[92] Nas-Filter-Rule and [26.6527.158] Alc-Nas-Filter-Rule-Shared
The format for [92] Nas-Filter-Rule and [26.6527.158] Alc-Nas-Filter-Rule-Shared is a string formatted as: action direction protocol from source to destination options. Table: [92] Nas-Filter-Rule attribute format provides details on the respective fields.
| Action or classifier | Value | Corresponding SR OS filter function | |
|---|---|---|---|
|
action |
deny |
action drop |
|
|
permit |
action forward |
||
|
direction |
in |
ingress |
|
|
out |
egress |
||
|
protocol |
ip |
protocol none |
|
|
any number [0 to 255] |
protocol [0 to 255] |
||
|
ip |
next-header none |
||
|
any number [1 to 42] |
next-header [1 to 42] |
||
|
any number [45 to 49] |
next-header [45 to 49] |
||
|
any number [52 to 59] |
next-header [52 to 59] |
||
|
any number [61 to 255] |
next-header [61 to 255] |
||
|
any number 43|44|50|51|60 |
not supported |
||
|
from source |
any |
100 |
ingress: src-ip = host-ip-address; src-port eq 100 egress: src-ip = 0.0.0.0/0 | ::/0; src-port eq 100 |
|
200 to 65535 |
ingress: src-ip = host-ip-address; src-port range 200 65535 egress: src-ip = 0.0.0.0/0 | ::/0; src-port range 200 65535 |
||
|
ip-prefix/length |
100 |
ingress: src-ip = host-ip-address; src-port eq 100 egress: src-ip = ip-prefix/length; src-port eq 100 |
|
|
200 to 65535 |
ingress: src-ip = host-ip-address; src-port range 200 65535 egress: src-ip = ip-prefix/length; src-port range 200 65535 |
||
|
to destination |
any |
100 |
ingress: dst-ip = 0.0.0.0/0 | ::/0; dst-port eq 100 egress: dst-ip = host-ip-address; dst-port eq 100 |
|
200 to 65535 |
ingress: dst-ip = 0.0.0.0/0 | ::/0; dst-port range 200 65535 egress: dst-ip = host-ip-address; dst-port range 200 65535 |
||
|
ip-prefix/length |
100 |
ingress: dst-ip = ip-prefix/length; dst-port eq 100 egress: dst-ip = host-ip-address; dst-port eq 100 |
|
|
200 to 65535 |
ingress: dst-ip = ip-prefix/length; dst-port range 200 65535 egress: dst-ip = host-ip-address; dst-port range 200 65535 |
||
|
options: frag |
frag |
fragment true (IPv4 only) |
|
|
options: ipoptions |
ssrr |
ip-option 9 / ip-mask 255 |
|
|
lsrr |
ip-option 3/ ip-mask 255 |
||
|
rr |
ip-option 7/ ip-mask 255 |
||
|
ts |
ip-option 4/ ip-mask 255 |
||
|
!ssrr |
— |
||
|
!lsrr |
— |
||
|
!rr |
— |
||
|
!ts |
— |
||
|
ssrr,lsrr,rr,ts |
— |
||
|
options: tcpoptions |
mss |
— |
|
|
window |
— |
||
|
sack |
— |
||
|
ts |
— |
||
|
!mss |
— |
||
|
!window |
— |
||
|
!sack |
— |
||
|
!ts |
— |
||
|
mss,window,sack,ts |
— |
||
|
options: established |
established |
— |
|
|
— |
|||
|
— |
|||
|
options: setup |
setup |
tcp-syn true |
|
|
tcp-ack false |
|||
|
protocol tcp |
|||
|
options: tcpflags |
syn |
tcp-syn true |
|
|
!syn |
tcp-syn false |
||
|
ack |
tcp-ack true |
||
|
!ack |
tcp-ack false |
||
|
fin |
— |
||
|
rst |
— |
||
|
psh |
— |
||
|
urg |
— |
||
|
options: icmptypesv4 |
echo reply |
protocol 1 / icmp-type 0 |
|
|
destination unreachable |
protocol 1 / icmp-type 3 |
||
|
source quench |
protocol 1 / icmp-type 4 |
||
|
redirect |
protocol 1 / icmp-type 5 |
||
|
echo request |
protocol 1 / icmp-type 8 |
||
|
router advertisement |
protocol 1 / icmp-type 9 |
||
|
router solicitation |
protocol 1 / icmp-type 10 |
||
|
time-to-live exceeded |
protocol 1 / icmp-type 11 |
||
|
IP header bad |
protocol 1 / icmp-type 12 |
||
|
timestamp request |
protocol 1 / icmp-type 13 |
||
|
timestamp reply |
protocol 1 / icmp-type 14 |
||
|
information request |
protocol 1 / icmp-type 15 |
||
|
information reply |
protocol 1 / icmp-type 16 |
||
|
address mask request |
protocol 1 / icmp-type 17 |
||
|
address mask reply |
protocol 1 / icmp-type 18 |
||
|
— |
protocol 1 / icmp-type [0 to 255] |
||
|
3-9 (range) |
— |
||
|
3,5,8,9 (comma separated) |
— |
||
|
options: icmptypesv6 |
destination unreachable |
icmp-type 1 |
|
|
time-to-live exceeded |
icmp-type 3 |
||
|
IP header bad |
icmp-type 4 |
||
|
echo request |
icmp-type 128 |
||
|
echo reply |
icmp-type129 |
||
|
router solicitation |
icmp-type 133 |
||
|
router advertisement |
icmp-type 134 |
||
|
redirect |
icmp-type 137 |
||
[26.529.242] Ascend-Data-Filter and [26.6527.159] Alc-Ascend-Data-Filter-Host-Spec
The format for [26.529.242] Ascend-Data-Filter and [26.6527.159] Alc-Ascend-Data-Filter-Host-Spec is an octet string with fixed length fields. Table: [26.529.242] Ascend-Data-Filter attribute format displays details on the respective fields.
| Field | Length | Value |
|---|---|---|
|
Type |
1 byte |
1 = IPv4 |
|
3 = IPv6 |
||
|
Filter or forward |
1 byte |
0 = drop |
|
1 = accept |
||
|
Indirection |
1 byte |
0 = egress |
|
1 = ingress |
||
|
Spare |
1 byte |
ignored |
|
Source IP address |
IPv4 = 4 bytes |
IP address of the source interface |
|
IPv6 = 16 bytes |
||
|
Destination IP address |
IPv4 = 4 bytes |
IP address of the destination interface |
|
IPv6 = 16 bytes |
||
|
Source IP prefix |
1 byte |
Number of bits in the network portion |
|
Destination IP prefix |
1 byte |
Number of bits in the network portion |
|
Protocol |
1 byte |
Protocol number. Note - Match the inner most header only for IPv6. |
|
Established |
1 byte |
ignored (not implemented) |
|
Source port |
2 bytes |
Port number of the source port |
|
Destination port |
2 bytes |
Port number of the destination port |
|
Source port qualifier |
1 byte |
0 = no compare |
|
1 = less than |
||
|
2 = equal to |
||
|
3 = greater than |
||
|
4 = not equal to (not supported) |
||
|
Destination port qualifier |
1 byte |
0 = no compare |
|
1 = less than |
||
|
2 = equal to |
||
|
3 = greater than |
||
|
4 = not equal to (not supported) |
||
|
Reserved |
2 bytes |
ignored |