODO:cmas Fill in more).
  • dscp-except: Do not match the DSCP number.
  • dscp-match: Match a DSCP number.
  • dscp-set: Match a DSCP set.
  • ether-type: Match EtherType field.
  • forwarding-class: Specify the forwarding class to match.
  • forwarding-class-except: Do not match the specified forwarding classes.
  • fragment-offset: specify a fragment offset of a fragmented packet
  • hop-limit: Match the hop limit to the specified hop limit or set of hop limits.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • loss-priority: Specify loss priority.
  • next-ip: Used in filter based forwarding.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • policer: specify which policer to apply to matching packets.
  • port: Matches on source or destination ports. Takes a service token.
  • precedence: specify precedence of range 0-7. May be a single integer, or a space separated list.
  • protocol-except: allow all protocol "except" specified.
  • qos: apply quality of service classification to matching packets (e.g. qos:: af4)
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • source-prefix-except: specify source-prefix exception (TODO:cmas Fill in more).
  • traffic-class-count:
  • traffic-type: specify traffic-type
  • ttl: Matches on TTL.
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • .*: wat
  • established: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
  • first-fragment: Only match on first fragment of a fragmented packet.
  • sample: Samples traffic for netflow.
  • tcp-established: Only match established tcp connections, based on stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.

Windows Advanced Firewall

Header Format

The Windows Advanced Firewall header designation has the following format:

targets:
    windows_advfirewall: {out|in} {inet|inet6|mixed}
  • out: Specifies that the direction of packet flow is out. (default)
  • in: Specifies that the direction of packet flow is in.
  • inet: specifies that the resulting filter should only render IPv4 addresses.
  • inet6: specifies that the resulting filter should only render IPv6 addresses.

Term Format

  • for common keys see the common section above.

  • destination-exclude: Exclude one or more address tokens from the specified destination-address

  • source-exclude: exclude one or more address tokens from the specified source-address.

Sub Tokens

Actions

  • accept
  • deny

WindowsIPSec

Header Format

The Windows IPSec header designation has the following format:

targets:
    windows_ipsec: [filter_name]
  • filter name: defines the name of the Windows IPSec filter.

Term Format

  • for common keys see the common section above.
  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • source-exclude: exclude one or more address tokens from the specified source-address.

Sub Tokens

Actions

  • accept
  • deny

ICMP Types

IPv4

  • echo-reply
  • unreachable
  • source-quench
  • redirect
  • alternate-address
  • echo-request
  • router-advertisement
  • router-solicitation
  • time-exceeded
  • parameter-problem
  • timestamp-request
  • timestamp-reply
  • information-request
  • information-reply
  • mask-request
  • mask-reply
  • conversion-error
  • mobile-redirect

IPv6

  • destination-unreachable
  • packet-too-big
  • time-exceeded
  • parameter-problem
  • echo-request
  • echo-reply
  • multicast-listener-query
  • multicast-listener-report
  • multicast-listener-done
  • router-solicit
  • router-advertisement
  • neighbor-solicit
  • neighbor-advertisement
  • redirect-message
  • router-renumbering
  • icmp-node-information-query
  • icmp-node-information-response
  • inverse-neighbor-discovery-solicitation
  • inverse-neighbor-discovery-advertisement
  • version-2-multicast-listener-report
  • home-agent-address-discovery-request
  • home-agent-address-discovery-reply
  • mobile-prefix-solicitation
  • mobile-prefix-advertisement
  • certification-path-solicitation
  • certification-path-advertisement
  • multicast-router-advertisement
  • multicast-router-solicitation
  • multicast-router-termination