Junos firewall configuration module
Version: 2019-01-01
// Junos configuration schema for the [edit firewall] hierarchy, generated from
// Junos 21.3R1.9 (see the revision statement). Groupings referenced by an
// unprefixed "uses" that are not defined in this excerpt (inet_filter,
// inet6_filter, firewall_policer, firewall_addr_object, ...) live elsewhere in
// this module and are not visible here.
module junos-conf-firewall {
  yang-version 1;
  namespace "http://yang.juniper.net/junos/conf/firewall";
  prefix jc-firewall;

  import junos-common-ddl-extensions {
    prefix junos;
    revision-date "2019-01-01";
  }
  import junos-common-types {
    prefix jt;
    revision-date "2019-01-01";
  }
  import junos-conf-root {
    prefix jc;
    revision-date "2019-01-01";
  }

  organization "Juniper Networks, Inc.";
  contact "yang-support@juniper.net";
  description "Junos firewall configuration module";

  revision "2019-01-01" {
    description "Junos: 21.3R1.9";
  }

  // The same grouping is grafted onto the top-level configuration and onto
  // configuration groups, so every firewall object can also be defined inside
  // a group and inherited via apply-groups.
  augment /jc:configuration {
    uses firewall-group;
  }
  augment /jc:configuration/jc:groups {
    uses firewall-group;
  }

  // Top of the [edit firewall] tree: per-family filters plus the shared
  // templates (policers, flexible-match, tunnel end points, ...) that filter
  // terms reference by name.
  grouping firewall-group {
    container firewall {
      description "Define a firewall configuration";
      uses apply-advanced;
      container family {
        description "Protocol family";
        container inet {
          description "Protocol family IPv4 for firewall filter";
          uses apply-advanced;
          list dialer-filter {
            key "name";
            ordered-by user;
            description "Define an IPv4 dialer filter";
            uses inet_dialer_filter;
          } // list dialer-filter
          list prefix-action {
            key "name";
            ordered-by user;
            description "Define a prefix action";
            uses prefix_action;
          } // list prefix-action
          list filter {
            key "name";
            description "Define an IPv4 firewall filter";
            uses inet_filter;
          } // list filter
          list simple-filter {
            key "name";
            description "Define an IPv4 firewall simple filter";
            uses inet_simple_filter;
          } // list simple-filter
          list service-filter {
            key "name";
            description "One or more IPv4 service filters";
            uses inet_service_filter;
          } // list service-filter
          list fast-update-filter {
            key "name";
            ordered-by user;
            description "One or more fast update filters";
            uses inet_fuf;
          } // list fast-update-filter
        } // container inet
        container inet6 {
          description "Protocol family IPv6 for firewall filter";
          uses apply-advanced;
          list dialer-filter {
            key "name";
            ordered-by user;
            description "Define an IPv6 dialer filter";
            uses inet6_dialer_filter;
          } // list dialer-filter
          list filter {
            key "name";
            description "Define an IPv6 firewall filter";
            uses inet6_filter;
          } // list filter
          list service-filter {
            key "name";
            description "One or more IPv6 service filters";
            uses inet6_service_filter;
          } // list service-filter
          list fast-update-filter {
            key "name";
            ordered-by user;
            description "One or more fast update filters";
            uses inet6_fuf;
          } // list fast-update-filter
        } // container inet6
        container mpls {
          description "Protocol family MPLS for firewall filter";
          uses apply-advanced;
          list dialer-filter {
            key "name";
            ordered-by user;
            description "Define an mpls dialer filter";
            uses mpls_dialer_filter;
          } // list dialer-filter
          list filter {
            key "name";
            uses mpls_filter;
          } // list filter
        } // container mpls
        container vpls {
          description "Protocol family VPLS for firewall filter";
          uses apply-advanced;
          list filter {
            key "name";
            uses vpls_filter;
          } // list filter
        } // container vpls
        container evpn {
          description "Protocol family EVPN for firewall filter";
          uses apply-advanced;
          // NOTE: evpn filters reuse the vpls_filter grouping, i.e. the same
          // match/action schema as family vpls.
          list filter {
            key "name";
            uses vpls_filter;
          } // list filter
        } // container evpn
        container bridge {
          description "Protocol family BRIDGE for firewall filter";
          uses apply-advanced;
          list filter {
            key "name";
            uses bridge_filter;
          } // list filter
        } // container bridge
        container ccc {
          description "Protocol family CCC for firewall filter";
          uses apply-advanced;
          list filter {
            key "name";
            uses ccc_filter;
          } // list filter
        } // container ccc
        container any {
          description "Protocol-independent filter";
          uses apply-advanced;
          list filter {
            key "name";
            description "Define a protocol independent filter";
            uses any_filter;
          } // list filter
        } // container any
        container ethernet-switching {
          description "Protocol family Ethernet Switching for firewall filter";
          uses apply-advanced;
          list filter {
            key "name";
            description "Define an Ethernet Switching firewall filter";
            uses es_filter;
          } // list filter
        } // container ethernet-switching
      } // container family
      list policer {
        key "name";
        description "Policer template definition";
        uses firewall_policer;
      } // list policer
      list flexible-match {
        key "name";
        description "Flexible packet match template definition";
        uses firewall_flexible_match;
      } // list flexible-match
      list tunnel-end-point {
        key "name";
        description "Tunnel end-point template definition";
        uses tunnel_end_point;
      } // list tunnel-end-point
      list hierarchical-policer {
        key "name";
        description "Hierarchical policer template definition";
        uses firewall_hierpolicer;
      } // list hierarchical-policer
      list interface-set {
        key "name";
        description "Interface set definition";
        uses interface_set_type;
      } // list interface-set
      list load-balance-group {
        key "name";
        ordered-by user;
        description "Load-balance group definition";
        uses firewall_load_balance_group;
      } // list load-balance-group
      list atm-policer {
        key "name";
        description "Atm policer";
        uses atm-policer-type;
      } // list atm-policer
      list three-color-policer {
        key "name";
        description "Three-color policer";
        uses three-color-policer-type;
      } // list three-color-policer
      // "firewall filter <name>" without a family: same schema as
      // "family inet filter" (inet_filter) -- presumably the pre-family form
      // kept for compatibility; confirm against the Junos CLI reference.
      list filter {
        key "name";
        description "Define an IPv4 firewall filter";
        uses inet_filter;
      } // list filter
    } // container firewall
  } // grouping firewall-group

  // Protocol-independent ("family any") filter: terms, match criteria and
  // actions. Terms are a user-ordered list, so the configured order is
  // preserved by the configuration system.
  grouping any_filter {
    leaf name {
      // Leading "!" negates the pattern: names beginning with "__" (reserved)
      // or longer than 64 characters are rejected, per the pattern-message.
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    leaf interface-specific {
      type empty;
      description "Defined counters are interface specific";
    }
    leaf interface-shared {
      // The exclusion is declared on this side only; because the must rejects
      // the pair whenever interface-shared is present, interface-specific needs
      // no reciprocal check.
      junos:must "(!(".. interface-specific"))";
      junos:must-message "Cannot be both interface-specific and interface-shared";
      type empty;
      description "Filter is interface-shared";
    }
    list term {
      key "name";
      ordered-by user;
      description "Define a firewall term";
      leaf name {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Term name";
      }
      uses apply-advanced;
      container from {
        description "Define match criteria";
        uses apply-advanced;
        list interface {
          key "name";
          ordered-by user;
          description "Match interface name";
          uses match_interface_object_oam;
        } // list interface
        list interface-set {
          key "name";
          ordered-by user;
          description "Match interface in set";
          uses match_interface_set_object;
        } // list interface-set
        // Each "<x>_choice" below pairs a match with its "-except" negation;
        // the choice makes them mutually exclusive within one term.
        choice packet-length_choice {
          leaf-list packet-length {
            // NOTE(review): the hex alternatives use the bracket range [0-f].
            // In a POSIX bracket expression that is a collation range, not a
            // hex-digit class: in the C/ASCII collation it also spans
            // ':;<=>?@', 'A'-'Z', '[\]^_' and '`', so a token such as "0x@@"
            // satisfies this pattern although it is not a number. The intent
            // is presumably [0-9a-fA-F] -- confirm; whatever range check the
            // commit process applies beyond this pattern is not visible here.
            type string {
              junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
              junos:pattern-message "Must be a numeric value or a range between 0-65535";
            }
            ordered-by user;
            description "Range of values";
          }
          leaf-list packet-length-except {
            // Same pattern (and the same [0-f] caveat) as packet-length.
            type string {
              junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
              junos:pattern-message "Must be a numeric value or a range between 0-65535";
            }
            ordered-by user;
            description "Range of values";
          }
        } // choice packet-length_choice
        choice forwarding-class_choice {
          leaf-list forwarding-class {
            type string {
              junos:posix-pattern "^.{1,64}$";
              junos:pattern-message "Must be string of 64 characters or less";
            }
            ordered-by user;
            description "String name";
          }
          leaf-list forwarding-class-except {
            type string {
              junos:posix-pattern "^.{1,64}$";
              junos:pattern-message "Must be string of 64 characters or less";
            }
            ordered-by user;
            description "String name";
          }
        } // choice forwarding-class_choice
        choice loss-priority_choice {
          leaf-list loss-priority {
            type enumeration {
              enum "low" { value 0; description "Loss priority low"; }
              enum "high" { value 1; description "Loss priority high"; }
              enum "medium-low" { value 2; description "Loss priority medium-low"; }
              enum "medium-high" { value 3; description "Loss priority medium-high"; }
            }
            ordered-by user;
          }
          leaf-list loss-priority-except {
            type enumeration {
              enum "low" { value 0; description "Loss priority low"; }
              enum "high" { value 1; description "Loss priority high"; }
              enum "medium-low" { value 2; description "Loss priority medium-low"; }
              enum "medium-high" { value 3; description "Loss priority medium-high"; }
            }
            ordered-by user;
          }
        } // choice loss-priority_choice
        choice policy-map_choice {
          leaf-list policy-map {
            // junos:must with "$$" is a referential check: the named policy-map
            // must exist under class-of-service, otherwise the configuration is
            // rejected with the must-message.
            junos:must "("class-of-service policy-map $$")";
            junos:must-message "Undefined policy-map instance";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              length "1 .. 64";
            }
            ordered-by user;
            description "String name";
          }
          leaf-list policy-map-except {
            junos:must "("class-of-service policy-map $$")";
            junos:must-message "Undefined policy-map instance";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              length "1 .. 64";
            }
            ordered-by user;
            description "String name";
          }
        } // choice policy-map_choice
        leaf service-filter-hit {
          type empty;
          description "Match if service-filter-hit is set";
        }
        choice learn-vlan-1p-priority_choice {
          leaf-list learn-vlan-1p-priority {
            // The union's string branch admits "<...>" and "$..." tokens next
            // to the numeric branch (presumably wildcard / variable syntax for
            // configuration groups and commit-script macros -- confirm); the
            // 0..7 bound applies only to the uint32 branch.
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 7"; }
            }
            ordered-by user;
            description "802.1p priority value 0-7";
          }
          leaf-list learn-vlan-1p-priority-except {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 7"; }
            }
            ordered-by user;
            description "802.1p priority value 0-7";
          }
        } // choice learn-vlan-1p-priority_choice
        choice user-vlan-1p-priority_choice {
          leaf-list user-vlan-1p-priority {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 7"; }
            }
            ordered-by user;
            description "802.1p priority value 0-7";
          }
          leaf-list user-vlan-1p-priority-except {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 7"; }
            }
            ordered-by user;
            description "802.1p priority value 0-7";
          }
        } // choice user-vlan-1p-priority_choice
        list destination-mac-address {
          key "name";
          ordered-by user;
          description "Destination MAC address";
          uses firewall_mac_addr_object;
        } // list destination-mac-address
        list source-mac-address {
          key "name";
          ordered-by user;
          description "Source MAC address";
          uses firewall_mac_addr_object;
        } // list source-mac-address
        choice user-vlan-id_choice {
          leaf-list user-vlan-id { type string; ordered-by user; description "Range of values"; }
          leaf-list user-vlan-id-except { type string; ordered-by user; description "Range of values"; }
        } // choice user-vlan-id_choice
        choice learn-vlan-id_choice {
          leaf-list learn-vlan-id { type string; ordered-by user; description "Range of values"; }
          leaf-list learn-vlan-id-except { type string; ordered-by user; description "Range of values"; }
        } // choice learn-vlan-id_choice
        choice ether-type_choice {
          leaf-list ether-type { type string; ordered-by user; }
          leaf-list ether-type-except { type string; ordered-by user; }
        } // choice ether-type_choice
        container ip-version {
          description "Define IP version";
          uses apply-advanced;
          // ipv4 and ipv6 are mutually exclusive within a term; each container
          // carries a junos:must rejecting the other.
          container ipv4 {
            junos:must "(!(".. ipv6"))";
            junos:must-message "Same term cannot have both IPv4 & IPv6 IP version";
            description "Define L3/L4 match items to match IPv4 packets";
            uses apply-advanced;
            choice ip-protocol_choice {
              leaf-list ip-protocol { type string; ordered-by user; }
              leaf-list ip-protocol-except { type string; ordered-by user; }
            } // choice ip-protocol_choice
            choice icmp-type_choice {
              leaf-list icmp-type { type string; ordered-by user; }
              leaf-list icmp-type-except { type string; ordered-by user; }
            } // choice icmp-type_choice
            choice icmp-code_choice {
              leaf-list icmp-code { type string; ordered-by user; }
              leaf-list icmp-code-except { type string; ordered-by user; }
            } // choice icmp-code_choice
            choice source-port_choice {
              leaf-list source-port { type string; ordered-by user; }
              leaf-list source-port-except { type string; ordered-by user; }
            } // choice source-port_choice
            choice destination-port_choice {
              leaf-list destination-port { type string; ordered-by user; }
              leaf-list destination-port-except { type string; ordered-by user; }
            } // choice destination-port_choice
            choice ip-precedence_choice {
              leaf-list ip-precedence { type string; ordered-by user; }
              leaf-list ip-precedence-except { type string; ordered-by user; }
            } // choice ip-precedence_choice
            choice dscp_choice {
              leaf-list dscp { type string; ordered-by user; }
              leaf-list dscp-except { type string; ordered-by user; }
            } // choice dscp_choice
            list ip-source-address {
              key "name";
              ordered-by user;
              description "Match IP source address";
              uses firewall_addr_object;
            } // list ip-source-address
            list ip-destination-address {
              key "name";
              ordered-by user;
              description "Match IP destination address";
              uses firewall_addr_object;
            } // list ip-destination-address
            list source-prefix-list {
              key "name";
              ordered-by user;
              description "Match IP source prefixes in named list";
              uses firewall_prefix_list;
            } // list source-prefix-list
            list destination-prefix-list {
              key "name";
              ordered-by user;
              description "Match IP destination prefixes in named list";
              uses firewall_prefix_list;
            } // list destination-prefix-list
            // Unlike the ipv6 container below, the IPv4 TCP matches carry no
            // must requiring an ip-protocol tcp match in the same clause.
            leaf tcp-flags {
              type string;
              description "Match TCP flags (in symbolic or hex formats) - (Ingress only)";
            }
            leaf tcp-initial {
              type empty;
              description "Match initial packet of a TCP connection - (Ingress only)";
            }
            leaf tcp-established {
              type empty;
              description "Match packet of an established TCP connection";
            }
            leaf is-fragment {
              type empty;
              description "Match if packet is a fragment";
            }
          } // container ipv4
          container ipv6 {
            junos:must "(!(".. ipv4"))";
            junos:must-message "Same term cannot have both IPv4 & IPv6 IP version";
            description "Define L3/L4 match items to match IPv6 packets";
            uses apply-advanced;
            list ip6-source-address {
              key "name";
              ordered-by user;
              description "Match source address";
              uses firewall_addr6_object;
            } // list ip6-source-address
            list ip6-destination-address {
              key "name";
              ordered-by user;
              description "Match destination address";
              uses firewall_addr6_object;
            } // list ip6-destination-address
            choice icmp-type_choice {
              leaf-list icmp-type { type string; ordered-by user; }
              leaf-list icmp-type-except { type string; ordered-by user; }
            } // choice icmp-type_choice
            choice icmp-code_choice {
              leaf-list icmp-code { type string; ordered-by user; }
              leaf-list icmp-code-except { type string; ordered-by user; }
            } // choice icmp-code_choice
            choice source-port_choice {
              leaf-list source-port { type string; ordered-by user; }
              leaf-list source-port-except { type string; ordered-by user; }
            } // choice source-port_choice
            choice destination-port_choice {
              leaf-list destination-port { type string; ordered-by user; }
              leaf-list destination-port-except { type string; ordered-by user; }
            } // choice destination-port_choice
            list source-prefix-list {
              key "name";
              ordered-by user;
              description "Match IP source prefixes in named list";
              uses firewall_prefix_list;
            } // list source-prefix-list
            list destination-prefix-list {
              key "name";
              ordered-by user;
              description "Match IP destination prefixes in named list";
              uses firewall_prefix_list;
            } // list destination-prefix-list
            choice next-header_choice {
              leaf-list next-header { type string; ordered-by user; }
              leaf-list next-header-except { type string; ordered-by user; }
            } // choice next-header_choice
            choice traffic-class_choice {
              leaf-list traffic-class { type string; ordered-by user; }
              leaf-list traffic-class-except { type string; ordered-by user; }
            } // choice traffic-class_choice
            // The three TCP matches are only accepted when the same clause
            // already pins the transport to TCP (next-header tcp / 6, or
            // payload-protocol tcp).
            leaf tcp-flags {
              junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
              junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
              type string;
              description "Match TCP flags (in symbolic or hex formats)";
            }
            leaf tcp-initial {
              junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
              junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
              type empty;
              description "Match initial packet of a TCP connection";
            }
            leaf tcp-established {
              junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
              junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
              type empty;
              description "Match packet of an established TCP connection";
            }
          } // container ipv6
        } // container ip-version
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        // At most one policer form per term: a named policer, a
        // three-color-policer (one of four rate types) or a hierarchical policer.
        choice policer-choice {
          leaf policer {
            // Aggregate policers cannot be attached to a filter term.
            junos:must "(!("firewall policer $$ aggregate"))";
            junos:must-message "Cannot attach a aggregate policer to filter";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of policer to use to rate-limit traffic";
          }
          container three-color-policer {
            description "Police the packet using a three-color-policer";
            uses apply-advanced;
            choice type-choice {
              leaf single-rate {
                junos:must "("firewall three-color-policer $$ single-rate")";
                junos:must-message "Referenced single-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of single-rate three-color policer to use to rate-limit traffic";
              }
              leaf single-packet-rate {
                junos:must "("firewall three-color-policer $$ single-packet-rate")";
                junos:must-message "Referenced single-packet-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of single-packet-rate three-color policer to use to rate-limit traffic";
              }
              leaf two-rate {
                junos:must "("firewall three-color-policer $$ two-rate")";
                junos:must-message "Referenced two-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of two-rate three-color policer to use to rate-limit traffic";
              }
              leaf two-packet-rate {
                junos:must "("firewall three-color-policer $$ two-packet-rate")";
                junos:must-message "Referenced two-packet-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of two-packet-rate three-color policer to use to rate-limit traffic";
              }
            } // choice type-choice
          } // container three-color-policer
          leaf hierarchical-policer {
            // No existence must here, unlike policer / three-color-policer.
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of hierarchical policer to use to rate-limit traffic";
          }
        } // choice policer-choice
        choice policy-map-choice {
          leaf clear-policy-map {
            type empty;
            description "Clear the policy marking";
          }
          leaf policy-map {
            junos:must "("class-of-service policy-map $$")";
            junos:must-message "referenced policy map must be defined";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Policy map action";
          }
        } // choice policy-map-choice
        // count, service-accounting and service-accounting-deferred are
        // pairwise exclusive: the two service-accounting leaves each reject
        // the other and reject count.
        leaf count {
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Count the packet in the named counter";
        }
        leaf service-accounting {
          junos:must "(!(".. service-accounting-deferred"))";
          junos:must-message "'service-accounting-deferred' and 'service-accounting' cannot coexist";
          junos:must "(!(".. count"))";
          junos:must-message "'count' and 'service-accounting' cannot coexist";
          type empty;
          description "Count the packets for service accounting";
        }
        leaf service-accounting-deferred {
          junos:must "(!(".. service-accounting"))";
          junos:must-message "Cannot be both 'service-accounting' and 'service-accounting-deferred'";
          junos:must "(!(".. count"))";
          junos:must-message "'count' and 'service-accounting-deferred' cannot coexist";
          type empty;
          description "Count the packets for deferred service accounting";
        }
        leaf service-filter-hit {
          type empty;
          description "Signal subsequent filters in the chain that packet was processed";
        }
        leaf force-premium {
          type empty;
          description "Process packets as premium traffic by subsequent hierarchical policers";
        }
        leaf loss-priority {
          type enumeration {
            enum "low" { value 0; description "Loss priority low"; }
            enum "high" { value 1; description "Loss priority high"; }
            enum "medium-low" { value 2; description "Loss priority medium-low"; }
            enum "medium-high" { value 3; description "Loss priority medium-high"; }
          }
          description "Classify packet to loss-priority";
        }
        leaf port-mirror-instance {
          junos:must "("forwarding-options port-mirroring instance $$")";
          junos:must-message "Referenced port-mirroring instance does not exist";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Port-mirror the packet to specified instance";
        }
        leaf port-mirror {
          junos:must "(!(".. port-mirror-instance"))";
          junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive";
          type empty;
          description "Port-mirror the packet";
        }
        leaf inline-monitoring-instance {
          junos:must "("services inline-monitoring instance $$")";
          junos:must-message "Configure 'inline-monitoring instance'";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Inline monitoring to specified instance";
        }
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Classify packet to forwarding class";
        }
        // The choice allows at most one of encapsulate, accept, discard or
        // "next term" per term; what happens when none is configured is not
        // expressed in this schema.
        choice designation {
          container encapsulate {
            presence "enable encapsulate";
            description "Send to a tunnel";
            leaf tunnel-end-point {
              junos:must "("firewall tunnel-end-point $$")";
              junos:must-message "referenced firewall tunnel-end-point must be defined";
              type string {
                junos:posix-pattern "!^((__.*)|(.{65,}))$";
                junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              }
              description "Name of the tunnel end point";
            }
          } // container encapsulate
          leaf accept {
            type empty;
            description "Accept the packet";
          }
          leaf discard {
            type empty;
            description "Discard the packet";
          }
          leaf next {
            type enumeration {
              enum "term" { value 0; description "Continue to next term in a filter"; }
            }
            description "Continue to next term in a filter";
          }
        } // choice designation
      } // container then
    } // list term
  } // grouping any_filter

  // Junos "apply-*" knobs (group inheritance and commit-script macros); mixed
  // into nearly every container in this module via "uses apply-advanced".
  grouping apply-advanced {
    description "Apply advanced configuration logic";
    leaf-list apply-groups {
      type string;
      ordered-by user;
      description "Groups from which to inherit configuration data";
    }
    leaf-list apply-groups-except {
      type string;
      ordered-by user;
      description "Don't inherit configuration data from these groups";
    }
    list apply-macro {
      key "name";
      ordered-by user;
      description "Macro and parameters for commit script expansion";
      uses apply-macro-type;
    } // list apply-macro
  } // grouping apply-advanced

  grouping apply-macro-type {
    description "Macro data for commit-script expansion";
    leaf name {
      type string;
      description "Name of the macro to be expanded";
    }
    // macro-data-type is defined outside this excerpt.
    list data {
      key "name";
      uses macro-data-type;
    } // list data
  } // grouping apply-macro-type

  // ATM policer template ("firewall atm-policer <name>"). Rates are free-form
  // strings here; only max-burst-size carries a numeric bound.
  grouping atm-policer-type {
    description "Atm policer";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Policer name";
    }
    uses apply-advanced;
    leaf logical-interface-policer {
      type empty;
      description "Policer is logical interface policer";
    }
    leaf atm-service {
      type enumeration {
        enum "cbr" { value 0; description "Constant bit rate"; }
        enum "rtvbr" { value 1; description "Real-time variable bit rate"; }
        enum "nrtvbr" { value 2; description "Non-real-time variable bit rate"; }
        enum "ubr" { value 3; description "Unspecified bit rate"; }
      }
      description "ATM service category";
    }
    leaf peak-rate {
      type string;
      units "cps";
      description "ATM Peak Cell Rate (PCR)";
    }
    leaf sustained-rate {
      type string;
      units "cps";
      description "ATM Sustained Cell Rate (SCR)";
    }
    leaf max-burst-size {
      // uint64 branch is bounded to 1..4000 cells; the string branch is the
      // "<...>" / "$..." wildcard or variable form (see learn-vlan-1p-priority).
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint64 { range "1 .. 4000"; }
      }
      units "cells";
      description "ATM Maximum Burst Size (MBS)";
    }
    leaf cdvt {
      type string;
      units "microseconds";
      description "Cell Delay Variation Tolerance";
    }
    leaf policing-action {
      type enumeration {
        enum "count" { value 0; description "Update counters"; }
        enum "discard" { value 1; description "Discard non-conforming cells (CBR.1/VBR.1/UBR.1)"; }
        enum "discard-tag" { value 2; description "Discard PCR non-conforming and tag SCR non-conforming cells (VBR.3/UBR.2)"; }
      }
      description "Policing action";
    }
  } // grouping atm-policer-type

  // family bridge filter. This grouping continues beyond the end of this
  // excerpt.
  grouping bridge_filter {
    description "Define a BRIDGE firewall filter";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    leaf-list accounting-profile {
      junos:must "("accounting-options filter-profile")";
      junos:must-message "referenced accounting profile must be defined";
      type string;
      ordered-by user;
      description "Accounting profile name";
    }
    leaf interface-specific {
      type empty;
      description "Defined counters are interface specific";
    }
    leaf physical-interface-filter {
      type empty;
      description "Filter is physical interface filter";
    }
    leaf instance-shared {
      // Requires enhanced-ip network-services mode and excludes both
      // physical-interface-filter and interface-specific.
      junos:must "("chassis network-services enhanced-ip")";
      junos:must-message "instance-shared filter available only in enhanced-ip mode";
      junos:must "(!(".. physical-interface-filter"))";
      junos:must-message "Cannot be both physical-interface-filter and instance-shared";
      junos:must "(!(".. 
interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-shared"; type empty; description "Filter is routing-instance shared"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family bridge filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice ether-type_choice { leaf-list ether-type { type string; ordered-by user; } leaf-list ether-type-except { type string; ordered-by user; } } // choice ether-type_choice choice vlan-ether-type_choice { leaf-list vlan-ether-type { type string; ordered-by user; } leaf-list vlan-ether-type-except { type string; ordered-by user; } } // choice vlan-ether-type_choice list destination-mac-address { key "name"; ordered-by user; description "Destination MAC address"; uses firewall_mac_addr_object; } // list destination-mac-address list source-mac-address { key "name"; ordered-by user; description "Source MAC address"; uses firewall_mac_addr_object; } // list source-mac-address choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string 
of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice choice learn-vlan-id_choice { leaf-list learn-vlan-id { type string; ordered-by user; description "Range of values"; } leaf-list learn-vlan-id-except { type string; ordered-by user; description "Range of values"; } } // choice learn-vlan-id_choice choice learn-vlan-1p-priority_choice { leaf-list learn-vlan-1p-priority { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list learn-vlan-1p-priority-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice learn-vlan-1p-priority_choice choice user-vlan-id_choice { leaf-list user-vlan-id { type string; ordered-by user; description "Range of values"; } leaf-list user-vlan-id-except { type string; ordered-by user; description "Range of values"; } } // choice user-vlan-id_choice choice user-vlan-1p-priority_choice { leaf-list user-vlan-1p-priority { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list user-vlan-1p-priority-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice user-vlan-1p-priority_choice choice learn-vlan-dei_choice { leaf-list learn-vlan-dei { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } leaf-list learn-vlan-dei-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1"; } } ordered-by user; description "DEI value 0-1"; } } // choice learn-vlan-dei_choice choice traffic-type_choice { leaf-list traffic-type { type enumeration { enum "broadcast" { value 0; description "Packets with broadcast ethernet address"; } enum "multicast" { value 1; description "Packets with multicast ethernet address"; } enum "unknown-unicast" { value 2; description "Packets for which destination ethernet address has not been learnt"; } enum "known-unicast" { value 3; description "Packets for which destination ethernet address has been learnt"; } } ordered-by user; } leaf-list traffic-type-except { type enumeration { enum "broadcast" { value 0; description "Packets with broadcast ethernet address"; } enum "multicast" { value 1; description "Packets with multicast ethernet address"; } enum "unknown-unicast" { value 2; description "Packets for which destination ethernet address has not been learnt"; } enum "known-unicast" { value 3; description "Packets for which destination ethernet address has been learnt"; } } ordered-by user; } } // choice traffic-type_choice list ip-source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list ip-source-address list ip-destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list ip-destination-address list ip-address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list ip-address choice ip-protocol_choice { leaf-list ip-protocol { type string; ordered-by user; } leaf-list ip-protocol-except { type string; ordered-by user; } } // choice ip-protocol_choice choice dscp_choice { leaf-list dscp { type string; ordered-by user; } leaf-list dscp-except { type string; ordered-by user; } } // choice dscp_choice choice ip-precedence_choice { leaf-list ip-precedence { type string; ordered-by user; } leaf-list ip-precedence-except { 
type string; ordered-by user; } } // choice ip-precedence_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-flags { type string; description "Match TCP flags"; } choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list list ipv6-destination-address { key "name"; ordered-by user; description "Match IPv6 destination address"; uses firewall_addr6_object; } // list ipv6-destination-address list ipv6-source-address { key "name"; 
ordered-by user; description "Match IPv6 source address"; uses firewall_addr6_object; } // list ipv6-source-address list ipv6-address { key "name"; ordered-by user; description "Match IPv6 address"; uses firewall_addr6_object; } // list ipv6-address choice ipv6-next-header_choice { leaf-list ipv6-next-header { type string; ordered-by user; } leaf-list ipv6-next-header-except { type string; ordered-by user; } } // choice ipv6-next-header_choice choice ipv6-payload-protocol_choice { leaf-list ipv6-payload-protocol { type string; ordered-by user; } leaf-list ipv6-payload-protocol-except { type string; ordered-by user; } } // choice ipv6-payload-protocol_choice choice ipv6-traffic-class_choice { leaf-list ipv6-traffic-class { type string; ordered-by user; } leaf-list ipv6-traffic-class-except { type string; ordered-by user; } } // choice ipv6-traffic-class_choice list ipv6-source-prefix-list { key "name"; ordered-by user; description "Match IPV6 source prefixes in named list"; uses firewall_prefix_list; } // list ipv6-source-prefix-list list ipv6-destination-prefix-list { key "name"; ordered-by user; description "Match IPV6 destination prefixes in named list"; uses firewall_prefix_list; } // list ipv6-destination-prefix-list list ipv6-prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list ipv6-prefix-list choice flex-mask_choice { container flexible-match-mask { presence "enable flexible-match-mask"; description "Match flexible mask"; uses match_L2_flexible_mask; } // container flexible-match-mask } // choice flex-mask_choice choice flex-range_choice { container flexible-match-range { presence "enable flexible-match-range"; description "Match flexible range"; uses match_L2_flexible_range; } // container flexible-match-range } // choice flex-range_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message 
"Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice choice isid_choice { leaf-list isid { type string; ordered-by user; description "Range of values"; } leaf-list isid-except { type string; ordered-by user; description "Range of values"; } } // choice isid_choice choice isid-priority-code-point_choice { leaf-list isid-priority-code-point { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list isid-priority-code-point-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice isid-priority-code-point_choice choice isid-dei_choice { leaf-list isid-dei { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } leaf-list isid-dei-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1"; } } ordered-by user; description "DEI value 0-1"; } } // choice isid-dei_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not 
exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer leaf hierarchical-policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of hierarchical policer to use to rate-limit traffic"; } } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a 
non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; junos:must "("forwarding-options port-mirroring")"; junos:must-message "Configure 'port-mirroring' under 'forwarding-options'"; type empty; description "Port-mirror the packet"; } leaf inline-monitoring-instance { junos:must "("services inline-monitoring instance $$")"; junos:must-message "Configure 'inline-monitoring instance'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Inline monitoring to specified instance"; } choice designation { leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation
leaf next-hop-group { type string; description "Use specified next-hop group"; } leaf sample { junos:must "(any "forwarding-options sampling instance <*> family bridge")"; junos:must-message "Configure family bridge under forwarding-options sampling"; type empty; description "Sample the packet"; } leaf log { type empty; description "Log the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } container forwarding-policy { description "Specify forwarding policy for extended port"; uses apply-advanced; leaf uplink-select { type string; description "Specify port group for uplink selection"; } } // container forwarding-policy
} // container then
} // list term
} // grouping bridge_filter
grouping ccc_filter {
  // Match criteria ('from') and actions ('then') for a firewall filter in
  // the CCC family. Term order is user-controlled (ordered-by user); how
  // the device evaluates terms, and what happens to a packet no term
  // matches, is not expressed in this module.
  description "Define a CCC firewall filter";
  leaf name {
    // Rejects the reserved "__" prefix and names longer than 64 characters.
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  leaf-list accounting-profile {
    // NOTE(review): the must expression carries no $$, so it appears to
    // assert only that an accounting-options filter-profile hierarchy is
    // configured, not that the profile named here exists - confirm.
    junos:must "("accounting-options filter-profile")";
    junos:must-message "referenced accounting profile must be defined";
    type string;
    ordered-by user;
    description "Accounting profile name";
  }
  leaf interface-specific { type empty; description "Any counters defined will be interface specific"; }
  leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; }
  list term {
    key "name";
    ordered-by user;
    description "Define a firewall term";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    leaf filter {
      // Includes another CCC filter by reference: the referenced filter
      // must exist, and this term must then carry neither 'from' nor 'then'.
      // NOTE(review): the second must-message quotes 'from or then' as one
      // token; 'from' or 'then' is what the check actually means.
      junos:must "("firewall family ccc filter $$")";
      junos:must-message "Referenced filter is not defined";
      junos:must "((!(".. from") && !(".. then")))";
      junos:must-message "Not compatible with 'from or then'";
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter to include";
    }
    container from {
      // Most match leaf-lists below are plain 'type string' with no pattern,
      // so a YANG/NETCONF client cannot pre-validate their values; they are
      // presumably validated by the device on commit (not expressed here).
      description "Define match criteria";
      uses apply-advanced;
      choice interface-group_choice {
        leaf-list interface-group { type string; ordered-by user; description "Range of values"; }
        leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; }
      } // choice interface-group_choice
      list interface {
        key "name";
        ordered-by user;
        description "Match interface name";
        uses match_interface_object;
      } // list interface
      choice packet-length_choice {
        // NOTE(review): the hex alternatives use the POSIX range [0-f]. In
        // the C locale that spans 0x30-0x66 and therefore also admits ':'
        // through '@', 'A' through 'Z' and '[' through '`' - e.g. "0xZZZZ"
        // passes this client-side check even though the message promises
        // 0-65535. [0-9a-fA-F] is the evident intent; confirm how the device
        // treats such input before relying on this pattern for validation.
        leaf-list packet-length {
          type string {
            junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
            junos:pattern-message "Must be a numeric value or a range between 0-65535";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list packet-length-except {
          type string {
            junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
            junos:pattern-message "Must be a numeric value or a range between 0-65535";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice packet-length_choice
      choice forwarding-class_choice {
        // NOTE(review): unlike the name leaves, "^.{1,64}$" does not exclude
        // the reserved "__" prefix.
        leaf-list forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          ordered-by user;
          description "String name";
        }
        leaf-list forwarding-class-except {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          ordered-by user;
          description "String name";
        }
      } // choice forwarding-class_choice
      choice loss-priority_choice {
        leaf-list loss-priority {
          type enumeration {
            enum "low" { value 0; description "Loss priority low"; }
            enum "high" { value 1; description "Loss priority high"; }
            enum "medium-low" { value 2; description "Loss priority medium-low"; }
            enum "medium-high" { value 3; description "Loss priority medium-high"; }
          }
          ordered-by user;
        }
        leaf-list loss-priority-except {
          type enumeration {
            enum "low" { value 0; description "Loss priority low"; }
            enum "high" { value 1; description "Loss priority high"; }
            enum "medium-low" { value 2; description "Loss priority medium-low"; }
            enum "medium-high" { value 3; description "Loss priority medium-high"; }
          }
          ordered-by user;
        }
      } // choice loss-priority_choice
      choice learn-vlan-1p-priority_choice {
        // Union: a numeric value 0-7, or a string of the form <...> / $...
        // (presumably apply-group wildcards and variables - not defined in
        // this module).
        leaf-list learn-vlan-1p-priority {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "0 .. 7"; }
          }
          ordered-by user;
          description "802.1p priority value 0-7";
        }
        leaf-list learn-vlan-1p-priority-except {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "0 .. 7"; }
          }
          ordered-by user;
          description "802.1p priority value 0-7";
        }
      } // choice learn-vlan-1p-priority_choice
      choice user-vlan-1p-priority_choice {
        leaf-list user-vlan-1p-priority {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "0 .. 7"; }
          }
          ordered-by user;
          description "802.1p priority value 0-7";
        }
        leaf-list user-vlan-1p-priority-except {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "0 .. 7"; }
          }
          ordered-by user;
          description "802.1p priority value 0-7";
        }
      } // choice user-vlan-1p-priority_choice
      list destination-mac-address {
        key "name";
        ordered-by user;
        description "Destination MAC address";
        uses firewall_mac_addr_object;
      } // list destination-mac-address
      leaf is-host-packet { type empty; description "Match if packet is host generated"; }
      list source-mac-address {
        key "name";
        ordered-by user;
        description "Source MAC address";
        uses firewall_mac_addr_object;
      } // list source-mac-address
      list ip-source-address {
        key "name";
        ordered-by user;
        description "Match IP source address";
        uses firewall_addr_object;
      } // list ip-source-address
      list ip-destination-address {
        key "name";
        ordered-by user;
        description "Match IP destination address";
        uses firewall_addr_object;
      } // list ip-destination-address
      choice dscp_choice {
        leaf-list dscp { type string; ordered-by user; }
        leaf-list dscp-except { type string; ordered-by user; }
      } // choice dscp_choice
      choice ip-precedence_choice {
        leaf-list ip-precedence { type string; ordered-by user; }
        leaf-list ip-precedence-except { type string; ordered-by user; }
      } // choice ip-precedence_choice
      choice ip-protocol_choice {
        leaf-list ip-protocol { type string; ordered-by user; }
        leaf-list ip-protocol-except { type string; ordered-by user; }
      } // choice ip-protocol_choice
      choice icmp-type_choice {
        leaf-list icmp-type { type string; ordered-by user; }
        leaf-list icmp-type-except { type string; ordered-by user; }
      } // choice icmp-type_choice
      choice icmp-code_choice {
        leaf-list icmp-code { type string; ordered-by user; }
        leaf-list icmp-code-except { type string; ordered-by user; }
      } // choice icmp-code_choice
      choice source-port_choice {
        leaf-list source-port { type string; ordered-by user; }
        leaf-list source-port-except { type string; ordered-by user; }
      } // choice source-port_choice
      choice destination-port_choice {
        leaf-list destination-port { type string; ordered-by user; }
        leaf-list destination-port-except { type string; ordered-by user; }
      } // choice destination-port_choice
      choice policy-map_choice {
        // The referenced class-of-service policy-map must exist.
        leaf-list policy-map {
          junos:must "("class-of-service policy-map $$")";
          junos:must-message "Undefined policy-map instance";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            length "1 .. 64";
          }
          ordered-by user;
          description "String name";
        }
        leaf-list policy-map-except {
          junos:must "("class-of-service policy-map $$")";
          junos:must-message "Undefined policy-map instance";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            length "1 .. 64";
          }
          ordered-by user;
          description "String name";
        }
      } // choice policy-map_choice
      choice flex-mask_choice {
        container flexible-match-mask {
          presence "enable flexible-match-mask";
          description "Match flexible mask";
          uses match_L2_flexible_mask;
        } // container flexible-match-mask
      } // choice flex-mask_choice
      choice flex-range_choice {
        container flexible-match-range {
          presence "enable flexible-match-range";
          description "Match flexible range";
          uses match_L2_flexible_range;
        } // container flexible-match-range
      } // choice flex-range_choice
      choice user-vlan-id_choice {
        leaf-list user-vlan-id { type string; ordered-by user; description "Range of values"; }
        leaf-list user-vlan-id-except { type string; ordered-by user; description "Range of values"; }
      } // choice user-vlan-id_choice
      choice ether-type_choice {
        leaf-list ether-type { type string; ordered-by user; }
        leaf-list ether-type-except { type string; ordered-by user; }
      } // choice ether-type_choice
      choice learn-vlan-id_choice {
        leaf-list learn-vlan-id { type string; ordered-by user; description "Range of values"; }
        leaf-list learn-vlan-id-except { type string; ordered-by user; description "Range of values"; }
      } // choice learn-vlan-id_choice
      container ip-version {
        // ipv4 and ipv6 are mutually exclusive within a term (enforced by
        // the must statement on each container).
        description "Define IP version";
        uses apply-advanced;
        container ipv4 {
          junos:must "(!(".. ipv6"))";
          junos:must-message "Same term cannot have both IPv4 & IPv6 IP version";
          description "Define L3/L4 match items to match IPv4 packets";
          uses apply-advanced;
          choice ip-protocol_choice {
            leaf-list ip-protocol { type string; ordered-by user; }
            leaf-list ip-protocol-except { type string; ordered-by user; }
          } // choice ip-protocol_choice
          choice icmp-type_choice {
            leaf-list icmp-type { type string; ordered-by user; }
            leaf-list icmp-type-except { type string; ordered-by user; }
          } // choice icmp-type_choice
          choice icmp-code_choice {
            leaf-list icmp-code { type string; ordered-by user; }
            leaf-list icmp-code-except { type string; ordered-by user; }
          } // choice icmp-code_choice
          choice source-port_choice {
            leaf-list source-port { type string; ordered-by user; }
            leaf-list source-port-except { type string; ordered-by user; }
          } // choice source-port_choice
          choice destination-port_choice {
            leaf-list destination-port { type string; ordered-by user; }
            leaf-list destination-port-except { type string; ordered-by user; }
          } // choice destination-port_choice
          choice ip-precedence_choice {
            // NOTE(review): no ip-precedence-except here, unlike the
            // term-level ip-precedence_choice above - omission or
            // intentional? confirm.
            leaf-list ip-precedence { type string; ordered-by user; }
          } // choice ip-precedence_choice
          choice dscp_choice {
            leaf-list dscp { type string; ordered-by user; }
            leaf-list dscp-except { type string; ordered-by user; }
          } // choice dscp_choice
          choice traffic-class_choice {
            leaf-list traffic-class { type string; ordered-by user; }
            leaf-list traffic-class-except { type string; ordered-by user; }
          } // choice traffic-class_choice
          list ip-source-address {
            key "name";
            ordered-by user;
            description "Match IP source address";
            uses firewall_addr_object;
          } // list ip-source-address
          list ip-destination-address {
            key "name";
            ordered-by user;
            description "Match IP destination address";
            uses firewall_addr_object;
          } // list ip-destination-address
          list source-prefix-list {
            key "name";
            ordered-by user;
            description "Match IP source prefixes in named list";
            uses firewall_prefix_list;
          } // list source-prefix-list
          list destination-prefix-list {
            key "name";
            ordered-by user;
            description "Match IP destination prefixes in named list";
            uses firewall_prefix_list;
          } // list destination-prefix-list
          // NOTE(review): unlike the ipv6 branch below, these TCP matches
          // carry no must requiring a TCP ip-protocol match in the same
          // clause.
          leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats) - (Ingress only)"; }
          leaf tcp-initial { type empty; description "Match initial packet of a TCP connection - (Ingress only)"; }
          leaf tcp-established { type empty; description "Match packet of an established TCP connection"; }
          leaf is-fragment { type empty; description "Match if packet is a fragment"; }
        } // container ipv4
        container ipv6 {
          junos:must "(!(".. ipv4"))";
          junos:must-message "Same term cannot have both IPv4 & IPv6 IP version";
          description "Define L3/L4 match items to match IPv6 packets";
          uses apply-advanced;
          list ip6-source-address {
            key "name";
            ordered-by user;
            description "Match source address";
            uses firewall_addr6_object;
          } // list ip6-source-address
          list ip6-destination-address {
            key "name";
            ordered-by user;
            description "Match destination address";
            uses firewall_addr6_object;
          } // list ip6-destination-address
          choice icmp-type_choice {
            leaf-list icmp-type { type string; ordered-by user; }
            leaf-list icmp-type-except { type string; ordered-by user; }
          } // choice icmp-type_choice
          choice icmp-code_choice {
            leaf-list icmp-code { type string; ordered-by user; }
            leaf-list icmp-code-except { type string; ordered-by user; }
          } // choice icmp-code_choice
          choice source-port_choice {
            leaf-list source-port { type string; ordered-by user; }
            leaf-list source-port-except { type string; ordered-by user; }
          } // choice source-port_choice
          choice destination-port_choice {
            leaf-list destination-port { type string; ordered-by user; }
            leaf-list destination-port-except { type string; ordered-by user; }
          } // choice destination-port_choice
          list source-prefix-list {
            key "name";
            ordered-by user;
            description "Match IP source prefixes in named list";
            uses firewall_prefix_list;
          } // list source-prefix-list
          list destination-prefix-list {
            key "name";
            ordered-by user;
            description "Match IP destination prefixes in named list";
            uses firewall_prefix_list;
          } // list destination-prefix-list
          choice next-header_choice {
            leaf-list next-header { type string; ordered-by user; }
            leaf-list next-header-except { type string; ordered-by user; }
          } // choice next-header_choice
          choice traffic-class_choice {
            leaf-list traffic-class { type string; ordered-by user; }
            leaf-list traffic-class-except { type string; ordered-by user; }
          } // choice traffic-class_choice
          // The three TCP matches below are only valid alongside a
          // next-header tcp / next-header 6 / payload-protocol tcp match
          // in the same clause.
          leaf tcp-flags {
            junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
            junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
            type string;
            description "Match TCP flags (in symbolic or hex formats)";
          }
          leaf tcp-initial {
            junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
            junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
            type empty;
            description "Match initial packet of a TCP connection";
          }
          leaf tcp-established {
            junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
            junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
            type empty;
            description "Match packet of an established TCP connection";
          }
        } // container ipv6
      } // container ip-version
    } // container from
    container then {
      // NOTE(review): none of the 'designation' alternatives (accept,
      // discard, next term, encapsulate) is mandatory, so a term can match
      // with no terminating action configured; what the device then does
      // with the packet is not expressed in this module - confirm.
      description "Action to take if the 'from' condition is matched";
      uses apply-advanced;
      choice policer-choice {
        leaf policer {
          // NOTE(review): this must only rejects an 'aggregate' policer;
          // unlike the three-color-policer leaves below it does not assert
          // that the named policer exists.
          junos:must "(!("firewall policer $$ aggregate"))";
          junos:must-message "Cannot attach a aggregate policer to filter";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Name of policer to use to rate-limit traffic";
        }
        container three-color-policer {
          // Each leaf checks that the referenced three-color-policer exists
          // with the matching rate type.
          description "Police the packet using a three-color-policer";
          uses apply-advanced;
          choice type-choice {
            leaf single-rate {
              junos:must "("firewall three-color-policer $$ single-rate")";
              junos:must-message "Referenced single-rate policer does not exist";
              type string {
                junos:posix-pattern "!^((__.*)|(.{65,}))$";
                junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              }
              description "Name of single-rate three-color policer to use to rate-limit traffic";
            }
            leaf single-packet-rate {
              junos:must "("firewall three-color-policer $$ single-packet-rate")";
              junos:must-message "Referenced single-packet-rate policer does not exist";
              type string {
                junos:posix-pattern "!^((__.*)|(.{65,}))$";
                junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              }
              description "Name of single-packet-rate three-color policer to use to rate-limit traffic";
            }
            leaf two-rate {
              junos:must "("firewall three-color-policer $$ two-rate")";
              junos:must-message "Referenced two-rate policer does not exist";
              type string {
                junos:posix-pattern "!^((__.*)|(.{65,}))$";
                junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              }
              description "Name of two-rate three-color policer to use to rate-limit traffic";
            }
            leaf two-packet-rate {
              junos:must "("firewall three-color-policer $$ two-packet-rate")";
              junos:must-message "Referenced two-packet-rate policer does not exist";
              type string {
                junos:posix-pattern "!^((__.*)|(.{65,}))$";
                junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              }
              description "Name of two-packet-rate three-color policer to use to rate-limit traffic";
            }
          } // choice type-choice
        } // container three-color-policer
        leaf hierarchical-policer {
          // NOTE(review): no must reference check, unlike the sibling
          // policer leaves.
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Name of hierarchical policer to use to rate-limit traffic";
        }
      } // choice policer-choice
      choice policy-map-choice {
        leaf clear-policy-map { type empty; description "Clear the policy marking"; }
        leaf policy-map {
          junos:must "("class-of-service policy-map $$")";
          junos:must-message "referenced policy map must be defined";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Policy map action";
        }
      } // choice policy-map-choice
      leaf count {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Count the packet in the named counter";
      }
      leaf loss-priority {
        type enumeration {
          enum "low" { value 0; description "Loss priority low"; }
          enum "high" { value 1; description "Loss priority high"; }
          enum "medium-low" { value 2; description "Loss priority medium-low"; }
          enum "medium-high" { value 3; description "Loss priority medium-high"; }
        }
        description "Packet's loss priority";
      }
      leaf forwarding-class {
        // Same pattern as the 'from' forwarding-class: reserved "__" names
        // are not excluded here.
        type string {
          junos:posix-pattern "^.{1,64}$";
          junos:pattern-message "Must be string of 64 characters or less";
        }
        description "Classify packet to forwarding class";
      }
      leaf port-mirror-instance {
        junos:must "("forwarding-options port-mirroring instance $$")";
        junos:must-message "Referenced port-mirroring instance does not exist";
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Port-mirror the packet to the specified instance";
      }
      leaf next-hop-group {
        // NOTE(review): unconstrained string with no must reference check,
        // unlike the other named-object actions in this container.
        type string;
        description "Use specified next-hop group";
      }
      leaf port-mirror {
        // Mutually exclusive with port-mirror-instance; requires
        // forwarding-options port-mirroring to be configured.
        junos:must "(!(".. port-mirror-instance"))";
        junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive";
        junos:must "("forwarding-options port-mirroring")";
        junos:must-message "Configure 'port-mirroring' under 'forwarding-options'";
        type empty;
        description "Port-mirror the packet";
      }
      leaf inline-monitoring-instance {
        junos:must "("services inline-monitoring instance $$")";
        junos:must-message "Configure 'inline-monitoring instance'";
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Inline monitoring to specified instance";
      }
      // NOTE(review): per its description packet-mode bypasses flow mode
      // for matched traffic (presumably stateful session handling - not
      // expressed here); keep the 'from' criteria of such a term narrow.
      leaf packet-mode { type empty; description "Bypass flow mode for the packet"; }
      leaf force-premium { type empty; description "Convert traffic-class to premium"; }
      leaf log { type empty; description "Log the packet"; }
      leaf syslog { type empty; description "System log (syslog) information about the packet"; }
      choice designation {
        container encapsulate {
          presence "enable encapsulate";
          description "Send to a tunnel";
          leaf tunnel-end-point {
            // The referenced firewall tunnel-end-point must exist.
            junos:must "("firewall tunnel-end-point $$")";
            junos:must-message "referenced firewall tunnel-end-point must be defined";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of the tunnel end point";
          }
        } // container encapsulate
        leaf accept { type empty; description "Accept the packet"; }
        leaf discard { type empty; description "Discard the packet"; }
        leaf next {
          type enumeration {
            enum "term" { value 0; description "Continue to next term in a filter"; }
          }
          description "Continue to next term in a filter";
        }
      } // choice designation
    } // container then
  } // list term
} // grouping ccc_filter
grouping es_filter { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } leaf instance-specific { junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-specific"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-specific"; type empty; description "Filter is instance specific"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface
list source-mac-address { key "name"; ordered-by user; description "Match MAC source address"; uses firewall_mac_addr_object; } // list source-mac-address
list destination-mac-address { key "name"; ordered-by user; description "Match MAC destination address"; uses firewall_mac_addr_object; } // list destination-mac-address
choice ether-type_choice { leaf-list ether-type { type string; ordered-by user; } leaf-list ether-type-except { type string; ordered-by user; } } // choice ether-type_choice
choice l2-encap-type_choice { leaf-list l2-encap-type { type
string; ordered-by user; } leaf-list l2-encap-type-except { type string; ordered-by user; } } // choice l2-encap-type_choice choice vlan_choice { leaf-list vlan { type string; ordered-by user; description "VLAN name or ID"; } leaf-list vlan-except { type string; ordered-by user; description "VLAN name or ID"; } } // choice vlan_choice choice dot1q-tag_choice { leaf-list dot1q-tag { type string { junos:posix-pattern "^([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5])(-([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5]))?$"; junos:pattern-message "Must be a numerical value or range between 0-4095"; } ordered-by user; description "Range of values"; } leaf-list dot1q-tag-except { type string { junos:posix-pattern "^([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5])(-([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5]))?$"; junos:pattern-message "Must be a numerical value or range between 0-4095"; } ordered-by user; description "Range of values"; } } // choice dot1q-tag_choice choice dot1q-user-priority_choice { leaf-list dot1q-user-priority { type string; ordered-by user; } leaf-list dot1q-user-priority-except { type string; ordered-by user; } } // choice dot1q-user-priority_choice list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address list source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list destination-address choice dscp_choice { leaf-list dscp { type string; ordered-by user; } leaf-list dscp-except { type string; ordered-by user; } } // choice dscp_choice choice precedence_choice { leaf-list precedence { type string; ordered-by user; } leaf-list precedence-except { type string; ordered-by user; } } // choice precedence_choice choice 
ip-options_choice { leaf-list ip-options { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } leaf-list ip-options-except { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } } // choice ip-options_choice leaf fragment-flags { type string; description "Match fragment flags (in symbolic or hex formats) - (Ingress only)"; } leaf is-fragment { type empty; description "Match if packet is a fragment"; } choice protocol_choice { leaf-list protocol { type string; ordered-by user; } leaf-list protocol-except { type string; ordered-by user; } } // choice protocol_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; } leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; } leaf tcp-established { type empty; description "Match packet of an established TCP connection"; } choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key 
"name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list ip-source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list ip-source-address list ip-destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list ip-destination-address choice ip-protocol_choice { leaf-list ip-protocol { type string; ordered-by user; } leaf-list ip-protocol-except { type string; ordered-by user; } } // choice ip-protocol_choice choice ip-precedence_choice { leaf-list ip-precedence { type string; ordered-by user; } leaf-list ip-precedence-except { type string; ordered-by user; } } // choice ip-precedence_choice list ipv6-destination-address { key "name"; ordered-by user; description "Match IPv6 destination address"; uses firewall_addr6_object; } // list ipv6-destination-address list ipv6-source-address { key "name"; ordered-by user; description "Match IPv6 source address"; uses firewall_addr6_object; } // list ipv6-source-address list ipv6-address { key "name"; ordered-by user; description "Match IPv6 address"; uses firewall_addr6_object; } // list ipv6-address choice ipv6-next-header_choice { leaf-list ipv6-next-header { type string; ordered-by user; } leaf-list ipv6-next-header-except { type string; ordered-by user; } } // choice ipv6-next-header_choice choice ipv6-payload-protocol_choice { leaf-list ipv6-payload-protocol { type string; ordered-by user; } leaf-list ipv6-payload-protocol-except { type string; ordered-by user; } } // choice ipv6-payload-protocol_choice choice ipv6-traffic-class_choice { leaf-list ipv6-traffic-class { type string; ordered-by user; } leaf-list ipv6-traffic-class-except { type string; ordered-by user; } } // choice ipv6-traffic-class_choice list ipv6-source-prefix-list { key "name"; ordered-by user; description "Match IPV6 source 
prefixes in named list"; uses firewall_prefix_list; } // list ipv6-source-prefix-list list ipv6-destination-prefix-list { key "name"; ordered-by user; description "Match IPV6 destination prefixes in named list"; uses firewall_prefix_list; } // list ipv6-destination-prefix-list list ipv6-prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list ipv6-prefix-list choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice vlan-ether-type_choice { leaf-list vlan-ether-type { type string; ordered-by user; } leaf-list vlan-ether-type-except { type string; ordered-by user; } } // choice vlan-ether-type_choice choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice choice learn-vlan-id_choice { leaf-list learn-vlan-id { type string; ordered-by user; description "Range of values"; } leaf-list learn-vlan-id-except { type string; ordered-by user; description "Range of values"; } } // choice learn-vlan-id_choice choice learn-vlan-1p-priority_choice { leaf-list learn-vlan-1p-priority { type union { type string { pattern "<.*>|$.*"; } 
type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list learn-vlan-1p-priority-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice learn-vlan-1p-priority_choice choice learn-vlan-dei_choice { leaf-list learn-vlan-dei { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } leaf-list learn-vlan-dei-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } } // choice learn-vlan-dei_choice choice user-vlan-id_choice { leaf-list user-vlan-id { type string; ordered-by user; description "Range of values"; } leaf-list user-vlan-id-except { type string; ordered-by user; description "Range of values"; } } // choice user-vlan-id_choice choice user-vlan-1p-priority_choice { leaf-list user-vlan-1p-priority { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list user-vlan-1p-priority-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice user-vlan-1p-priority_choice choice traffic-type_choice { leaf-list traffic-type { type enumeration { enum "broadcast" { value 0; description "Packets with broadcast ethernet address"; } enum "multicast" { value 1; description "Packets with multicast ethernet address"; } enum "unknown-unicast" { value 2; description "Packets for which destination ethernet address has not been learnt"; } enum "known-unicast" { value 3; description "Packets for which destination ethernet address has been learnt"; } } ordered-by user; } leaf-list traffic-type-except { type enumeration { enum "broadcast" { value 0; description "Packets with broadcast ethernet address"; } enum "multicast" { value 1; description "Packets with multicast ethernet address"; } enum "unknown-unicast" { value 2; description "Packets for which destination ethernet address has not been learnt"; } enum "known-unicast" { value 3; description "Packets for which destination ethernet address has been learnt"; } } ordered-by user; } } // choice traffic-type_choice list ip-address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list ip-address list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set list prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list choice isid_choice { leaf-list isid { type string; ordered-by user; description "Range of values"; } leaf-list isid-except { type string; ordered-by user; description "Range of values"; } } // choice isid_choice choice isid-priority-code-point_choice { leaf-list isid-priority-code-point { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list isid-priority-code-point-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice isid-priority-code-point_choice choice isid-dei_choice { leaf-list isid-dei { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } leaf-list isid-dei-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } } // choice isid-dei_choice choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice arp-type_choice { leaf-list arp-type { type string; ordered-by user; } } // choice arp-type_choice choice flex-mask_choice { container flexible-match-mask { presence "enable flexible-match-mask"; description "Match flexible mask"; uses match_L2_flexible_mask; } // container flexible-match-mask } // choice flex-mask_choice choice flex-range_choice { container flexible-match-range { presence "enable flexible-match-range"; description "Match flexible range"; uses match_L2_flexible_range; } // container flexible-match-range } // choice flex-range_choice container ip-version { description "Define IP version"; uses apply-advanced; container ipv4 { junos:must "(!(".. 
ipv6"))"; junos:must-message "Same term cannot have both IPv4 & IPv6 IP version"; description "Define L3/L4 match items to match IPv4 packets"; uses apply-advanced; list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address choice dscp_choice { leaf-list dscp { type string; ordered-by user; } leaf-list dscp-except { type string; ordered-by user; } } // choice dscp_choice choice precedence_choice { case case_1 { } // case case_1 leaf-list precedence-except { type string; ordered-by user; } } // choice precedence_choice choice ip-options_choice { leaf-list ip-options { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } leaf-list ip-options-except { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } } // choice ip-options_choice leaf fragment-flags { type string; description "Match fragment flags (in symbolic or hex formats) - (Ingress only)"; } leaf is-fragment { type empty; description "Match if packet is a fragment"; } choice protocol_choice { case case_1 { } // case case_1 leaf-list protocol-except { type string; ordered-by user; } } // choice protocol_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats) - (Ingress only)"; } leaf tcp-initial { type empty; description "Match initial packet of a TCP connection - (Ingress only)"; } leaf 
tcp-established { type empty; description "Match packet of an established TCP connection"; } choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list ip-source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list ip-source-address list ip-destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list ip-destination-address choice ip-protocol_choice { leaf-list ip-protocol { type string; ordered-by user; } leaf-list ip-protocol-except { type string; ordered-by user; } } // choice ip-protocol_choice choice ip-precedence_choice { leaf-list ip-precedence { type string; ordered-by user; } leaf-list ip-precedence-except { type string; ordered-by user; } } // choice ip-precedence_choice } // container ipv4 container ipv6 { junos:must "(!(".. 
ipv4"))"; junos:must-message "Same term cannot have both IPv4 & IPv6 IP version"; description "Define L3/L4 match items to match IPv6 packets"; uses apply-advanced; choice traffic-class_choice { leaf-list traffic-class { type string; ordered-by user; } leaf-list traffic-class-except { type string; ordered-by user; } } // choice traffic-class_choice choice next-header_choice { leaf-list next-header { type string; ordered-by user; } leaf-list next-header-except { type string; ordered-by user; } } // choice next-header_choice choice payload-protocol_choice { leaf-list payload-protocol { type string; ordered-by user; } leaf-list payload-protocol-except { type string; ordered-by user; } } // choice payload-protocol_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice choice extension-header_choice { leaf-list extension-header { type string; ordered-by user; } leaf-list extension-header-except { type string; ordered-by user; } } // choice extension-header_choice leaf tcp-flags { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type string; description "Match TCP flags (in symbolic or hex formats)"; } leaf tcp-initial { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. 
payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type empty; description "Match initial packet of a TCP connection"; } leaf tcp-established { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type empty; description "Match packet of an established TCP connection"; } choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list ip6-source-address { key "name"; ordered-by user; description "Match source address"; uses firewall_addr6_object; } // list ip6-source-address list ip6-destination-address { key "name"; ordered-by user; description "Match destination address"; uses firewall_addr6_object; } // list ip6-destination-address } // container ipv6 } // container ip-version container vxlan { description "Define vxlan match items"; uses apply-advanced; choice vni_choice { leaf-list vni { type string { junos:posix-pattern 
"^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-16777215"; } ordered-by user; description "Range of values"; } leaf-list vni-except { type string { junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-16777215"; } ordered-by user; description "Range of values"; } } // choice vni_choice choice rsvd1_choice { leaf-list rsvd1 { type string { junos:posix-pattern 
"^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-16777215"; } ordered-by user; description "Range of values"; } leaf-list rsvd1-except { type string { junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-16777215"; } ordered-by user; description "Range of values"; } } // choice rsvd1_choice choice rsvd2_choice { leaf-list rsvd2 { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list rsvd2-except { type string { junos:posix-pattern 
"^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-255"; } ordered-by user; description "Range of values"; } } // choice rsvd2_choice container flags { description "Match VXlan flag field"; uses match_flags_value; } // container flags } // container vxlan choice gbp-src-tag_choice { leaf-list gbp-src-tag { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice gbp-src-tag_choice choice gbp-dst-tag_choice { leaf-list gbp-dst-tag { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice gbp-dst-tag_choice choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern 
"^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice designation { leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation leaf log { type empty; description "Log the packet"; } leaf pkt-trace { type empty; description "Trace the packet"; } leaf flood { type empty; description "Flood the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } leaf packet-capture { type empty; description "Enable packet capture for telemetry"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description 
"Classify packet to forwarding class"; } leaf analyzer { junos:must "("ethernet-switching-options analyzer $$")"; junos:must-message "Named Analyzer must be set"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of analyzer - (Ingress only)"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; junos:must "("forwarding-options port-mirroring")"; junos:must-message "Configure 'port-mirroring' under 'forwarding-options'"; type empty; description "Port-mirror the packet"; } leaf next-hop-group { junos:must "("forwarding-options next-hop-group $$")"; junos:must-message "Referenced next-hop group is not defined"; type string; description "Use specified next-hop group"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern 
"!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer leaf hierarchical-policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; 
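junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of hierarchical policer to use to rate-limit traffic";
          }
        } // choice policer-choice
        leaf vlan {
          junos:must "(("vlans $$" && !("vlans $$ vlan-range")))";
          junos:must-message "Named or Non-range vlan must be set";
          type string;
          description "Name of VLAN - (Ingress only)";
        }
        leaf interface {
          type union {
            type jt:interface-unit;
            type string {
              pattern "<.*>|$.*";
            }
          }
          description "Switch traffic to the specified interface by-passing switching lookup - (Ingress only)";
        }
        container vxlan {
          description "Vxlan related data";
          uses apply-advanced;
          leaf flags {
            type string {
              // 8-255 (or 0x08-0xFF); the decimal and hex alternatives cover the range.
              junos:posix-pattern "^([8-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[8-f]|0x0[8-f]|0x[1-f][0-f])(-([8-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[8-f]|0x0[8-f]|0x[1-f][0-f]))?$";
              junos:pattern-message "Must be a numeric value or a range between 8-255";
            }
            description "Set vxlan flags value (8..255 or 0x08..0xFF)";
          }
          leaf rsvd1 {
            type string {
              // Fix: the 24-bit alternative read "1677[0-6][0-9]0-9][0-9]" (missing "["
              // before "0-9]"), so 16770000-16776999 could not be set, and nothing covered
              // 16777200-16777209. Both gaps are closed; the same corrected pattern belongs
              // on the "from" side vni/rsvd1 match leaf-lists of this grouping.
              // NOTE(review): "[0-f]" is a collating-order range, not a hex-digit class;
              // left unchanged here.
              junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9][0-9][0-9]|16777[0-1][0-9][0-9]|1677720[0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9][0-9][0-9]|16777[0-1][0-9][0-9]|1677720[0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$";
              junos:pattern-message "Must be a numeric value or a range between 0-16777215";
            }
            description "Set vxlan reserved-1 value";
          }
          leaf rsvd2 {
            type string {
              junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
              junos:pattern-message "Must be a 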
numeric value or a range between 0-255";
}
description "Set vxlan reserved-2 value";
}
} // container vxlan
// Group-based-policy source tag: either a literal 16-bit value or a
// "<...>" / "$..." placeholder string.
leaf gbp-src-tag {
  type union {
    type string {
      pattern "<.*>|$.*";
    }
    type uint32 {
      range "0 .. 65535";
    }
  }
  description "Set GBP source tag";
}
} // container then
} // list term
} // grouping es_filter

// IPv6 prefix match object used by from-clause address lists;
// 'except' inverts the match.
grouping firewall_addr6_object {
  leaf name {
    type jt:ipv6prefix;
    description "Prefix to match";
  }
  leaf except {
    type empty;
    description "Match address not in this prefix";
  }
} // grouping firewall_addr6_object

// IPv4 prefix match object used by from-clause address lists;
// 'except' inverts the match.
grouping firewall_addr_object {
  leaf name {
    type jt:ipv4prefix;
    description "Prefix to match";
  }
  leaf except {
    type empty;
    description "Match address not in this prefix";
  }
} // grouping firewall_addr_object

// Flexible-match template: an anchor (L2/L3/L4/payload), a byte and bit
// offset from that anchor, and the width of the field to compare.
// Each numeric leaf also accepts a "<.*>|$.*" string, presumably a
// configuration-group wildcard or $variable -- verify against the DDL.
grouping firewall_flexible_match {
  description "Define a flexible match";
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Flex match template name";
  }
  uses apply-advanced;
  leaf match-start {
    type enumeration {
      enum "layer-2" {
        value 0;
        description "Layer-2 match start";
      }
      enum "layer-3" {
        value 1;
        description "Layer-3 match start";
      }
      enum "layer-4" {
        value 2;
        description "Layer-4 match start";
      }
      enum "payload" {
        value 3;
        description "Payload match start";
      }
    }
    description "Start point to match in packet";
  }
  leaf byte-offset {
    type union {
      type uint32;
      type string {
        pattern "<.*>|$.*";
      }
    }
    description "Byte offset after the match start point";
  }
  leaf bit-offset {
    type union {
      type string {
        pattern "<.*>|$.*";
      }
      type uint32 {
        range "0 .. 7";
      }
    }
    description "Bit offset after the (match-start + byte) offset";
  }
  // NOTE(review): the description bounds bit-length at 1..32 (integer) or
  // 1..128 (string), but the uint32 branch carries no 'range', so the
  // schema itself enforces neither limit.
  leaf bit-length {
    type union {
      type uint32;
      type string {
        pattern "<.*>|$.*";
      }
    }
    description "Length of integer input (1..32 bits), Optional length of string input (1..128 bits)";
  }
} // grouping firewall_flexible_match

// Hierarchical policer: an aggregate bucket plus a premium bucket, each
// defined by the corresponding hierarchical-policer-*-bucket grouping.
grouping firewall_hierpolicer {
  description "Define a hierarchical policer";
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Hierarchical Policer name";
  }
  // The policer is scoped to either a logical or a physical interface.
  choice sharing {
    leaf logical-interface-policer {
      type empty;
      description "Hierarchical policer is a logical interface policer";
    }
    leaf physical-interface-policer {
      type empty;
      description "Hierarchical policer is a physical interface policer";
    }
  } // choice sharing
  leaf shared-bandwidth-policer {
    type empty;
    description "Share policer bandwidth among bundle links";
  }
  leaf filter-specific {
    type empty;
    description "Hierarchical policer is filter-specific";
  }
  container aggregate {
    presence "enable aggregate";
    description "Aggregate definition";
    uses hierarchical-policer-aggregate-bucket;
  } // container aggregate
  container premium {
    presence "enable premium";
    description "Premium definition";
    uses hierarchical-policer-premium-bucket;
  } // container premium
} // grouping firewall_hierpolicer

// Named set of next-hop groups used as load-balancing destinations.
// NOTE(review): next-hop-group is a bare string with no junos:must
// existence check, unlike the policer references elsewhere in this module,
// so a misspelt group name is not caught by this schema.
grouping firewall_load_balance_group {
  description "Define group of destinations for load balancing";
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Load balance group name";
  }
  uses apply-advanced;
  leaf-list next-hop-group {
    type string;
    ordered-by user;
    description "Use specified next-hop group";
  }
} // grouping firewall_load_balance_group

// MAC address / prefix match object; 'except' inverts the match.
grouping firewall_mac_addr_object {
  leaf name {
    type jt:mac-addr-prefix;
    description "MAC address to match";
  }
  leaf except {
    type empty;
    description "Match MAC address not 
in this range";
  }
} // grouping firewall_mac_addr_object

// Two-color policer: a rate limit (bandwidth- or pps-based) and the action
// applied to out-of-profile traffic. The scope flags below are independent
// 'empty' leaves; this schema does not make them mutually exclusive.
grouping firewall_policer {
  description "Define a policer";
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Policer name";
  }
  uses apply-advanced;
  leaf filter-specific {
    type empty;
    description "Policer is filter-specific";
  }
  leaf logical-interface-policer {
    type empty;
    description "Policer is logical interface policer";
  }
  leaf physical-interface-policer {
    type empty;
    description "Policer is physical interface policer";
  }
  leaf logical-bandwidth-policer {
    type empty;
    description "Policer uses logical interface bandwidth";
  }
  leaf shared-bandwidth-policer {
    type empty;
    description "Share policer bandwidth among bundle links";
  }
  // Either a bandwidth-based or a pps-based limit, never both.
  choice exceeding {
    container if-exceeding {
      presence "enable if-exceeding";
      description "Define rate limits";
      uses apply-advanced;
      choice bandwidth {
        // Free-form string; no format validation happens in this schema.
        leaf bandwidth-limit {
          type string;
          units "bits per second";
          description "Bandwidth limit";
        }
        leaf bandwidth-percent {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "1 .. 100";
            }
          }
          units "percent";
          description "Bandwidth limit in percentage";
        }
      } // choice bandwidth
      leaf burst-size-limit {
        type string;
        units "bytes";
        description "Burst size limit";
      }
      // Parent (aggregate) policer this one feeds into; at most one entry.
      container aggregate-policing {
        presence "enable aggregate-policing";
        description "Configure Aggregate Policer";
        uses apply-advanced;
        list policer {
          key "name";
          max-elements 1;
          ordered-by user;
          description "Two-color policer to be used as aggregate";
          // NOTE(review): the first must ('firewall policer $$ aggregate')
          // is already false for an undefined policer, so the "is not
          // defined" message of the second check is only reachable if the
          // DDL evaluates the checks in the reverse order -- confirm which
          // message a dangling reference actually produces.
          leaf name {
            junos:must "("firewall policer $$ aggregate")";
            junos:must-message "Referenced policer must be of type 'aggregate'";
            junos:must "("firewall policer $$")";
            junos:must-message "Referenced aggregate policer is not defined";
            type string;
            description "Name of two-color policer to use to aggregate police";
          }
          uses apply-advanced;
          leaf aggregate-sharing-mode {
            type enumeration {
              enum "guarantee" {
                value 0;
                description "Child policer rates are guaranteed rates for member flow";
              }
              enum "peak" {
                value 1;
                description "Child policer rates are peak rates for member flow";
              }
            }
            description "Hierarchical Metering model";
          }
        } // list policer
      } // container aggregate-policing
    } // container if-exceeding
    container if-exceeding-pps {
      presence "enable if-exceeding-pps";
      description "Define pps limits";
      uses apply-advanced;
      choice pps {
        leaf pps-limit {
          type string;
          units "packets per second";
          description "PPS limit";
        }
      } // choice pps
      leaf packet-burst {
        type string;
        units "packets";
        description "PPS burst size limit";
      }
    } // container if-exceeding-pps
  } // choice exceeding
  // Out-of-profile actions. These are plain leaves rather than a choice,
  // so discard, loss-priority and forwarding-class can all be present.
  container then {
    description "Action to take if the rate limits are exceeded";
    uses apply-advanced;
    leaf discard {
      type empty;
      description "Discard the packet";
    }
    leaf loss-priority {
      type enumeration {
        enum "low" {
          value 0;
          description "Loss priority low";
        }
        enum "high" {
          value 1;
          description "Loss priority high";
        }
        enum "medium-low" {
          value 2;
          description "Loss priority medium-low";
        }
        enum "medium-high" {
          value 3;
          description "Loss priority medium-high";
        }
      }
      description "Packet's loss priority";
    }
    leaf forwarding-class {
      type string {
        junos:posix-pattern "^.{1,64}$";
        junos:pattern-message "Must be string of 64 characters or less";
      }
      description "Classify packet to forwarding class";
    }
    leaf out-of-profile {
      type empty;
      description "Discard packets only if both congested and over threshold";
    }
  } // container then
  // Marks this policer as the parent of an extended hierarchical policer.
  // It cannot simultaneously be a child (aggregate-policing) or be
  // filter-specific.
  container aggregate {
    junos:must "(!(".. if-exceeding aggregate-policing"))";
    junos:must-message "Cannot use same template as both child and parent policer";
    junos:must "(!(".. filter-specific"))";
    junos:must-message "'filter-specific' not valid for aggregate policers; Use 'aggregate instantiation' ";
    presence "enable aggregate";
    description "Aggregate policer used in Extended Hierarchical Policers";
    uses apply-advanced;
    leaf instantiation {
      type enumeration {
        enum "global" {
          value 0;
          description "Single global instance of aggregate policer";
        }
      }
      description "Specify instantiation semantics of aggregate policer";
    }
  } // container aggregate
} // grouping firewall_policer

// Named prefix-list reference; 'except' inverts the match.
// NOTE(review): 'name' is a bare string with no junos:must existence check,
// so a dangling prefix-list name is not caught by this schema.
grouping firewall_prefix_list {
  leaf name {
    type string;
    description "Prefix list to match";
  }
  leaf except {
    type empty;
    description "Match addresses not in this prefix list";
  }
} // grouping firewall_prefix_list

// Aggregate bucket of a hierarchical policer: a bandwidth- or pps-based
// limit (the action container follows).
grouping hierarchical-policer-aggregate-bucket {
  uses apply-advanced;
  choice hp-aggregate-exceeding {
    container if-exceeding {
      presence "enable if-exceeding";
      description "Define rate limits";
      uses apply-advanced;
      choice bandwidth {
        leaf bandwidth-limit {
          type string;
          units "bits per second";
          description "Bandwidth limit";
        }
      } // choice bandwidth
      leaf burst-size-limit {
        type string;
        units "bytes";
        description "Burst size limit";
      }
    } // container if-exceeding
    container if-exceeding-pps {
      presence "enable if-exceeding-pps";
      description "Define pps limits";
      uses apply-advanced;
      choice pps {
        leaf pps-limit {
          type string;
          units "packets per second";
          description "PPS limit";
        }
      } // choice pps
      leaf packet-burst {
        type string;
        units "packets";
        description "PPS burst 
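size limit";
      }
    } // container if-exceeding-pps
  } // choice hp-aggregate-exceeding
  // Out-of-profile action for the aggregate bucket: exactly one of
  // discard, loss-priority or forwarding-class. The choice already makes
  // them exclusive; the junos:must checks restate that with a clearer
  // commit message.
  container then {
    description "Action to take if the rate limits are exceeded";
    uses apply-advanced;
    choice hierarchical-policer-action {
      leaf discard {
        type empty;
        description "Discard the packet";
      }
      leaf loss-priority {
        junos:must "(!(".. forwarding-class"))";
        junos:must-message "Cannot configure loss-priority with forwarding-class";
        type enumeration {
          enum "low" {
            value 0;
            description "Loss priority low";
          }
          enum "high" {
            value 1;
            description "Loss priority high";
          }
          enum "medium-low" {
            value 2;
            description "Loss priority medium-low";
          }
          enum "medium-high" {
            value 3;
            description "Loss priority medium-high";
          }
        }
        description "Packet's loss priority";
      }
      leaf forwarding-class {
        junos:must "(!(".. loss-priority"))";
        junos:must-message "Cannot configure forwarding-class with loss-priority";
        type string {
          junos:posix-pattern "^.{1,64}$";
          junos:pattern-message "Must be string of 64 characters or less";
        }
        description "Classify packet to forwarding class";
      }
    } // choice hierarchical-policer-action
  } // container then
} // grouping hierarchical-policer-aggregate-bucket

// Premium bucket of a hierarchical policer: same limit shape as the
// aggregate bucket, but the only out-of-profile action is discard.
grouping hierarchical-policer-premium-bucket {
  uses apply-advanced;
  choice hp-premium-exceeding {
    container if-exceeding {
      presence "enable if-exceeding";
      description "Define rate limits";
      uses apply-advanced;
      choice bandwidth {
        leaf bandwidth-limit {
          type string;
          units "bits per second";
          description "Bandwidth limit";
        }
      } // choice bandwidth
      leaf burst-size-limit {
        type string;
        units "bytes";
        description "Burst size limit";
      }
    } // container if-exceeding
    container if-exceeding-pps {
      presence "enable if-exceeding-pps";
      description "Define pps limits";
      uses apply-advanced;
      choice pps {
        leaf pps-limit {
          type string;
          units "packets per second";
          description "PPS limit";
        }
      } // choice pps
      leaf packet-burst {
        type string;
        units "packets";
        description "PPS burst size limit";
      }
    } // container if-exceeding-pps
  } // choice hp-premium-exceeding
  container then {
    description "Action to take if the rate limits are exceeded";
    uses apply-advanced;
    choice hierarchical-policer-action {
      leaf discard {
        type empty;
        description "Discard the packet";
      }
    } // choice hierarchical-policer-action
  } // container then
} // grouping hierarchical-policer-premium-bucket

// IPv6 dialer filter. Terms classify traffic as interesting ('note') or
// not ('ignore') for dial-on-demand; the 'then' clause has no
// accept/discard, only log/syslog/sample and the designation.
grouping inet6_dialer_filter {
  description "Define an IPv6 dialer filter";
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  // Fixed: the must expression was "accounting-options filter-profile"
  // with no '$$', which only tests that *some* filter-profile exists and
  // so lets a misspelt profile name commit despite the message promising
  // a reference check. '$$' binds the configured name, matching the other
  // reference checks in this module (e.g. "firewall policer $$").
  leaf-list accounting-profile {
    junos:must "("accounting-options filter-profile $$")";
    junos:must-message "referenced accounting profile must be defined";
    type string;
    ordered-by user;
    description "Accounting profile name";
  }
  list term {
    key "name";
    ordered-by user;
    description "Define a firewall term";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    // Match criteria. Every '*-except' alternative is the negation of its
    // sibling and the two are mutually exclusive via the enclosing choice.
    // NOTE(review): packet-length, next-header, icmp-*, *-port and port are
    // unconstrained strings here; the IPv6 firewall filter in this module
    // validates packet-length with a 0-65535 pattern, this grouping does not.
    container from {
      description "Define match criteria";
      uses apply-advanced;
      list source-address {
        key "name";
        ordered-by user;
        description "Match source address";
        uses firewall_addr6_object;
      } // list source-address
      list destination-address {
        key "name";
        ordered-by user;
        description "Match destination address";
        uses firewall_addr6_object;
      } // list destination-address
      list address {
        key "name";
        ordered-by user;
        description "Match source or destination address";
        uses firewall_addr6_object;
      } // list address
      list source-prefix-list {
        key "name";
        ordered-by user;
        description "Match source prefixes in named list";
        uses firewall_prefix_list;
      } // list source-prefix-list
      list destination-prefix-list {
        key "name";
        ordered-by user;
        description "Match destination prefixes in named list";
        uses firewall_prefix_list;
      } // list destination-prefix-list
      list prefix-list {
        key "name";
        ordered-by user;
        description "Match source or destination prefixes in named list";
        uses firewall_prefix_list;
      } // list prefix-list
      choice packet-length_choice {
        leaf-list packet-length {
          type string;
          ordered-by user;
          description "Range of values";
        }
        leaf-list packet-length-except {
          type string;
          ordered-by user;
          description "Range of values";
        }
      } // choice packet-length_choice
      choice next-header_choice {
        leaf-list next-header {
          type string;
          ordered-by user;
        }
        leaf-list next-header-except {
          type string;
          ordered-by user;
        }
      } // choice next-header_choice
      choice icmp-type_choice {
        leaf-list icmp-type {
          type string;
          ordered-by user;
        }
        leaf-list icmp-type-except {
          type string;
          ordered-by user;
        }
      } // choice icmp-type_choice
      choice icmp-code_choice {
        leaf-list icmp-code {
          type string;
          ordered-by user;
        }
        leaf-list icmp-code-except {
          type string;
          ordered-by user;
        }
      } // choice icmp-code_choice
      choice source-port_choice {
        leaf-list source-port {
          type string;
          ordered-by user;
        }
        leaf-list source-port-except {
          type string;
          ordered-by user;
        }
      } // choice source-port_choice
      choice destination-port_choice {
        leaf-list destination-port {
          type string;
          ordered-by user;
        }
        leaf-list destination-port-except {
          type string;
          ordered-by user;
        }
      } // choice destination-port_choice
      choice port_choice {
        leaf-list port {
          type string;
          ordered-by user;
        }
        leaf-list port-except {
          type string;
          ordered-by user;
        }
      } // choice port_choice
    } // container from
    container then {
      description "Action to take if the 'from' condition is matched";
      uses apply-advanced;
      leaf log {
        type empty;
        description "Log the packet";
      }
      leaf syslog {
        type empty;
        description "System log (syslog) information about the packet";
      }
      // NOTE(review): no junos:must ties 'sample' to a forwarding-options
      // sampling / packet-capture configuration here, unlike the IPv6
      // firewall filter's 'sample' action in this module -- confirm whether
      // dialer filters are exempt or the check is simply missing.
      leaf sample {
        type empty;
        description "Sample the packet";
      }
      // Interesting-traffic designation for dial-on-demand.
      choice designation {
        leaf note {
          type empty;
          description "Interested ISDN packet";
        }
        leaf ignore {
          type empty;
          description "Non-interested ISDN packet";
        }
      } // choice designation
    } // container then
  } // list term
} // grouping 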
inet6_dialer_filter grouping inet6_filter { description "Define an IPv6 firewall filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf promote { type enumeration { enum "gre-key" { value 0; description "Promote GRE Key to PFM"; } enum "traffic-class" { value 1; description "Promote traffic-class to PFM"; } } description "Promote a firewall match to PFM"; } leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf scale-optimized { type empty; description "Improve filter prefix scale"; } leaf enhanced-mode { junos:must "(!(".. enhanced-mode-override"))"; junos:must-message "Cannot configure filter for both enhanced-mode and enhanced-mode-override"; type empty; description "Define filter for chassis network-services enhanced mode"; } leaf interface-shared { junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and interface-shared"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and interface-shared"; type empty; description "Filter is interface-shared"; } leaf enhanced-mode-override { junos:must "(!(".. 
enhanced-mode"))"; junos:must-message "Cannot configure filter for both enhanced-mode-override and enhanced-mode"; type empty; description "Override the default chassis network-services enhanced mode for dynamic filter"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } leaf fast-lookup-filter { type empty; description "Configure filter in the fast lookup hardware block"; } leaf instance-shared { junos:must "("chassis network-services enhanced-ip")"; junos:must-message "instance-shared filter available only in enhanced-ip mode"; junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-shared"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-shared"; type empty; description "Filter is routing-instance shared"; } leaf instance-specific { junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-specific"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-specific"; type empty; description "Filter is instance specific"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family inet6 filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. 
then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice destination-class_choice { leaf-list destination-class { type string; ordered-by user; description "String name"; } leaf-list destination-class-except { type string; ordered-by user; description "String name"; } } // choice destination-class_choice choice source-class_choice { leaf-list source-class { type string; ordered-by user; description "String name"; } leaf-list source-class-except { type string; ordered-by user; description "String name"; } } // choice source-class_choice choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice list source-address { key "name"; ordered-by user; description "Match source address"; uses firewall_addr6_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match destination address"; uses firewall_addr6_object; } // list destination-address list address { key "name"; ordered-by user; description "Match source or destination address"; uses firewall_addr6_object; } // list address list source-prefix-list { key "name"; ordered-by user; description "Match source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match source or destination prefixes in named list"; uses firewall_prefix_list; } // list 
prefix-list choice next-header_choice { leaf-list next-header { type string; ordered-by user; } leaf-list next-header-except { type string; ordered-by user; } } // choice next-header_choice choice payload-protocol_choice { leaf-list payload-protocol { type string; ordered-by user; } leaf-list payload-protocol-except { type string; ordered-by user; } } // choice payload-protocol_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice choice extension-header_choice { leaf-list extension-header { type string; ordered-by user; } leaf-list extension-header-except { type string; ordered-by user; } } // choice extension-header_choice choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern 
"^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice choice traffic-class_choice { leaf-list traffic-class { type string; ordered-by user; } leaf-list traffic-class-except { type string; ordered-by user; } } // choice traffic-class_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice leaf tcp-initial { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type empty; description "Match initial packet of a TCP connection"; } leaf tcp-established { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type empty; description "Match packet of an established TCP connection"; } leaf tcp-flags { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. 
payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type string; description "Match TCP flags (in symbolic or hex formats)"; } list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice leaf service-filter-hit { type empty; description "Match if service-filter-hit is set"; } choice hop-limit_choice { leaf-list hop-limit { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; 
junos:pattern-message "Must be a numerical hop-limit value or range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list hop-limit-except { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical hop-limit value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice hop-limit_choice leaf is-fragment { type empty; description "Match if packet is a fragment"; } leaf first-fragment { type empty; description "Match if packet is first fragment"; } leaf last-fragment { type empty; description "Match if packet is last fragment"; } choice flex-mask_choice { container flexible-match-mask { presence "enable flexible-match-mask"; description "Match flexible mask"; uses match_L3_flexible_mask; } // container flexible-match-mask } // choice flex-mask_choice choice flex-range_choice { container flexible-match-range { presence "enable flexible-match-range"; description "Match flexible range"; uses match_L3_flexible_range; } // container flexible-match-range } // choice flex-range_choice choice gre-key_choice { leaf-list gre-key { type string; ordered-by user; description "Range of values"; } leaf-list gre-key-except { type string; ordered-by user; description "Range of values"; } } // choice gre-key_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 
64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern 
"!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer leaf hierarchical-policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of hierarchical policer to use to rate-limit traffic"; } } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice choice inet6cnt { leaf traffic-class-count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named traffic-class counter"; } leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } } // choice inet6cnt leaf service-accounting { junos:must "(!(".. 
service-accounting-deferred"))"; junos:must-message "'service-accounting-deferred' and 'service-accounting' cannot coexist"; junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf service-accounting-deferred { junos:must "(!(".. service-accounting"))"; junos:must-message "Cannot be both 'service-accounting' and 'service-accounting-deferred'"; junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting-deferred' cannot coexist"; type empty; description "Count the packets for deferred service accounting"; } leaf log { type empty; description "Log the packet"; } leaf packet-mode { type empty; description "Bypass flow mode for the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } leaf packet-capture { type empty; description "Enable packet capture for telemetry"; } leaf sample { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; type empty; description "Sample the packet"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. 
port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; type empty; description "Port-mirror the packet"; } leaf inline-monitoring-instance { junos:must "("services inline-monitoring instance $$")"; junos:must-message "Configure 'inline-monitoring instance'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Inline monitoring to specified instance"; } leaf l2-mirror { junos:must "((".. port-mirror-instance" || ".. port-mirror"))"; junos:must-message "'port-mirror' or 'port-mirror-instance' need to be configured for l2-mirror"; type empty; description "L2 mirror the packet"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf traffic-class { type string; description "Set traffic-class code point"; } leaf skip-services { type empty; description "Skip the services"; } leaf service-filter-hit { type empty; description "Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters"; } leaf force-premium { type empty; description "When this bit is marked, traffic is considered as premium by the following hierarchical policer"; } leaf exclude-accounting { type empty; description "When this is marked, traffic is excluded from accurate accounting"; } choice designation { container decapsulate { presence "enable decapsulate"; description "Terminate a tunnel"; choice 
tunnel-protocol { container gre { presence "enable gre"; description "GRE protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container gre container gre-in-udp { presence "enable gre-in-udp"; description "GRE-in-UDP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. 
sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container gre-in-udp container mpls-in-udp { presence "enable mpls-in-udp"; description "MPLS-in-UDP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. 
sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container mpls-in-udp container l2tp { description "L2TP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. 
sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Set the interface group"; } leaf-list cookie { type string { length "1 .. 32"; } ordered-by user; description "L2TPv3 cookie"; } choice destination { leaf output-interface { junos:must "("interfaces $$")"; junos:must-message "Interface must be defined in the interfaces hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Interface name"; } } // choice destination } // container l2tp container ipip { presence "enable ipip"; description "IPIP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. 
sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container ipip } // choice tunnel-protocol } // container decapsulate container encapsulate { presence "enable encapsulate"; description "Send to a tunnel"; leaf tunnel-end-point { junos:must "("firewall tunnel-end-point $$")"; junos:must-message "referenced firewall tunnel-end-point must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of the tunnel end point"; } } // container encapsulate leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } leaf next-hop-group { type string; description "Use specified next-hop group"; } list logical-system { key "logical-system-name"; max-elements 1; ordered-by user; description "Packets are directed to specified logical system"; leaf logical-system-name { type string { junos:posix-pattern "^[a-zA-Z0-9_-]{1,63}$"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Name of logical system"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { 
junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // list logical-system container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } container next-ip6 { description "Packets are directed to the specified IPv6 address"; leaf address { type jt:ipv6prefix; description "Address to route"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } 
description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance } // container next-ip6 container next-interface { presence "enable next-interface"; description "Packets are to be routed through the specified interface"; uses apply-advanced; leaf interface-name { type string { junos:posix-pattern "^((ge-)|(mge-)|(xe-)|(et-)|(gr-)|(ae)|(irb))"; junos:pattern-message "Only ge, mge, xe, et, ae, irb and point-to-point gr tunnel interfaces are supported"; length "1 .. 127"; } description "Interface name"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance choice designation { leaf accept { type empty; description "Accept the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation } // container next-interface container reject { presence "enable reject"; description "Reject the packet"; choice style { leaf no-route { type empty; description "Send ICMPv6 No Route message"; } leaf administratively-prohibited { type empty; description "Send ICMPv6 Administratively Prohibited message"; } leaf beyond-scope { type empty; description "Send ICMPv6 Beyond Scope of Source Address 
message"; } leaf address-unreachable { type empty; description "Send ICMPv6 Address Unreachable message"; } leaf port-unreachable { type empty; description "Send ICMPv6 Port Unreachable message"; } leaf policy-failed { type empty; description "Source address failed ingress/egress policy"; } leaf reject-route { type empty; description "Reject route to destination"; } leaf tcp-reset { type empty; description "Send TCP Reset message"; } leaf network-unreachable { type empty; status deprecated; description "Send ICMPv4 Network Unreachable message"; } leaf host-unreachable { type empty; status deprecated; description "Send ICMPv4 Host Unreachable message"; } leaf protocol-unreachable { type empty; status deprecated; description "Send ICMPv4 Protocol Unreachable message"; } leaf source-route-failed { type empty; status deprecated; description "Send ICMPv4 Source Route Failed message"; } leaf network-unknown { type empty; status deprecated; description "Send ICMPv4 Network Unknown message"; } leaf host-unknown { type empty; status deprecated; description "Send ICMPv4 Host Unknown message"; } leaf source-host-isolated { type empty; status deprecated; description "Send ICMPv4 Source Host Isolated message"; } leaf network-prohibited { type empty; status deprecated; description "Send ICMPv4 Network Prohibited message"; } leaf host-prohibited { type empty; status deprecated; description "Send ICMPv4 Host Prohibited message"; } leaf bad-network-tos { type empty; status deprecated; description "Send ICMPv4 Bad Network ToS message"; } leaf bad-host-tos { type empty; status deprecated; description "Send ICMPv4 Bad Host ToS message"; } leaf precedence-violation { type empty; status deprecated; description "Send ICMPv4 Precedence Violation message"; } leaf precedence-cutoff { type empty; status deprecated; description "Send ICMPv4 Precedence Cutoff message"; } } // choice style } // container reject } // choice designation } // container then } // list term } // grouping 
inet6_filter grouping inet6_fuf { leaf name { junos:must "(unique "firewall family <*> filter $$")"; junos:must-message "Fast update filter can not have the same name as firewall family filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of fast update filter"; } uses apply-advanced; leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf-list match-order { type enumeration { enum "next-header" { value 0; description "Include next header protocol in match set"; } enum "payload-protocol" { value 1; description "Include payload protocol in match set"; } enum "source-address" { value 2; description "Include source-address in match set"; } enum "destination-address" { value 3; description "Include destination-address in match set"; } enum "source-port" { value 4; description "Include source-port in match set"; } enum "destination-port" { value 5; description "Include destination-port in match set"; } enum "traffic-class" { value 6; description "Include traffic-class (DSCP) in match set"; } } ordered-by user; } list term { key "name"; ordered-by user; description "One or more firewall terms"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf only-at-create { type empty; description "Add term only when filter is first created."; } container from { description "Match criteria"; uses apply-advanced; container source-address { description "Match source IP address"; uses firewall_addr6_simple_object; } // container source-address container destination-address { description "Match destination IP address"; uses firewall_addr6_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match TCP/UDP source port"; 
uses match_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match TCP/UDP destination port"; uses match_simple_port_value; } // container destination-port } // choice destination-port_choice choice next-header_choice { container next-header { description "Match next header protocol type"; uses match_simple_protocol_value; } // container next-header } // choice next-header_choice choice payload-protocol_choice { container payload-protocol { description "Match payload protocol type"; uses match_simple_payload_protocol_value; } // container payload-protocol } // choice payload-protocol_choice choice traffic-class_choice { container traffic-class { description "Match Differentiated Services (DiffServ) code point"; uses match_simple_dscp_value; } // container traffic-class } // choice traffic-class_choice leaf match-terms { type string; description "Dynamically supplied list of match criteria"; } } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } } // choice policer-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf service-accounting { junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf log { type empty; description "Log the packet"; } leaf port-mirror { type empty; description "Port-mirror the packet"; } leaf loss-priority { junos:must "(!(".. 
three-color-policer"))"; junos:must-message "Configuring loss-priority is incompatible with configuring three-color-policer"; type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf action-terms { type string; description "Dynamically supplied list of actions"; } choice designation { leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance } // choice designation } // container then } // list term } // grouping inet6_fuf grouping firewall_addr6_simple_object { uses apply-advanced; leaf address { type jt:ipv6prefix; description "Prefix to match"; } } // grouping firewall_addr6_simple_object grouping inet6_service_filter { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; list term { key "name"; ordered-by user; 
description "Service filter term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice list source-address { key "name"; ordered-by user; description "Match source address"; uses firewall_addr6_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match destination address"; uses firewall_addr6_object; } // list destination-address list address { key "name"; ordered-by user; description "Match source or destination address"; uses firewall_addr6_object; } // list address list source-prefix-list { key "name"; ordered-by user; description "Match source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list choice next-header_choice { leaf-list next-header { type string; ordered-by user; } leaf-list next-header-except { type string; ordered-by user; } } // choice next-header_choice choice payload-protocol_choice { leaf-list payload-protocol { type string; ordered-by user; } leaf-list payload-protocol-except { type string; ordered-by user; } } // choice payload-protocol_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type 
string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice choice extension-header_choice { leaf-list extension-header { type string; ordered-by user; } leaf-list extension-header-except { type string; ordered-by user; } } // choice extension-header_choice choice esp-spi_choice { leaf-list esp-spi { type string; ordered-by user; description "Range of values"; } leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; } } // choice esp-spi_choice choice ah-spi_choice { leaf-list ah-spi { type string; ordered-by user; description "Range of values"; } leaf-list ah-spi-except { type string; ordered-by user; description "Range of values"; } } // choice ah-spi_choice leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; } choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must 
be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice
} // container from
container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf log { type empty; description "Log the packet"; } leaf sample { type empty; description "Sample the packet"; } leaf port-mirror { type empty; description "Port-mirror the packet"; } choice designation { leaf service { type empty; description "Forward packets to service processing"; } leaf skip { type empty; description "Skip service processing"; } leaf accept { type empty; description "Accept the packet"; } } // choice designation
} // container then
} // list term
} // grouping inet6_service_filter
// Schema for one IPv4 dialer filter; instantiated by the family inet dialer-filter
// list. A dialer filter is a named, user-ordered list of terms, each with a
// 'from' container (match criteria) and a 'then' container (actions).
//
// Conventions used throughout this grouping:
//  * junos:posix-pattern strings that start with '!' are negated: the regex
//    describes what is REJECTED (reserved "__" names, over-long values) and the
//    junos:pattern-message describes what is accepted.
//  * Every X_choice / X-except pair is a YANG choice, so a term can carry X or
//    X-except but never both; this exclusion is enforced by the schema itself.
//  * Many match leaf-lists are a bare 'type string' with no pattern: the value
//    format (e.g. protocol names, port names, DSCP aliases) is not validated by
//    this schema and is left to the device.
//  * NOTE(review): the "0x..." hex alternatives use the bracket range [0-f].
//    In ASCII collating order that range also covers ':'..'@', 'A'..'Z' and
//    '['..'`', so a value such as 0x@ satisfies the schema pattern. Confirm
//    whether the device applies a stricter hex check; the pattern also does
//    not check that the low end of a "low-high" range is <= the high end.
grouping inet_dialer_filter {
  leaf name {
    // Rejects reserved "__..." names and names longer than 64 characters.
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  leaf-list accounting-profile {
    // Referential constraint: the named profile must exist under
    // accounting-options filter-profile.
    junos:must "("accounting-options filter-profile")";
    junos:must-message "referenced accounting profile must be defined";
    type string;
    ordered-by user;
    description "Accounting profile name";
  }
  list term {
    key "name";
    // ordered-by user: the configured term order is preserved in the data tree
    // (NOTE(review): presumably it is also the evaluation order -- confirm).
    ordered-by user;
    description "Define a firewall term";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    container from {
      description "Define match criteria";
      uses apply-advanced;
      // Address / prefix-list matches share the firewall_addr_object and
      // firewall_prefix_list groupings (defined elsewhere in this module).
      list source-address {
        key "name";
        ordered-by user;
        description "Match IP source address";
        uses firewall_addr_object;
      } // list source-address
      list destination-address {
        key "name";
        ordered-by user;
        description "Match IP destination address";
        uses firewall_addr_object;
      } // list destination-address
      list address {
        key "name";
        ordered-by user;
        description "Match IP source or destination address";
        uses firewall_addr_object;
      } // list address
      list source-prefix-list {
        key "name";
        ordered-by user;
        description "Match IP source prefixes in named list";
        uses firewall_prefix_list;
      } // list source-prefix-list
      list destination-prefix-list {
        key "name";
        ordered-by user;
        description "Match IP destination prefixes in named list";
        uses firewall_prefix_list;
      } // list destination-prefix-list
      list prefix-list {
        key "name";
        ordered-by user;
        description "Match IP source or destination prefixes in named list";
        uses firewall_prefix_list;
      } // list prefix-list
      // packet-length: a single value or a "low-high" range; each side is a
      // decimal 0-65535 (the alternation covers 0-9999, 10000-59999,
      // 60000-64999, 65000-65499, 65500-65529, 65530-65535) or 0x + 1..4 chars.
      choice packet-length_choice {
        leaf-list packet-length {
          type string {
            junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
            junos:pattern-message "Must be a numeric value or a range between 0-65535";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list packet-length-except {
          type string {
            junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
            junos:pattern-message "Must be a numeric value or a range between 0-65535";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice packet-length_choice
      // precedence / dscp / ip-options: unvalidated strings (see header note).
      choice precedence_choice {
        leaf-list precedence { type string; ordered-by user; }
        leaf-list precedence-except { type string; ordered-by user; }
      } // choice precedence_choice
      choice dscp_choice {
        leaf-list dscp { type string; ordered-by user; }
        leaf-list dscp-except { type string; ordered-by user; }
      } // choice dscp_choice
      choice ip-options_choice {
        leaf-list ip-options { type string; ordered-by user; }
        leaf-list ip-options-except { type string; ordered-by user; }
      } // choice ip-options_choice
      // Fragment matching: presence flags plus an offset value/range.
      leaf is-fragment { type empty; description "Match if packet is a fragment"; }
      leaf first-fragment { type empty; description "Match if packet is the first fragment"; }
      // fragment-offset: digits or "digits-digits"; the pattern sets no upper
      // bound (NOTE(review): the IPv4 offset field is 13 bits, so values above
      // 8191 pass the schema but cannot match a real packet -- confirm device check).
      choice fragment-offset_choice {
        leaf-list fragment-offset {
          type string {
            junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$";
            junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list fragment-offset-except {
          type string {
            junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$";
            junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice fragment-offset_choice
      leaf fragment-flags { type string; description "Match fragment flags"; }
      choice protocol_choice {
        leaf-list protocol { type string; ordered-by user; }
        leaf-list protocol-except { type string; ordered-by user; }
      } // choice protocol_choice
      // ttl: decimal 0-255 (0-9, 10-99, 100-199, 200-249, 250-255) or 0x + 1..2
      // chars, optionally as a "low-high" range.
      choice ttl_choice {
        leaf-list ttl {
          type string {
            junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
            junos:pattern-message "Must be a numerical TTL value or range between 0-255";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list ttl-except {
          type string {
            junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
            junos:pattern-message "Must be a numerical TTL value or range between 0-255";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice ttl_choice
      // ICMP and L4 port matches: unvalidated strings (see header note).
      choice icmp-type_choice {
        leaf-list icmp-type { type string; ordered-by user; }
        leaf-list icmp-type-except { type string; ordered-by user; }
      } // choice icmp-type_choice
      choice icmp-code_choice {
        leaf-list icmp-code { type string; ordered-by user; }
        leaf-list icmp-code-except { type string; ordered-by user; }
      } // choice icmp-code_choice
      choice source-port_choice {
        leaf-list source-port { type string; ordered-by user; }
        leaf-list source-port-except { type string; ordered-by user; }
      } // choice source-port_choice
      choice destination-port_choice {
        leaf-list destination-port { type string; ordered-by user; }
        leaf-list destination-port-except { type string; ordered-by user; }
      } // choice destination-port_choice
      choice port_choice {
        leaf-list port { type string; ordered-by user; }
        leaf-list port-except { type string; ordered-by user; }
      } // choice port_choice
      // TCP state matches. tcp-initial / tcp-established are presence leafs;
      // tcp-flags is a free-form string (symbolic or hex per its description).
      leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; }
      leaf tcp-established { type empty; description "Match packet of an established TCP connection"; }
      leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; }
      // IPsec SPI matches (ESP / AH): unvalidated strings described as ranges.
      choice esp-spi_choice {
        leaf-list esp-spi { type string; ordered-by user; description "Range of values"; }
        leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; }
      } // choice esp-spi_choice
      choice ah-spi_choice {
        leaf-list ah-spi { type string; ordered-by user; description "Range of values"; }
        leaf-list ah-spi-except { type string; ordered-by user; description "Range of values"; }
      } // choice ah-spi_choice
    } // container from
    container then {
      description "Action to take if the 'from' condition is matched";
      uses apply-advanced;
      // Non-terminating actions: log, syslog, sample. Note that a dialer-filter
      // term has no accept/discard/reject action; the only designation is the
      // ISDN note/ignore choice below.
      leaf log { type empty; description "Log the packet"; }
      leaf syslog { type empty; description "System log (syslog) information about the packet"; }
      leaf sample { type empty; description "Sample the packet"; }
      // Mutually exclusive: mark the packet as "interested" (note) or
      // "non-interested" (ignore) ISDN traffic.
      choice designation {
        leaf note { type empty; description "Interested ISDN packet"; }
        leaf ignore { type empty; description "Non-interested ISDN packet"; }
      } // choice designation
    } // container then
  } // list term
} // grouping inet_dialer_filter
grouping inet_filter { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf promote { type enumeration { enum "gre-key" { value 0; description "Promote GRE Key to PFM"; } enum "dscp" { value 1; description "Promote DSCP to PFM"; } enum "vni" { value 2; description "Promote VNI to PFM"; } } description "Promote a firewall match to PFM"; } leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf scale-optimized { type empty; description "Improve filter prefix scale"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } leaf enhanced-mode { junos:must "(!(".. enhanced-mode-override"))"; junos:must-message "Cannot configure filter for both enhanced-mode and enhanced-mode-override"; type empty; description "Define filter for chassis network-services enhanced mode"; } leaf interface-shared { junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and interface-shared"; junos:must "(!(".. 
interface-specific"))"; junos:must-message "Cannot be both interface-specific and interface-shared"; type empty; description "Filter is interface-shared"; } leaf enhanced-mode-override { junos:must "(!(".. enhanced-mode"))"; junos:must-message "Cannot configure filter for both enhanced-mode-override and enhanced-mode"; type empty; description "Override the default chassis network-services enhanced mode for dynamic filter"; } leaf instance-shared { junos:must "("chassis network-services enhanced-ip")"; junos:must-message "instance-shared filter available only in enhanced-ip mode"; junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-shared"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-shared"; type empty; description "Filter is routing-instance shared"; } leaf instance-specific { junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-specific"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-specific"; type empty; description "Filter is instance specific"; } leaf fast-lookup-filter { type empty; description "Configure filter in the fast lookup hardware block"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "(("firewall filter $$" || "firewall family inet filter $$"))"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. 
then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice destination-class_choice { leaf-list destination-class { type string; ordered-by user; description "String name"; } leaf-list destination-class-except { type string; ordered-by user; description "String name"; } } // choice destination-class_choice choice source-class_choice { leaf-list source-class { type string; ordered-by user; description "String name"; } leaf-list source-class-except { type string; ordered-by user; description "String name"; } } // choice source-class_choice choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice list source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list destination-address list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } 
// list prefix-list choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice choice dscp_choice { leaf-list dscp { type string; ordered-by user; } leaf-list dscp-except { type string; ordered-by user; } } // choice dscp_choice choice precedence_choice { leaf-list precedence { type string; ordered-by user; } leaf-list precedence-except { type string; ordered-by user; } } // choice precedence_choice choice ip-options_choice { leaf-list ip-options { type string; ordered-by user; } leaf-list ip-options-except { type string; ordered-by user; } } // choice ip-options_choice leaf is-fragment { type empty; description "Match if packet is a fragment"; } leaf first-fragment { type empty; description "Match if packet is the first fragment"; } leaf service-filter-hit { type empty; description "Match if service-filter-hit is set"; } choice fragment-offset_choice { leaf-list fragment-offset { type string { junos:posix-pattern 
"^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } leaf-list fragment-offset-except { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } } // choice fragment-offset_choice leaf fragment-flags { type string; description "Match fragment flags (in symbolic or hex formats) - (Ingress only)"; } choice protocol_choice { leaf-list protocol { type string; ordered-by user; } leaf-list protocol-except { type string; ordered-by user; } } // choice protocol_choice choice ttl_choice { leaf-list ttl { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list ttl-except { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice ttl_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice 
source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; } leaf tcp-established { type empty; description "Match packet of an established TCP connection"; } leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; } choice esp-spi_choice { leaf-list esp-spi { type string; ordered-by user; description "Range of values"; } leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; } } // choice esp-spi_choice choice ah-spi_choice { leaf-list ah-spi { type string; ordered-by user; description "Range of values"; } leaf-list ah-spi-except { type string; ordered-by user; description "Range of values"; } } // choice ah-spi_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss 
priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice choice rat-type_choice { leaf-list rat-type { type string; ordered-by user; } leaf-list rat-type-except { type string; ordered-by user; } } // choice rat-type_choice choice redirect-reason_choice { leaf-list redirect-reason { type enumeration { enum "aoc" { value 0; description "Advice of Charge"; } enum "aolb" { value 1; description "Advice of Low Balance"; } enum "dpi" { value 2; description "Layer7 match required"; } } ordered-by user; } leaf-list redirect-reason-except { type enumeration { enum "aoc" { value 0; description "Advice of Charge"; } enum "aolb" { value 1; description "Advice of Low Balance"; } enum "dpi" { value 2; description "Layer7 match required"; } } ordered-by user; } } // choice redirect-reason_choice choice gre-key_choice { leaf-list gre-key { type string; ordered-by user; description "Range of values"; } leaf-list gre-key-except { type string; ordered-by user; description "Range of values"; } } // choice gre-key_choice choice flex-mask_choice { container flexible-match-mask { presence "enable flexible-match-mask"; description "Match flexible mask"; uses match_L3_flexible_mask; } // container flexible-match-mask } // choice flex-mask_choice choice flex-range_choice { container flexible-match-range { presence "enable flexible-match-range"; description "Match flexible range"; uses match_L3_flexible_range; } // container flexible-match-range } // choice flex-range_choice choice policy-map_choice { 
leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice
// VXLAN header match items of an inet filter term ('from vxlan').
// vni and rsvd1 share one 24-bit (0-16777215) value/range pattern, rsvd2 uses
// the same 8-bit (0-255) pattern as ttl, and flags is modelled by the
// match_flags_value grouping (defined elsewhere in this module). Each X/X-except
// pair is a YANG choice, so only one of the two can be configured.
//
// NOTE(review): the 24-bit pattern is malformed. The decimal alternative
// "1677[0-6][0-9]0-9][0-9]" is missing the '[' before the second "0-9", so it
// requires the literal characters 0-9] and the values 16770000-16776999 are
// rejected; additionally 16777200-16777209 are covered by no alternative at all
// ("16777[0-1][0-9][0-9]" stops at 16777199, "1677721[0-5]" starts at 16777210).
// Hex input is unaffected. The same text is repeated verbatim in vni-except,
// rsvd1 and rsvd1-except. Presumably the device CLI carries the same generated
// pattern, so confirm device behaviour and fix upstream rather than only here,
// or the model would accept values the device rejects.
// NOTE(review): as elsewhere in this module, the "0x" alternatives use the
// bracket range [0-f], which in ASCII order also admits punctuation and
// upper-case letters between '0' and 'f'.
container vxlan {
  description "Define vxlan match items";
  uses apply-advanced;
  // VXLAN Network Identifier, 24 bits.
  choice vni_choice {
    leaf-list vni {
      type string {
        junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-16777215";
      }
      ordered-by user;
      description "Range of values";
    }
    leaf-list vni-except {
      type string {
        junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-16777215";
      }
      ordered-by user;
      description "Range of values";
    }
  } // choice vni_choice
  // First reserved field, 24 bits (same pattern and same defect as vni).
  choice rsvd1_choice {
    leaf-list rsvd1 {
      type string {
        junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-16777215";
      }
      ordered-by user;
      description "Range of values";
    }
    leaf-list rsvd1-except {
      type string {
        junos:posix-pattern "^([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,7}|1[0-5][0-9][0-9][0-9][0-9][0-9][0-9]|16[0-6][0-9][0-9][0-9][0-9][0-9]|167[0-6][0-9][0-9][0-9][0-9]|1677[0-6][0-9]0-9][0-9]|16777[0-1][0-9][0-9]|1677721[0-5]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-16777215";
      }
      ordered-by user;
      description "Range of values";
    }
  } // choice rsvd1_choice
  // Second reserved field, 8 bits: decimal 0-255 or 0x + 1..2 chars, optionally
  // as a "low-high" range.
  choice rsvd2_choice {
    leaf-list rsvd2 {
      type string {
        junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-255";
      }
      ordered-by user;
      description "Range of values";
    }
    leaf-list rsvd2-except {
      type string {
        junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-255";
      }
      ordered-by user;
      description "Range of values";
    }
  } // choice rsvd2_choice
  // VXLAN flags byte; the value shape comes from match_flags_value (not shown here).
  container flags {
    description "Match VXlan flag field";
    uses match_flags_value;
  } // container flags
} // container vxlan
} // container from
container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or 
less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer leaf hierarchical-policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of hierarchical 
policer to use to rate-limit traffic"; } } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice choice inetcnt { leaf traffic-class-count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named traffic-class counter"; } leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } } // choice inetcnt leaf service-accounting { junos:must "(!(".. service-accounting-deferred"))"; junos:must-message "'service-accounting-deferred' and 'service-accounting' cannot coexist"; junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf skip-services { type empty; description "Skip the services"; } leaf service-accounting-deferred { junos:must "(!(".. service-accounting"))"; junos:must-message "Cannot be both 'service-accounting' and 'service-accounting-deferred'"; junos:must "(!(".. 
count"))"; junos:must-message "'count' and 'service-accounting-deferred' cannot coexist"; type empty; description "Count the packets for deferred service accounting"; } leaf log { type empty; description "Log the packet"; } leaf packet-mode { type empty; description "Bypass flow mode for the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } leaf packet-capture { type empty; description "Enable packet capture for telemetry"; } leaf sample { junos:must "(!(".. sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; type empty; description "Sample the packet"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; type empty; description "Port-mirror the packet"; } leaf inline-monitoring-instance { junos:must "("services inline-monitoring instance $$")"; junos:must-message "Configure 'inline-monitoring instance'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Inline monitoring to specified instance"; } leaf l2-mirror { junos:must "((".. port-mirror-instance" || ".. 
port-mirror"))"; junos:must-message "'port-mirror' or 'port-mirror-instance' need to be configured for l2-mirror"; type empty; description "L2 mirror the packet"; } leaf loss-priority { junos:must "(!(".. three-color-policer"))"; junos:must-message "Configuring loss-priority is incompatible with configuring three-color-policer"; type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf service-filter-hit { type empty; description "Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters"; } leaf force-premium { type empty; description "When this bit is marked, traffic is considered as premium by the following hierarchical policer"; } leaf exclude-accounting { type empty; description "When this is marked, traffic is excluded from accurate accounting"; } leaf virtual-channel { junos:must "("class-of-service virtual-channels $$")"; junos:must-message "Referenced virtual channel is not defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Set the output interface virtual channel"; } choice designation { leaf accept { type empty; description "Accept the packet"; } container discard { presence "enable discard"; description "Discard the packet"; uses apply-advanced; leaf accounting { type string; description "Named discard collector for packet"; } } // container discard leaf next { type enumeration { enum "term" { value 0; description "Continue 
to next term in a filter"; } } description "Continue to next term in a filter"; } list logical-system { key "logical-system-name"; max-elements 1; ordered-by user; description "Packets are directed to specified logical system"; leaf logical-system-name { type string { junos:posix-pattern "^[a-zA-Z0-9_-]{1,63}$"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Name of logical system"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // list logical-system container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; 
junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } container next-ip { description "Packets are directed to specified the specified ipv4 address"; leaf address { type jt:ipv4prefix; description "Address to route"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance } // container next-ip container next-interface { presence "enable next-interface"; description "Packets are to be routed through the specified interface"; uses apply-advanced; leaf interface-name { type string { junos:posix-pattern "^((ge-)|(mge-)|(xe-)|(et-)|(gr-)|(ae)|(irb))"; junos:pattern-message "Only ge, mge, xe, et, ae, irb and point-to-point gr tunnel intefaces are supported"; length "1 .. 
127"; } description "Interface name"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance choice designation { leaf accept { type empty; description "Accept the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation } // container next-interface leaf ipsec-sa { type string; description "Use specified IPSec security association"; } leaf next-hop-group { type string; description "Use specified next-hop group"; } container decapsulate { presence "enable decapsulate"; description "Terminate a tunnel"; choice tunnel-protocol { container gre { presence "enable gre"; description "GRE protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. 
sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container gre container gre-in-udp { presence "enable gre-in-udp"; description "GRE-in-UDP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. 
sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container gre-in-udp container mpls-in-udp { presence "enable mpls-in-udp"; description "MPLS-in-UDP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. 
sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container mpls-in-udp container l2tp { description "L2TP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. 
sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 255"; } } description "Set the interface group"; } leaf-list cookie { type string { length "1 .. 32"; } ordered-by user; description "L2TPv3 cookie"; } choice destination { leaf output-interface { junos:must "("interfaces $$")"; junos:must-message "Interface must be defined in the interfaces hierarchy"; type union { type jt:interface-unit; type string { pattern "<.*>|$.*"; } } description "Interface name"; } } // choice destination } // container l2tp container ipip { presence "enable ipip"; description "IPIP protocol"; uses apply-advanced; leaf-list sample { junos:must "(!(".. 
sampling-instance"))"; junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive"; type enumeration { enum "inet" { junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 0; description "IPV4 protocol"; } enum "inet6" { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 1; description "IPV6 protocol"; } enum "mpls" { junos:must "(!(".. .. sample mpls-ipvx-payload"))"; junos:must-message "Cannot configure both sample mpls and sample mpls-ipvx-payload"; junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; value 2; description "MPLS protocol"; } } ordered-by user; description "Sample the packet"; } leaf no-decrement-ttl { type empty; description "Do not decrement TTL"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf interface-group { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
255"; } } description "Set the interface group"; } choice destination { container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { junos:must "("routing-instances $$")"; junos:must-message "referenced routing instance must be defined"; type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } } // container routing-instance } // choice destination } // container ipip } // choice tunnel-protocol } // container decapsulate container encapsulate { presence "enable encapsulate"; description "Send to a tunnel"; leaf tunnel-end-point { junos:must "("firewall tunnel-end-point $$")"; junos:must-message "referenced firewall tunnel-end-point must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of the tunnel end point"; } } // container encapsulate container reject { presence "enable reject"; description "Reject the packet"; choice style { leaf network-unreachable { type empty; description "Send ICMP Network Unreachable message"; } leaf host-unreachable { type empty; description "Send ICMP Host Unreachable message"; } leaf protocol-unreachable { type empty; description "Send ICMP Protocol Unreachable message"; } leaf port-unreachable { type empty; description "Send ICMP Port Unreachable message"; } leaf fragmentation-needed { type empty; description "Send ICMP Fragmentation Needed message"; } leaf source-route-failed { type empty; description "Send ICMP Source Route Failed message"; } leaf network-unknown { type empty; description "Send ICMP Network Unknown message"; } leaf host-unknown { type empty; description "Send ICMP Host Unknown message"; } leaf source-host-isolated { type empty; description "Send ICMP Source Host Isolated 
message"; } leaf network-prohibited { type empty; description "Send ICMP Network Prohibited message"; } leaf host-prohibited { type empty; description "Send ICMP Host Prohibited message"; } leaf bad-network-tos { type empty; description "Send ICMP Bad Network ToS message"; } leaf bad-host-tos { type empty; description "Send ICMP Bad Host ToS message"; } leaf administratively-prohibited { type empty; description "Send ICMP Administratively Prohibited message"; } leaf precedence-violation { type empty; description "Send ICMP Precedence Violation message"; } leaf precedence-cutoff { type empty; description "Send ICMP Precedence Cutoff message"; } leaf tcp-reset { type empty; description "Send TCP Reset message"; } } // choice style
} // container reject
leaf load-balance { junos:must "("firewall load-balance-group $$")"; junos:must-message "Referenced load-balance group is not defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Use specified load balancing group"; } } // choice designation
leaf dscp { type string; description "Set Differentiated Services (DiffServ) code point"; } leaf dont-fragment { type enumeration { enum "clear" { value 0; description "Clear DF bit flag"; } enum "set" { value 1; description "Set DF bit flag"; } } description "Set or clear the DF bit flag of the IP header (ingress only)"; } leaf prefix-action { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Police or count packets using named prefix action"; } } // container then
} // list term
} // grouping inet_filter

// Fast-update filter (IPv4 family). A term's 'from' block may only match the
// fixed field set enumerated in 'match-order' (protocol, addresses, ports,
// dscp); 'then' offers policer/count/log/port-mirror plus an
// accept / discard / routing-instance designation. Names follow the module's
// usual rule (negated posix pattern: no '__' prefix, at most 64 characters),
// and the junos:must on 'name' below additionally requires that no
// 'firewall family <*> filter' of the same name exists.
grouping inet_fuf { leaf name { junos:must "(unique "firewall family <*> filter $$")"; junos:must-message "Fast update filter can not have the same name as firewall family filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a 
non-reserved string of 64 characters or less"; } description "Name of fast update filter"; } uses apply-advanced; leaf interface-specific { type empty; description "Defined counters are interface specific"; }
// User-ordered list of the fields a fast-update filter is keyed on; the
// enum is closed, so no other match field can be added to such a filter.
leaf-list match-order { type enumeration { enum "protocol" { value 0; description "Include IP protocol in match set"; } enum "source-address" { value 1; description "Include source-address in match set"; } enum "destination-address" { value 2; description "Include destination-address in match set"; } enum "source-port" { value 3; description "Include source-port in match set"; } enum "destination-port" { value 4; description "Include destination-port in match set"; } enum "dscp" { value 5; description "Include Differentiated Services (DiffServ) code point in match set"; } } ordered-by user; }
list term { key "name"; ordered-by user; description "One or more firewall terms"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf only-at-create { type empty; description "Add term only when filter is first created."; }
container from { description "Match criteria"; uses apply-advanced; container source-address { description "Match source IP address"; uses firewall_addr_simple_object; } // container source-address
container destination-address { description "Match destination IP address"; uses firewall_addr_simple_object; } // container destination-address
choice source-port_choice { container source-port { description "Match TCP/UDP source port"; uses match_simple_port_value; } // container source-port
} // choice source-port_choice
choice destination-port_choice { container destination-port { description "Match TCP/UDP destination port"; uses match_simple_port_value; } // container destination-port
} // choice destination-port_choice
choice protocol_choice { container protocol { description "Match IP protocol 
type"; uses match_simple_protocol_value; } // container protocol
} // choice protocol_choice
choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_simple_dscp_value; } // container dscp
} // choice dscp_choice
// Free-form 'type string' with no pattern or length restriction in this
// schema; the content is supplied dynamically per the description.
leaf match-terms { type string; description "Dynamically supplied list of match criteria"; } } // container from
container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } } // choice policer-choice
leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf service-accounting { junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf log { type empty; description "Log the packet"; } leaf port-mirror { type empty; description "Port-mirror the packet"; }
// NOTE(review): the junos:must below refers to a sibling
// 'three-color-policer', which is not declared in this 'then' container;
// presumably it is contributed by apply-advanced or an augment elsewhere —
// confirm, otherwise the constraint can never fire here.
leaf loss-priority { junos:must "(!(".. 
three-color-policer"))"; junos:must-message "Configuring loss-priority is incompatible with configuring three-color-policer"; type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; }
// Same shape as 'match-terms': unconstrained string, supplied dynamically.
leaf action-terms { type string; description "Dynamically supplied list of actions"; }
choice designation { leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; }
// NOTE(review): unlike the 'decapsulate' routing-instance leaves earlier in
// this module, which carry junos:must "routing-instances $$",
// 'routing-instance-name' here has only a syntactic pattern and no
// reference check, so the schema alone accepts a name that is not defined
// under 'routing-instances' — confirm that a commit-time check exists
// elsewhere.
container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance
} // choice designation
} // container then
} // list term
} // grouping inet_fuf

// Single IPv4 prefix match (jt:ipv4prefix). Used by the source-/destination-
// address containers of the fast-update filter above and of the simple
// filter below; it has no 'except' variant. The service filter uses
// firewall_addr_object instead (defined elsewhere in this module).
grouping firewall_addr_simple_object { uses apply-advanced; leaf address { type jt:ipv4prefix; description "Prefix to match"; } } // grouping firewall_addr_simple_object

// IPv4 service filter. A term can match L3/L4 fields (with '-except'
// negations), AH/ESP SPIs, fragment state, TCP flags, loss priority,
// forwarding class and redirect reason. The only designations in 'then' are
// service / skip / accept: a service filter steers traffic to or around
// service processing; it has no discard or reject action.
grouping inet_service_filter { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; list term { key "name"; ordered-by user; 
description "Service filter term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced;
container from { description "Match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice
list source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list source-address
list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list destination-address
list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address
list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list
list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list
list prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list
// Protocol, ip-options and port matches are plain 'type string' leaf-lists
// (no pattern in this schema); each comes with an '-except' negation in the
// same choice, so a term uses one or the other, not both.
choice protocol_choice { leaf-list protocol { type string; ordered-by user; } leaf-list protocol-except { type string; ordered-by user; } } // choice protocol_choice
choice ip-options_choice { leaf-list ip-options { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } leaf-list ip-options-except { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } } // choice ip-options_choice
choice source-port_choice 
{ leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice
choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice
choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice
choice esp-spi_choice { leaf-list esp-spi { type string; ordered-by user; description "Range of values"; } leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; } } // choice esp-spi_choice
// NOTE(review): port and tcp-flags matches presume a visible transport
// header, which non-initial fragments do not carry; policies that must not
// let fragments bypass such terms should say so explicitly with
// is-fragment / first-fragment / fragment-offset.
leaf is-fragment { type empty; description "Match if packet is a fragment"; } leaf first-fragment { type empty; description "Match if packet is the first fragment"; }
// fragment-offset is the one port-like match here that is pattern-checked:
// a single number or a '<min>-<max>' range of digits.
choice fragment-offset_choice { leaf-list fragment-offset { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } leaf-list fragment-offset-except { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } } // choice fragment-offset_choice
// Both flag matches are free-form strings; the symbolic/hex syntax named in
// the tcp-flags description is not enforced by a pattern in this schema.
leaf fragment-flags { type string; description "Match fragment flags"; } leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; }
choice ah-spi_choice { leaf-list ah-spi { type string; ordered-by user; description "Range of values"; } leaf-list ah-spi-except { type string; ordered-by user; description "Range of values"; } } // choice ah-spi_choice
choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } 
enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice
choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice
choice redirect-reason_choice { leaf-list redirect-reason { type enumeration { enum "aoc" { value 0; description "Advice of Charge"; } enum "aolb" { value 1; description "Advice of Low Balance"; } enum "dpi" { value 2; description "Layer7 match required"; } } ordered-by user; } leaf-list redirect-reason-except { type enumeration { enum "aoc" { value 0; description "Advice of Charge"; } enum "aolb" { value 1; description "Advice of Low Balance"; } enum "dpi" { value 2; description "Layer7 match required"; } } ordered-by user; } } // choice redirect-reason_choice
} // container from
// count / log / sample / port-mirror are independent leaves (not part of the
// designation choice), so any of them can accompany the chosen designation.
container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf log { type empty; description "Log the packet"; } 
leaf sample { type empty; description "Sample the packet"; } leaf port-mirror { type empty; description "Port-mirror the packet"; }
choice designation { leaf service { type empty; description "Forward packets to service processing"; } leaf skip { type empty; description "Skip service processing"; } leaf accept { type empty; description "Accept the packet"; } } // choice designation
} // container then
} // list term
} // grouping inet_service_filter

grouping inet_simple_filter { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of simple filter"; } uses apply-advanced; leaf interface-specific { type empty; status deprecated; description "Defined counters are interface specific"; } list term { key "name"; ordered-by user; description "One or more firewall terms"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Match criteria"; uses apply-advanced; container source-address { description "Source IP address"; uses firewall_addr_simple_object; } // container source-address
container destination-address { description "Destination IP address"; uses firewall_addr_simple_object; } // container destination-address
choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_simple_protocol_value; } // container protocol
} // choice protocol_choice
choice source-port_choice { container source-port { description "Match TCP/UDP source port"; uses match_simple_port_value; } // container source-port
} // choice source-port_choice
choice destination-port_choice { container destination-port { description "Match TCP/UDP destination port"; uses match_simple_port_value; } // container destination-port
} // choice destination-port_choice
choice
forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer } // choice policer-choice leaf loss-priority { type enumeration { enum "low" { value 0; description "Low loss priority"; } enum "medium-high" { value 1; description "Medium-high loss priority"; } enum "medium-low" { value 2; description "Medium-low loss priority"; } enum "high" { value 3; description "High loss priority"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; 
junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf discard { type empty; description "Discard the packet"; } leaf accept { type empty; description "Accept the packet"; } } // container then } // list term } // grouping inet_simple_filter grouping interface_set_type { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Interface set name"; } uses apply-advanced; list interface-list { key "name"; ordered-by user; description "Interface list"; leaf name { type union { type jt:interface-wildcard; type string { pattern "<.*>|$.*"; } } description "Interface name"; } uses apply-advanced; } // list interface-list } // grouping interface_set_type grouping macro-data-type { leaf name { type string; description "Keyword part of the keyword-value pair"; } leaf value { type string; description "Value part of the keyword-value pair"; } } // grouping macro-data-type grouping match_L2_flexible_mask { description "Define a flexible match"; uses apply-advanced; leaf match-start { type enumeration { enum "layer-2" { value 0; description "Layer-2 match start"; } enum "layer-3" { value 1; description "Layer-3 match start"; } enum "layer-4" { value 2; description "Layer-4 match start"; } enum "payload" { value 3; description "Payload match start"; } } description "Start point to match in packet"; } leaf byte-offset { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Byte offset after the match start point"; } leaf bit-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
7"; } } description "Bit offset after the (match-start + byte) offset"; } leaf bit-length { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Length of integer input (1..32 bits), Optional length of string input (1..128 bits)"; } leaf mask-in-hex { type string { junos:posix-pattern "(^(0[xX])?[A-Fa-f0-9]{0,8}$)"; } description "Mask out bits in the packet data to be matched"; } leaf prefix { junos:must "((".. flexible-mask-name" || ".. match-start"))"; junos:must-message "To configure prefix, 'flexible-mask-name' or 'match-start' must be configured"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Value data/string to be matched"; } leaf flexible-mask-name { junos:must "((!(".. byte-offset") && (!(".. bit-offset") && (!(".. bit-length") && !(".. match-start")))))"; junos:must-message "To refer configured template, only prefix or prefix along with mask can be configured"; type string; description "Select a flexible match from predefined template field"; } } // grouping match_L2_flexible_mask grouping match_L2_flexible_range { description "Define a flexible match"; uses apply-advanced; leaf match-start { type enumeration { enum "layer-2" { value 0; description "Layer-2 match start"; } enum "layer-3" { value 1; description "Layer-3 match start"; } enum "layer-4" { value 2; description "Layer-4 match start"; } enum "payload" { value 3; description "Payload match start"; } } description "Start point to match in packet"; } leaf byte-offset { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Byte offset after the match start point"; } leaf bit-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Bit offset after the (match-start + byte) offset"; } leaf bit-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
32"; } } description "Length of the data to be matched in bits"; } choice range_choice { leaf range { junos:must "((".. flexible-range-name" || (".. match-start" && ".. bit-length")))"; junos:must-message "To configure range, 'flexible-range-name' or 'match-start & bit-length' must be configured"; type string; description "Range of values to be matched"; } leaf range-except { junos:must "((".. flexible-range-name" || (".. match-start" && ".. bit-length")))"; junos:must-message "To configure range-except, 'flexible-range-name' or 'match-start & bit-length' must be configured"; type string; description "Range of values to be not matched"; } } // choice range_choice leaf flexible-range-name { junos:must "((!(".. byte-offset") && (!(".. bit-offset") && (!(".. bit-length") && !(".. match-start")))))"; junos:must-message "To refer configured template, only range or range-except can be configured"; type string; description "Select a flexible match from predefined template field"; } } // grouping match_L2_flexible_range grouping match_L3_flexible_mask { description "Define a flexible match"; uses apply-advanced; leaf match-start { type enumeration { enum "layer-3" { value 0; description "Layer-3 match start"; } enum "layer-4" { value 1; description "Layer-4 match start"; } enum "payload" { value 2; description "Payload match start"; } } description "Start point to match in packet"; } leaf byte-offset { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Byte offset after the match start point"; } leaf bit-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
7"; } } description "Bit offset after the (match-start + byte) offset"; } leaf bit-length { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Length of integer input (1..32 bits), Optional length of string input (1..128 bits)"; } leaf mask-in-hex { type string { junos:posix-pattern "(^(0[xX])?[A-Fa-f0-9]{0,8}$)"; } description "Mask out bits in the packet data to be matched"; } leaf prefix { junos:must "((".. flexible-mask-name" || ".. match-start"))"; junos:must-message "To configure prefix, 'flexible-mask-name' or 'match-start' must be configured"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Value data/string to be matched"; } leaf flexible-mask-name { junos:must "((!(".. byte-offset") && (!(".. bit-offset") && (!(".. bit-length") && !(".. match-start")))))"; junos:must-message "To refer configured template, only prefix or prefix along with mask can be configured"; type string; description "Select a flexible match from predefined template field"; } } // grouping match_L3_flexible_mask grouping match_L3_flexible_range { description "Define a flexible match"; uses apply-advanced; leaf match-start { type enumeration { enum "layer-3" { value 0; description "Layer-3 match start"; } enum "layer-4" { value 1; description "Layer-4 match start"; } enum "payload" { value 2; description "Payload match start"; } } description "Start point to match in packet"; } leaf byte-offset { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Byte offset after the match start point"; } leaf bit-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Bit offset after the (match-start + byte) offset"; } leaf bit-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 
32"; } } description "Length of the data to be matched in bits"; } choice range_choice { leaf range { junos:must "((".. flexible-range-name" || (".. match-start" && ".. bit-length")))"; junos:must-message "To configure range, 'flexible-range-name' or 'match-start & bit-length' must be configured"; type string; description "Range of values to be matched"; } leaf range-except { junos:must "((".. flexible-range-name" || (".. match-start" && ".. bit-length")))"; junos:must-message "To configure range-except, 'flexible-range-name' or 'match-start & bit-length' must be configured"; type string; description "Range of values to be not matched"; } } // choice range_choice leaf flexible-range-name { junos:must "((!(".. byte-offset") && (!(".. bit-offset") && (!(".. bit-length") && !(".. match-start")))))"; junos:must-message "To refer configured template, only range or range-except can be configured"; type string; description "Select a flexible match from predefined template field"; } } // grouping match_L3_flexible_range grouping match_flags_value { description "Define a vxlan flag"; uses apply-advanced; leaf value { junos:must "(".. 
mask-in-hex")"; junos:must-message "mask-in-hex must be set for vxlan flag"; type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])$"; junos:pattern-message "Must be a numeric value"; } description "Value data to be matched"; } leaf mask-in-hex { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])$"; junos:pattern-message "Must be a numeric value"; } description "Mask out bits in the packet data to be matched"; } } // grouping match_flags_value grouping match_interface_object { leaf name { type union { type jt:interface-wildcard; type string { pattern "<.*>|$.*"; } } description "Interface to match"; } } // grouping match_interface_object grouping match_interface_object_oam { leaf name { type union { type jt:interface-wildcard; type string { pattern "<.*>|$.*"; } } description "Interface to match"; } } // grouping match_interface_object_oam grouping match_interface_set_object { leaf name { type string; description "Interface set to match"; } } // grouping match_interface_set_object grouping match_simple_dscp_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_simple_dscp_value grouping match_simple_payload_protocol_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_simple_payload_protocol_value grouping match_simple_port_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_simple_port_value grouping match_simple_protocol_value { uses apply-advanced; leaf value_keyword { type string; } } // grouping match_simple_protocol_value grouping mpls_dialer_filter { description "Define an MPLS DIALER filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf-list accounting-profile { junos:must "("accounting-options 
filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; choice exp_choice { leaf-list exp { type string; ordered-by user; description "Range of values"; } leaf-list exp-except { type string; ordered-by user; description "Range of values"; } } // choice exp_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf log { type empty; description "Log the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } leaf sample { type empty; description "Sample the packet"; } choice designation { leaf note { type empty; description "Interested ISDN packet"; } leaf ignore { type empty; description "Non-interested ISDN packet"; } } // choice designation } // container then } // list term } // grouping mpls_dialer_filter grouping mpls_filter { description "Define an MPLS firewall filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf fast-lookup-filter { type empty; description "Configure filter in the fast lookup hardware block"; } leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf 
physical-interface-filter { type empty; description "Filter is physical interface filter"; } leaf instance-shared { junos:must "("chassis network-services enhanced-ip")"; junos:must-message "instance-shared filter available only in enhanced-ip mode"; junos:must "(!(".. physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-shared"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-shared"; type empty; description "Filter is routing-instance shared"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family mpls filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice container ip-version { description "Specify inner IP version"; uses apply-advanced; container ipv4 { junos:must "(!(".. 
ipv6"))"; junos:must-message "Same term cannot have both IPv4 & IPv6 IP version"; presence "enable ipv4"; description "Define L4 match items to match IPv4 packets"; uses apply-advanced; list protocol { key "name"; max-elements 1; ordered-by user; description "Specify inner IPv4 protocol"; leaf name { type string; description "IP protocol choices"; } uses apply-advanced; choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice } // list protocol choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice list source-address { key "name"; ordered-by user; description "Match IPv4 source address"; uses firewall_addr_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match IPv4 destination address"; uses firewall_addr_object; } // list destination-address list ip-address { key "name"; ordered-by user; description "Match IPv4 source or destination addres"; uses firewall_addr_object; } // list ip-address list ip-source-address { key "name"; ordered-by user; description "Match IPv4 source address"; uses firewall_addr_object; } // list ip-source-address list ip-destination-address { key "name"; ordered-by user; description "Match IPv4 destination address"; uses firewall_addr_object; } // list ip-destination-address list source-prefix-list { key "name"; ordered-by user; description "Match IPv4 source 
prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IPv4 destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list choice dscp_choice { leaf-list dscp { type string; ordered-by user; } leaf-list dscp-except { type string; ordered-by user; } } // choice dscp_choice leaf first-fragment { type empty; description "Match if packet is the first fragment"; } leaf fragment-flags { type string; description "Match fragment flags (in symbolic or hex formats) - (Ingress only)"; } choice fragment-offset_choice { leaf-list fragment-offset { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } leaf-list fragment-offset-except { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } } // choice fragment-offset_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice leaf is-fragment { type empty; description "Match if packet is a fragment"; } choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern 
"^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; } leaf tcp-flags { type string; description "Match TCP flags"; } leaf tcp-established { type empty; description "Match packet of an established TCP connection"; } choice ttl_choice { leaf-list ttl { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list ttl-except { type string { junos:posix-pattern 
"^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice ttl_choice choice ip-options_choice { leaf-list ip-options { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } leaf-list ip-options-except { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } } // choice ip-options_choice choice ip-protocol_choice { leaf-list ip-protocol { type string; ordered-by user; } leaf-list ip-protocol-except { type string; ordered-by user; } } // choice ip-protocol_choice } // container ipv4 container ipv6 { junos:must "(!(".. ipv4"))"; junos:must-message "Same term cannot have both IPv4 & IPv6 IP version"; presence "enable ipv6"; description "Define L3/L4 match items to match IPv6 packets"; uses apply-advanced; list protocol { key "name"; max-elements 1; ordered-by user; description "Specify inner IPv6 next-header"; leaf name { type string; description "IP protocol choices"; } uses apply-advanced; choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice } // list protocol choice next-header_choice { leaf-list next-header { type string; ordered-by user; } leaf-list next-header-except { type string; ordered-by user; } } // choice next-header_choice list ip6-source-address { key "name"; ordered-by user; description "Match IPv6 source address"; uses firewall_addr6_object; } // list ip6-source-address list ip6-destination-address { key "name"; ordered-by user; 
description "Match IPv6 destination address"; uses firewall_addr6_object; } // list ip6-destination-address list ip6-address { key "name"; ordered-by user; description "Match IPv6 source or destination address"; uses firewall_addr6_object; } // list ip6-address list source-address { key "name"; ordered-by user; description "Match IPv6 source address"; uses firewall_addr6_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match IPv6 destination address"; uses firewall_addr6_object; } // list destination-address list source-prefix-list { key "name"; ordered-by user; description "Match IPv4 source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IPv4 destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list choice hop-limit_choice { leaf-list hop-limit { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical hop-limit value or range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list hop-limit-except { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical hop-limit value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice hop-limit_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice 
icmp-code_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice list prefix-list { key "name"; ordered-by user; description "Match source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; } leaf tcp-flags { type string; description "Match TCP flags"; } leaf 
tcp-established { type empty; description "Match packet of an established TCP connection"; } choice traffic-class_choice { leaf-list traffic-class { type string; ordered-by user; } leaf-list traffic-class-except { type string; ordered-by user; } } // choice traffic-class_choice } // container ipv6 } // container ip-version list label0 { key "name"; ordered-by user; description "MPLS label bits at Top Of Stack"; leaf name { type string { junos:posix-pattern "^([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numerical value or range between 0-1048575"; } description "Range of values between 0 and 1048575 in decimal or hexadecimal"; } uses apply-advanced; } // list label0 list label0-except { key "name"; ordered-by user; description "MPLS label bits at Top Of Stack"; leaf name { type string { junos:posix-pattern "^([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numerical value or range between 0-1048575"; } description "Range of values between 0 and 1048575 in decimal or hexadecimal"; } uses apply-advanced; } // list label0-except list label1 { key "name"; 
ordered-by user; description "Match MPLS label bits at Next 1 from Top Of Stack"; leaf name { type string { junos:posix-pattern "^([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numerical value or range between 0-1048575"; } description "Range of values between 0 and 1048575 in decimal or hexadecimal"; } uses apply-advanced; } // list label1 list label1-except { key "name"; ordered-by user; description "Match MPLS label bits at Next 1 from Top Of Stack"; leaf name { type string { junos:posix-pattern "^([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f])(-([0-9]{1,6}|10[0-3][0-9][0-9][0-9][0-9]|104[0-7][0-9][0-9][0-9]|1048[0-4][0-9][0-9]|10485[0-6][0-9]|104857[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f]|0x[0-f][0-f][0-f][0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numerical value or range between 0-1048575"; } description "Range of values between 0 and 1048575 in decimal or hexadecimal"; } uses apply-advanced; } // list label1-except choice exp_choice { leaf-list exp { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } leaf-list exp-except { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } } // choice exp_choice choice ttl_choice { case case_1 { } // case case_1 
leaf-list ttl-except { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice ttl_choice choice exp0_choice { leaf-list exp0 { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } leaf-list exp0-except { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } } // choice exp0_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice ttl0_choice { leaf-list ttl0 { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list ttl0-except { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL 
value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice ttl0_choice choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice choice flex-mask_choice { container flexible-match-mask { presence "enable flexible-match-mask"; description "Match flexible mask"; uses match_mpls_flexible_mask; } // container flexible-match-mask } // choice flex-mask_choice choice flex-range_choice { container flexible-match-range { presence "enable flexible-match-range"; description "Match flexible range"; uses match_mpls_flexible_range; } // container flexible-match-range } // choice flex-range_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 
64"; } ordered-by user; description "String name"; } } // choice policy-map_choice choice exp1_choice { leaf-list exp1 { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } leaf-list exp1-except { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } } // choice exp1_choice choice ttl1_choice { leaf-list ttl1 { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } leaf-list ttl1-except { type string { junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$"; junos:pattern-message "Must be a numerical TTL value or range between 0-255"; } ordered-by user; description "Range of values"; } } // choice ttl1_choice leaf bottom-of-stack0 { type empty; description "Match MPLS BottomOfStack bit at Top Of Stack"; } leaf bottom-of-stack1 { type empty; description "Match MPLS BottomOfStack bit at Next 1 from Top Of Stack"; } } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ 
single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer leaf hierarchical-policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of hierarchical policer to use to rate-limit traffic"; } } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced 
policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance choice mplscnt { leaf traffic-class-count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named traffic-class counter"; } leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } } // choice mplscnt leaf sample { junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; type empty; description "Sample the packet"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Classify packet to loss-priority"; } leaf forwarding-class { 
type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; junos:must "("forwarding-options port-mirroring")"; junos:must-message "Configure 'port-mirroring' under 'forwarding-options'"; type empty; description "Port-mirror the packet"; } leaf inline-monitoring-instance { junos:must "("services inline-monitoring instance $$")"; junos:must-message "Configure 'inline-monitoring instance'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Send the packet to the specified inline-monitoring instance"; } leaf packet-mode { type empty; description "Bypass flow mode for the packet (matching packets skip flow-based processing; keep the term's match conditions as narrow as possible)"; } choice designation { container encapsulate { presence "enable encapsulate"; description "Send to a tunnel"; leaf tunnel-end-point { junos:must "("firewall tunnel-end-point $$")"; junos:must-message "referenced firewall tunnel-end-point must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of the tunnel end point"; } } // container encapsulate leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } 
description "Continue to next term in a filter"; } } // choice designation } // container then } // list term } // grouping mpls_filter grouping match_mpls_flexible_mask { description "Define a flexible match"; uses apply-advanced; leaf match-start { type enumeration { enum "layer-3" { value 0; description "Layer-3 match start"; } enum "payload" { value 1; description "Payload match start"; } } description "Start point to match in packet"; } leaf byte-offset { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Byte offset after the match start point"; } leaf bit-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Bit offset after the (match-start + byte) offset"; } leaf bit-length { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Length of integer input (1..32 bits), Optional length of string input (1..128 bits)"; } leaf mask-in-hex { type string { junos:posix-pattern "(^(0[xX])?[A-Fa-f0-9]{0,8}$)"; } description "Mask out bits in the packet data to be matched"; } leaf prefix { junos:must "((".. flexible-mask-name" || ".. match-start"))"; junos:must-message "To configure prefix, 'flexible-mask-name' or 'match-start' must be configured"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Value data/string to be matched"; } leaf flexible-mask-name { junos:must "((!(".. byte-offset") && (!(".. bit-offset") && (!(".. bit-length") && !(".. 
match-start")))))"; junos:must-message "To refer configured template, only prefix or prefix along with mask can be configured"; type string; description "Select a flexible match from predefined template field"; } } // grouping match_mpls_flexible_mask grouping match_mpls_flexible_range { description "Define a flexible match"; uses apply-advanced; leaf match-start { type enumeration { enum "layer-3" { value 0; description "Layer-3 match start"; } enum "payload" { value 1; description "Payload match start"; } } description "Start point to match in packet"; } leaf byte-offset { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "Byte offset after the match start point"; } leaf bit-offset { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } description "Bit offset after the (match-start + byte) offset"; } leaf bit-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "1 .. 32"; } } description "Length of the data to be matched in bits"; } choice range_choice { leaf range { junos:must "((".. flexible-range-name" || (".. match-start" && ".. bit-length")))"; junos:must-message "To configure range, 'flexible-range-name' or 'match-start & bit-length' must be configured"; type string; description "Range of values to be matched"; } leaf range-except { junos:must "((".. flexible-range-name" || (".. match-start" && ".. bit-length")))"; junos:must-message "To configure range-except, 'flexible-range-name' or 'match-start & bit-length' must be configured"; type string; description "Range of values to be not matched"; } } // choice range_choice leaf flexible-range-name { junos:must "((!(".. byte-offset") && (!(".. bit-offset") && (!(".. bit-length") && !(".. 
match-start")))))"; junos:must-message "To refer configured template, only range or range-except can be configured"; type string; description "Select a flexible match from predefined template field"; } } // grouping match_mpls_flexible_range grouping prefix_action { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Prefix action name"; } uses apply-advanced; leaf policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Police the packet using a set of named policer"; } leaf count { type empty; description "Enable counters"; } leaf filter-specific { type empty; description "Filter specific, else term specific"; } leaf subnet-prefix-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 32"; } } description "Prefix length for the total address range"; } choice source_or_dest { leaf source-prefix-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 32"; } } description "Source prefix range"; } leaf destination-prefix-length { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
32"; } } description "Destination prefix range"; } } // choice source_or_dest } // grouping prefix_action grouping three-color-policer-type { description "Three-color policer"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policer name"; } uses apply-advanced; leaf filter-specific { type empty; description "Three color policer is filter-specific"; } leaf logical-interface-policer { type empty; description "Policer is logical interface policer"; } leaf physical-interface-policer { type empty; description "Policer is physical interface policer"; } leaf shared-bandwidth-policer { type empty; description "Share policer bandwidth among bundle links"; } container action { description "Action for three-color policer"; uses apply-advanced; list loss-priority { key "name"; ordered-by user; description "Loss priority for packet"; uses three-color-policer-action; } // list loss-priority } // container action choice rate-type-choice { container single-rate { description "Single-rate policer"; uses apply-advanced; choice mode-choice { leaf color-blind { type empty; description "Color-blind mode"; } leaf color-aware { type empty; description "Color-aware mode"; } } // choice mode-choice leaf committed-information-rate { type string; units "bits per second"; description "Bandwidth allowed for committed traffic"; } leaf committed-burst-size { type string; units "bytes"; description "Burst size allowed for committed traffic"; } leaf excess-burst-size { type string; units "bytes"; description "Burst size allowed for excess traffic"; } } // container single-rate container single-packet-rate { presence "enable single-packet-rate"; description "Single-rate packet policer"; uses apply-advanced; choice mode-choice { leaf color-blind { type empty; description "Color-blind mode"; } leaf color-aware { type empty; description "Color-aware mode"; } } // choice mode-choice 
leaf committed-information-pps { type string; units "packets per second"; description "PPS allowed for committed traffic"; } leaf committed-packet-burst { type string; units "packets"; description "Packet burst allowed for committed traffic"; } leaf excess-packet-burst { type string; units "packets"; description "Packet burst allowed for excess traffic"; } } // container single-packet-rate container two-rate { presence "enable two-rate"; description "Two-rate policer"; uses apply-advanced; choice mode-choice { leaf color-blind { type empty; description "Color-blind mode"; } leaf color-aware { type empty; description "Color-aware mode"; } } // choice mode-choice leaf committed-information-rate { type string; units "bits per second"; description "Bandwidth allowed for committed traffic"; } leaf committed-burst-size { type string; units "bytes"; description "Burst size allowed for committed traffic"; } leaf peak-information-rate { type string; units "bits per second"; description "Bandwidth allowed for peak traffic"; } leaf peak-burst-size { type string; units "bytes"; description "Burst size allowed for peak traffic"; } container aggregate-policing { presence "enable aggregate-policing"; description "Configure Aggregate Policer"; uses apply-advanced; list policer { key "name"; max-elements 1; ordered-by user; description "Two-color policer to be used as aggregate"; leaf name { junos:must "("firewall policer $$")"; junos:must-message "Referenced aggregate policer is not defined"; type string; description "Name of the two-color policer used for aggregate policing"; } uses apply-advanced; leaf aggregate-sharing-mode { type enumeration { enum "hybrid" { value 0; description "Child policer CIR rates are guaranteed rates and PIR rates are peak rates for member flows"; } } description "Hierarchical Metering model"; } } // list policer } // container aggregate-policing } // container two-rate container two-packet-rate { presence "enable two-packet-rate"; description "Two-rate 
packet policer"; uses apply-advanced; choice mode-choice { leaf color-blind { type empty; description "Color-blind mode"; } leaf color-aware { type empty; description "Color-aware mode"; } } // choice mode-choice leaf committed-information-pps { type string; units "packets per second"; description "PPS allowed for committed traffic"; } leaf committed-packet-burst { type string; units "packets"; description "Packet burst allowed for committed traffic "; } leaf peak-information-pps { type string; units "packets per second"; description "PPS allowed for peak traffic"; } leaf peak-packet-burst { type string; units "packets"; description "Packet burst allowed for peak traffic "; } } // container two-packet-rate } // choice rate-type-choice } // grouping three-color-policer-type grouping three-color-policer-action { description "Action for three-color policer"; leaf name { type enumeration { enum "high" { value 0; description "High loss priority"; } } description "Loss priority for packet"; } uses apply-advanced; container then { description "Action to take if the rate limits are exceeded"; uses apply-advanced; leaf discard { type empty; description "Discard the packet"; } } // container then } // grouping three-color-policer-action grouping tunnel_end_point { description "Define a tunnel end point"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Tunnel end-point identifier (ASCII string)"; } uses apply-advanced; choice l3-protocol { container ipv6 { presence "enable ipv6"; description "Enter an IPv6 tunnel"; uses apply-advanced; leaf source-address { type jt:ipv6addr; description "Tunnel source address"; } leaf destination-address { type jt:ipv6prefix; description "Tunnel destination address"; } } // container ipv6 container ipv4 { presence "enable ipv4"; description "Enter an IPv4 tunnel"; uses apply-advanced; leaf source-address { type jt:ipv4addr; 
description "Tunnel source address"; } leaf destination-address { type jt:ipv4prefix; description "Tunnel destination address"; } } // container ipv4 } // choice l3-protocol choice tunnel-protocol { container gre { presence "enable gre"; description "Tunnel is GRE"; uses apply-advanced; leaf key { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "GRE key field (RFC 2890): a 32-bit tunnel identifier carried in cleartext, not a cryptographic authenticator"; } } // container gre container gre-in-udp { presence "enable gre-in-udp"; description "Tunnel is GRE-in-UDP"; uses apply-advanced; leaf source-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "UDP source port"; } leaf destination-port { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 65535"; } } description "UDP destination port"; } leaf key { type union { type uint32; type string { pattern "<.*>|$.*"; } } description "GRE key field (RFC 2890): a 32-bit tunnel identifier carried in cleartext, not a cryptographic authenticator"; } } // container gre-in-udp } // choice tunnel-protocol } // grouping tunnel_end_point grouping vpls_filter { description "Define a VPLS firewall filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } leaf instance-shared { junos:must "("chassis network-services enhanced-ip")"; junos:must-message "instance-shared filter available only in enhanced-ip mode"; junos:must "(!(".. 
physical-interface-filter"))"; junos:must-message "Cannot be both physical-interface-filter and instance-shared"; junos:must "(!(".. interface-specific"))"; junos:must-message "Cannot be both interface-specific and instance-shared"; type empty; description "Filter is routing-instance shared"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family vpls filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice ether-type_choice { leaf-list ether-type { type string; ordered-by user; } leaf-list ether-type-except { type string; ordered-by user; } } // choice ether-type_choice choice vlan-ether-type_choice { leaf-list vlan-ether-type { type string; ordered-by user; } leaf-list vlan-ether-type-except { type string; ordered-by user; } } // choice vlan-ether-type_choice list destination-mac-address { key "name"; ordered-by user; description "Destination MAC address"; uses firewall_mac_addr_object; } // list destination-mac-address list source-mac-address { key "name"; ordered-by user; description "Source MAC address"; uses firewall_mac_addr_object; } // list source-mac-address choice 
forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { leaf-list loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } leaf-list loss-priority-except { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } ordered-by user; } } // choice loss-priority_choice choice learn-vlan-id_choice { leaf-list learn-vlan-id { type string; ordered-by user; description "Range of values"; } leaf-list learn-vlan-id-except { type string; ordered-by user; description "Range of values"; } } // choice learn-vlan-id_choice choice learn-vlan-1p-priority_choice { leaf-list learn-vlan-1p-priority { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list learn-vlan-1p-priority-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice learn-vlan-1p-priority_choice choice user-vlan-id_choice { leaf-list user-vlan-id { type string; ordered-by user; description "Range of values"; } leaf-list user-vlan-id-except { type string; ordered-by user; description "Range of values"; } } // choice user-vlan-id_choice choice user-vlan-1p-priority_choice { leaf-list user-vlan-1p-priority { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } leaf-list user-vlan-1p-priority-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 7"; } } ordered-by user; description "802.1p priority value 0-7"; } } // choice user-vlan-1p-priority_choice choice learn-vlan-dei_choice { leaf-list learn-vlan-dei { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 1"; } } ordered-by user; description "DEI value 0-1"; } leaf-list learn-vlan-dei-except { type union { type string { pattern "<.*>|$.*"; } type uint32 { range "0 .. 
1"; } } ordered-by user; description "DEI value 0-1"; } } // choice learn-vlan-dei_choice choice traffic-type_choice { leaf-list traffic-type { type enumeration { enum "broadcast" { value 0; description "Packets with broadcast ethernet address"; } enum "multicast" { value 1; description "Packets with multicast ethernet address"; } enum "unknown-unicast" { value 2; description "Packets for which destination ethernet address has not been learnt"; } enum "known-unicast" { value 3; description "Packets for which destination ethernet address has been learnt"; } } ordered-by user; } leaf-list traffic-type-except { type enumeration { enum "broadcast" { value 0; description "Packets with broadcast ethernet address"; } enum "multicast" { value 1; description "Packets with multicast ethernet address"; } enum "unknown-unicast" { value 2; description "Packets for which destination ethernet address has not been learnt"; } enum "known-unicast" { value 3; description "Packets for which destination ethernet address has been learnt"; } } ordered-by user; } } // choice traffic-type_choice list ip-source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list ip-source-address list ip-destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list ip-destination-address list ip-address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list ip-address choice ip-protocol_choice { leaf-list ip-protocol { type string; ordered-by user; } leaf-list ip-protocol-except { type string; ordered-by user; } } // choice ip-protocol_choice choice dscp_choice { leaf-list dscp { type string; ordered-by user; } leaf-list dscp-except { type string; ordered-by user; } } // choice dscp_choice choice ip-precedence_choice { leaf-list ip-precedence { type string; ordered-by user; } leaf-list ip-precedence-except { 
type string; ordered-by user; } } // choice ip-precedence_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-flags { type string; description "Match TCP flags"; } choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list list ipv6-destination-address { key "name"; ordered-by user; description "Match IPv6 destination address"; uses firewall_addr6_object; } // list ipv6-destination-address list ipv6-source-address { key "name"; 
ordered-by user; description "Match IPv6 source address"; uses firewall_addr6_object; } // list ipv6-source-address list ipv6-address { key "name"; ordered-by user; description "Match IPv6 address"; uses firewall_addr6_object; } // list ipv6-address choice ipv6-next-header_choice { leaf-list ipv6-next-header { type string; ordered-by user; } leaf-list ipv6-next-header-except { type string; ordered-by user; } } // choice ipv6-next-header_choice choice ipv6-payload-protocol_choice { leaf-list ipv6-payload-protocol { type string; ordered-by user; } leaf-list ipv6-payload-protocol-except { type string; ordered-by user; } } // choice ipv6-payload-protocol_choice choice ipv6-traffic-class_choice { leaf-list ipv6-traffic-class { type string; ordered-by user; } leaf-list ipv6-traffic-class-except { type string; ordered-by user; } } // choice ipv6-traffic-class_choice list ipv6-source-prefix-list { key "name"; ordered-by user; description "Match IPV6 source prefixes in named list"; uses firewall_prefix_list; } // list ipv6-source-prefix-list list ipv6-destination-prefix-list { key "name"; ordered-by user; description "Match IPV6 destination prefixes in named list"; uses firewall_prefix_list; } // list ipv6-destination-prefix-list list ipv6-prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list ipv6-prefix-list choice flex-mask_choice { container flexible-match-mask { presence "enable flexible-match-mask"; description "Match flexible mask"; uses match_L2_flexible_mask; } // container flexible-match-mask } // choice flex-mask_choice choice flex-range_choice { container flexible-match-range { presence "enable flexible-match-range"; description "Match flexible range"; uses match_L2_flexible_range; } // container flexible-match-range } // choice flex-range_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message 
"Undefined policy-map instance";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              length "1 .. 64";
            }
            ordered-by user;
            description "String name";
          }
          leaf-list policy-map-except {
            junos:must "("class-of-service policy-map $$")";
            junos:must-message "Undefined policy-map instance";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
              length "1 .. 64";
            }
            ordered-by user;
            description "String name";
          }
        } // choice policy-map_choice
      } // container from

      /*
       * Actions for one term of a VPLS firewall filter (grouping vpls_filter,
       * list term). No node in this container is mandatory. The 'choice'
       * statements make the policer variants, the policy-map variants and the
       * terminating action (accept / discard / next term) mutually exclusive
       * within their group; everything else (count, loss-priority,
       * forwarding-class, mirroring, sampling, logging) can be combined.
       * Referential integrity is expressed with junos:must: names that point
       * at objects configured elsewhere (policer, three-color-policer,
       * policy-map, port-mirroring instance, inline-monitoring instance) are
       * checked for existence; 'hierarchical-policer' and 'next-hop-group'
       * carry no such check.
       * NOTE(review): the schema does not state what happens when no
       * 'designation' leaf is configured; confirm the platform default
       * before relying on a term without an explicit 'discard' to drop traffic.
       */
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;

        // Rate limiting: at most one policer kind per term.
        choice policer-choice {
          // The must-expression rejects policers configured as 'aggregate';
          // only a non-aggregate policer name may be attached here.
          leaf policer {
            junos:must "(!("firewall policer $$ aggregate"))";
            junos:must-message "Cannot attach a aggregate policer to filter";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of policer to use to rate-limit traffic";
          }
          // Exactly one of the four three-color policer kinds; each name is
          // checked against a configured three-color-policer of that kind.
          container three-color-policer {
            description "Police the packet using a three-color-policer";
            uses apply-advanced;
            choice type-choice {
              leaf single-rate {
                junos:must "("firewall three-color-policer $$ single-rate")";
                junos:must-message "Referenced single-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of single-rate three-color policer to use to rate-limit traffic";
              }
              leaf single-packet-rate {
                junos:must "("firewall three-color-policer $$ single-packet-rate")";
                junos:must-message "Referenced single-packet-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of single-packet-rate three-color policer to use to rate-limit traffic";
              }
              leaf two-rate {
                junos:must "("firewall three-color-policer $$ two-rate")";
                junos:must-message "Referenced two-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of two-rate three-color policer to use to rate-limit traffic";
              }
              leaf two-packet-rate {
                junos:must "("firewall three-color-policer $$ two-packet-rate")";
                junos:must-message "Referenced two-packet-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of two-packet-rate three-color policer to use to rate-limit traffic";
              }
            } // choice type-choice
          } // container three-color-policer
          // No junos:must on this leaf: the name is only pattern-checked, so a
          // reference to an unconfigured hierarchical policer is not caught by
          // this schema.
          leaf hierarchical-policer {
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of hierarchical policer to use to rate-limit traffic";
          }
        } // choice policer-choice

        // Either clear the policy marking or apply a policy map that exists
        // under class-of-service; not both.
        choice policy-map-choice {
          leaf clear-policy-map {
            type empty;
            description "Clear the policy marking";
          }
          leaf policy-map {
            junos:must "("class-of-service policy-map $$")";
            junos:must-message "referenced policy map must be defined";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Policy map action";
          }
        } // choice policy-map-choice

        // Name of the counter to increment; only the name format is constrained.
        leaf count {
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Count the packet in the named counter";
        }

        // Four loss-priority levels. The enum values are not in severity
        // order: high is 1, the two medium levels are 2 and 3.
        leaf loss-priority {
          type enumeration {
            enum "low" {
              value 0;
              description "Loss priority low";
            }
            enum "high" {
              value 1;
              description "Loss priority high";
            }
            enum "medium-low" {
              value 2;
              description "Loss priority medium-low";
            }
            enum "medium-high" {
              value 3;
              description "Loss priority medium-high";
            }
          }
          description "Packet's loss priority";
        }

        // Unlike the other names in this container, the pattern here does not
        // exclude the reserved "__" prefix; only the length is bounded.
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Classify packet to forwarding class";
        }

        // 'port-mirror-instance' and 'port-mirror' are mutually exclusive
        // (enforced by the first must on 'port-mirror'). The instance form
        // must name a configured port-mirroring instance; the plain form
        // requires port-mirroring to be configured under forwarding-options.
        leaf port-mirror-instance {
          junos:must "("forwarding-options port-mirroring instance $$")";
          junos:must-message "Referenced port-mirroring instance does not exist";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Port-mirror the packet to specified instance";
        }
        leaf port-mirror {
          junos:must "(!(".. port-mirror-instance"))";
          junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive";
          junos:must "("forwarding-options port-mirroring")";
          junos:must-message "Configure 'port-mirroring' under 'forwarding-options'";
          type empty;
          description "Port-mirror the packet";
        }

        // Must name an instance configured under 'services inline-monitoring'.
        leaf inline-monitoring-instance {
          junos:must "("services inline-monitoring instance $$")";
          junos:must-message "Configure 'inline-monitoring instance'";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Inline monitoring to specified instance";
        }

        // Terminating action: at most one of accept, discard or 'next term'.
        // 'term' is the only enum value of 'next'. No 'reject' action is
        // offered in this VPLS term.
        choice designation {
          leaf accept {
            type empty;
            description "Accept the packet";
          }
          leaf discard {
            type empty;
            description "Discard the packet";
          }
          leaf next {
            type enumeration {
              enum "term" {
                value 0;
                description "Continue to next term in a filter";
              }
            }
            description "Continue to next term in a filter";
          }
        } // choice designation

        // Plain string with no junos:must: a reference to an undefined
        // next-hop group is not caught by this schema.
        leaf next-hop-group {
          type string;
          description "Use specified next-hop group";
        }

        // Requires at least one sampling instance under forwarding-options
        // with family vpls or family bridge.
        leaf sample {
          junos:must "((any "forwarding-options sampling instance <*> family vpls" || any "forwarding-options sampling instance <*> family bridge"))";
          junos:must-message "Configure family either vpls or bridge under forwarding-options sampling";
          type empty;
          description "Sample the packet";
        }

        // Logging actions; both are outside the 'designation' choice and can
        // be combined with any terminating action.
        leaf log {
          type empty;
          description "Log the packet";
        }
        leaf syslog {
          type empty;
          description "System log (syslog) information about the packet";
        }
      } // container then
    } // list term
  } // grouping vpls_filter
} // module junos-conf-firewall