Diffstat (limited to 'docs/configuration/policy')
-rw-r--r--  docs/configuration/policy/examples.rst   |  39
-rw-r--r--  docs/configuration/policy/route-map.rst  | 144
-rw-r--r--  docs/configuration/policy/route.rst      | 435
3 files changed, 284 insertions, 334 deletions
| diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst index e4c4b9da..7c7b9c46 100644 --- a/docs/configuration/policy/examples.rst +++ b/docs/configuration/policy/examples.rst @@ -8,10 +8,10 @@ BGP Example    # Create policy    set policy route-map setmet rule 2 action 'permit' -  set policy route-map setmet rule 2 set as-path-prepend '2 2 2' +  set policy route-map setmet rule 2 set as-path prepend '2 2 2'    # Apply policy to BGP -  set protocols bgp local-as 1 +  set protocols bgp system-as 1    set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast route-map import 'setmet'    set protocols bgp neighbor 203.0.113.2 address-family ipv4-unicast soft-reconfiguration 'inbound' @@ -83,7 +83,7 @@ interface, we use:  .. code-block:: none -  set interfaces ethernet eth1 policy route FILTER-WEB +  set policy route FILTER-WEB interface eth1  ################  Multiple Uplinks @@ -129,8 +129,8 @@ Apply routing policy to **inbound** direction of out VLAN interfaces  .. code-block:: none -  set interfaces ethernet eth0 vif 10 policy route 'PBR' -  set interfaces ethernet eth0 vif 11 policy route 'PBR' +  set policy route 'PBR' interface eth0.10 +  set policy route 'PBR' interface eth0.11  **OPTIONAL:** Exclude Inter-VLAN traffic (between VLAN10 and VLAN11) 
@@ -182,3 +182,32 @@ Add multiple source IP in one rule with same priority    set policy local-route rule 101 source '203.0.113.253'    set policy local-route rule 101 source '198.51.100.0/24' +########################### +Clamp MSS for a specific IP +########################### + +This example shows how to target an MSS clamp (in our example to 1360 bytes)  +to a specific destination IP. + +.. code-block:: none + +  set policy route IP-MSS-CLAMP rule 10 description 'Clamp TCP session MSS to 1360 for 198.51.100.30' +  set policy route IP-MSS-CLAMP rule 10 destination address '198.51.100.30/32' +  set policy route IP-MSS-CLAMP rule 10 protocol 'tcp' +  set policy route IP-MSS-CLAMP rule 10 set tcp-mss '1360' +  set policy route IP-MSS-CLAMP rule 10 tcp flags 'SYN' + +To apply this policy to the correct interface, configure it on the  +interface the inbound local host will send through to reach our  +destined target host (in our example eth1). + +.. code-block:: none + +  set policy route IP-MSS-CLAMP interface eth1 + +You can view that the policy is being correctly (or incorrectly) utilised +with the following command: + +.. code-block:: none + +  show policy route statistics diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 792014bc..cc65d50c 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst 
@@ -69,16 +69,39 @@ Route Map     IP address of route to match, based on prefix-list. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip address +   prefix-len <0-32> + +   IP address of route to match, based on specified prefix-length. +   Note that this can be used for kernel routes only. +   Do not apply to the routes of dynamic routing protocols (e.g. BGP, +   RIP, OSFP), as this can lead to unexpected results.. +  .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop     access-list <1-2699>     IP next-hop of route to match, based on access-list.  .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop +   address <x.x.x.x> + +   IP next-hop of route to match, based on ip address. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop +   prefix-len <0-32> + +   IP next-hop of route to match, based on prefix length. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop     prefix-list <text>     IP next-hop of route to match, based on prefix-list. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ip nexthop +   type <blackhole> + +   IP next-hop of route to match, based on type. +  .. cfgcmd:: set policy route-map <text> rule <1-65535> match ip route-source     access-list <1-2699> @@ -99,6 +122,14 @@ Route Map     IPv6 address of route to match, based on IPv6 prefix-list. +.. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 address +   prefix-len <0-128> + +   IPv6 address of route to match, based on specified prefix-length. +   Note that this can be used for kernel routes only. +   Do not apply to the routes of dynamic routing protocols (e.g. BGP, +   RIP, OSFP), as this can lead to unexpected results.. +  .. cfgcmd:: set policy route-map <text> rule <1-65535> match ipv6 nexthop     <h:h:h:h:h:h:h:h> 
@@ -149,52 +180,82 @@ Route Map     BGP aggregator attribute: AS number or IP address of an aggregation. -.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path-exclude +.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path exclude     <text> -   Remove ASN(s) from a BGP AS-path attribute. For example "456 64500 45001". +   Drop AS-NUMBER from the BGP AS path. -.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path-prepend +.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path prepend     <text> -   Prepend string for a BGP AS-path attribute. For example "64501 64501". +   Prepend the given string of AS numbers to the AS_PATH of the BGP path's NLRI. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set as-path +   prepend-last-as <n> + +   Prepend the existing last AS number (the leftmost ASN) to the AS_PATH.  .. cfgcmd:: set policy route-map <text> rule <1-65535> set atomic-aggregate     BGP atomic aggregate attribute. -.. cfgcmd:: set policy route-map <text> rule <1-65535> set bgp-extcommunity-rt -   <aa:nn> +.. cfgcmd:: set policy route-map <text> rule <1-65535> set community +   <add|replace> <community> -   Set route target value. ExtCommunity in format: asn:value. +   Add or replace BGP community attribute in format ``<0-65535:0-65535>`` +   or from well-known community list -.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list comm-list -   <text> +.. cfgcmd:: set policy route-map <text> rule <1-65535> set community none -   BGP communities with a community-list. +   Delete all BGP communities -.. cfgcmd:: set policy route-map <text> rule <1-65535> set comm-list delete +.. cfgcmd:: set policy route-map <text> rule <1-65535> set community delete +   <text>     Delete BGP communities matching the community-list. -.. cfgcmd:: set policy route-map <text> rule <1-65535> set community -   <aa:bb|local-AS|no-advertise|no-export|internet|additive|none> +.. 
cfgcmd:: set policy route-map <text> rule <1-65535> set large-community +   <add|replace> <GA:LDP1:LDP2> -   Set BGP community attribute. +   Add or replace BGP large-community attribute in format  +   ``<0-4294967295:0-4294967295:0-4294967295>`` -.. cfgcmd:: set policy route-map <text> rule <1-65535> set distance <0-255> +.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community none +    +   Delete all BGP large-communities -   Locally significant administrative distance. +.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community delete +   <text> + +   Delete BGP communities matching the large-community-list. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity bandwidth +   <1-25600|cumulative|num-multipaths> -.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-rt +   Set extcommunity bandwidth + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity bandwidth-non-transitive + +   The link bandwidth extended community is encoded as non-transitive + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity rt     <text> -   Set route target value. +   Set route target value in format ``<0-65535:0-4294967295>`` or ``<IP:0-65535>``. -.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity-soo +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity soo     <text> -   Set site of origin value. +   Set site of origin value in format ``<0-65535:0-4294967295>`` or ``<IP:0-65535>``. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set extcommunity none + +   Clear all BGP extcommunities. + +.. cfgcmd:: set policy route-map <text> rule <1-65535> set distance <0-255> + +   Locally significant administrative distance. +  .. cfgcmd:: set policy route-map <text> rule <1-65535> set ip-next-hop     <x.x.x.x> 
@@ -211,8 +272,8 @@ Route Map     peer-address     Set the BGP nexthop address to the address of the peer. For an incoming -   route-map this means the ip address of our peer is used. For an  -   outgoing route-map this means the ip address of our self is used to  +   route-map this means the ip address of our peer is used. For an +   outgoing route-map this means the ip address of our self is used to     establish the peering with our neighbor.  .. cfgcmd:: set policy route-map <text> rule <1-65535> set ipv6-next-hop @@ -224,21 +285,16 @@ Route Map     peer-address     Set the BGP nexthop address to the address of the peer. For an incoming -   route-map this means the ip address of our peer is used. For an  -   outgoing route-map this means the ip address of our self is used to  +   route-map this means the ip address of our peer is used. For an +   outgoing route-map this means the ip address of our self is used to     establish the peering with our neighbor. -    +  .. cfgcmd:: set policy route-map <text> rule <1-65535> set ipv6-next-hop     prefer-global -    +     For Incoming and Import Route-maps if we receive a v6 global and v6 LL     address for the route, then prefer to use the global address as the     nexthop. -    -.. cfgcmd:: set policy route-map <text> rule <1-65535> set large-community -   <text> - -   Set BGP large community value.  .. cfgcmd:: set policy route-map <text> rule <1-65535> set local-preference     <0-4294967295> 
@@ -283,3 +339,29 @@ Route Map     <0-4294967295>     Set BGP weight attribute + +List of well-known communities +============================== +   * ``local-as`` -                     Well-known communities value NO_EXPORT_SUBCONFED 0xFFFFFF03 +   * ``no-advertise`` -                 Well-known communities value NO_ADVERTISE 0xFFFFFF02 +   * ``no-export`` -                    Well-known communities value NO_EXPORT 0xFFFFFF01 +   * ``internet`` -                     Well-known communities value 0 +   * ``graceful-shutdown`` -            Well-known communities value GRACEFUL_SHUTDOWN 0xFFFF0000 +   * ``accept-own`` -                   Well-known communities value ACCEPT_OWN 0xFFFF0001 +   * ``route-filter-translated-v4`` -   Well-known communities value ROUTE_FILTER_TRANSLATED_v4 0xFFFF0002 +   * ``route-filter-v4`` -              Well-known communities value ROUTE_FILTER_v4 0xFFFF0003 +   * ``route-filter-translated-v6`` -   Well-known communities value ROUTE_FILTER_TRANSLATED_v6 0xFFFF0004 +   * ``route-filter-v6`` -              Well-known communities value ROUTE_FILTER_v6 0xFFFF0005 +   * ``llgr-stale`` -                   Well-known communities value LLGR_STALE 0xFFFF0006 +   * ``no-llgr`` -                      Well-known communities value NO_LLGR 0xFFFF0007 +   * ``accept-own-nexthop`` -           Well-known communities value accept-own-nexthop 0xFFFF0008 +   * ``blackhole`` -                    Well-known communities value BLACKHOLE 0xFFFF029A +   * ``no-peer`` -                      Well-known communities value NOPEER 0xFFFFFF04 + + + + + + + + diff --git a/docs/configuration/policy/route.rst b/docs/configuration/policy/route.rst index 0aa43232..a6330c57 100644 --- a/docs/configuration/policy/route.rst +++ b/docs/configuration/policy/route.rst 
@@ -1,43 +1,64 @@ -############ -Route Policy -############ +####################### +Route and Route6 Policy +####################### -Route and IPv6 route policies are defined in this section. This route policies -can then be associated to interfaces. +IPv4 route and IPv6 route policies are defined in this section. These route +policies can then be associated to interfaces. -************* -Configuration -************* +********* +Rule-Sets +********* -Route -===== - -.. cfgcmd:: set policy route <name> - -   This command creates a new route policy, identified by <text>. +A rule-set is a named collection of rules that can be applied to an interface. +Each rule is numbered, has an action to apply if the rule is matched, and the +ability to specify the criteria to match. Data packets go through the rules +from 1 - 999999, at the first match the action of the rule will be executed.  .. cfgcmd:: set policy route <name> description <text> +.. cfgcmd:: set policy route6 <name> description <text> -   Set description for the route policy. +   Provide a rule-set description.  .. cfgcmd:: set policy route <name> enable-default-log +.. cfgcmd:: set policy route6 <name> enable-default-log     Option to log packets hitting default-action.  .. cfgcmd:: set policy route <name> rule <n> description <text> +.. cfgcmd:: set policy route6 <name> rule <n> description <text> -   Set description for rule in route policy. +   Provide a description for each rule. -.. cfgcmd:: set policy route <name> rule <n> action drop +.. cfgcmd:: set policy route <name> rule <n> log <enable|disable> +.. cfgcmd:: set policy route6 <name> rule <n> log <enable|disable> -   Set rule action to drop. +   Option to enable or disable log matching rule. + +Matching criteria +================= + +There are a lot of matching criteria options available, both for +``policy route`` and ``policy route6``. These options are listed +in this section. + +.. 
cfgcmd:: set policy route <name> rule <n> connection-mark <1-2147483647> +.. cfgcmd:: set policy route6 <name> rule <n> connection-mark <1-2147483647> + +  Set match criteria based on connection mark. +.. cfgcmd:: set policy route <name> rule <n> source address +   <match_criteria>  .. cfgcmd:: set policy route <name> rule <n> destination address     <match_criteria> +.. cfgcmd:: set policy route6 <name> rule <n> source address +   <match_criteria> +.. cfgcmd:: set policy route6 <name> rule <n> destination address +   <match_criteria> -   Set match criteria based on destination address, where <match_criteria> -   could be: +   Set match criteria based on source or destination ipv4|ipv6 address, where +   <match_criteria> could be: +For ipv4:     * <x.x.x.x>: IP address to match.     * <x.x.x.x/x>: Subnet to match.     * <x.x.x.x>-<x.x.x.x>: IP range to match. 
@@ -45,14 +66,30 @@ Route     * !<x.x.x.x/x>: Match everything except the specified subnet.     * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. +And for ipv6: +   * <h:h:h:h:h:h:h:h>: IPv6 address to match. +   * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match. +   * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match. +   * !<h:h:h:h:h:h:h:h>: Match everything except the specified address. +   * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix. +   * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the +     specified range. + +.. cfgcmd:: set policy route <name> rule <n> source group +   <address-group|domain-group|mac-group|network-group|port-group> <text>  .. cfgcmd:: set policy route <name> rule <n> destination group -   <address-group|network-group|port-group> <text> +   <address-group|domain-group|mac-group|network-group|port-group> <text> +.. cfgcmd:: set policy route6 <name> rule <n> source group +   <address-group|domain-group|mac-group|network-group|port-group> <text> +.. cfgcmd:: set policy route6 <name> rule <n> destination group +   <address-group|domain-group|mac-group|network-group|port-group> <text> -   Set destination match criteria based on groups, where <text> would be the -   group name/identifier. +   Set match criteria based on source or destination groups, where <text> +   would be the group name/identifier. Prepend character '!' for inverted +   matching criteria. -.. cfgcmd:: set policy route <name> rule <n> destination port -   <match_criteria> +.. cfgcmd:: set policy route <name> rule <n> destination port <match_criteria> +.. cfgcmd:: set policy route6 <name> rule <n> destination port <match_criteria>     Set match criteria based on destination port, where <match_criteria> could     be: 
@@ -66,24 +103,43 @@ Route     '!22,telnet,http,123,1001-1005'  .. cfgcmd:: set policy route <name> rule <n> disable +.. cfgcmd:: set policy route6 <name> rule <n> disable     Option to disable rule. +.. cfgcmd:: set policy route <name> rule <n> dscp <text> +.. cfgcmd:: set policy route6 <name> rule <n> dscp <text> +.. cfgcmd:: set policy route <name> rule <n> dscp-exclude <text> +.. cfgcmd:: set policy route6 <name> rule <n> dscp-exclude <text> + +   Match based on dscp value criteria. Multiple values from 0 to 63 +   and ranges are supported. +  .. cfgcmd:: set policy route <name> rule <n> fragment     <match-grag|match-non-frag> +.. cfgcmd:: set policy route6 <name> rule <n> fragment +   <match-grag|match-non-frag>     Set IP fragment match, where:     * match-frag: Second and further fragments of fragmented packets.     * match-non-frag: Head fragments or unfragmented packets. -.. cfgcmd:: set policy route <name> rule <n> icmp <code|type|type-name> +.. cfgcmd:: set policy route <name> rule <n> icmp <code | type> +.. cfgcmd:: set policy route6 <name> rule <n> icmpv6 <code | type> -   Set ICMP match criterias, based on code and/or types. Types could be -   referenced by number or by name. +   Match based on icmp|icmpv6 code and type. + +.. cfgcmd:: set policy route <name> rule <n> icmp type-name <text> +.. cfgcmd:: set policy route6 <name> rule <n> icmpv6 type-name <text> + +   Match based on icmp|icmpv6 type-name criteria. Use tab for information +   about what type-name criteria are supported.  .. cfgcmd:: set policy route <name> rule <n> ipsec     <match-ipsec|match-none> +.. cfgcmd:: set policy route6 <name> rule <n> ipsec +   <match-ipsec|match-none>     Set IPSec inbound match criterias, where: 
@@ -91,88 +147,45 @@ Route     * match-none: match inbound non-IPsec packets.  .. cfgcmd:: set policy route <name> rule <n> limit burst <0-4294967295> +.. cfgcmd:: set policy route6 <name> rule <n> limit burst <0-4294967295> -   Set maximum number of packets to alow in excess of rate +   Set maximum number of packets to alow in excess of rate.  .. cfgcmd:: set policy route <name> rule <n> limit rate <text> +.. cfgcmd:: set policy route6 <name> rule <n> limit rate <text>     Set maximum average matching rate. Format for rate: integer/time_unit, where     time_unit could be any one of second, minute, hour or day.For example     1/second implies rule to be matched at an average of once per second. -.. cfgcmd:: set policy route <name> rule <n> log <enable|disable> - -   Option to enable or disable log matching rule. - -.. cfgcmd:: set policy route <name> rule <n> log <text> - -   Option to log matching rule. -  .. cfgcmd:: set policy route <name> rule <n> protocol -   <text|0-255|tcp_udp|all|!protocol> +   <text | 0-255 | tcp_udp | all > +.. cfgcmd:: set policy route6 <name> rule <n> protocol +   <text | 0-255 | tcp_udp | all > -   Set protocol to match. Protocol name in /etc/protocols or protocol number, -   or "tcp_udp" or "all". Also, protocol could be denied by using !. +   Match a protocol criteria. A protocol number or a name which is defined in: +   ``/etc/protocols``. Special names are ``all`` for all protocols and +   ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected +   protocol. -.. cfgcmd:: set policy route <name> rule <n> recent <count|time> -   <1-255|0-4294967295> +.. cfgcmd:: set policy route <name> rule <n> recent count <1-255> +.. cfgcmd:: set policy route6 <name> rule <n> recent count <1-255> +.. cfgcmd:: set policy route <name> rule <n> recent time <1-4294967295> +.. cfgcmd:: set policy route6 <name> rule <n> recent time <1-4294967295>     Set parameters for matching recently seen sources. 
This match could be used     by seeting count (source address seen more than <1-255> times) and/or time     (source address seen in the last <0-4294967295> seconds). -.. cfgcmd:: set policy route <name> rule <n> set dscp <0-63> - -   Set packet modifications: Packet Differentiated Services Codepoint (DSCP) - -.. cfgcmd:: set policy route <name> rule <n> set mark <1-2147483647> - -   Set packet modifications: Packet marking - -.. cfgcmd:: set policy route <name> rule <n> set table <main|1-200> - -   Set packet modifications: Routing table to forward packet with. - -.. cfgcmd:: set policy route <name> rule <n> set tcp-mss <500-1460> - -   Set packet modifications: Explicitly set TCP Maximum segment size value. - -.. cfgcmd:: set policy route <name> rule <n> source address -   <match_criteria> - -   Set match criteria based on source address, where <match_criteria> could be: - -   * <x.x.x.x>: IP address to match. -   * <x.x.x.x/x>: Subnet to match. -   * <x.x.x.x>-<x.x.x.x>: IP range to match. -   * !<x.x.x.x>: Match everything except the specified address. -   * !<x.x.x.x/x>: Match everything except the specified subnet. -   * !<x.x.x.x>-<x.x.x.x>: Match everything except the specified range. - -.. cfgcmd:: set policy route <name> rule <n> source group -   <address-group|network-group|port-group> <text> - -   Set source match criteria based on groups, where <text> would be the group -   name/identifier. - -.. cfgcmd:: set policy route <name> rule <n> source port <match_criteria> - -   Set match criteria based on source port, where <match_criteria> could be: - -   * <port name>: Named port (any name in /etc/services, e.g., http). -   * <1-65535>: Numbered port. -   * <start>-<end>: Numbered port range (e.g., 1001-1005). - -   Multiple source ports can be specified as a comma-separated list. The whole -   list can also be "negated" using '!'. For example: -   '!22,telnet,http,123,1001-1005' -  .. 
cfgcmd:: set policy route <name> rule <n> state -   <established|invalid|new|related> <disable|enable> +   <established | invalid | new | related> +.. cfgcmd:: set policy route6 <name> rule <n> state +   <established | invalid | new | related>     Set match criteria based on session state.  .. cfgcmd:: set policy route <name> rule <n> tcp flags <text> +.. cfgcmd:: set policy route6 <name> rule <n> tcp flags <text>     Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK     FIN RST URG PSH ALL. When specifying more than one flag, flags should be 
@@ -180,241 +193,67 @@ Route     packets with the SYN flag set, and the ACK, FIN and RST flags unset.  .. cfgcmd:: set policy route <name> rule <n> time monthdays <text> - -   Set monthdays to match rule on. Format for monthdays: 2,12,21. -   To negate add ! at the front eg. !2,12,21 - +.. cfgcmd:: set policy route6 <name> rule <n> time monthdays <text>  .. cfgcmd:: set policy route <name> rule <n> time startdate <text> - -   Set date to start matching rule. Format for date: yyyy-mm-dd. To specify -   time of date with startdate, append 'T' to date followed by time in 24 hour -   notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to -   21st Jan 2009 with time 13:30:00. - +.. cfgcmd:: set policy route6 <name> rule <n> time startdate <text>  .. cfgcmd:: set policy route <name> rule <n> time starttime <text> - -   Set time of day to start matching rule. Format of time: hh:mm:ss using 24 -   hours notation. - +.. cfgcmd:: set policy route6 <name> rule <n> time starttime <text>  .. cfgcmd:: set policy route <name> rule <n> time stopdate <text> - -   Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time -   of date with stopdate, append 'T' to date followed by time in 24 hour -   notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to -   21st Jan 2009 with time 13:30:00. - +.. cfgcmd:: set policy route6 <name> rule <n> time stopdate <text>  .. cfgcmd:: set policy route <name> rule <n> time stoptime <text> - -   Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 -   hours notation. - +.. cfgcmd:: set policy route6 <name> rule <n> time stoptime <text> +.. cfgcmd:: set policy route <name> rule <n> time weekdays <text> +.. cfgcmd:: set policy route6 <name> rule <n> time weekdays <text>  .. cfgcmd:: set policy route <name> rule <n> time utc +.. cfgcmd:: set policy route6 <name> rule <n> time utc -   Interpret times for startdate, stopdate, starttime and stoptime to be UTC. - -.. 
cfgcmd:: set policy route <name> rule <n> time weekdays - -   Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! -   at the front eg. !Mon,Thu,Sat. +   Time to match the defined rule. +.. cfgcmd:: set policy route rule <n> ttl <eq | gt | lt> <0-255> -IPv6 Route -========== +   Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for +   'greater than', and 'lt' stands for 'less than'. -.. cfgcmd:: set policy route6 <name> +.. cfgcmd:: set policy route6 rule <n> hop-limit <eq | gt | lt> <0-255> -   This command creates a new IPv6 route policy, identified by <text>. +   Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for +   'greater than', and 'lt' stands for 'less than'. -.. cfgcmd:: set policy route6 <name> description <text> +Actions +======= -   Set description for the IPv6 route policy. - -.. cfgcmd:: set policy route6 <name> enable-default-log - -   Option to log packets hitting default-action. +When mathcing all patterns defined in a rule, then different actions can +be made. This includes droping the packet, modifying certain data, or +setting a different routing table. +.. cfgcmd:: set policy route <name> rule <n> action drop  .. cfgcmd:: set policy route6 <name> rule <n> action drop     Set rule action to drop. -.. cfgcmd:: set policy route6 <name> rule <n> description <text> - -   Set description for rule in IPv6 route policy. +.. cfgcmd:: set policy route <name> rule <n> set connection-mark +   <1-2147483647> +.. cfgcmd:: set policy route6 <name> rule <n> set connection-mark +   <1-2147483647> -.. cfgcmd:: set policy route6 <name> rule <n> destination address -   <match_criteria> - -   Set match criteria based on destination IPv6 address, where <match_criteria> -   could be: - -   * <h:h:h:h:h:h:h:h>: IPv6 address to match. -   * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match. -   * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match. 
-   * !<h:h:h:h:h:h:h:h>: Match everything except the specified address. -   * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix. -   * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the -     specified range. - -.. cfgcmd:: set policy route6 <name> rule <n> destination port <match_criteria> - -   Set match criteria based on destination port, where <match_criteria> could -   be: - -   * <port name>: Named port (any name in /etc/services, e.g., http). -   * <1-65535>: Numbered port. -   * <start>-<end>: Numbered port range (e.g., 1001-1005). - -   Multiple destination ports can be specified as a comma-separated list. The -   whole list can also be "negated" using '!'. For example: -   '!22,telnet,http,123,1001-1005'. - -.. cfgcmd:: set policy route6 <name> rule <n> disable - -   Option to disable rule. - -.. cfgcmd:: set policy route6 <name> rule <n> icmpv6 type <icmpv6_typ> - -   Set ICMPv6 match criterias, based on ICMPv6 type/code name. - -.. cfgcmd:: set policy route6 <name> rule <n> ipsec -   <match-ipsec|match-none> - -   Set IPSec inbound match criterias, where: - -   * match-ipsec: match inbound IPsec packets. -   * match-none: match inbound non-IPsec packets. - -.. cfgcmd:: set policy route6 <name> rule <n> limit burst -   <0-4294967295> - -   Set maximum number of packets to alow in excess of rate - -.. cfgcmd:: set policy route6 <name> rule <n> limit rate <text> - -   Set maximum average matching rate. Format for rate: integer/time_unit, where -   time_unit could be any one of second, minute, hour or day.For example -   1/second implies rule to be matched at an average of once per second. - -.. cfgcmd:: set policy route6 <name> rule <n> log <enable|disable> - -   Option to enable or disable log matching rule. - -.. cfgcmd:: set policy route6 <name> rule <n> log <text> - -   Option to log matching rule. - -.. 
cfgcmd:: set policy route6 <name> rule <n> protocol -   <text|0-255|tcp_udp|all|!protocol> - -   Set IPv6 protocol to match. IPv6 protocol name from /etc/protocols or -   protocol number, or "tcp_udp" or "all". Also, protocol could be denied by -   using !. - -.. cfgcmd:: set policy route6 <name> rule <n> recent <count|time> -   <1-255|0-4294967295> - -   Set parameters for matching recently seen sources. This match could be used -   by seeting count (source address seen more than <1-255> times) and/or time -   (source address seen in the last <0-4294967295> seconds). +   Set a specific connection mark. +.. cfgcmd:: set policy route <name> rule <n> set dscp <0-63>  .. cfgcmd:: set policy route6 <name> rule <n> set dscp <0-63>     Set packet modifications: Packet Differentiated Services Codepoint (DSCP) +.. cfgcmd:: set policy route <name> rule <n> set mark <1-2147483647>  .. cfgcmd:: set policy route6 <name> rule <n> set mark <1-2147483647> -   Set packet modifications: Packet marking. - -.. cfgcmd:: set policy route6 <name> rule <n> set table <main|1-200> - -   Set packet modifications: Routing table to forward packet with. - -.. cfgcmd:: set policy route6 <name> rule <n> set tcp-mss -   <pmtu|500-1460> - -   Set packet modifications: pmtu option automatically set to Path Maximum -   Transfer Unit minus 60 bytes. Otherwise, expliicitly set TCP MSS value from -   500 to 1460. - -.. cfgcmd:: set policy route6 <name> rule <n> source address -   <match_criteria> - -   Set match criteria based on IPv6 source address, where <match_criteria> -   could be: - -   * <h:h:h:h:h:h:h:h>: IPv6 address to match -   * <h:h:h:h:h:h:h:h/x>: IPv6 prefix to match -   * <h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match -   * !<h:h:h:h:h:h:h:h>: Match everything except the specified address -   * !<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix -   * !<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the -     specified range - -.. 
cfgcmd:: set policy route6 <name> rule <n> source mac-address -   <MAC_address|!MAC_address> - -   Set source match criteria based on MAC address. Declare specific MAC address -   to match, or match everything except the specified MAC. - -.. cfgcmd:: set policy route6 <name> rule <n> source port -   <match_criteria> - -   Set match criteria based on source port, where <match_criteria> could be: - -   * <port name>: Named port (any name in /etc/services, e.g., http). -   * <1-65535>: Numbered port. -   * <start>-<end>: Numbered port range (e.g., 1001-1005). - -   Multiple source ports can be specified as a comma-separated list. The whole -   list can also be "negated" using '!'. For example: -   '!22,telnet,http,123,1001-1005'. - -.. cfgcmd:: set policy route6 <name> rule <n> state -   <established|invalid|new|related> <disable|enable> - -   Set match criteria based on session state. - -.. cfgcmd:: set policy route6 <name> rule <n> tcp flags <text> - -   Set match criteria based on tcp flags. Allowed values for TCP flags: SYN ACK -   FIN RST URG PSH ALL. When specifying more than one flag, flags should be -   comma-separated. For example : value of 'SYN,!ACK,!FIN,!RST' will only match -   packets with the SYN flag set, and the ACK, FIN and RST flags unset. +   Set a specific packet mark. -.. cfgcmd:: set policy route6 <name> rule <n> time monthdays <text> - -   Set monthdays to match rule on. Format for monthdays: 2,12,21. -   To negate add ! at the front eg. !2,12,21 - -.. cfgcmd:: set policy route6 <name> rule <n> time startdate <text> +.. cfgcmd:: set policy route <name> rule <n> set table <main | 1-200> +.. cfgcmd:: set policy route6 <name> rule <n> set table <main | 1-200> -   Set date to start matching rule. Format for date: yyyy-mm-dd. To specify -   time of date with startdate, append 'T' to date followed by time in 24 hour -   notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to -   21st Jan 2009 with time 13:30:00. 
+   Set the routing table to forward packet with. -.. cfgcmd:: set policy route6 <name> rule <n> time starttime <text> - -   Set time of day to start matching rule. Format of time: hh:mm:ss using 24 -   hours notation. - -.. cfgcmd:: set policy route6 <name> rule <n> time stopdate <text> - -   Set date to stop matching rule. Format for date: yyyy-mm-dd. To specify time -   of date with stopdate, append 'T' to date followed by time in 24 hour -   notation hh:mm:ss. For eg startdate value of 2009-01-21T13:30:00 refers to -   21st Jan 2009 with time 13:30:00. - -.. cfgcmd:: set policy route6 <name> rule <n> time stoptime <text> - -   Set time of day to stop matching rule. Format of time: hh:mm:ss using 24 -   hours notation. - -.. cfgcmd:: set policy route6 <name> rule <n> time utc - -   Interpret times for startdate, stopdate, starttime and stoptime to be UTC. - -.. cfgcmd:: set policy route6 <name> rule <n> time weekdays +.. cfgcmd:: set policy route <name> rule <n> set tcp-mss <500-1460> +.. cfgcmd:: set policy route6 <name> rule <n> set tcp-mss <500-1460> -   Weekdays to match rule on. Format for weekdays: Mon,Thu,Sat. To negate add ! -   at the front eg. !Mon,Thu,Sat. +   Set packet modifications: Explicitly set TCP Maximum segment size value.
\ No newline at end of file | 
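Review bot: In the "Clamp MSS for a specific IP" hunk of examples.rst, three added prose lines carry trailing whitespace ("to 1360 bytes)  ", "configure it on the  ", "to reach our  "), and the sentence "configure it on the interface the inbound local host will send through to reach our destined target host" is hard to parse. Suggest "apply it to the interface on which the local host's traffic enters the router on its way to the target host (eth1 in this example)", which also matches the `set policy route IP-MSS-CLAMP interface eth1` line that follows.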
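Review bot: In the route-map.rst hunk at @@ -69 (and again at @@ -99 for the ipv6 variant), the new `match ip address prefix-len` / `match ipv6 address prefix-len` notes spell the protocol "OSFP"; it should be "OSPF". Both blocks also end with a doubled period ("unexpected results..").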
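Review bot: In the route-map.rst hunk at @@ -149, the rewritten `set as-path exclude` description "Drop AS-NUMBER from the BGP AS path." loses the worked example the old line carried and uses a placeholder that does not match the `<text>` argument above it; suggest "Remove the given AS number(s) from the AS_PATH, for example ``456 64500 45001``." The `set large-community delete` description reads "Delete BGP communities matching the large-community-list." and should say "large-communities". Several new descriptions have no terminal period ("Delete all BGP communities", "Set extcommunity bandwidth", "The link bandwidth extended community is encoded as non-transitive"), and there is trailing whitespace on "in format  " and on the blank line after `set large-community none`.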
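Review bot: In the route-map.rst hunk at @@ -283, the "List of well-known communities" bullets are indented three spaces directly under the section underline with no blank line in between, so docutils renders them as a block quote (and may warn about the missing blank line); put a blank line after the underline and start the `*` items at column 0. The column-aligning padding after each " - " is collapsed by RST anyway and can be dropped. The hunk also adds eight empty lines at end of file; one trailing newline is enough. The community values themselves check out against the well-known registry.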
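Review bot: In the route.rst hunk at @@ -1, "Data packets go through the rules from 1 - 999999, at the first match the action of the rule will be executed." is a comma splice; suggest "Packets are evaluated against the rules in order from 1 to 999999; the action of the first matching rule is executed." The new `connection-mark` description is indented two spaces instead of the three used everywhere else and has no blank line before the next `.. cfgcmd::`, which yields "Explicit markup ends without a blank line" from docutils. Likewise "For ipv4:" (and "And for ipv6:" in the next hunk) sit at column 0, which terminates the cfgcmd directive body so the address lists render outside the command they describe; indent both lines three spaces.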
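Review bot: In the route.rst hunk at @@ -66, the `fragment` syntax line still reads `<match-grag|match-non-frag>` and the typo is now copied into the new route6 line, while the bullets right below say `match-frag`; fix both syntax lines to `<match-frag|match-non-frag>`.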
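Review bot: In the route.rst hunk at @@ -91, the new `protocol` syntax `<text | 0-255 | tcp_udp | all >` drops the `!protocol` alternative, yet the new description still says "The ``!`` negates the selected protocol."; either restore `!` in the syntax or drop that sentence. `recent time <1-4294967295>` now starts at 1 while the unchanged description still says "in the last <0-4294967295> seconds"; align the two. The `limit burst` line was edited (period added) but "alow" is still misspelled. The `source port <match_criteria>` entry for `policy route` is removed here and no `source port` cfgcmd appears anywhere in the added lines; if the command still exists it should be re-added next to `destination port`, stacked for route and route6 the same way.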
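Review bot: In the route.rst hunk at @@ -180, the `ttl` and `hop-limit` cfgcmd lines omit the policy name: "set policy route rule <n> ttl ..." should be "set policy route <name> rule <n> ttl ..." (same for route6 `hop-limit`). All `time` subcommands (monthdays, startdate, starttime, stopdate, stoptime, weekdays, utc) now share the single line "Time to match the defined rule.", which discards the format information the removed text had (yyyy-mm-dd with optional Thh:mm:ss, hh:mm:ss, Mon,Thu,Sat, leading `!` to negate) and no longer explains what `utc` does; keep at least a compact format summary per option. "mathcing" and "droping" in the Actions intro are typos. For route6, `source port` and `source mac-address` are removed with no replacement among the added lines, and `set tcp-mss <pmtu|500-1460>` becomes `<500-1460>`, silently dropping `pmtu` and its explanation; confirm these removals are intentional. The file also ends without a trailing newline.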
