Route Policy
Route and IPv6 route policies are defined in this section. These route policies can then be applied to interfaces.
Configuration
Route
Set match criteria based on destination address, where <match_criteria> could be:
<x.x.x.x>: IP address to match.
<x.x.x.x/x>: Subnet to match.
<x.x.x.x>-<x.x.x.x>: IP range to match.
!<x.x.x.x>: Match everything except the specified address.
!<x.x.x.x/x>: Match everything except the specified subnet.
!<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
Set destination match criteria based on a group, where <text> is the group name/identifier.
Set match criteria based on destination port, where <match_criteria> could be:
<port name>: Named port (any name in /etc/services, e.g., http).
<1-65535>: Numbered port.
<start>-<end>: Numbered port range (e.g., 1001-1005).
Multiple destination ports can be specified as a comma-separated list. The whole list can also be negated by prefixing it with '!', which matches any port not in the list (the '!' applies to the entire list, not only to the first entry). For example: '!22,telnet,http,123,1001-1005'.
Set IP fragment match, where:
match-frag: Second and further fragments of fragmented packets. These carry no transport-layer header, so port, ICMP and TCP-flag matches cannot be evaluated on them; a rule meant to catch them must match on addresses or protocol only.
match-non-frag: Head fragments or unfragmented packets.
Set ICMP match criteria, based on type and/or code. Types can be referenced by number or by name.
Set IPsec inbound match criteria, where:
match-ipsec: match inbound IPsec packets.
match-none: match inbound non-IPsec packets.
Set the maximum number of packets to allow in excess of the rate (burst).
Set the maximum average matching rate. Format for rate: integer/time_unit, where time_unit is one of second, minute, hour or day. For example, 1/second means the rule matches at an average of once per second; packets arriving faster than that (beyond the burst) are not matched by this rule.
Enable or disable logging of packets that match the rule.
Set the protocol to match: a protocol name from /etc/protocols or a protocol number, or "tcp_udp" or "all". The protocol can be negated by prefixing it with !.
Set parameters for matching recently seen sources. This match is configured by setting count (source address seen more than <1-255> times) and/or time (source address seen within the last <0-4294967295> seconds).
Set packet modifications: packet Differentiated Services Code Point (DSCP).
Set packet modifications: routing table to forward the packet with.
Set packet modifications: explicitly set the TCP Maximum Segment Size (MSS) value.
Set match criteria based on source address, where <match_criteria> could be:
<x.x.x.x>: IP address to match.
<x.x.x.x/x>: Subnet to match.
<x.x.x.x>-<x.x.x.x>: IP range to match.
!<x.x.x.x>: Match everything except the specified address.
!<x.x.x.x/x>: Match everything except the specified subnet.
!<x.x.x.x>-<x.x.x.x>: Match everything except the specified range.
Set source match criteria based on a group, where <text> is the group name/identifier.
Set match criteria based on source port, where <match_criteria> could be:
<port name>: Named port (any name in /etc/services, e.g., http).
<1-65535>: Numbered port.
<start>-<end>: Numbered port range (e.g., 1001-1005).
Multiple source ports can be specified as a comma-separated list. The whole list can also be negated by prefixing it with '!', which matches any port not in the list (the '!' applies to the entire list, not only to the first entry). For example: '!22,telnet,http,123,1001-1005'.
Set match criteria based on TCP flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL. When specifying more than one flag, separate them with commas; prefix a flag with ! to require it to be unset. For example, a value of 'SYN,!ACK,!FIN,!RST' matches only packets with the SYN flag set and the ACK, FIN and RST flags unset, i.e. new connection attempts.
Set the days of the month on which the rule matches. Format for monthdays: 2,12,21. To negate, add ! at the front, e.g. !2,12,21.
Set the date to start matching the rule. Format for date: yyyy-mm-dd. To specify a time of day together with startdate, append 'T' to the date followed by the time in 24-hour notation hh:mm:ss. For example, a startdate value of 2009-01-21T13:30:00 refers to 21 January 2009 at 13:30:00.
Set the time of day to start matching the rule. Format of time: hh:mm:ss using 24-hour notation.
Set the date to stop matching the rule. Format for date: yyyy-mm-dd. To specify a time of day together with stopdate, append 'T' to the date followed by the time in 24-hour notation hh:mm:ss. For example, a stopdate value of 2009-01-21T13:30:00 refers to 21 January 2009 at 13:30:00.
Set the time of day to stop matching the rule. Format of time: hh:mm:ss using 24-hour notation.
Interpret the times given for startdate, stopdate, starttime and stoptime as UTC.
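The following is an added worked example and is not part of the original page. It combines the match and set options described above into one policy, written in the VyOS 1.2-style "set policy route <name> rule <n> ..." command syntax that this reference is assumed to document. The policy name PBR-LAN, the addresses, interface eth1 and routing table 10 are made up for illustration.

```vyos
# Added example (not from the original page). Names, addresses, interface and
# table number are invented; command paths follow the VyOS 1.2 policy route CLI.

set policy route PBR-LAN description 'Steer LAN traffic to the secondary uplink'

# Rule 10: TCP from the LAN to anything outside the internal range, on any port
# except SSH, is routed via table 10. The leading '!' negates the whole port
# list, so '!22,23' would mean "neither 22 nor 23", not "not 22, but 23".
set policy route PBR-LAN rule 10 protocol 'tcp'
set policy route PBR-LAN rule 10 source address '192.168.1.0/24'
set policy route PBR-LAN rule 10 destination address '!192.168.0.0/16'
set policy route PBR-LAN rule 10 destination port '!22'
set policy route PBR-LAN rule 10 set table '10'

# Rule 15: second and later fragments carry no TCP header, so rule 10's port
# match can never see them. Route them by address only so that a fragmented
# flow does not end up split across two uplinks.
set policy route PBR-LAN rule 15 fragment match-frag
set policy route PBR-LAN rule 15 source address '192.168.1.0/24'
set policy route PBR-LAN rule 15 destination address '!192.168.0.0/16'
set policy route PBR-LAN rule 15 set table '10'

# Rule 20: SSH from the guest range (excluded by rule 10) is sent via table 10
# only during the working day, interpreted as UTC, and logged. Matching on SYN
# with ACK/FIN/RST clear logs one line per connection attempt rather than per
# packet. Note that 'limit' is a match condition, not a log option: SYNs above
# 10/minute (after a burst of 20) are not matched by this rule at all.
set policy route PBR-LAN rule 20 protocol 'tcp'
set policy route PBR-LAN rule 20 source address '192.168.1.100-192.168.1.199'
set policy route PBR-LAN rule 20 destination port '22'
set policy route PBR-LAN rule 20 tcp flags 'SYN,!ACK,!FIN,!RST'
set policy route PBR-LAN rule 20 limit rate '10/minute'
set policy route PBR-LAN rule 20 limit burst '20'
set policy route PBR-LAN rule 20 log 'enable'
set policy route PBR-LAN rule 20 time starttime '08:00:00'
set policy route PBR-LAN rule 20 time stoptime '18:00:00'
set policy route PBR-LAN rule 20 time utc
set policy route PBR-LAN rule 20 set table '10'

# Table 10 needs its own default route, and the policy only takes effect once it
# is applied to the interface on which the LAN traffic arrives.
set protocols static table 10 route 0.0.0.0/0 next-hop '203.0.113.1'
set interfaces ethernet eth1 policy route 'PBR-LAN'
```

The rule numbers and table number are local choices. The points worth taking from the example are that a leading '!' negates a whole port list, that non-head fragments need a rule without port or flag matches, and that limit restricts which packets the rule matches rather than only how often it logs.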
IPv6 Route
Set match criteria based on destination IPv6 address, where <match_criteria> could be:
<h:h:h:h:h:h:h:h>: IPv6 address to match.
<h:h:h:h:h:h:h:h/x>: IPv6 prefix to match.
<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match.
!<h:h:h:h:h:h:h:h>: Match everything except the specified address.
!<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix.
!<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range.
Set match criteria based on destination port, where <match_criteria> could be:
<port name>: Named port (any name in /etc/services, e.g., http).
<1-65535>: Numbered port.
<start>-<end>: Numbered port range (e.g., 1001-1005).
Multiple destination ports can be specified as a comma-separated list. The whole list can also be negated by prefixing it with '!', which matches any port not in the list. For example: '!22,telnet,http,123,1001-1005'.
Set ICMPv6 match criteria, based on ICMPv6 type/code name.
Set IPsec inbound match criteria, where:
match-ipsec: match inbound IPsec packets.
match-none: match inbound non-IPsec packets.
Set the maximum number of packets to allow in excess of the rate (burst).
Set the maximum average matching rate. Format for rate: integer/time_unit, where time_unit is one of second, minute, hour or day. For example, 1/second means the rule matches at an average of once per second; packets arriving faster than that (beyond the burst) are not matched by this rule.
Enable or disable logging of packets that match the rule.
Set the IPv6 protocol to match: a protocol name from /etc/protocols or a protocol number, or "tcp_udp" or "all". The protocol can be negated by prefixing it with !.
Set parameters for matching recently seen sources. This match is configured by setting count (source address seen more than <1-255> times) and/or time (source address seen within the last <0-4294967295> seconds).
Set packet modifications: packet Differentiated Services Code Point (DSCP).
Set packet modifications: routing table to forward the packet with.
Set packet modifications: TCP Maximum Segment Size (MSS). The pmtu option sets the MSS automatically to the path MTU minus 60 bytes (40-byte IPv6 header plus 20-byte TCP header); otherwise, explicitly set a TCP MSS value from 500 to 1460.
Set match criteria based on IPv6 source address, where <match_criteria> could be:
<h:h:h:h:h:h:h:h>: IPv6 address to match.
<h:h:h:h:h:h:h:h/x>: IPv6 prefix to match.
<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: IPv6 range to match.
!<h:h:h:h:h:h:h:h>: Match everything except the specified address.
!<h:h:h:h:h:h:h:h/x>: Match everything except the specified prefix.
!<h:h:h:h:h:h:h:h>-<h:h:h:h:h:h:h:h>: Match everything except the specified range.
Set source match criteria based on MAC address. Specify a MAC address to match, or match everything except the specified MAC.
Set match criteria based on source port, where <match_criteria> could be:
<port name>: Named port (any name in /etc/services, e.g., http).
<1-65535>: Numbered port.
<start>-<end>: Numbered port range (e.g., 1001-1005).
Multiple source ports can be specified as a comma-separated list. The whole list can also be negated by prefixing it with '!', which matches any port not in the list. For example: '!22,telnet,http,123,1001-1005'.
Set match criteria based on TCP flags. Allowed values for TCP flags: SYN ACK FIN RST URG PSH ALL. When specifying more than one flag, separate them with commas; prefix a flag with ! to require it to be unset. For example, a value of 'SYN,!ACK,!FIN,!RST' matches only packets with the SYN flag set and the ACK, FIN and RST flags unset, i.e. new connection attempts.
Set the days of the month on which the rule matches. Format for monthdays: 2,12,21. To negate, add ! at the front, e.g. !2,12,21.
Set the date to start matching the rule. Format for date: yyyy-mm-dd. To specify a time of day together with startdate, append 'T' to the date followed by the time in 24-hour notation hh:mm:ss. For example, a startdate value of 2009-01-21T13:30:00 refers to 21 January 2009 at 13:30:00.
Set the time of day to start matching the rule. Format of time: hh:mm:ss using 24-hour notation.
Set the date to stop matching the rule. Format for date: yyyy-mm-dd. To specify a time of day together with stopdate, append 'T' to the date followed by the time in 24-hour notation hh:mm:ss. For example, a stopdate value of 2009-01-21T13:30:00 refers to 21 January 2009 at 13:30:00.
Set the time of day to stop matching the rule. Format of time: hh:mm:ss using 24-hour notation.
Interpret the times given for startdate, stopdate, starttime and stoptime as UTC.
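The following is an added worked example and is not part of the original page. It shows the options that exist only in the IPv6 route policy (source MAC match, ICMPv6 type name, MSS clamping to the path MTU), written in the VyOS 1.2-style "set policy ipv6-route <name> rule <n> ..." syntax that this reference is assumed to document. The policy name PBR6-LAN, the prefixes, the MAC address, interface eth1 and routing table 20 are made up for illustration, and the literal value "pmtu" for tcp-mss is taken from the description above.

```vyos
# Added example (not from the original page). Prefixes, MAC address, interface
# and table number are invented; command paths follow the VyOS 1.2 policy
# ipv6-route CLI.

# Rule 10: everything from one known device is routed via table 20. Matching on
# the MAC rather than the address keeps the rule working when the host rotates
# its IPv6 privacy addresses.
set policy ipv6-route PBR6-LAN rule 10 source mac-address '00:00:5e:00:53:01'
set policy ipv6-route PBR6-LAN rule 10 set table '20'

# Rule 20: ICMPv6 echo requests from the LAN prefix to destinations outside the
# site are routed via table 20 and logged, but only up to 5 per second.
# 'limit' is a match condition, so echo requests above that rate are not
# matched by this rule.
set policy ipv6-route PBR6-LAN rule 20 protocol 'ipv6-icmp'
set policy ipv6-route PBR6-LAN rule 20 icmpv6 type 'echo-request'
set policy ipv6-route PBR6-LAN rule 20 source address '2001:db8:1::/64'
set policy ipv6-route PBR6-LAN rule 20 destination address '!2001:db8::/32'
set policy ipv6-route PBR6-LAN rule 20 limit rate '5/second'
set policy ipv6-route PBR6-LAN rule 20 log 'enable'
set policy ipv6-route PBR6-LAN rule 20 set table '20'

# Rule 30: TCP towards the tunnel peer gets its MSS clamped to the path MTU
# minus 60 bytes (40-byte IPv6 header plus 20-byte TCP header), so large
# segments are not black-holed on the lower-MTU tunnel.
set policy ipv6-route PBR6-LAN rule 30 protocol 'tcp'
set policy ipv6-route PBR6-LAN rule 30 destination address '2001:db8:ffff::/48'
set policy ipv6-route PBR6-LAN rule 30 set tcp-mss 'pmtu'

# Table 20 needs its own IPv6 default route, and the policy must be applied to
# the ingress interface.
set protocols static table 20 route6 ::/0 next-hop '2001:db8:2::1'
set interfaces ethernet eth1 policy ipv6-route 'PBR6-LAN'
```

Rule 30 demonstrates the one set action that differs between the IPv4 and IPv6 policies; the remaining address, port, protocol, time and limit options behave as in the IPv4 policy and are not repeated here.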