This section describes the IPv4 and IPv6 match criteria supported by SR OS. The criteria are evaluated against the outer IPv4 or IPv6 header and a Layer 4 header that follows (if applicable). Support for match criteria may depend on hardware or filter direction. Nokia recommends not configuring a filter in a direction or on hardware where a match criterion is not supported because this may lead to unwanted behavior. Some match criteria may be grouped in match lists and may be auto-generated based on the router configuration; see Filter policy advanced topics for more information.
IPv4 and IPv6 filter policies support three different filter types (normal, src-mac, and packet-length), each supporting a different set of match criteria.
The match criteria available using the normal filter type are defined in this section. Layer 3 match criteria include:
dscp
Match the specified DSCP value against the Differentiated Services Code Point/Traffic Class field in the IPv4 or IPv6 packet header.
src-ip, dst-ip, or ip
Match the specified source or destination IPv4 or IPv6 address prefix against the IP address field in the IPv4 or IPv6 packet header. The operator can optionally configure a mask to be used in a match. The ip command can be used to configure a single filter-policy entry that provides non-directional matching of either the source or destination (logical OR).
flow-label
Match the specified flow label against the Flow label field in IPv6 packets. The operator can optionally configure a mask to be used in a match. This operation is supported on ingress filters.
protocol
Match the specified protocol (for example, TCP, UDP, or IGMP) against the Protocol field of the outer IPv4 packet header. "*" can be used to match either TCP or UDP as the upper-layer protocol (logical OR).
next-header
Match the specified upper-layer protocol (such as TCP, UDP, or ICMPv6) against the Next Header field of the IPv6 packet header. "*" can be used to match either TCP or UDP as the upper-layer protocol (logical OR). When config>system>ip>ipv6-eh max is configured, the next-header value is the Next Header field of the last extension header in the chain; up to six extension headers are walked. When config>system>ip>ipv6-eh limited is configured, the next-header value is the Next Header field of the IPv6 header itself, so a packet whose upper-layer protocol sits behind an extension header is seen as that extension header type, not as TCP, UDP, or ICMPv6.
Fragmentation match criteria: fragment
Match for the presence of a fragmented packet. For IPv4, the MF bit and the Fragment Offset field are used to determine whether the packet is a fragment. For IPv6, the Next Header fields are examined for the Fragment Extension Header value; up to six extension headers are walked to find the Fragment Extension Header.
IPv4 and IPv6 filters also support matching only the initial fragment (first-only) or only non-initial fragments (non-first-only).
IPv4 match fragment true or false criteria are supported on both ingress and egress.
IPv4 match fragment first-only or non-first-only are supported on ingress only.
Operational note for fragmented traffic
IP and IPv6 filter entries that match TCP, UDP, ICMP, or SCTP criteria (such as src-port, dst-port, port, tcp-ack, tcp-syn, icmp-type, and icmp-code) with a value of zero or false also match non-initial fragment packets, provided the other match criteria in the same filter entry are met. Non-initial fragments do not carry a UDP, TCP, ICMP, or SCTP header, so there is no field to compare against and a zero or false criterion matches by default, while a non-zero port or a true flag never matches such a fragment. An entry that is meant to apply only to packets carrying a complete Layer 4 header should therefore also specify fragment false, or be preceded by an explicit entry for fragment true.
IPv4 options match criteria:
ip-option
Matches the specified option value in the first option of the IPv4 packet. The operator can optionally configure a mask to be used in a match.
option-present
Matches the presence of IP options in the IPv4 packet. Padding and EOOL are also considered as IP options. Up to six IP options are matched against.
multiple-option
Matches the presence of multiple IP options in the IPv4 packet.
src-route-option
Matches the presence of IP Option 3 or 9 (Loose or Strict Source Route) in the first three IP options of the IPv4 packet. A packet also matches this rule if the packet has more than three IP options.
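The following is an added worked example, not SR OS code, that models how the fragment criteria, the operational note on fragmented traffic, and the IPv4 option criteria above are evaluated. Filter entries are plain Python dicts, packets are constructed inline (addresses from the documentation range), and the names ipv4_packet, parse_ipv4, parse_l4, and entry_matches are the example's own. The model encodes the page's rules: a fragment is any packet with MF set or a non-zero offset, first-only and non-first-only select the initial and non-initial fragments, up to six IPv4 options are examined with EOOL counted as an option, src-route-option is option number 3 or 9 within the first three options or more than three options, and a Layer 4 criterion on a non-initial fragment is compared against zero/false because no transport header is present.

```python
import ipaddress
import struct

# Constructed model of fragment, IPv4 option and Layer 4 criterion evaluation.
# Not SR OS code: entries are dicts, packets are built inline for the example.
TCP, UDP = 6, 17
MF = 0x2000                                         # More Fragments bit in the flags/offset field
SRC = ipaddress.IPv4Address("192.0.2.1").packed     # documentation addresses, constructed
DST = ipaddress.IPv4Address("192.0.2.2").packed
L4_DEFAULTS = {"src_port": 0, "dst_port": 0, "tcp_syn": False, "tcp_ack": False}


def ipv4_packet(proto, flags_frag, payload, options=b""):
    """Minimal IPv4 packet; options must be padded to a 4-byte multiple. Checksum left 0."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options) + len(payload),
                      0x1234, flags_frag, 64, proto, 0, SRC, DST)
    return hdr + options + payload


def ipv4_option_numbers(opts):
    """Option numbers (copied/class bits masked off) of up to six options; EOOL and NOP count."""
    nums, i = [], 0
    while i < len(opts) and len(nums) < 6:
        typ = opts[i]
        nums.append(typ & 0x1F)
        if typ == 0:                                # EOOL ends the option list
            break
        i += 1 if typ == 1 else max(opts[i + 1] if i + 1 < len(opts) else 2, 2)
    return nums


def parse_ipv4(pkt):
    """Header facts that the protocol, fragment and ip-option criteria compare against."""
    ver_ihl, _, _, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    offset, more = flags_frag & 0x1FFF, bool(flags_frag & MF)
    opts = ipv4_option_numbers(pkt[20:ihl])
    return {
        "protocol": proto,
        "fragment": more or offset != 0,            # MF set or non-zero offset
        "first_only": more and offset == 0,         # initial fragment, L4 header present
        "non_first_only": offset != 0,              # non-initial fragment, no L4 header
        "option_present": len(opts) > 0,
        "multiple_option": len(opts) > 1,
        # option 3 or 9 (LSRR/SSRR) within the first three options, or more than three options
        "src_route_option": any(n in (3, 9) for n in opts[:3]) or len(opts) > 3,
        "payload": pkt[ihl:],
    }


def parse_l4(proto, payload):
    """Ports and TCP flags, only meaningful when a transport header is actually present."""
    if proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"src_port": sport, "dst_port": dport}
    if proto == TCP and len(payload) >= 20:
        sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", payload[:14])
        return {"src_port": sport, "dst_port": dport,
                "tcp_syn": bool(flags & 0x02), "tcp_ack": bool(flags & 0x10)}
    return {}


def entry_matches(entry, pkt):
    """True if every criterion in the entry matches the packet."""
    ip = parse_ipv4(pkt)
    for key, wanted in entry.items():               # protocol, fragment and option criteria
        if key not in L4_DEFAULTS and ip[key] != wanted:
            return False
    # A non-initial fragment has no UDP/TCP header, so each Layer 4 criterion is compared
    # against zero/false: a non-zero port or a true flag never matches it, zero/false does.
    l4 = {} if ip["non_first_only"] else parse_l4(ip["protocol"], ip["payload"])
    return all(l4.get(k, d) == entry[k] for k, d in L4_DEFAULTS.items() if k in entry)


# Constructed sample packets.
UDP_HDR = struct.pack("!HHHH", 40000, 53, 20, 0)
TCP_SYN_HDR = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 0x50, 0x02, 65535, 0, 0)
DNS_QUERY = ipv4_packet(UDP, 0, UDP_HDR + b"q" * 12)
DNS_FRAG2 = ipv4_packet(UDP, 185, b"q" * 16)            # offset 185 (x8 bytes), MF clear: last fragment
TCP_SYN = ipv4_packet(TCP, 0x4000, TCP_SYN_HDR)          # DF set, unfragmented
TCP_FRAG2 = ipv4_packet(TCP, MF | 185, b"d" * 16)       # non-initial, more fragments follow
LSRR_PKT = ipv4_packet(UDP, 0, UDP_HDR + b"q" * 12,
                       options=b"\x83\x07\x04" + DST + b"\x00")  # LSRR option, then EOOL

DNS_ENTRY = {"protocol": UDP, "dst_port": 53}
SYN_ENTRY = {"protocol": TCP, "tcp_syn": True, "tcp_ack": False}
NOT_ACK_ENTRY = {"protocol": TCP, "tcp_ack": False}     # intended: TCP that is not established
NOT_ACK_SAFE = {"protocol": TCP, "tcp_ack": False, "fragment": False}
SRC_ROUTE_ENTRY = {"src_route_option": True}
```

Running entry_matches over the sample packets shows the pitfall from the operational note: DNS_ENTRY matches DNS_QUERY but not DNS_FRAG2, SYN_ENTRY matches TCP_SYN but not TCP_FRAG2, yet NOT_ACK_ENTRY (tcp-ack false) matches TCP_FRAG2 because a non-initial fragment has no ACK flag to compare; adding fragment false (NOT_ACK_SAFE) restores the intended behaviour. LSRR_PKT matches SRC_ROUTE_ENTRY because option 3 appears among its first three options.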
IPv6 Extension Header match criteria:
Up to six extension headers are matched against when config>system>ip>ipv6-eh max is configured. When config>system>ip>ipv6-eh limited is configured, the next header value of the IPv6 header is used instead.
ah-ext-header
Matches for the presence of the Authentication Header extension header in the IPv6 packet. This match criterion is supported on ingress only.
esp-ext-header
Matches for the presence of the Encapsulating Security Payload extension header in the IPv6 packet. This match criterion is supported on ingress only.
hop-by-hop-opt
Matches for the presence of hop-by-hop options extension header in the IPv6 packet. This match criterion is supported on ingress only.
routing-type0
Matches for the presence of Routing extension header type 0 in the IPv6 packet. This match criterion is supported on ingress only.
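The following is an added worked example, not SR OS code, that models the IPv6 extension header walk described under next-header, fragment, and the extension header criteria above. Packets are constructed inline (documentation addresses), and inspect_ipv6, ipv6_packet, options_header, fragment_header, and routing_header are the example's own names. The model follows the page: under ipv6-eh max the chain is walked through up to six extension headers and the last Next Header field reached is reported as the upper-layer protocol, while under ipv6-eh limited only the Next Header field of the fixed IPv6 header is used. Two points are assumptions of the example rather than statements from the page: the walk stops at an ESP header because everything after it is encrypted, and once six headers have been examined the walk stops and reports whatever Next Header value it reached.

```python
import ipaddress
import struct

# IANA protocol numbers for the headers the criteria on this page refer to.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP = 6, 17
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
MAX_EXT_HEADERS = 6                                  # the page: up to six extension headers
SRC = ipaddress.IPv6Address("2001:db8::1").packed    # documentation addresses, constructed
DST = ipaddress.IPv6Address("2001:db8::2").packed


def ipv6_packet(next_header, body):
    """Fixed IPv6 header (version 6, hop limit 64) followed by the header chain in body."""
    return struct.pack("!IHBB16s16s", 6 << 28, len(body), next_header, 64, SRC, DST) + body


def options_header(next_header):
    """Hop-by-Hop or Destination Options header of minimum size (one PadN option)."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


def fragment_header(next_header, offset, more):
    """Fragment header: offset in 8-byte units, M flag in the low bit."""
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | more, 0x1234)


def routing_header(next_header, routing_type):
    """Routing header carrying one address (Hdr Ext Len 2, 24 bytes)."""
    return struct.pack("!BBBBI", next_header, 2, routing_type, 1, 0) + DST


def inspect_ipv6(pkt, eh_mode="max"):
    """Facts the IPv6 criteria are evaluated against, under ipv6-eh 'max' or 'limited'."""
    facts = {"next_header": pkt[6], "ah": False, "esp": False, "hop_by_hop": False,
             "routing_type0": False, "fragment": False, "non_first": False, "ext_headers": 0}
    if eh_mode == "limited":               # only the fixed header's Next Header field is used
        return facts
    nh, off = pkt[6], 40
    while nh in EXT_HEADERS and facts["ext_headers"] < MAX_EXT_HEADERS:
        facts["ext_headers"] += 1
        if nh == ESP:                      # assumption: the payload behind ESP is encrypted,
            facts["esp"] = True            # so the walk stops here and reports ESP
            break
        if nh == AH:
            facts["ah"] = True
        if nh == HOP_BY_HOP:
            facts["hop_by_hop"] = True
        if nh == ROUTING and pkt[off + 2] == 0:
            facts["routing_type0"] = True
        if nh == FRAGMENT:
            facts["fragment"] = True
            facts["non_first"] = (struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3) != 0
        # Header length: Fragment is fixed at 8 bytes; AH counts Hdr Ext Len in 4-byte words
        # (minus 2); the other extension headers count it in 8-byte units (minus 1).
        length = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + length
    # Last Next Header field reached: the upper-layer protocol, or (assumption) the header
    # type beyond the sixth extension header when the walk hit the limit.
    facts["next_header"] = nh
    return facts


# Constructed sample packets.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
UDP_HDR = struct.pack("!HHHH", 40000, 53, 8, 0)
FRAG_FIRST = ipv6_packet(HOP_BY_HOP, options_header(FRAGMENT) + fragment_header(TCP, 0, 1) + TCP_HDR)
FRAG_LATER = ipv6_packet(FRAGMENT, fragment_header(TCP, 185, 0) + b"d" * 16)
RH0_PKT = ipv6_packet(ROUTING, routing_header(UDP, 0) + UDP_HDR)
RH2_PKT = ipv6_packet(ROUTING, routing_header(UDP, 2) + UDP_HDR)
ESP_PKT = ipv6_packet(ESP, b"\x00" * 16)
# Seven Destination Options headers ahead of the Fragment header: the Fragment header sits
# beyond the six-header limit, so a fragment criterion cannot see it.
DEEP_FRAG = ipv6_packet(DEST_OPTS, b"".join(options_header(DEST_OPTS) for _ in range(6))
                        + options_header(FRAGMENT) + fragment_header(TCP, 0, 1) + TCP_HDR)
```

Under max, FRAG_FIRST reports hop-by-hop, a first fragment, and TCP as the next header; under limited the same packet reports next header 0 (Hop-by-Hop) and no fragment, so a next-header tcp entry would not match it. DEEP_FRAG shows why the six-header limit matters for evasion: the fragment criterion reports false even though a Fragment header is present further down the chain.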
Upper-layer protocol match criteria:
icmp-code
Matches the specified value against the Code field of the ICMP/ICMPv6 header of the packet. This match is supported only for entries that also define a protocol/next-header match for "ICMP"/"ICMPv6".
icmp-type
Matches the specified value against the Type field of the ICMP/ICMPv6 header of the packet. This match is supported only for entries that also define a protocol/next-header match for "ICMP"/"ICMPv6".
src-port/dst-port/port
Matches the specified port value, port list, or port range against the Source Port Number/Destination Port Number of the UDP/TCP/SCTP packet header. An option to match either source or destination (logical OR) using a single filter policy entry is supported by using the directionless "port" command. Source/destination port match is supported only for entries that also define a protocol/next-header match for "TCP", "UDP", "SCTP", or "TCP or UDP". A non-initial fragment never matches an entry with non-zero port criteria specified. Match on SCTP src-port, dst-port, or port is supported on ingress filter policies.
tcp-ack/tcp-cwr/tcp-ece/tcp-fin/tcp-ns/tcp-psh/tcp-rst/tcp-syn/tcp-urg
Matches the presence or absence of the TCP flags defined in RFC 793/3168/3540 in the TCP header of the packet. These match criteria also require defining the protocol/next-header match as TCP. tcp-cwr, tcp-ece, tcp-fin, tcp-ns, tcp-psh, tcp-rst, and tcp-urg are supported on FP4-based line cards only. When configured on other line cards, the bit for an unsupported TCP flag is ignored, so an entry that relies on such a flag matches as if that criterion were absent.
Filter-type-specific match criteria:
Additional match criteria for src-mac, packet-length, and destination-class are available using the other filter types. See Filter policy type for more information.