Junos firewall configuration module
Version: 2019-01-01
module junos-es-conf-firewall { yang-version 1; namespace "http://yang.juniper.net/junos-es/conf/firewall"; prefix jc-firewall; import junos-common-ddl-extensions { prefix junos; revision-date "2019-01-01"; } import junos-common-types { prefix jt; revision-date "2019-01-01"; } import junos-es-conf-root { prefix jc; revision-date "2019-01-01"; } organization "Juniper Networks, Inc."; contact "yang-support@juniper.net"; description "Junos firewall configuration module"; revision "2019-01-01" { description "Junos: 21.3R1.9"; } augment /jc:configuration { uses firewall-group; } augment /jc:configuration/jc:groups { uses firewall-group; } grouping firewall-group { container firewall { description "Define a firewall configuration"; uses apply-advanced; container family { description "Protocol family"; container inet { description "Protocol family IPv4 for firewall filter"; uses apply-advanced; list dialer-filter { key "name"; ordered-by user; description "Define an IPv4 dialer filter"; uses inet_dialer_filter; } // list dialer-filter list prefix-action { key "name"; ordered-by user; description "Define a prefix action"; uses prefix_action; } // list prefix-action list filter { key "name"; description "Define an IPv4 firewall filter"; uses inet_filter; } // list filter list simple-filter { key "name"; description "Define an IPv4 firewall simple filter"; uses inet_simple_filter; } // list simple-filter list service-filter { key "name"; description "One or more IPv4 service filters"; uses inet_service_filter; } // list service-filter list fast-update-filter { key "name"; ordered-by user; description "One or more fast update filters"; uses inet_fuf; } // list fast-update-filter } // container inet container inet6 { description "Protocol family IPv6 for firewall filter"; uses apply-advanced; list dialer-filter { key "name"; ordered-by user; description "Define an IPv6 dialer filter"; uses inet6_dialer_filter; } // list dialer-filter list filter { key "name"; description 
"Define an IPv6 firewall filter"; uses inet6_filter; } // list filter list service-filter { key "name"; description "One or more IPv6 service filters"; uses inet6_service_filter; } // list service-filter list fast-update-filter { key "name"; ordered-by user; description "One or more fast update filters"; uses inet6_fuf; } // list fast-update-filter } // container inet6 container mpls { description "Protocol family MPLS for firewall filter"; uses apply-advanced; list dialer-filter { key "name"; ordered-by user; description "Define an mpls dialer filter"; uses mpls_dialer_filter; } // list dialer-filter list filter { key "name"; uses mpls_filter; } // list filter } // container mpls container vpls { description "Protocol family VPLS for firewall filter"; uses apply-advanced; list filter { key "name"; uses vpls_filter; } // list filter } // container vpls container evpn { description "Protocol family EVPN for firewall filter"; uses apply-advanced; list filter { key "name"; uses vpls_filter; } // list filter } // container evpn container bridge { description "Protocol family BRIDGE for firewall filter"; uses apply-advanced; list filter { key "name"; uses bridge_filter; } // list filter } // container bridge container ccc { description "Protocol family CCC for firewall filter"; uses apply-advanced; list filter { key "name"; uses ccc_filter; } // list filter } // container ccc container any { description "Protocol-independent filter"; uses apply-advanced; list filter { key "name"; description "Define a protocol independent filter"; uses any_filter; } // list filter } // container any container ethernet-switching { description "Protocol family Ethernet Switching for firewall filter"; uses apply-advanced; list filter { key "name"; description "Define an Ethernet Switching firewall filter"; uses es_filter; } // list filter } // container ethernet-switching } // container family list policer { key "name"; description "Policer template definition"; uses firewall_policer; } // 
list policer list flexible-match { key "name"; description "Flexible packet match template definition"; uses firewall_flexible_match; } // list flexible-match list tunnel-end-point { key "name"; description "Tunnel end-point template definition"; uses tunnel_end_point; } // list tunnel-end-point list interface-set { key "name"; description "Interface set definition"; uses interface_set_type; } // list interface-set list three-color-policer { key "name"; description "Three-color policer"; uses three-color-policer-type; } // list three-color-policer list filter { key "name"; description "Define an IPv4 firewall filter"; uses inet_filter; } // list filter } // container firewall } // grouping firewall-group grouping any_filter { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object_oam; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern 
"^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 
64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice choice learn-vlan-1p-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-1p-priority_choice choice user-vlan-1p-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-1p-priority_choice choice user-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-id_choice choice learn-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-id_choice choice ether-type_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ether-type_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of 
single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf 
service-accounting-deferred { junos:must "(!(".. service-accounting"))"; junos:must-message "Cannot be both 'service-accounting' and 'service-accounting-deferred'"; junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting-deferred' cannot coexist"; type empty; description "Count the packets for deferred service accounting"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Classify packet to loss-priority"; } leaf port-mirror { junos:must "(!(".. port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; type empty; description "Port-mirror the packet"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } choice designation { case case_1 { } // case case_1 leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation } // container then } // list term } // grouping any_filter grouping apply-advanced { description "Apply advanced configuration logic"; leaf-list apply-groups { type string; ordered-by user; description "Groups from which to inherit configuration data"; } leaf-list apply-groups-except { type string; ordered-by user; description "Don't inherit configuration data from these groups"; } list apply-macro { key "name"; ordered-by user; description "Macro and parameters for commit script expansion"; uses apply-macro-type; } // list apply-macro 
} // grouping apply-advanced grouping apply-macro-type { description "Macro data for commit-script expansion"; leaf name { type string; description "Name of the macro to be expanded"; } list data { key "name"; uses macro-data-type; } // list data } // grouping apply-macro-type grouping bridge_filter { description "Define a BRIDGE firewall filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family bridge filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. 
then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice ether-type_choice { leaf-list ether-type { type string; ordered-by user; } leaf-list ether-type-except { type string; ordered-by user; } } // choice ether-type_choice choice vlan-ether-type_choice { leaf-list vlan-ether-type { type string; ordered-by user; } leaf-list vlan-ether-type-except { type string; ordered-by user; } } // choice vlan-ether-type_choice list destination-mac-address { key "name"; ordered-by user; description "Destination MAC address"; uses firewall_mac_addr_object; } // list destination-mac-address list source-mac-address { key "name"; ordered-by user; description "Source MAC address"; uses firewall_mac_addr_object; } // list source-mac-address choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice choice learn-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-id_choice choice learn-vlan-1p-priority_choice { 
case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-1p-priority_choice choice user-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-id_choice choice user-vlan-1p-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-1p-priority_choice choice learn-vlan-dei_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-dei_choice choice traffic-type_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice traffic-type_choice choice ip-protocol_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ip-protocol_choice choice dscp_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice dscp_choice choice ip-precedence_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ip-precedence_choice choice source-port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice source-port_choice choice destination-port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice destination-port_choice choice port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice port_choice choice icmp-code_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice icmp-code_choice choice icmp-type_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice icmp-type_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice ipv6-next-header_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ipv6-next-header_choice choice 
ipv6-payload-protocol_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ipv6-payload-protocol_choice choice ipv6-traffic-class_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ipv6-traffic-class_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice choice isid_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice isid_choice choice isid-priority-code-point_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice isid-priority-code-point_choice choice isid-dei_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice isid-dei_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { 
junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; 
} description "Policy map action"; } } // choice policy-map-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. 
port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; junos:must "("forwarding-options port-mirroring")"; junos:must-message "Configure 'port-mirroring' under 'forwarding-options'"; type empty; description "Port-mirror the packet"; } choice designation { leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation container forwarding-policy { description "Specify forwarding policy for extended port"; uses apply-advanced; leaf uplink-select { type string; description "Specify port group for uplink selection"; } } // container forwarding-policy } // container then } // list term } // grouping bridge_filter grouping ccc_filter { description "Define a CCC firewall filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf interface-specific { type empty; description "Any counters defined will be interface specific"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family ccc filter $$")"; junos:must-message "Referenced filter is not 
defined"; junos:must "((!(".. from") && !(".. then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice packet-length_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice packet-length_choice choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice choice learn-vlan-1p-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-1p-priority_choice choice user-vlan-1p-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-1p-priority_choice choice dscp_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice dscp_choice choice ip-precedence_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ip-precedence_choice choice ip-protocol_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ip-protocol_choice choice icmp-type_choice { case case_1 
{ } // case case_1 case case_2 { } // case case_2 } // choice icmp-type_choice choice icmp-code_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice icmp-code_choice choice source-port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice source-port_choice choice destination-port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice destination-port_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 
64"; } ordered-by user; description "String name"; } } // choice policy-map_choice choice user-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-id_choice choice ether-type_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ether-type_choice choice learn-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-id_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { 
junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; 
junos:must-message "Referenced port-mirroring instance does not exist";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Port-mirror the packet to the specified instance";
        }
        leaf port-mirror {
          junos:must "(!(".. port-mirror-instance"))";
          junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive";
          junos:must "("forwarding-options port-mirroring")";
          junos:must-message "Configure 'port-mirroring' under 'forwarding-options'";
          type empty;
          description "Port-mirror the packet";
        }
        leaf packet-mode { type empty; description "Bypass flow mode for the packet"; }
        choice designation {
          case case_1 { } // case case_1
          leaf accept { type empty; description "Accept the packet"; }
          leaf discard { type empty; description "Discard the packet"; }
          leaf next {
            type enumeration {
              enum "term" { value 0; description "Continue to next term in a filter"; }
            }
            description "Continue to next term in a filter";
          }
        } // choice designation
      } // container then
    } // list term
  } // grouping ccc_filter

  // Grouping es_filter: schema for one named firewall filter. A filter is a
  // user-ordered list of terms; each term pairs match criteria ('from') with
  // actions ('then').
  // NOTE(review): the "es" prefix presumably stands for Ethernet switching -- confirm.
  // NOTE(review): the inner double quotes inside junos:must arguments appear
  // unescaped in this copy; compare against the vendor file before feeding it
  // to a YANG parser.
  grouping es_filter {
    leaf name {
      type string {
        // The leading '!' presumably negates the POSIX pattern (the message
        // says "non-reserved ... 64 characters or less"): names that start
        // with "__" or exceed 64 characters are rejected.
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    leaf interface-specific { type empty; description "Defined counters are interface specific"; }
    list term {
      key "name";
      // Terms keep the order the user entered them in.
      ordered-by user;
      description "Define a firewall term";
      leaf name {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Term name";
      }
      uses apply-advanced;
      container from {
        description "Define match criteria";
        uses apply-advanced;
        // NOTE(review): most match leaf-lists below are bare 'type string', so
        // this schema places no constraint on their syntax. Whatever validates
        // the values (device commit checks, upstream tooling) is not visible
        // here; clients should not treat schema validation as sufficient.
        // Each "<x> / <x>-except" pair sits in one choice, so a term can carry
        // either the positive or the negated form of a match, not both.
        // NOTE(review): several choices contain only empty cases (case_1 /
        // case_2); they define no settable node in this grouping -- presumably
        // match conditions not exposed for this filter type.
        list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface
        list source-mac-address { key "name"; ordered-by user; description "Match MAC source address"; uses firewall_mac_addr_object; } // list source-mac-address
        list destination-mac-address { key "name"; ordered-by user; description "Match MAC destination address"; uses firewall_mac_addr_object; } // list destination-mac-address
        choice ether-type_choice {
          leaf-list ether-type { type string; ordered-by user; }
          leaf-list ether-type-except { type string; ordered-by user; }
        } // choice ether-type_choice
        choice l2-encap-type_choice {
          leaf-list l2-encap-type { type string; ordered-by user; }
          leaf-list l2-encap-type-except { type string; ordered-by user; }
        } // choice l2-encap-type_choice
        choice vlan_choice {
          leaf-list vlan { type string; ordered-by user; description "VLAN name or ID"; }
          leaf-list vlan-except { type string; ordered-by user; description "VLAN name or ID"; }
        } // choice vlan_choice
        choice dot1q-tag_choice {
          // The pattern accepts a single value 0-4095 or "low-high"; it checks
          // each bound separately but not that low <= high.
          leaf-list dot1q-tag {
            type string {
              junos:posix-pattern "^([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5])(-([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5]))?$";
              junos:pattern-message "Must be a numerical value or range between 0-4095";
            }
            ordered-by user;
            description "Range of values";
          }
          leaf-list dot1q-tag-except {
            type string {
              junos:posix-pattern "^([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5])(-([0-9]{1,3}|[1-3][0-9][0-9][0-9]|40[0-8][0-9]|409[0-5]))?$";
              junos:pattern-message "Must be a numerical value or range between 0-4095";
            }
            ordered-by user;
            description "Range of values";
          }
        } // choice dot1q-tag_choice
        choice dot1q-user-priority_choice {
          leaf-list dot1q-user-priority { type string; ordered-by user; }
          leaf-list dot1q-user-priority-except { type string; ordered-by user; }
        } // choice dot1q-user-priority_choice
        list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address
        list source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list source-address
        list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list destination-address
        choice dscp_choice {
          leaf-list dscp { type string; ordered-by user; }
          leaf-list dscp-except { type string; ordered-by user; }
        } // choice dscp_choice
        choice precedence_choice {
          leaf-list precedence { type string; ordered-by user; }
          leaf-list precedence-except { type string; ordered-by user; }
        } // choice precedence_choice
        choice ip-options_choice {
          leaf-list ip-options {
            type enumeration {
              enum "any" { value 0; description "Any IP option"; }
            }
            ordered-by user;
          }
          leaf-list ip-options-except {
            type enumeration {
              enum "any" { value 0; description "Any IP option"; }
            }
            ordered-by user;
          }
        } // choice ip-options_choice
        leaf fragment-flags { type string; description "Match fragment flags (in symbolic or hex formats) - (Ingress only)"; }
        leaf is-fragment { type empty; description "Match if packet is a fragment"; }
        choice protocol_choice {
          leaf-list protocol { type string; ordered-by user; }
          leaf-list protocol-except { type string; ordered-by user; }
        } // choice protocol_choice
        choice source-port_choice {
          leaf-list source-port { type string; ordered-by user; }
          leaf-list source-port-except { type string; ordered-by user; }
        } // choice source-port_choice
        choice destination-port_choice {
          leaf-list destination-port { type string; ordered-by user; }
          leaf-list destination-port-except { type string; ordered-by user; }
        } // choice destination-port_choice
        choice port_choice {
          leaf-list port { type string; ordered-by user; }
          leaf-list port-except { type string; ordered-by user; }
        } // choice port_choice
        // NOTE(review): at this level no junos:must ties the three TCP leaves
        // to a 'protocol' match (the ipv6 container further down does carry
        // such a constraint). Whether these matches imply TCP is not visible in
        // the schema; filter authors should pair them with an explicit
        // protocol match.
        leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; }
        leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; }
        leaf tcp-established { type empty; description "Match packet of an established TCP connection"; }
        choice icmp-type_choice {
          leaf-list icmp-type { type string; ordered-by user; }
          leaf-list icmp-type-except { type string; ordered-by user; }
        } // choice icmp-type_choice
        choice icmp-code_choice {
          leaf-list icmp-code { type string; ordered-by user; }
          leaf-list icmp-code-except { type string; ordered-by user; }
        } // choice icmp-code_choice
        list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list
        list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list
        choice ip-protocol_choice {
          case case_1 { } // case case_1
          leaf-list ip-protocol-except { type string; ordered-by user; }
        } // choice ip-protocol_choice
        choice ip-precedence_choice {
          case case_1 { } // case case_1
          leaf-list ip-precedence-except { type string; ordered-by user; }
        } // choice ip-precedence_choice
        choice ipv6-next-header_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice ipv6-next-header_choice
        choice ipv6-payload-protocol_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice ipv6-payload-protocol_choice
        choice ipv6-traffic-class_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice ipv6-traffic-class_choice
        choice interface-group_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice interface-group_choice
        choice vlan-ether-type_choice {
          leaf-list vlan-ether-type { type string; ordered-by user; }
          leaf-list vlan-ether-type-except { type string; ordered-by user; }
        } // choice vlan-ether-type_choice
        choice loss-priority_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice loss-priority_choice
        choice learn-vlan-id_choice {
          leaf-list learn-vlan-id { type string; ordered-by user; description "Range of values"; }
          leaf-list learn-vlan-id-except { type string; ordered-by user; description "Range of values"; }
        } // choice learn-vlan-id_choice
        choice learn-vlan-1p-priority_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice learn-vlan-1p-priority_choice
        choice learn-vlan-dei_choice {
          // The union admits either an integer in range or a string of the
          // form "<...>" or "$..." -- presumably Junos wildcard / variable
          // placeholders; confirm.
          leaf-list learn-vlan-dei {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 1"; }
            }
            ordered-by user;
            description "DEI value 0-1";
          }
          leaf-list learn-vlan-dei-except {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 1"; }
            }
            ordered-by user;
            description "DEI value 0-1";
          }
        } // choice learn-vlan-dei_choice
        choice user-vlan-id_choice {
          leaf-list user-vlan-id { type string; ordered-by user; description "Range of values"; }
          leaf-list user-vlan-id-except { type string; ordered-by user; description "Range of values"; }
        } // choice user-vlan-id_choice
        choice user-vlan-1p-priority_choice {
          leaf-list user-vlan-1p-priority {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 7"; }
            }
            ordered-by user;
            description "802.1p priority value 0-7";
          }
          leaf-list user-vlan-1p-priority-except {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "0 .. 7"; }
            }
            ordered-by user;
            description "802.1p priority value 0-7";
          }
        } // choice user-vlan-1p-priority_choice
        choice traffic-type_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice traffic-type_choice
        choice isid_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice isid_choice
        choice isid-priority-code-point_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice isid-priority-code-point_choice
        choice isid-dei_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice isid-dei_choice
        choice forwarding-class_choice {
          leaf-list forwarding-class {
            type string {
              junos:posix-pattern "^.{1,64}$";
              junos:pattern-message "Must be string of 64 characters or less";
            }
            ordered-by user;
            description "String name";
          }
          leaf-list forwarding-class-except {
            type string {
              junos:posix-pattern "^.{1,64}$";
              junos:pattern-message "Must be string of 64 characters or less";
            }
            ordered-by user;
            description "String name";
          }
        } // choice forwarding-class_choice
        choice arp-type_choice {
          case case_1 { } // case case_1
        } // choice arp-type_choice
        container ip-version {
          description "Define IP version";
          uses apply-advanced;
          // The ipv4 and ipv6 sub-containers exclude each other: each carries
          // a junos:must that fails when its sibling is present in the term.
          container ipv4 {
            junos:must "(!(".. ipv6"))";
            junos:must-message "Same term cannot have both IPv4 & IPv6 IP version";
            description "Define L3/L4 match items to match IPv4 packets";
            uses apply-advanced;
            list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address
            choice dscp_choice {
              leaf-list dscp { type string; ordered-by user; }
              leaf-list dscp-except { type string; ordered-by user; }
            } // choice dscp_choice
            choice precedence_choice {
              case case_1 { } // case case_1
              case case_2 { } // case case_2
            } // choice precedence_choice
            choice ip-options_choice {
              leaf-list ip-options {
                type enumeration {
                  enum "any" { value 0; description "Any IP option"; }
                }
                ordered-by user;
              }
              leaf-list ip-options-except {
                type enumeration {
                  enum "any" { value 0; description "Any IP option"; }
                }
                ordered-by user;
              }
            } // choice ip-options_choice
            leaf fragment-flags { type string; description "Match fragment flags (in symbolic or hex formats) - (Ingress only)"; }
            leaf is-fragment { type empty; description "Match if packet is a fragment"; }
            // protocol_choice has only empty cases here, so this container
            // defines no protocol leaf of its own.
            choice protocol_choice {
              case case_1 { } // case case_1
              case case_2 { } // case case_2
            } // choice protocol_choice
            choice source-port_choice {
              leaf-list source-port { type string; ordered-by user; }
              leaf-list source-port-except { type string; ordered-by user; }
            } // choice source-port_choice
            choice destination-port_choice {
              leaf-list destination-port { type string; ordered-by user; }
              leaf-list destination-port-except { type string; ordered-by user; }
            } // choice destination-port_choice
            choice port_choice {
              leaf-list port { type string; ordered-by user; }
              leaf-list port-except { type string; ordered-by user; }
            } // choice port_choice
            // NOTE(review): unlike the ipv6 container, these TCP leaves carry
            // no junos:must requiring a TCP protocol match in the same term.
            leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats) - (Ingress only)"; }
            leaf tcp-initial { type empty; description "Match initial packet of a TCP connection - (Ingress only)"; }
            leaf tcp-established { type empty; description "Match packet of an established TCP connection"; }
            choice icmp-type_choice {
              leaf-list icmp-type { type string; ordered-by user; }
              leaf-list icmp-type-except { type string; ordered-by user; }
            } // choice icmp-type_choice
            choice icmp-code_choice {
              leaf-list icmp-code { type string; ordered-by user; }
              leaf-list icmp-code-except { type string; ordered-by user; }
            } // choice icmp-code_choice
            list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list
            list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list
            choice ip-protocol_choice {
              case case_1 { } // case case_1
              case case_2 { } // case case_2
            } // choice ip-protocol_choice
            choice ip-precedence_choice {
              case case_1 { } // case case_1
              case case_2 { } // case case_2
            } // choice ip-precedence_choice
          } // container ipv4
          container ipv6 {
            junos:must "(!(".. ipv4"))";
            junos:must-message "Same term cannot have both IPv4 & IPv6 IP version";
            description "Define L3/L4 match items to match IPv6 packets";
            uses apply-advanced;
            choice traffic-class_choice {
              leaf-list traffic-class { type string; ordered-by user; }
              leaf-list traffic-class-except { type string; ordered-by user; }
            } // choice traffic-class_choice
            choice next-header_choice {
              leaf-list next-header { type string; ordered-by user; }
              leaf-list next-header-except { type string; ordered-by user; }
            } // choice next-header_choice
            choice payload-protocol_choice {
              case case_1 { } // case case_1
              case case_2 { } // case case_2
            } // choice payload-protocol_choice
            choice source-port_choice {
              leaf-list source-port { type string; ordered-by user; }
              leaf-list source-port-except { type string; ordered-by user; }
            } // choice source-port_choice
            choice destination-port_choice {
              leaf-list destination-port { type string; ordered-by user; }
              leaf-list destination-port-except { type string; ordered-by user; }
            } // choice destination-port_choice
            choice port_choice {
              leaf-list port { type string; ordered-by user; }
              leaf-list port-except { type string; ordered-by user; }
            } // choice port_choice
            choice extension-header_choice {
              case case_1 { } // case case_1
              case case_2 { } // case case_2
            } // choice extension-header_choice
            // Each TCP leaf below requires "next-header tcp", "next-header 6"
            // or "payload-protocol tcp" in the same match clause.
            // NOTE(review): payload-protocol_choice above has only empty cases
            // in this container, so presumably only the next-header forms can
            // satisfy the constraint here -- confirm.
            leaf tcp-flags {
              junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
              junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
              type string;
              description "Match TCP flags (in symbolic or hex formats)";
            }
            leaf tcp-initial {
              junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
              junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
              type empty;
              description "Match initial packet of a TCP connection";
            }
            leaf tcp-established {
              junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))";
              junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause";
              type empty;
              description "Match packet of an established TCP connection";
            }
            choice icmp-type_choice {
              leaf-list icmp-type { type string; ordered-by user; }
              leaf-list icmp-type-except { type string; ordered-by user; }
            } // choice icmp-type_choice
            choice icmp-code_choice {
              leaf-list icmp-code { type string; ordered-by user; }
              leaf-list icmp-code-except { type string; ordered-by user; }
            } // choice icmp-code_choice
            list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list
            list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list
          } // container ipv6
        } // container ip-version
        choice gbp-src-tag_choice {
          // Accepts a decimal value 0-65535, a 1-4 digit "0x" value, or a
          // "low-high" range of either form.
          // NOTE(review): the hex alternatives use the bracket range [0-f]. In
          // an ASCII/C collation that range also spans ':' through '@', 'A'-'Z'
          // and '[' through '`', so a string such as "0xZZ" would pass this
          // pattern; [0-9a-fA-F] would express hex digits only. The same
          // pattern is used for gbp-dst-tag below.
          leaf-list gbp-src-tag {
            type string {
              junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
              junos:pattern-message "Must be a numeric value or a range between 0-65535";
            }
            ordered-by user;
            description "Range of values";
          }
        } // choice gbp-src-tag_choice
        choice gbp-dst-tag_choice {
          leaf-list gbp-dst-tag {
            type string {
              junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
              junos:pattern-message "Must be a numeric value or a range between 0-65535";
            }
            ordered-by user;
            description "Range of values";
          }
        } // choice gbp-dst-tag_choice
        choice packet-length_choice {
          case case_1 { } // case case_1
          case case_2 { } // case case_2
        } // choice packet-length_choice
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        // accept / discard / next are alternatives of one choice, so a term
        // carries at most one of them. The remaining leaves are independent
        // modifiers that can accompany it.
        choice designation {
          leaf accept { type empty; description "Accept the packet"; }
          leaf discard { type empty; description "Discard the packet"; }
          leaf next {
            type enumeration {
              enum "term" { value 0; description "Continue to next term in a filter"; }
            }
            description "Continue to next term in a filter";
          }
        } // choice designation
        leaf log { type empty; description "Log the packet"; }
        leaf pkt-trace { type empty; description "Trace the packet"; }
        leaf flood { type empty; description "Flood the packet"; }
        leaf syslog { type empty; description "System log (syslog) information about the packet"; }
        leaf packet-capture { type empty; description "Enable packet capture for telemetry"; }
        leaf forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          description "Classify packet to forwarding class";
        }
        // The analyzer and port-mirror-instance references must resolve to an
        // existing configuration object ($$ stands for the leaf's own value).
        leaf analyzer {
          junos:must "("ethernet-switching-options analyzer $$")";
          junos:must-message "Named Analyzer must be set";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Name of analyzer - (Ingress only)";
        }
        leaf port-mirror-instance {
          junos:must "("forwarding-options port-mirroring instance $$")";
          junos:must-message "Referenced port-mirroring instance does not exist";
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Port-mirror the packet to specified instance";
        }
        leaf port-mirror {
          junos:must "(!(".. port-mirror-instance"))";
          junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive";
          junos:must "("forwarding-options port-mirroring")";
          junos:must-message "Configure 'port-mirroring' under 'forwarding-options'";
          type empty;
          description "Port-mirror the packet";
        }
        leaf loss-priority {
          type enumeration {
            enum "low" { value 0; description "Loss priority low"; }
            enum "high" { value 1; description "Loss priority high"; }
            enum "medium-low" { value 2; description "Loss priority medium-low"; }
            enum "medium-high" { value 3; description "Loss priority medium-high"; }
          }
          description "Packet's loss priority";
        }
        leaf count {
          type string {
            junos:posix-pattern "!^((__.*)|(.{65,}))$";
            junos:pattern-message "Must be a non-reserved string of 64 characters or less";
          }
          description "Count the packet in the named counter";
        }
        choice policer-choice {
          // NOTE(review): the only constraint on 'policer' rejects a policer
          // marked 'aggregate'; unlike the three-color references below, no
          // junos:must here requires the named policer to exist.
          leaf policer {
            junos:must "(!("firewall policer $$ aggregate"))";
            junos:must-message "Cannot attach a aggregate policer to filter";
            type string {
              junos:posix-pattern "!^((__.*)|(.{65,}))$";
              junos:pattern-message "Must be a non-reserved string of 64 characters or less";
            }
            description "Name of policer to use to rate-limit traffic";
          }
          container three-color-policer {
            description "Police the packet using a three-color-policer";
            uses apply-advanced;
            // Exactly one policer flavour can be referenced; each reference
            // must name an existing three-color policer of that flavour.
            choice type-choice {
              leaf single-rate {
                junos:must "("firewall three-color-policer $$ single-rate")";
                junos:must-message "Referenced single-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of single-rate three-color policer to use to rate-limit traffic";
              }
              leaf single-packet-rate {
                junos:must "("firewall three-color-policer $$ single-packet-rate")";
                junos:must-message "Referenced single-packet-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of single-packet-rate three-color policer to use to rate-limit traffic";
              }
              leaf two-rate {
                junos:must "("firewall three-color-policer $$ two-rate")";
                junos:must-message "Referenced two-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of two-rate three-color policer to use to rate-limit traffic";
              }
              leaf two-packet-rate {
                junos:must "("firewall three-color-policer $$ two-packet-rate")";
                junos:must-message "Referenced two-packet-rate policer does not exist";
                type string {
                  junos:posix-pattern "!^((__.*)|(.{65,}))$";
                  junos:pattern-message "Must be a non-reserved string of 64 characters or less";
                }
                description "Name of two-packet-rate three-color policer to use to rate-limit traffic";
              }
            } // choice type-choice
          } // container three-color-policer
          case case_3 { } // case case_3
        } // choice policer-choice
        // The referenced VLAN must exist and must not be a vlan-range.
        leaf vlan {
          junos:must "(("vlans $$" && !("vlans $$ vlan-range")))";
          junos:must-message "Named or Non-range vlan must be set";
          type string;
          description "Name of VLAN - (Ingress only)";
        }
        // NOTE(review): per its description this action redirects matched
        // traffic to an interface and bypasses the switching lookup, so terms
        // that set it change the forwarding path and deserve attention in
        // change review.
        leaf interface {
          type union {
            type jt:interface-unit;
            type string { pattern "<.*>|$.*"; }
          }
          description "Switch traffic to the specified interface by-passing switching lookup - (Ingress only)";
        }
        leaf gbp-src-tag {
          type union {
            type string { pattern "<.*>|$.*"; }
            type uint32 { range "0 .. 
65535"; } }
          description "Set GBP source tag";
        }
      } // container then
    } // list term
  } // grouping es_filter

  // Grouping firewall_addr_object: one IPv4 prefix entry of an address match.
  // 'except' is a presence flag that negates the entry.
  grouping firewall_addr_object {
    leaf name { type jt:ipv4prefix; description "Prefix to match"; }
    leaf except { type empty; description "Match address not in this prefix"; }
  } // grouping firewall_addr_object

  // Grouping firewall_flexible_match: a named template describing where in the
  // packet (start layer + byte offset + bit offset) a match begins and how
  // many bits it covers.
  grouping firewall_flexible_match {
    description "Define a flexible match";
    leaf name {
      type string {
        // The leading '!' presumably negates the POSIX pattern (the message
        // says "non-reserved ... 64 characters or less"): names that start
        // with "__" or exceed 64 characters are rejected.
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Flex match template name";
    }
    uses apply-advanced;
    leaf match-start {
      type enumeration {
        enum "layer-2" { value 0; description "Layer-2 match start"; }
        enum "layer-3" { value 1; description "Layer-3 match start"; }
        enum "layer-4" { value 2; description "Layer-4 match start"; }
        enum "payload" { value 3; description "Payload match start"; }
      }
      description "Start point to match in packet";
    }
    // The unions below admit either an integer or a string of the form
    // "<...>" or "$..." -- presumably Junos wildcard / variable placeholders;
    // confirm.
    // NOTE(review): byte-offset is an unbounded uint32 at schema level.
    leaf byte-offset {
      type union {
        type uint32;
        type string { pattern "<.*>|$.*"; }
      }
      description "Byte offset after the match start point";
    }
    leaf bit-offset {
      type union {
        type string { pattern "<.*>|$.*"; }
        type uint32 { range "0 .. 7"; }
      }
      description "Bit offset after the (match-start + byte) offset";
    }
    // NOTE(review): the description states limits of 1..32 / 1..128 bits, but
    // the type is a plain uint32 with no range, so the schema does not enforce
    // them; any enforcement happens outside what is visible here.
    leaf bit-length {
      type union {
        type uint32;
        type string { pattern "<.*>|$.*"; }
      }
      description "Length of integer input (1..32 bits), Optional length of string input (1..128 bits)";
    }
  } // grouping firewall_flexible_match

  // Grouping firewall_mac_addr_object: one MAC address/prefix entry of a MAC
  // match; 'except' is a presence flag that negates the entry.
  grouping firewall_mac_addr_object {
    leaf name { type jt:mac-addr-prefix; description "MAC address to match"; }
    leaf except { type empty; description "Match MAC address not in this range"; }
  } // grouping firewall_mac_addr_object

  // Grouping firewall_policer: a named rate limiter -- scope flags, the rate
  // limits ('if-exceeding') and the action applied to traffic over the limit
  // ('then').
  grouping firewall_policer {
    description "Define a policer";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Policer name";
    }
    uses apply-advanced;
    leaf filter-specific { type empty; description "Policer is filter-specific"; }
    leaf logical-interface-policer { type empty; description "Policer is logical interface policer"; }
    leaf physical-interface-policer { type empty; description "Policer is physical interface policer"; }
    choice exceeding {
      container if-exceeding {
        presence "enable if-exceeding";
        description "Define rate limits";
        uses apply-advanced;
        // The limit is given either as an absolute rate or as a percentage
        // (1-100), never both.
        // NOTE(review): bandwidth-limit and burst-size-limit are bare strings;
        // their numeric syntax is not constrained by this schema.
        choice bandwidth {
          leaf bandwidth-limit { type string; units "bits per second"; description "Bandwidth limit"; }
          leaf bandwidth-percent {
            type union {
              type string { pattern "<.*>|$.*"; }
              type uint32 { range "1 .. 100"; }
            }
            units "percent";
            description "Bandwidth limit in percentage";
          }
        } // choice bandwidth
        leaf burst-size-limit { type string; units "bytes"; description "Burst size limit"; }
      } // container if-exceeding
      case case_2 { } // case case_2
    } // choice exceeding
    container then {
      description "Action to take if the rate limits are exceeded";
      uses apply-advanced;
      leaf discard { type empty; description "Discard the packet"; }
      leaf loss-priority {
        type enumeration {
          enum "low" { value 0; description "Loss priority low"; }
          enum "high" { value 1; description "Loss priority high"; }
          enum "medium-low" { value 2; description "Loss priority medium-low"; }
          enum "medium-high" { value 3; description "Loss priority medium-high"; }
        }
        description "Packet's loss priority";
      }
      leaf forwarding-class {
        type string {
          junos:posix-pattern "^.{1,64}$";
          junos:pattern-message "Must be string of 64 characters or less";
        }
        description "Classify packet to forwarding class";
      }
      leaf out-of-profile { type empty; description "Discard packets only if both congested and over threshold"; }
    } // container then
  } // grouping firewall_policer

  // Grouping firewall_prefix_list: a reference, by name, to a prefix list used
  // in a match; 'except' is a presence flag that negates it.
  // NOTE(review): 'name' is an unconstrained string and carries no junos:must
  // here, so this grouping does not itself check that the named prefix list
  // exists.
  grouping firewall_prefix_list {
    leaf name { type string; description "Prefix list to match"; }
    leaf except { type empty; description "Match addresses not in this prefix list"; }
  } // grouping firewall_prefix_list

  grouping inet6_dialer_filter {
    description "Define an IPv6 dialer filter";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    // NOTE(review): this must expression names no specific profile (it has no
    // $$ value placeholder), so it appears to check only that
    // accounting-options filter-profile is configured at all -- confirm.
    // NOTE(review): the inner double quotes appear unescaped in this copy;
    // compare against the vendor file before feeding it to a YANG parser.
    leaf-list accounting-profile {
      junos:must "("accounting-options filter-profile")";
      junos:must-message "referenced accounting profile must be defined";
      type string;
      ordered-by user;
      description "Accounting profile name";
    }
    list term {
      key "name";
      ordered-by user;
      description "Define a firewall term";
      leaf name {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Term name";
      }
      uses apply-advanced;
      // Match criteria of one term of grouping inet6_dialer_filter (the
      // grouping is closed further down).
      container from {
        description "Define match criteria";
        uses apply-advanced;
        list source-address { key "name"; ordered-by user; description "Match source address"; uses firewall_addr6_object; } // list source-address
        list destination-address { key "name"; ordered-by user; description "Match destination address"; uses firewall_addr6_object; } // list destination-address
        list address { key "name"; ordered-by user; description "Match source or destination address"; uses firewall_addr6_object; } // list address
        list source-prefix-list { key "name"; ordered-by user; description "Match source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list
        list destination-prefix-list { key "name"; ordered-by user; description "Match destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list
        list prefix-list { key "name"; ordered-by user; description "Match source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list
        // NOTE(review): every leaf-list below is a bare 'type string', so this
        // schema places no constraint on the value syntax (packet-length
        // included); validation, if any, happens outside what is visible here.
        // Each "<x> / <x>-except" pair sits in one choice, so a term carries
        // either the positive or the negated form, not both.
        choice packet-length_choice {
          leaf-list packet-length { type string; ordered-by user; description "Range of values"; }
          leaf-list packet-length-except { type string; ordered-by user; description "Range of values"; }
        } // choice packet-length_choice
        choice next-header_choice {
          leaf-list next-header { type string; ordered-by user; }
          leaf-list next-header-except { type string; ordered-by user; }
        } // choice next-header_choice
        choice icmp-type_choice {
          leaf-list icmp-type { type string; ordered-by user; }
          leaf-list icmp-type-except { type string; ordered-by user; }
        } // choice icmp-type_choice
        choice icmp-code_choice {
          leaf-list icmp-code { type string; ordered-by user; }
          leaf-list icmp-code-except { type string; ordered-by user; }
        } // choice icmp-code_choice
        choice source-port_choice {
          leaf-list source-port { type string; ordered-by user; }
          leaf-list source-port-except { type string; ordered-by user; }
        } // choice source-port_choice
        choice destination-port_choice {
          leaf-list destination-port { type string; ordered-by user; }
          leaf-list destination-port-except { type string; ordered-by user; }
        } // choice destination-port_choice
        choice port_choice {
          leaf-list port { type string; ordered-by user; }
          leaf-list port-except { type string; ordered-by user; }
        } // choice port_choice
      } // container from
      container then {
        description "Action to take if the 'from' condition is matched";
        uses apply-advanced;
        leaf log { type empty; description "Log the packet"; }
        leaf syslog { type empty; description "System log (syslog) information about the packet"; }
        leaf sample { type empty; description "Sample the packet"; }
        // A dialer-filter term classifies the packet as 'note' or 'ignore'
        // (alternatives of one choice); accept and discard are not defined in
        // this 'then' container.
        choice designation {
          leaf note { type empty; description "Interested ISDN packet"; }
          leaf ignore { type empty; description "Non-interested ISDN packet"; }
        } // choice designation
      } // container then
    } // list term
  } // grouping inet6_dialer_filter

  // Grouping firewall_addr6_object: one IPv6 prefix entry of an address match.
  // 'except' is a presence flag that negates the entry.
  grouping firewall_addr6_object {
    leaf name { type jt:ipv6prefix; description "Prefix to match"; }
    leaf except { type empty; description "Match address not in this prefix"; }
  } // grouping firewall_addr6_object

  grouping inet6_filter {
    description "Define an IPv6 firewall filter";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    leaf-list accounting-profile {
      junos:must "("accounting-options filter-profile")";
      junos:must-message "referenced accounting profile must be defined";
      type string;
      ordered-by user;
      description "Accounting profile name";
    }
    leaf interface-specific { type empty; description "Defined counters are interface specific"; }
    leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; }
    list term {
      key "name";
      ordered-by user;
      description "Define a firewall term";
leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family inet6 filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. from") && !(".. then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice destination-class_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice destination-class_choice choice source-class_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice source-class_choice choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice list source-address { key "name"; ordered-by user; description "Match source address"; uses firewall_addr6_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match destination address"; uses firewall_addr6_object; } // list destination-address list address { key "name"; ordered-by user; description "Match source or destination address"; uses firewall_addr6_object; } // list address list source-prefix-list { key "name"; ordered-by user; description "Match source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; 
ordered-by user; description "Match source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list choice next-header_choice { leaf-list next-header { type string; ordered-by user; } leaf-list next-header-except { type string; ordered-by user; } } // choice next-header_choice choice payload-protocol_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice payload-protocol_choice choice source-port_choice { leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice choice extension-header_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice extension-header_choice choice packet-length_choice { leaf-list packet-length { type string { junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } leaf-list packet-length-except { type string { junos:posix-pattern 
"^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$"; junos:pattern-message "Must be a numeric value or a range between 0-65535"; } ordered-by user; description "Range of values"; } } // choice packet-length_choice choice traffic-class_choice { leaf-list traffic-class { type string; ordered-by user; } leaf-list traffic-class-except { type string; ordered-by user; } } // choice traffic-class_choice choice icmp-type_choice { leaf-list icmp-type { type string; ordered-by user; } leaf-list icmp-type-except { type string; ordered-by user; } } // choice icmp-type_choice choice icmp-code_choice { leaf-list icmp-code { type string; ordered-by user; } leaf-list icmp-code-except { type string; ordered-by user; } } // choice icmp-code_choice leaf tcp-initial { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type empty; description "Match initial packet of a TCP connection"; } leaf tcp-established { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type empty; description "Match packet of an established TCP connection"; } leaf tcp-flags { junos:must "((".. next-header tcp" || (".. next-header 6" || ".. 
payload-protocol tcp")))"; junos:must-message "next-header tcp or next-header 6 or payload-protocol tcp must be defined in the same clause"; type string; description "Match TCP flags (in symbolic or hex formats)"; } list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice leaf service-filter-hit { type empty; description "Match if service-filter-hit is set"; } choice hop-limit_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice hop-limit_choice choice gre-key_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice gre-key_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 
64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern 
"!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice choice inet6cnt { case case_1 { } // case case_1 leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } } // choice inet6cnt leaf service-accounting { junos:must "(!(".. service-accounting-deferred"))"; junos:must-message "'service-accounting-deferred' and 'service-accounting' cannot coexist"; junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf service-accounting-deferred { junos:must "(!(".. service-accounting"))"; junos:must-message "Cannot be both 'service-accounting' and 'service-accounting-deferred'"; junos:must "(!(".. 
count"))"; junos:must-message "'count' and 'service-accounting-deferred' cannot coexist"; type empty; description "Count the packets for deferred service accounting"; } leaf log { type empty; description "Log the packet"; } leaf packet-mode { type empty; description "Bypass flow mode for the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } leaf packet-capture { type empty; description "Enable packet capture for telemetry"; } leaf sample { junos:must "(("forwarding-options sampling family inet6" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet6")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; type empty; description "Sample the packet"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf skip-services { type empty; description "Skip the services"; } leaf service-filter-hit { type empty; description "Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters"; } choice designation { case case_1 { } // case case_1 
case case_2 { } // case case_2 leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } case case_6 { } // case case_6 list logical-system { key "logical-system-name"; max-elements 1; ordered-by user; description "Packets are directed to specified logical system"; leaf logical-system-name { type string { junos:posix-pattern "^[a-zA-Z0-9_-]{1,63}$"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Name of logical system"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // list logical-system container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern 
"!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } case case_10 { } // case case_10 case case_11 { } // case case_11 container reject { presence "enable reject"; description "Reject the packet"; choice style { leaf no-route { type empty; description "Send ICMPv6 No Route message"; } leaf administratively-prohibited { type empty; description "Send ICMPv6 Administratively Prohibited message"; } leaf beyond-scope { type empty; description "Send ICMPv6 Beyond Scope of Source Address message"; } leaf address-unreachable { type empty; description "Send ICMPv6 Address Unreachable message"; } leaf port-unreachable { type empty; description "Send ICMPv6 Port Unreachable message"; } leaf policy-failed { type empty; description "Source address failed ingress/egress policy"; } leaf reject-route { type empty; description "Reject route to destination"; } leaf tcp-reset { type empty; description "Send TCP Reset message"; } leaf network-unreachable { type empty; status deprecated; description "Send ICMPv4 Network Unreachable message"; } leaf host-unreachable { type empty; status deprecated; description "Send ICMPv4 Host Unreachable message"; } leaf protocol-unreachable { type empty; status deprecated; description "Send ICMPv4 Protocol Unreachable message"; } leaf source-route-failed { type empty; status deprecated; description "Send ICMPv4 Source Route Failed message"; } leaf network-unknown { type empty; status deprecated; description "Send ICMPv4 Network Unknown message"; } leaf host-unknown { type empty; status deprecated; description "Send ICMPv4 Host Unknown message"; } leaf source-host-isolated { type empty; 
status deprecated; description "Send ICMPv4 Source Host Isolated message"; } leaf network-prohibited { type empty; status deprecated; description "Send ICMPv4 Network Prohibited message"; } leaf host-prohibited { type empty; status deprecated; description "Send ICMPv4 Host Prohibited message"; } leaf bad-network-tos { type empty; status deprecated; description "Send ICMPv4 Bad Network ToS message"; } leaf bad-host-tos { type empty; status deprecated; description "Send ICMPv4 Bad Host ToS message"; } leaf precedence-violation { type empty; status deprecated; description "Send ICMPv4 Precedence Violation message"; } leaf precedence-cutoff { type empty; status deprecated; description "Send ICMPv4 Precedence Cutoff message"; } } // choice style } // container reject } // choice designation } // container then } // list term } // grouping inet6_filter grouping inet6_fuf { leaf name { junos:must "(unique "firewall family <*> filter $$")"; junos:must-message "Fast update filter can not have the same name as firewall family filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of fast update filter"; } uses apply-advanced; leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf-list match-order { type enumeration { enum "next-header" { value 0; description "Include next header protocol in match set"; } enum "payload-protocol" { value 1; description "Include payload protocol in match set"; } enum "source-address" { value 2; description "Include source-address in match set"; } enum "destination-address" { value 3; description "Include destination-address in match set"; } enum "source-port" { value 4; description "Include source-port in match set"; } enum "destination-port" { value 5; description "Include destination-port in match set"; } enum "traffic-class" { value 6; description "Include traffic-class (DSCP) in match 
set"; }
}
ordered-by user;
}
// Terms of the fast update filter (grouping inet6_fuf).
list term {
  key "name";
  ordered-by user;
  description "One or more firewall terms";
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Term name";
  }
  uses apply-advanced;
  leaf only-at-create { type empty; description "Add term only when filter is first created."; }
  container from {
    description "Match criteria";
    uses apply-advanced;
    container source-address {
      description "Match source IP address";
      uses firewall_addr6_simple_object;
    } // container source-address
    container destination-address {
      description "Match destination IP address";
      uses firewall_addr6_simple_object;
    } // container destination-address
    choice source-port_choice {
      container source-port {
        description "Match TCP/UDP source port";
        uses match_simple_port_value;
      } // container source-port
    } // choice source-port_choice
    choice destination-port_choice {
      container destination-port {
        description "Match TCP/UDP destination port";
        uses match_simple_port_value;
      } // container destination-port
    } // choice destination-port_choice
    choice next-header_choice {
      container next-header {
        description "Match next header protocol type";
        uses match_simple_protocol_value;
      } // container next-header
    } // choice next-header_choice
    choice traffic-class_choice {
      container traffic-class {
        description "Match Differentiated Services (DiffServ) code point";
        uses match_simple_dscp_value;
      } // container traffic-class
    } // choice traffic-class_choice
    // Free-form string with no pattern, described as supplied dynamically. Whatever
    // produces this value decides what the term matches, so that source should be
    // authenticated and the value checked before it is committed.
    leaf match-terms { type string; description "Dynamically supplied list of match criteria"; }
  } // container from
  container then {
    description "Action to take if the 'from' condition is matched";
    uses apply-advanced;
    choice policer-choice {
      leaf policer {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Name of policer to use to rate-limit traffic";
      }
    } // choice policer-choice
    leaf count {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Count the packet in the named counter";
    }
    leaf service-accounting {
      junos:must "(!(".. count"))";
      junos:must-message "'count' and 'service-accounting' cannot coexist";
      type empty;
      description "Count the packets for service accounting";
    }
    leaf log { type empty; description "Log the packet"; }
    leaf port-mirror { type empty; description "Port-mirror the packet"; }
    leaf loss-priority {
      junos:must "(!(".. three-color-policer"))";
      junos:must-message "Configuring loss-priority is incompatible with configuring three-color-policer";
      type enumeration {
        enum "low" { value 0; description "Loss priority low"; }
        enum "high" { value 1; description "Loss priority high"; }
        enum "medium-low" { value 2; description "Loss priority medium-low"; }
        enum "medium-high" { value 3; description "Loss priority medium-high"; }
      }
      description "Packet's loss priority";
    }
    leaf forwarding-class {
      type string {
        junos:posix-pattern "^.{1,64}$";
        junos:pattern-message "Must be string of 64 characters or less";
      }
      description "Classify packet to forwarding class";
    }
    // Same caveat as 'match-terms': an unconstrained, dynamically supplied string
    // that determines the actions applied to matching packets.
    leaf action-terms { type string; description "Dynamically supplied list of actions"; }
    choice designation {
      leaf accept { type empty; description "Accept the packet"; }
      leaf discard { type empty; description "Discard the packet"; }
      container routing-instance {
        description "Packets are directed to specified routing instance";
        leaf routing-instance-name {
          type string {
            junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
            junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
          }
          description "Name of routing instance";
        }
        leaf topology {
          type string {
            junos:posix-pattern "!^((.*:.*)|(.{129,}))$";
            junos:pattern-message "Must be a non-reserved string of 128 characters or less";
          }
          description "Packets are directed to specified topology";
        }
      } // container routing-instance
    } // choice designation
  } // container then
} // list term
} // grouping inet6_fuf

// A single IPv6 prefix to match; unlike firewall_addr6_object it has no 'except' flag.
grouping firewall_addr6_simple_object {
  uses apply-advanced;
  leaf address { type jt:ipv6prefix; description "Prefix to match"; }
} // grouping firewall_addr6_simple_object

// IPv6 service filter: user-ordered terms whose disposition is whether matching
// packets go to service processing ('service') or bypass it ('skip').
grouping inet6_service_filter {
  leaf name {
    type string {
      // The leading '!' appears to negate the expression (the message describes the
      // accepted set): names starting with "__" or longer than 64 characters are refused.
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  list term {
    key "name";
    ordered-by user;
    description "Service filter term";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    // Match criteria. Protocol, port and SPI values are plain strings with no
    // pattern in this model, so range and name checking happens elsewhere.
    container from {
      description "Match criteria";
      uses apply-advanced;
      choice interface-group_choice {
        leaf-list interface-group { type string; ordered-by user; description "Range of values"; }
        leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; }
      } // choice interface-group_choice
      list source-address {
        key "name";
        ordered-by user;
        description "Match source address";
        uses firewall_addr6_object;
      } // list source-address
      list destination-address {
        key "name";
        ordered-by user;
        description "Match destination address";
        uses firewall_addr6_object;
      } // list destination-address
      list address {
        key "name";
        ordered-by user;
        description "Match source or destination address";
        uses firewall_addr6_object;
      } // list address
      list source-prefix-list {
        key "name";
        ordered-by user;
        description "Match source prefixes in named list";
        uses firewall_prefix_list;
      } // list source-prefix-list
      list destination-prefix-list {
        key "name";
        ordered-by user;
        description "Match destination prefixes in named list";
        uses firewall_prefix_list;
      } // list destination-prefix-list
      list prefix-list {
        key "name";
        ordered-by user;
        description "Match source or destination prefixes in named list";
        uses firewall_prefix_list;
      } // list prefix-list
      choice next-header_choice {
        leaf-list next-header { type string; ordered-by user; }
        leaf-list next-header-except { type string; ordered-by user; }
      } // choice next-header_choice
      // The empty 'case case_N' bodies carry no nodes in this copy of the model.
      choice payload-protocol_choice {
        case case_1 { } // case case_1
        case case_2 { } // case case_2
      } // choice payload-protocol_choice
      choice source-port_choice {
        leaf-list source-port { type string; ordered-by user; }
        leaf-list source-port-except { type string; ordered-by user; }
      } // choice source-port_choice
      choice destination-port_choice {
        leaf-list destination-port { type string; ordered-by user; }
        leaf-list destination-port-except { type string; ordered-by user; }
      } // choice destination-port_choice
      choice port_choice {
        leaf-list port { type string; ordered-by user; }
        leaf-list port-except { type string; ordered-by user; }
      } // choice port_choice
      choice extension-header_choice {
        case case_1 { } // case case_1
        case case_2 { } // case case_2
      } // choice extension-header_choice
      choice esp-spi_choice {
        leaf-list esp-spi { type string; ordered-by user; description "Range of values"; }
        leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; }
      } // choice esp-spi_choice
      choice ah-spi_choice {
        case case_1 { } // case case_1
        case case_2 { } // case case_2
      } // choice ah-spi_choice
      // No constraint here ties 'tcp-flags' to a TCP protocol match in the same term.
      // NOTE(review): pair it with 'next-header tcp' when writing terms, so the flag
      // test is only applied to TCP packets; confirm device behaviour otherwise.
      leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; }
      choice loss-priority_choice {
        case case_1 { } // case case_1
        case case_2 { } // case case_2
      } // choice loss-priority_choice
      choice forwarding-class_choice {
        leaf-list forwarding-class {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          ordered-by user;
          description "String name";
        }
        leaf-list forwarding-class-except {
          type string {
            junos:posix-pattern "^.{1,64}$";
            junos:pattern-message "Must be string of 64 characters or less";
          }
          ordered-by user;
          description "String name";
        }
      } // choice forwarding-class_choice
    } // container from
    container then {
      description "Action to take if the 'from' condition is matched";
      uses apply-advanced;
      leaf count {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Count the packet in the named counter";
      }
      leaf log { type empty; description "Log the packet"; }
      leaf sample { type empty; description "Sample the packet"; }
      leaf port-mirror { type empty; description "Port-mirror the packet"; }
      // 'skip' keeps matching packets out of service processing; review which traffic
      // a term exempts, since the choice is optional and only one option can be set.
      choice designation {
        leaf service { type empty; description "Forward packets to service processing"; }
        leaf skip { type empty; description "Skip service processing"; }
        case case_3 { } // case case_3
      } // choice designation
    } // container then
  } // list term
} // grouping inet6_service_filter

// IPv4 dialer filter: user-ordered terms that classify packets as interesting
// ('note') or not ('ignore') for ISDN, per the descriptions in 'then'.
grouping inet_dialer_filter {
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  leaf-list accounting-profile {
    // NOTE(review): this expression carries no "$$" (presumably the value being
    // set), so as written it may only require that some filter-profile exists rather
    // than the one named here. Confirm.
    junos:must "("accounting-options filter-profile")";
    junos:must-message "referenced accounting profile must be defined";
    type string;
    ordered-by user;
    description "Accounting profile name";
  }
  list term {
    key "name";
    ordered-by user;
    description "Define a firewall term";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    container from {
      description "Define match criteria";
      uses apply-advanced;
      list source-address {
        key "name";
        ordered-by user;
        description "Match IP source address";
        uses firewall_addr_object;
      } // list source-address
      list destination-address {
        key "name";
        ordered-by user;
        description "Match IP destination address";
        uses firewall_addr_object;
      } // list destination-address
      list address {
        key "name";
        ordered-by user;
        description "Match IP source or destination address";
        uses firewall_addr_object;
      } // list address
      list source-prefix-list {
        key "name";
        ordered-by user;
        description "Match IP source prefixes in named list";
        uses firewall_prefix_list;
      } // list source-prefix-list
      list destination-prefix-list {
        key "name";
        ordered-by user;
        description "Match IP destination prefixes in named list";
        uses firewall_prefix_list;
      } // list destination-prefix-list
      list prefix-list {
        key "name";
        ordered-by user;
        description "Match IP source or destination prefixes in named list";
        uses firewall_prefix_list;
      } // list prefix-list
      // NOTE(review): the hexadecimal alternatives in the packet-length patterns (and
      // in the ttl patterns further down) use the bracket range [0-f]. Under a
      // codepoint-ordered collation that range runs from '0' to 'f' and so also admits
      // ':' ';' '<' '=' '>' '?' '@', 'A'-'Z', '[' '\' ']' '^' '_' and '`'; it does not
      // limit the characters after "0x" to hex digits. None of the range patterns
      // require the low end to be below the high end. Validate numerically upstream.
      choice packet-length_choice {
        leaf-list packet-length {
          type string {
            junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f])(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
            junos:pattern-message "Must be a numeric value or a range between 0-65535";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list packet-length-except {
          type string {
            junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-f][0-f][0-f][0-f]|0x[0-f]|0x[0-f][0-f]|0x[0-f][0-f][0-f]))?$";
            junos:pattern-message "Must be a numeric value or a range between 0-65535";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice packet-length_choice
      choice precedence_choice {
        leaf-list precedence { type string; ordered-by user; }
        leaf-list precedence-except { type string; ordered-by user; }
      } // choice precedence_choice
      choice dscp_choice {
        leaf-list dscp { type string; ordered-by user; }
        leaf-list dscp-except { type string; ordered-by user; }
      } // choice dscp_choice
      choice ip-options_choice {
        leaf-list ip-options { type string; ordered-by user; }
        leaf-list ip-options-except { type string; ordered-by user; }
      } // choice ip-options_choice
      leaf is-fragment { type empty; description "Match if packet is a fragment"; }
      leaf first-fragment { type empty; description "Match if packet is the first fragment"; }
      // The pattern accepts any run of digits, so it sets no upper bound on the offset.
      choice fragment-offset_choice {
        leaf-list fragment-offset {
          type string {
            junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$";
            junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list fragment-offset-except {
          type string {
            junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$";
            junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice fragment-offset_choice
      leaf fragment-flags { type string; description "Match fragment flags"; }
      choice protocol_choice {
        leaf-list protocol { type string; ordered-by user; }
        leaf-list protocol-except { type string; ordered-by user; }
      } // choice protocol_choice
      choice ttl_choice {
        leaf-list ttl {
          type string {
            junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
            junos:pattern-message "Must be a numerical TTL value or range between 0-255";
          }
          ordered-by user;
          description "Range of values";
        }
        leaf-list ttl-except {
          type string {
            junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f])(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-f]|0x[0-f][0-f]))?$";
            junos:pattern-message "Must be a numerical TTL value or range between 0-255";
          }
          ordered-by user;
          description "Range of values";
        }
      } // choice ttl_choice
      choice icmp-type_choice {
        leaf-list icmp-type { type string; ordered-by user; }
        leaf-list icmp-type-except { type string; ordered-by user; }
      } // choice icmp-type_choice
      choice icmp-code_choice {
        leaf-list icmp-code { type string; ordered-by user; }
        leaf-list icmp-code-except { type string; ordered-by user; }
      } // choice icmp-code_choice
      choice source-port_choice {
        leaf-list source-port { type string; ordered-by user; }
        leaf-list source-port-except { type string; ordered-by user; }
      } // choice source-port_choice
      choice destination-port_choice {
        leaf-list destination-port { type string; ordered-by user; }
        leaf-list destination-port-except { type string; ordered-by user; }
      } // choice destination-port_choice
      choice port_choice {
        leaf-list port { type string; ordered-by user; }
        leaf-list port-except { type string; ordered-by user; }
      } // choice port_choice
      // No constraint on these three leaves requires 'protocol tcp' in the same term.
      // NOTE(review): Junos documentation notes that the TCP flag conditions do not by
      // themselves check that the packet is TCP; pair them with an explicit protocol
      // match when writing terms.
      leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; }
      leaf tcp-established { type empty; description "Match packet of an established TCP connection"; }
      leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; }
      choice esp-spi_choice {
        leaf-list esp-spi { type string; ordered-by user; description "Range of values"; }
        leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; }
      } // choice esp-spi_choice
      // The empty 'case case_N' bodies carry no nodes in this copy of the model.
      choice ah-spi_choice {
        case case_1 { } // case case_1
        case case_2 { } // case case_2
      } // choice ah-spi_choice
    } // container from
    container then {
      description "Action to take if the 'from' condition is matched";
      uses apply-advanced;
      leaf log { type empty; description "Log the packet"; }
      leaf syslog { type empty; description "System log (syslog) information about the packet"; }
      leaf sample { type empty; description "Sample the packet"; }
      choice designation {
        leaf note { type empty; description "Interested ISDN packet"; }
        leaf ignore { type empty; description "Non-interested ISDN packet"; }
      } // choice designation
    } // container then
  } // list term
} // grouping inet_dialer_filter

grouping inet_filter {
  leaf name {
    type string {
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  leaf-list accounting-profile {
    junos:must "("accounting-options filter-profile")";
    junos:must-message "referenced accounting profile must be defined";
    type string;
    ordered-by user;
    description "Accounting profile name";
  }
  leaf interface-specific { type empty; description "Defined counters are interface specific"; }
  leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; }
  list term {
    key "name";
    ordered-by user;
    description "Define a firewall term";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Term name";
    }
    uses apply-advanced;
    leaf filter {
      junos:must "(("firewall filter $$" || "firewall family inet filter $$"))";
      junos:must-message "Referenced filter is not defined";
      junos:must "((!(".. from") && !(".. 
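then")))";
  // The fragment above ends a junos:must constraint that leaf 'filter' opens
  // just before this point; per its message the leaf cannot be combined with
  // 'from' or 'then' in the same term.
  // NOTE(review): double quotes nested inside junos:must arguments appear
  // without backslash escapes on this page; a YANG double-quoted string needs
  // \" for an embedded quote, so compare with the vendor's published module
  // before handing this text to a parser.
  junos:must-message "Not compatible with 'from or then'";
  type string {
    // presumably the leading '!' negates the expression: names that start
    // with "__" or run to 65+ characters are refused, as the message states
    junos:posix-pattern "!^((__.*)|(.{65,}))$";
    junos:pattern-message "Must be a non-reserved string of 64 characters or less";
  }
  description "Filter to include";
}
// Match criteria of one term of grouping inet_filter. Most criteria come as an
// X / X-except pair wrapped in a choice, so a term can carry one member of the
// pair but not both.
container from {
  description "Define match criteria";
  uses apply-advanced;
  // The case_N entries below declare no data nodes in this module.
  choice destination-class_choice {
    case case_1 {
    } // case case_1
    case case_2 {
    } // case case_2
  } // choice destination-class_choice
  choice source-class_choice {
    case case_1 {
    } // case case_1
    case case_2 {
    } // case case_2
  } // choice source-class_choice
  choice interface-group_choice {
    leaf-list interface-group {
      type string;
      ordered-by user;
      description "Range of values";
    }
    leaf-list interface-group-except {
      type string;
      ordered-by user;
      description "Range of values";
    }
  } // choice interface-group_choice
  // Address and prefix-list matches. Their entry layout comes from groupings
  // (firewall_addr_object, firewall_prefix_list) defined outside this excerpt.
  list source-address {
    key "name";
    ordered-by user;
    description "Match IP source address";
    uses firewall_addr_object;
  } // list source-address
  list destination-address {
    key "name";
    ordered-by user;
    description "Match IP destination address";
    uses firewall_addr_object;
  } // list destination-address
  list address {
    key "name";
    ordered-by user;
    description "Match IP source or destination address";
    uses firewall_addr_object;
  } // list address
  list source-prefix-list {
    key "name";
    ordered-by user;
    description "Match IP source prefixes in named list";
    uses firewall_prefix_list;
  } // list source-prefix-list
  list destination-prefix-list {
    key "name";
    ordered-by user;
    description "Match IP destination prefixes in named list";
    uses firewall_prefix_list;
  } // list destination-prefix-list
  list prefix-list {
    key "name";
    ordered-by user;
    description "Match IP source or destination prefixes in named list";
    uses firewall_prefix_list;
  } // list prefix-list
  choice packet-length_choice {
    leaf-list packet-length {
      type string {
        // Accepts a decimal 0-65535 or "0x" plus one to four hex digits,
        // optionally followed by "-" and a second value of the same form.
        // Hex digits use an explicit [0-9a-fA-F] class: a bracket range
        // written as [0-f] spans every code point from '0' to 'f' in the C
        // locale and would let ':', '@', 'G'-'Z', '_' and similar characters
        // pass as hex digits. The same [0-f] range is used by the ttl pattern
        // of grouping inet_dialer_filter elsewhere in this module.
        // The pattern checks form only; it does not require minimum <= maximum.
        junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-9a-fA-F]{1,4})(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-9a-fA-F]{1,4}))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-65535";
      }
      ordered-by user;
      description "Range of values";
    }
    leaf-list packet-length-except {
      type string {
        // Same value grammar as packet-length above.
        junos:posix-pattern "^([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-9a-fA-F]{1,4})(-([0-9]{1,4}|[1-5][0-9][0-9][0-9][0-9]|[6][0-4][0-9][0-9][0-9]|65[0-4][0-9][0-9]|655[0-2][0-9]|6553[0-5]|0x[0-9a-fA-F]{1,4}))?$";
        junos:pattern-message "Must be a numeric value or a range between 0-65535";
      }
      ordered-by user;
      description "Range of values";
    }
  } // choice packet-length_choice
  // dscp, precedence and ip-options are plain strings with no pattern or
  // length restriction, so a schema-level validator accepts any text here.
  // Tooling that builds filter terms from external input should check these
  // values itself rather than rely on the model.
  choice dscp_choice {
    leaf-list dscp {
      type string;
      ordered-by user;
    }
    leaf-list dscp-except {
      type string;
      ordered-by user;
    }
  } // choice dscp_choice
  choice precedence_choice {
    leaf-list precedence {
      type string;
      ordered-by user;
    }
    leaf-list precedence-except {
      type string;
      ordered-by user;
    }
  } // choice precedence_choice
  choice ip-options_choice {
    leaf-list ip-options {
      type string;
      ordered-by user;
    }
    leaf-list ip-options-except {
      type string;
      ordered-by user;
    }
  } // choice ip-options_choice
  // "type empty" flags: the leaf holds no value and matches by being present.
  leaf is-fragment {
    type empty;
    description "Match if packet is a fragment";
  }
  leaf first-fragment {
    type empty;
    description "Match if packet is the first fragment";
  }
  leaf service-filter-hit {
    type empty;
    description "Match if service-filter-hit is set";
  }
  choice fragment-offset_choice {
    leaf-list fragment-offset {
      type string {
        // One decimal number or "min-max"; the pattern sets no upper bound on
        // either number and does not require min <= max.
        junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$";
        junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'";
      }
      ordered-by user;
      description "Range of values";
    }
    leaf-list fragment-offset-except {
      type string {
        junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$";
        junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'";
      }
      ordered-by user;
      description "Range of values";
    }
  } // choice fragment-offset_choice
  leaf fragment-flags {
    type string;
    description "Match fragment flags (in symbolic or hex formats) - (Ingress only)";
  }
  choice protocol_choice {
    leaf-list protocol {
      type string;
      ordered-by user;
    }
    leaf-list protocol-except {
      type string;
      ordered-by user;
    }
  } // choice protocol_choice
  choice ttl_choice {
    leaf-list ttl {
      type string {
        // Accepts a decimal 0-255 or "0x" plus one or two hex digits,
        // optionally as "value-value". Hex digits use [0-9a-fA-F] for the
        // same reason as in packet-length above.
        junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-9a-fA-F]{1,2})(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-9a-fA-F]{1,2}))?$";
        junos:pattern-message "Must be a numerical TTL value or range between 0-255";
      }
      ordered-by user;
      description "Range of values";
    }
    leaf-list ttl-except {
      type string {
        junos:posix-pattern "^([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-9a-fA-F]{1,2})(-([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]|0x[0-9a-fA-F]{1,2}))?$";
        junos:pattern-message "Must be a numerical TTL value or range between 0-255";
      }
      ordered-by user;
      description "Range of values";
    }
  } // choice ttl_choice
  // ICMP type/code and port matches are unrestricted strings as well; the
  // model does not say whether names, numbers or ranges are expected.
  choice icmp-type_choice {
    leaf-list icmp-type {
      type string;
      ordered-by user;
    }
    leaf-list icmp-type-except {
      type string;
      ordered-by user;
    }
  } // choice icmp-type_choice
  choice icmp-code_choice {
    leaf-list icmp-code {
      type string;
      ordered-by user;
    }
    leaf-list icmp-code-except {
      type string;
      ordered-by user;
    }
  } // choice icmp-code_choice
  choice source-port_choice {
    leaf-list source-port {
      type string;
      ordered-by user;
    }
    leaf-list source-port-except {
      type string;
      ordered-by user;
    }
  } // choice source-port_choice
  choice destination-port_choice {
    leaf-list destination-port {
      type string;
      ordered-by user;
    }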
leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice leaf tcp-initial { type empty; description "Match initial packet of a TCP connection"; } leaf tcp-established { type empty; description "Match packet of an established TCP connection"; } leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; } choice esp-spi_choice { leaf-list esp-spi { type string; ordered-by user; description "Range of values"; } leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; } } // choice esp-spi_choice choice ah-spi_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ah-spi_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice choice rat-type_choice { leaf-list rat-type { type string; ordered-by user; } leaf-list rat-type-except { type string; ordered-by user; } } // choice rat-type_choice choice redirect-reason_choice { leaf-list redirect-reason { type enumeration { enum "aoc" { value 0; 
description "Advice of Charge"; } enum "aolb" { value 1; description "Advice of Low Balance"; } enum "dpi" { value 2; description "Layer7 match required"; } } ordered-by user; } leaf-list redirect-reason-except { type enumeration { enum "aoc" { value 0; description "Advice of Charge"; } enum "aolb" { value 1; description "Advice of Low Balance"; } enum "dpi" { value 2; description "Layer7 match required"; } } ordered-by user; } } // choice redirect-reason_choice choice gre-key_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice gre-key_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 
64"; } ordered-by user; description "String name"; } } // choice policy-map_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not 
exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice choice inetcnt { case case_1 { } // case case_1 leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } } // choice inetcnt leaf service-accounting { junos:must "(!(".. service-accounting-deferred"))"; junos:must-message "'service-accounting-deferred' and 'service-accounting' cannot coexist"; junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf skip-services { type empty; description "Skip the services"; } leaf service-accounting-deferred { junos:must "(!(".. service-accounting"))"; junos:must-message "Cannot be both 'service-accounting' and 'service-accounting-deferred'"; junos:must "(!(".. 
count"))";
  // The fragment above ends a junos:must constraint that leaf
  // service-accounting-deferred opens just before this point.
  // NOTE(review): on this page the double quotes nested inside junos:must
  // arguments carry no backslash escapes; a YANG double-quoted string needs \"
  // for an embedded quote, so compare with the vendor's published module
  // before handing this text to a parser.
  junos:must-message "'count' and 'service-accounting-deferred' cannot coexist";
  type empty;
  description "Count the packets for deferred service accounting";
}
// Action flags of the inet_filter 'then' container. Each is "type empty": the
// leaf holds no value and takes effect by being present in the term.
// log and syslog are the two record-keeping actions declared here.
leaf log {
  type empty;
  description "Log the packet";
}
// NOTE(review): per its description this flag bypasses flow mode for packets
// the term matches; presumably flow-based processing is skipped for them -
// confirm on the target platform and audit every term that sets it.
leaf packet-mode {
  type empty;
  description "Bypass flow mode for the packet";
}
leaf syslog {
  type empty;
  description "System log (syslog) information about the packet";
}
// The next four leaves capture, sample or mirror matched packets. They
// duplicate traffic contents, so changes that add them to a term deserve the
// same review as changes to accept/discard decisions.
leaf packet-capture {
  type empty;
  description "Enable packet capture for telemetry";
}
leaf sample {
  // Per the message below, cannot be combined with a sibling
  // 'sampling-instance' node.
  junos:must "(!(".. sampling-instance"))";
  junos:must-message "'sampling' and 'sampling-instance' are mutually exclusive";
  // Requires one of: forwarding-options sampling family inet,
  // forwarding-options packet-capture, or any sampling instance with family inet.
  junos:must "(("forwarding-options sampling family inet" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family inet")))";
  junos:must-message "Requires forwarding-options sampling or packet-capture config";
  type empty;
  description "Sample the packet";
}
leaf port-mirror-instance {
  // presumably $$ stands for this leaf's own value, i.e. the named
  // port-mirroring instance has to exist already - TODO confirm
  junos:must "("forwarding-options port-mirroring instance $$")";
  junos:must-message "Referenced port-mirroring instance does not exist";
  type string {
    // presumably the leading '!' negates the expression: names that start
    // with "__" or run to 65+ characters are refused, as the message states
    junos:posix-pattern "!^((__.*)|(.{65,}))$";
    junos:pattern-message "Must be a non-reserved string of 64 characters or less";
  }
  description "Port-mirror the packet to specified instance";
}
leaf port-mirror {
  // Per the message below, cannot be combined with port-mirror-instance.
  junos:must "(!(".. port-mirror-instance"))";
  junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive";
  type empty;
  description "Port-mirror the packet";
}
leaf loss-priority {
  // The junos:must argument below continues past this point.
  junos:must "(!("..
three-color-policer"))"; junos:must-message "Configuring loss-priority is incompatible with configuring three-color-policer"; type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf service-filter-hit { type empty; description "Marked when packet processing by the current type of chained filters is done, the packet is directed to the next type of filters"; } leaf virtual-channel { junos:must "("class-of-service virtual-channels $$")"; junos:must-message "Referenced virtual channel is not defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Set the output interface virtual channel"; } choice designation { leaf accept { type empty; description "Accept the packet"; } container discard { presence "enable discard"; description "Discard the packet"; uses apply-advanced; leaf accounting { type string; description "Named discard collector for packet"; } } // container discard leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } list logical-system { key "logical-system-name"; max-elements 1; ordered-by user; description "Packets are directed to specified logical system"; leaf logical-system-name { type string { junos:posix-pattern "^[a-zA-Z0-9_-]{1,63}$"; junos:pattern-message "Logical-system name is a string consisting of up to 63 letters, numbers, dashes and underscores"; } description "Name of logical 
system"; } container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // list logical-system container routing-instance { description "Packets are directed to specified routing instance"; leaf routing-instance-name { type string { junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces."; } description "Name of routing instance"; } leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } } // container routing-instance leaf topology { type string { junos:posix-pattern "!^((.*:.*)|(.{129,}))$"; junos:pattern-message "Must be a non-reserved string of 128 characters or less"; } description "Packets are directed to specified topology"; } case case_7 { } // case case_7 case case_8 { } // case case_8 case case_9 { } // case case_9 case case_10 { } // case case_10 case case_11 { } // case case_11 case case_12 { } // case case_12 container reject { presence "enable reject"; description "Reject the packet"; choice style { leaf network-unreachable { type empty; 
description "Send ICMP Network Unreachable message"; } leaf host-unreachable { type empty; description "Send ICMP Host Unreachable message"; } leaf protocol-unreachable { type empty; description "Send ICMP Protocol Unreachable message"; } leaf port-unreachable { type empty; description "Send ICMP Port Unreachable message"; } leaf fragmentation-needed { type empty; description "Send ICMP Fragmentation Needed message"; } leaf source-route-failed { type empty; description "Send ICMP Source Route Failed message"; } leaf network-unknown { type empty; description "Send ICMP Network Unknown message"; } leaf host-unknown { type empty; description "Send ICMP Host Unknown message"; } leaf source-host-isolated { type empty; description "Send ICMP Source Host Isolated message"; } leaf network-prohibited { type empty; description "Send ICMP Network Prohibited message"; } leaf host-prohibited { type empty; description "Send ICMP Host Prohibited message"; } leaf bad-network-tos { type empty; description "Send ICMP Bad Network ToS message"; } leaf bad-host-tos { type empty; description "Send ICMP Bad Host ToS message"; } leaf administratively-prohibited { type empty; description "Send ICMP Administratively Prohibited message"; } leaf precedence-violation { type empty; description "Send ICMP Precedence Violation message"; } leaf precedence-cutoff { type empty; description "Send ICMP Precedence Cutoff message"; } leaf tcp-reset { type empty; description "Send TCP Reset message"; } } // choice style } // container reject case case_14 { } // case case_14 } // choice designation leaf prefix-action { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Police or count packets using named prefix action"; } } // container then } // list term } // grouping inet_filter grouping inet_fuf { leaf name { junos:must "(unique "firewall family <*> filter $$")"; junos:must-message "Fast update filter 
can not have the same name as firewall family filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of fast update filter"; } uses apply-advanced; leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf-list match-order { type enumeration { enum "protocol" { value 0; description "Include IP protocol in match set"; } enum "source-address" { value 1; description "Include source-address in match set"; } enum "destination-address" { value 2; description "Include destination-address in match set"; } enum "source-port" { value 3; description "Include source-port in match set"; } enum "destination-port" { value 4; description "Include destination-port in match set"; } enum "dscp" { value 5; description "Include Differentiated Services (DiffServ) code point in match set"; } } ordered-by user; } list term { key "name"; ordered-by user; description "One or more firewall terms"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf only-at-create { type empty; description "Add term only when filter is first created."; } container from { description "Match criteria"; uses apply-advanced; container source-address { description "Match source IP address"; uses firewall_addr_simple_object; } // container source-address container destination-address { description "Match destination IP address"; uses firewall_addr_simple_object; } // container destination-address choice source-port_choice { container source-port { description "Match TCP/UDP source port"; uses match_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match TCP/UDP destination port"; uses match_simple_port_value; } // 
container destination-port } // choice destination-port_choice choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_simple_protocol_value; } // container protocol } // choice protocol_choice choice dscp_choice { container dscp { description "Match Differentiated Services (DiffServ) code point"; uses match_simple_dscp_value; } // container dscp } // choice dscp_choice leaf match-terms { type string; description "Dynamically supplied list of match criteria"; } } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } } // choice policer-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf service-accounting { junos:must "(!(".. count"))"; junos:must-message "'count' and 'service-accounting' cannot coexist"; type empty; description "Count the packets for service accounting"; } leaf log { type empty; description "Log the packet"; } leaf port-mirror { type empty; description "Port-mirror the packet"; } leaf loss-priority { junos:must "(!(".. 
three-color-policer"))";
        // The fragment above ends the junos:must constraint that leaf
        // loss-priority, in the 'then' container of grouping inet_fuf, opens
        // just before this point.
        // NOTE(review): the policer-choice of this 'then' container declares
        // only leaf 'policer', no three-color-policer node, so the constraint
        // looks like it can never trigger here - confirm against the vendor
        // module.
        junos:must-message "Configuring loss-priority is incompatible with configuring three-color-policer";
        type enumeration {
          // NOTE(review): grouping inet_simple_filter in this module assigns
          // different numbers to the same names (medium-high 1, high 3).
          // Exchange the enum names, never the numeric values.
          enum "low" {
            value 0;
            description "Loss priority low";
          }
          enum "high" {
            value 1;
            description "Loss priority high";
          }
          enum "medium-low" {
            value 2;
            description "Loss priority medium-low";
          }
          enum "medium-high" {
            value 3;
            description "Loss priority medium-high";
          }
        }
        description "Packet's loss priority";
      }
      leaf forwarding-class {
        type string {
          // Any 1 to 64 characters; the pattern puts no limit on which
          // characters may appear.
          junos:posix-pattern "^.{1,64}$";
          junos:pattern-message "Must be string of 64 characters or less";
        }
        description "Classify packet to forwarding class";
      }
      // Free-form string with no pattern or length restriction; the model
      // does not describe its grammar. NOTE(review): since the description
      // calls it dynamically supplied, whatever produces this value should be
      // treated as able to choose the term's actions - verify who can set it.
      leaf action-terms {
        type string;
        description "Dynamically supplied list of actions";
      }
      // Terminating action: a choice, so at most one of accept, discard or
      // routing-instance can be set on a term.
      choice designation {
        leaf accept {
          type empty;
          description "Accept the packet";
        }
        leaf discard {
          type empty;
          description "Discard the packet";
        }
        container routing-instance {
          description "Packets are directed to specified routing instance";
          leaf routing-instance-name {
            type string {
              // presumably the leading '!' negates the expression, refusing
              // "__...__" names, "all", names with a space and names of 129+
              // characters, in line with the message below.
              // NOTE(review): the ("") alternative holds bare double quotes
              // inside a double-quoted string on this page; check the escaping
              // against the vendor's published module.
              junos:posix-pattern "!^((__.*__)|(all)|(.*[ ].*)|("")|(.{129,}))$";
              junos:pattern-message "Must be a non-reserved string of 128 characters or less with no spaces.";
            }
            description "Name of routing instance";
          }
          leaf topology {
            type string {
              // presumably negated as well: refuses values containing ':'
              // and values of 129+ characters
              junos:posix-pattern "!^((.*:.*)|(.{129,}))$";
              junos:pattern-message "Must be a non-reserved string of 128 characters or less";
            }
            description "Packets are directed to specified topology";
          }
        } // container routing-instance
      } // choice designation
    } // container then
  } // list term
} // grouping inet_fuf
// Single-prefix address object used by the source-address and
// destination-address containers of inet_fuf and inet_simple_filter.
// Unlike the string-typed match leaves elsewhere in this module, the value is
// typed (jt:ipv4prefix, from the imported junos-common-types module).
grouping firewall_addr_simple_object {
  uses apply-advanced;
  leaf address {
    type jt:ipv4prefix;
    description "Prefix to match";
  }
} // grouping firewall_addr_simple_object
// IPv4 service filter: a named filter made of an ordered list of terms.
grouping inet_service_filter {
  leaf name {
    type string {
      // presumably the leading '!' negates the expression: names that start
      // with "__" or run to 65+ characters are refused, as the message states
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Filter name";
  }
  uses apply-advanced;
  // ordered-by user: the order in which terms are entered is preserved.
  // NOTE(review): presumably that is also the evaluation order, so inserting
  // or moving a term can change what the filter permits - confirm.
  list term {
    key "name";
    ordered-by user;
description "Service filter term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice list source-address { key "name"; ordered-by user; description "Match IP source address"; uses firewall_addr_object; } // list source-address list destination-address { key "name"; ordered-by user; description "Match IP destination address"; uses firewall_addr_object; } // list destination-address list address { key "name"; ordered-by user; description "Match IP source or destination address"; uses firewall_addr_object; } // list address list source-prefix-list { key "name"; ordered-by user; description "Match IP source prefixes in named list"; uses firewall_prefix_list; } // list source-prefix-list list destination-prefix-list { key "name"; ordered-by user; description "Match IP destination prefixes in named list"; uses firewall_prefix_list; } // list destination-prefix-list list prefix-list { key "name"; ordered-by user; description "Match IP source or destination prefixes in named list"; uses firewall_prefix_list; } // list prefix-list choice protocol_choice { leaf-list protocol { type string; ordered-by user; } leaf-list protocol-except { type string; ordered-by user; } } // choice protocol_choice choice ip-options_choice { leaf-list ip-options { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } leaf-list ip-options-except { type enumeration { enum "any" { value 0; description "Any IP option"; } } ordered-by user; } } // choice ip-options_choice choice source-port_choice 
{ leaf-list source-port { type string; ordered-by user; } leaf-list source-port-except { type string; ordered-by user; } } // choice source-port_choice choice destination-port_choice { leaf-list destination-port { type string; ordered-by user; } leaf-list destination-port-except { type string; ordered-by user; } } // choice destination-port_choice choice port_choice { leaf-list port { type string; ordered-by user; } leaf-list port-except { type string; ordered-by user; } } // choice port_choice choice esp-spi_choice { leaf-list esp-spi { type string; ordered-by user; description "Range of values"; } leaf-list esp-spi-except { type string; ordered-by user; description "Range of values"; } } // choice esp-spi_choice leaf is-fragment { type empty; description "Match if packet is a fragment"; } leaf first-fragment { type empty; description "Match if packet is the first fragment"; } choice fragment-offset_choice { leaf-list fragment-offset { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } leaf-list fragment-offset-except { type string { junos:posix-pattern "^[[:digit:]]+(-[[:digit:]]+)?$"; junos:pattern-message "Must be a in form of number or a range in the form '<minimum-value>-<maximum-value>'"; } ordered-by user; description "Range of values"; } } // choice fragment-offset_choice leaf fragment-flags { type string; description "Match fragment flags"; } leaf tcp-flags { type string; description "Match TCP flags (in symbolic or hex formats)"; } choice ah-spi_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ah-spi_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; 
junos:pattern-message "Must be string of 64 characters or less";
          // The statement above belongs to the type restriction of leaf-list
          // forwarding-class, which opens just before this point in the 'from'
          // container of grouping inet_service_filter.
        }
        ordered-by user;
        description "String name";
      }
      leaf-list forwarding-class-except {
        type string {
          // Any 1 to 64 characters; the pattern puts no limit on which
          // characters may appear.
          junos:posix-pattern "^.{1,64}$";
          junos:pattern-message "Must be string of 64 characters or less";
        }
        ordered-by user;
        description "String name";
      }
    } // choice forwarding-class_choice
    // Enumerated match: only the three listed reasons are accepted, in
    // contrast to the free-form string matches elsewhere in this container.
    choice redirect-reason_choice {
      leaf-list redirect-reason {
        type enumeration {
          enum "aoc" {
            value 0;
            description "Advice of Charge";
          }
          enum "aolb" {
            value 1;
            description "Advice of Low Balance";
          }
          enum "dpi" {
            value 2;
            description "Layer7 match required";
          }
        }
        ordered-by user;
      }
      leaf-list redirect-reason-except {
        type enumeration {
          enum "aoc" {
            value 0;
            description "Advice of Charge";
          }
          enum "aolb" {
            value 1;
            description "Advice of Low Balance";
          }
          enum "dpi" {
            value 2;
            description "Layer7 match required";
          }
        }
        ordered-by user;
      }
    } // choice redirect-reason_choice
  } // container from
  // Actions of a service-filter term: count/log/sample/port-mirror may be
  // combined, plus at most one designation (service or skip).
  container then {
    description "Action to take if the 'from' condition is matched";
    uses apply-advanced;
    leaf count {
      type string {
        // presumably the leading '!' negates the expression: counter names
        // that start with "__" or run to 65+ characters are refused
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Count the packet in the named counter";
    }
    leaf log {
      type empty;
      description "Log the packet";
    }
    // Unlike the 'sample' leaf of grouping inet_filter, this one carries no
    // junos:must constraint requiring a sampling configuration.
    leaf sample {
      type empty;
      description "Sample the packet";
    }
    leaf port-mirror {
      type empty;
      description "Port-mirror the packet";
    }
    choice designation {
      leaf service {
        type empty;
        description "Forward packets to service processing";
      }
      // NOTE(review): per its description, matching packets are not handed to
      // service processing; if the service in question is a security control,
      // a broad 'from' combined with skip would exempt that traffic - review
      // such terms.
      leaf skip {
        type empty;
        description "Skip service processing";
      }
      // Declares no data nodes in this module.
      case case_3 {
      } // case case_3
    } // choice designation
  } // container then
} // list term
} // grouping inet_service_filter
// IPv4 simple filter: a named filter whose terms follow below.
grouping inet_simple_filter {
  leaf name {
    type string {
      // presumably the leading '!' negates the expression: names that start
      // with "__" or run to 65+ characters are refused, as the message states
      junos:posix-pattern "!^((__.*)|(.{65,}))$";
      junos:pattern-message "Must be a non-reserved string of 64 characters or less";
    }
    description "Name of simple filter";
  }
  uses apply-advanced;
  // The type argument of this leaf continues past this point.
  leaf interface-specific {
    type
empty; status deprecated; description "Defined counters are interface specific"; } list term { key "name"; ordered-by user; description "One or more firewall terms"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; container from { description "Match criteria"; uses apply-advanced; container source-address { description "Source IP address"; uses firewall_addr_simple_object; } // container source-address container destination-address { description "Destination IP address"; uses firewall_addr_simple_object; } // container destination-address choice protocol_choice { container protocol { description "Match IP protocol type"; uses match_simple_protocol_value; } // container protocol } // choice protocol_choice choice source-port_choice { container source-port { description "Match TCP/UDP source port"; uses match_simple_port_value; } // container source-port } // choice source-port_choice choice destination-port_choice { container destination-port { description "Match TCP/UDP destination port"; uses match_simple_port_value; } // container destination-port } // choice destination-port_choice choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice 
type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer } // choice policer-choice leaf loss-priority { type enumeration { enum "low" { value 0; description "Low loss priority"; } enum "medium-high" { value 1; description "Medium-high loss priority"; } enum "medium-low" { value 2; description "Medium-low loss priority"; } enum "high" { value 3; description "High loss priority"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf discard { type empty; description "Discard the packet"; } leaf accept { type empty; description "Accept the packet"; } } // container then } // list term } // grouping inet_simple_filter grouping interface_set_type { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Interface set name"; } uses apply-advanced; list interface-list { key "name"; ordered-by user; description "Interface list"; leaf name { type union { type jt:interface-wildcard; type string { pattern "<.*>|$.*"; } } description "Interface 
name"; }
      uses apply-advanced;
    }  // list interface-list
  }  // grouping interface_set_type

  // Generic keyword/value pair. Both leaves are plain strings; this grouping
  // puts no pattern or length limit on either of them.
  grouping macro-data-type {
    leaf name {
      type string;
      description "Keyword part of the keyword-value pair";
    }
    leaf value {
      type string;
      description "Value part of the keyword-value pair";
    }
  }  // grouping macro-data-type

  // Key leaf for interface match entries (the `list interface` statements in
  // the filter groupings use this grouping).
  // The name is a union: either jt:interface-wildcard (defined in the imported
  // junos-common-types module, not shown here) or a string matching
  // "<.*>|$.*".
  // NOTE(review): YANG patterns are XSD regular expressions, where `$` is an
  // ordinary character, so the second alternative appears to admit any value
  // starting with `$` in addition to `<...>` forms -- presumably placeholder
  // or variable syntax; confirm against the Junos documentation. Tooling that
  // reads this leaf should not assume it always holds a literal interface name.
  grouping match_interface_object {
    leaf name {
      type union {
        type jt:interface-wildcard;
        type string {
          pattern "<.*>|$.*";
        }
      }
      description "Interface to match";
    }
  }  // grouping match_interface_object

  // Same definition as match_interface_object as far as this listing shows;
  // only the grouping name differs.
  grouping match_interface_object_oam {
    leaf name {
      type union {
        type jt:interface-wildcard;
        type string {
          pattern "<.*>|$.*";
        }
      }
      description "Interface to match";
    }
  }  // grouping match_interface_object_oam

  // Key leaf for `list interface-set` match entries. Plain string: unlike the
  // filter and term names in this module, no pattern is attached here.
  grouping match_interface_set_object {
    leaf name {
      type string;
      description "Interface set to match";
    }
  }  // grouping match_interface_set_object

  // The three match_simple_* groupings below have the same shape: a single
  // `value_keyword` leaf of `type string` with no pattern or range. The schema
  // therefore does not reject malformed or out-of-range DSCP, port or protocol
  // values; any such checking happens outside this module, so automation that
  // generates filter terms should validate these values itself.
  grouping match_simple_dscp_value {
    uses apply-advanced;
    leaf value_keyword {
      type string;
    }
  }  // grouping match_simple_dscp_value

  // Used by the simple filter's `source-port` and `destination-port`
  // containers.
  grouping match_simple_port_value {
    uses apply-advanced;
    leaf value_keyword {
      type string;
    }
  }  // grouping match_simple_port_value

  // Used by the simple filter's `protocol` container.
  grouping match_simple_protocol_value {
    uses apply-advanced;
    leaf value_keyword {
      type string;
    }
  }  // grouping match_simple_protocol_value

  grouping mpls_dialer_filter {
    description "Define an MPLS DIALER filter";
    leaf name {
      type string {
        // Going by the pattern-message, the leading `!` negates the
        // expression: names that start with `__` or are 65 or more characters
        // long are rejected.
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    leaf-list accounting-profile {
      // NOTE(review): the inner double quotes of this junos:must argument are
      // printed unescaped in this listing; a YANG parser needs them written
      // as \" for the argument to remain a single string.
      junos:must "("accounting-options filter-profile")";
      junos:must-message "referenced accounting profile must be defined";
      type string;
      ordered-by user;
      description "Accounting profile name";
    }
    list term {
      key "name";
      ordered-by user;
      description "Define a firewall term";
      leaf name {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Term
name"; } uses apply-advanced; container from { description "Define match criteria"; uses apply-advanced; choice exp_choice { leaf-list exp { type string; ordered-by user; description "Range of values"; } leaf-list exp-except { type string; ordered-by user; description "Range of values"; } } // choice exp_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; leaf log { type empty; description "Log the packet"; } leaf syslog { type empty; description "System log (syslog) information about the packet"; } leaf sample { type empty; description "Sample the packet"; } choice designation { leaf note { type empty; description "Interested ISDN packet"; } leaf ignore { type empty; description "Non-interested ISDN packet"; } } // choice designation } // container then } // list term } // grouping mpls_dialer_filter grouping mpls_filter { description "Define an MPLS firewall filter"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter name"; } uses apply-advanced; leaf-list accounting-profile { junos:must "("accounting-options filter-profile")"; junos:must-message "referenced accounting profile must be defined"; type string; ordered-by user; description "Accounting profile name"; } leaf interface-specific { type empty; description "Defined counters are interface specific"; } leaf physical-interface-filter { type empty; description "Filter is physical interface filter"; } list term { key "name"; ordered-by user; description "Define a firewall term"; leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Term name"; } uses apply-advanced; leaf filter { junos:must "("firewall family mpls filter $$")"; junos:must-message "Referenced filter is not defined"; junos:must "((!(".. 
from") && !(".. then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice exp_choice { leaf-list exp { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } leaf-list exp-except { type string; ordered-by user; description "Range of values between 0 and 7 in decimal, binary or hex"; } } // choice exp_choice choice ttl_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ttl_choice choice exp0_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice exp0_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice ttl0_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ttl0_choice choice loss-priority_choice { case case_1 { } // case case_1 case 
case_2 { } // case case_2 } // choice loss-priority_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice choice exp1_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice exp1_choice choice ttl1_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ttl1_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf 
single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice choice mplscnt { case case_1 { } // case case_1 leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } } // choice mplscnt leaf sample { 
junos:must "(("forwarding-options sampling family mpls" || ("forwarding-options packet-capture" || any "forwarding-options sampling instance <*> family mpls")))"; junos:must-message "Requires forwarding-options sampling or packet-capture config"; type empty; description "Sample the packet"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Classify packet to loss-priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf packet-mode { type empty; description "Bypass flow mode for the packet"; } choice designation { case case_1 { } // case case_1 leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation } // container then } // list term } // grouping mpls_filter grouping prefix_action { leaf name { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Prefix action name"; } uses apply-advanced; leaf policer { type string { junos:posix-pattern 
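"!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Police the packet using a set of named policer";
    }
    leaf count {
      type empty;
      description "Enable counters";
    }
    leaf filter-specific {
      type empty;
      description "Filter specific, else term specific";
    }
    // Each prefix-length leaf below is a union: the uint32 branch is limited
    // to 0..32, the string branch accepts values matching "<.*>|$.*".
    leaf subnet-prefix-length {
      type union {
        type string {
          pattern "<.*>|$.*";
        }
        type uint32 {
          range "0 .. 32";
        }
      }
      description "Prefix length for the total address range";
    }
    // Source and destination prefix lengths are alternatives of one choice,
    // so only one of the two can be configured.
    choice source_or_dest {
      leaf source-prefix-length {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "0 .. 32";
          }
        }
        description "Source prefix range";
      }
      leaf destination-prefix-length {
        type union {
          type string {
            pattern "<.*>|$.*";
          }
          type uint32 {
            range "0 .. 32";
          }
        }
        description "Destination prefix range";
      }
    }  // choice source_or_dest
  }  // grouping prefix_action

  // Three-color policer definition: a name, two flag leaves, a list of
  // per-loss-priority actions, and at most one rate model selected through
  // `rate-type-choice` (single-rate or two-rate).
  //
  // All rate and burst-size leaves are `type string` with a `units` statement
  // but no pattern or range, so the schema does not constrain their format or
  // magnitude. A policer used for rate-limiting is only as good as the numbers
  // committed; validate them in the tooling that generates the configuration.
  grouping three-color-policer-type {
    description "Three-color policer";
    leaf name {
      type string {
        // Going by the pattern-message, the leading `!` negates the
        // expression: names that start with `__` or are 65 or more characters
        // long are rejected.
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Policer name";
    }
    uses apply-advanced;
    leaf filter-specific {
      type empty;
      description "Three color policer is filter-specific";
    }
    leaf physical-interface-policer {
      type empty;
      description "Policer is physical interface policer";
    }
    container action {
      description "Action for three-color policer";
      uses apply-advanced;
      // Entries are keyed by loss priority; their shape comes from the
      // three-color-policer-action grouping.
      list loss-priority {
        key "name";
        ordered-by user;
        description "Loss priority for packet";
        uses three-color-policer-action;
      }  // list loss-priority
    }  // container action
    choice rate-type-choice {
      container single-rate {
        description "Single-rate policer";
        uses apply-advanced;
        // color-blind and color-aware are alternatives of one choice.
        choice mode-choice {
          leaf color-blind {
            type empty;
            description "Color-blind mode";
          }
          leaf color-aware {
            type empty;
            description "Color-aware mode";
          }
        }  // choice mode-choice
        leaf committed-information-rate {
          type string;
          units "bits per second";
          description "Bandwidth allowed for committed traffic";
        }
        leaf committed-burst-size {
          type string;
          units "bytes";
          description "Burst size allowed for committed traffic";
        }
        leaf excess-burst-size {
          type string;
          units "bytes";
          description "Burst size allowed for excess traffic";
        }
      }  // container single-rate
      // Empty case, as printed in this listing.
      case case_2 {
      }  // case case_2
      container two-rate {
        presence "enable two-rate";
        description "Two-rate policer";
        uses apply-advanced;
        choice mode-choice {
          leaf color-blind {
            type empty;
            description "Color-blind mode";
          }
          leaf color-aware {
            type empty;
            description "Color-aware mode";
          }
        }  // choice mode-choice
        leaf committed-information-rate {
          type string;
          units "bits per second";
          description "Bandwidth allowed for committed traffic";
        }
        leaf committed-burst-size {
          type string;
          units "bytes";
          description "Burst size allowed for committed traffic ";
        }
        leaf peak-information-rate {
          type string;
          units "bits per second";
          description "Bandwidth allowed for peak traffic";
        }
        leaf peak-burst-size {
          type string;
          units "bytes";
          description "Burst size allowed for peak traffic ";
        }
        container aggregate-policing {
          presence "enable aggregate-policing";
          description "Configure Aggregate Policer";
          uses apply-advanced;
          // At most one aggregate policer can be referenced (max-elements 1).
          list policer {
            key "name";
            max-elements 1;
            ordered-by user;
            description "Two-color policer to be used as aggregate";
            leaf name {
              // The junos:must constraint ties this name to an existing
              // `firewall policer` entry. The inner quotes are escaped so the
              // argument stays a single YANG string; the listing printed them
              // bare, which ends the string after the opening parenthesis.
              // Unlike other policer names in this module, no posix-pattern
              // is attached to this leaf.
              junos:must "(\"firewall policer $$\")";
              junos:must-message "Referenced aggregate policer is not defined";
              type string;
              description "Name of two-color policer to use to aggregate police";
            }
            uses apply-advanced;
            leaf aggregate-sharing-mode {
              type enumeration {
                enum "hybrid" {
                  value 0;
                  description "Child policer CIR rates are guaranteed rates and PIR rate are peak rates for member flow";
                }
              }
              description "Hierarchical Metering model";
            }
          }  // list policer
        }  // container aggregate-policing
      }  // container two-rate
      // Empty case, as printed in this listing.
      case case_4 {
      }  // case case_4
    }  // choice rate-type-choice
  }  // grouping three-color-policer-type

  grouping three-color-policer-action {
    description "Action for three-color policer";
    leaf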
name {
      type enumeration {
        enum "high" {
          value 0;
          description "High loss priority";
        }
      }
      description "Loss priority for packet";
    }
    uses apply-advanced;
    // `discard` is the only action this grouping offers.
    container then {
      description "Action to take if the rate limits are exceeded";
      uses apply-advanced;
      leaf discard {
        type empty;
        description "Discard the packet";
      }
    }  // container then
  }  // grouping three-color-policer-action

  // Tunnel end point: a named entry with an L3 family (ipv6 or ipv4) and an
  // encapsulation (gre or gre-in-udp). Both are YANG choices, so at most one
  // container from each can be configured. Every container is a presence
  // container, so configuring it is meaningful even with no leaves set.
  grouping tunnel_end_point {
    description "Define a tunnel end point";
    leaf name {
      type string {
        // Going by the pattern-message, the leading `!` negates the
        // expression: names that start with `__` or are 65 or more characters
        // long are rejected.
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Tunnel end-point identifier (ASCII string)";
    }
    uses apply-advanced;
    choice l3-protocol {
      // In both families the source is an address type and the destination a
      // prefix type (jt:*addr vs jt:*prefix). Both types come from the
      // imported junos-common-types module and are not shown here.
      // NOTE(review): a prefix type presumably allows a mask shorter than a
      // host route -- confirm what the platform accepts before relying on the
      // destination being a single host.
      container ipv6 {
        presence "enable ipv6";
        description "Enter an IPv6 tunnel";
        uses apply-advanced;
        leaf source-address {
          type jt:ipv6addr;
          description "Tunnel source address";
        }
        leaf destination-address {
          type jt:ipv6prefix;
          description "Tunnel destination address";
        }
      }  // container ipv6
      container ipv4 {
        presence "enable ipv4";
        description "Enter an IPv4 tunnel";
        uses apply-advanced;
        leaf source-address {
          type jt:ipv4addr;
          description "Tunnel source address";
        }
        leaf destination-address {
          type jt:ipv4prefix;
          description "Tunnel destination address";
        }
      }  // container ipv4
    }  // choice l3-protocol
    choice tunnel-protocol {
      container gre {
        presence "enable gre";
        description "Tunnel is GRE";
        uses apply-advanced;
        // NOTE(review): the description calls this a key "for authentication".
        // The GRE Key field (RFC 2890) is a 32-bit value carried in cleartext
        // in the GRE header to identify a traffic flow; it provides no
        // cryptographic authentication, integrity or confidentiality. Do not
        // treat it as an access control: where the tunnel peer must be
        // authenticated, use IPsec or equivalent, and restrict the permitted
        // tunnel endpoints with filters.
        leaf key {
          type union {
            type uint32;
            type string {
              pattern "<.*>|$.*";
            }
          }
          description "Key for authentication";
        }
      }  // container gre
      container gre-in-udp {
        presence "enable gre-in-udp";
        description "Tunnel is GRE-in-UDP";
        uses apply-advanced;
        // Ports are a union: a uint32 limited to 0..65535 (port 0 is allowed
        // by the range) or a string matching "<.*>|$.*".
        leaf source-port {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "0 .. 65535";
            }
          }
          description "UDP source port";
        }
        leaf destination-port {
          type union {
            type string {
              pattern "<.*>|$.*";
            }
            type uint32 {
              range "0 .. 65535";
            }
          }
          description "UDP destination port";
        }
        // Same caveat as the `key` leaf under `gre`: this is a cleartext
        // identifier, not an authentication secret.
        leaf key {
          type union {
            type uint32;
            type string {
              pattern "<.*>|$.*";
            }
          }
          description "GRE key for authentication";
        }
      }  // container gre-in-udp
    }  // choice tunnel-protocol
  }  // grouping tunnel_end_point

  grouping vpls_filter {
    description "Define an VPLS firewall filter";
    leaf name {
      type string {
        junos:posix-pattern "!^((__.*)|(.{65,}))$";
        junos:pattern-message "Must be a non-reserved string of 64 characters or less";
      }
      description "Filter name";
    }
    uses apply-advanced;
    leaf-list accounting-profile {
      // NOTE(review): in this and the following junos:must statements the
      // inner double quotes are printed unescaped in this listing; a YANG
      // parser needs them written as \" for each argument to remain a single
      // string.
      junos:must "("accounting-options filter-profile")";
      junos:must-message "referenced accounting profile must be defined";
      type string;
      ordered-by user;
      description "Accounting profile name";
    }
    leaf interface-specific {
      type empty;
      description "Defined counters are interface specific";
    }
    leaf physical-interface-filter {
      type empty;
      description "Filter is physical interface filter";
    }
    list term {
      key "name";
      ordered-by user;
      description "Define a firewall term";
      leaf name {
        type string {
          junos:posix-pattern "!^((__.*)|(.{65,}))$";
          junos:pattern-message "Must be a non-reserved string of 64 characters or less";
        }
        description "Term name";
      }
      uses apply-advanced;
      leaf filter {
        junos:must "("firewall family vpls filter $$")";
        junos:must-message "Referenced filter is not defined";
        junos:must "((!(".. from") && !("..
then")))"; junos:must-message "Not compatible with 'from or then'"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Filter to include"; } container from { description "Define match criteria"; uses apply-advanced; choice interface-group_choice { leaf-list interface-group { type string; ordered-by user; description "Range of values"; } leaf-list interface-group-except { type string; ordered-by user; description "Range of values"; } } // choice interface-group_choice choice ether-type_choice { leaf-list ether-type { type string; ordered-by user; } leaf-list ether-type-except { type string; ordered-by user; } } // choice ether-type_choice choice vlan-ether-type_choice { leaf-list vlan-ether-type { type string; ordered-by user; } leaf-list vlan-ether-type-except { type string; ordered-by user; } } // choice vlan-ether-type_choice list destination-mac-address { key "name"; ordered-by user; description "Destination MAC address"; uses firewall_mac_addr_object; } // list destination-mac-address list source-mac-address { key "name"; ordered-by user; description "Source MAC address"; uses firewall_mac_addr_object; } // list source-mac-address choice forwarding-class_choice { leaf-list forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } leaf-list forwarding-class-except { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } ordered-by user; description "String name"; } } // choice forwarding-class_choice choice loss-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice loss-priority_choice choice learn-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-id_choice choice learn-vlan-1p-priority_choice { 
case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-1p-priority_choice choice user-vlan-id_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-id_choice choice user-vlan-1p-priority_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice user-vlan-1p-priority_choice choice learn-vlan-dei_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice learn-vlan-dei_choice choice traffic-type_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice traffic-type_choice choice ip-protocol_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ip-protocol_choice choice dscp_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice dscp_choice choice ip-precedence_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ip-precedence_choice choice source-port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice source-port_choice choice destination-port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice destination-port_choice choice port_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice port_choice choice icmp-code_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice icmp-code_choice choice icmp-type_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice icmp-type_choice list interface { key "name"; ordered-by user; description "Match interface name"; uses match_interface_object; } // list interface list interface-set { key "name"; ordered-by user; description "Match interface in set"; uses match_interface_set_object; } // list interface-set choice ipv6-next-header_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ipv6-next-header_choice choice 
ipv6-payload-protocol_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ipv6-payload-protocol_choice choice ipv6-traffic-class_choice { case case_1 { } // case case_1 case case_2 { } // case case_2 } // choice ipv6-traffic-class_choice choice policy-map_choice { leaf-list policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } leaf-list policy-map-except { junos:must "("class-of-service policy-map $$")"; junos:must-message "Undefined policy-map instance"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; length "1 .. 64"; } ordered-by user; description "String name"; } } // choice policy-map_choice } // container from container then { description "Action to take if the 'from' condition is matched"; uses apply-advanced; choice policer-choice { leaf policer { junos:must "(!("firewall policer $$ aggregate"))"; junos:must-message "Cannot attach a aggregate policer to filter"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of policer to use to rate-limit traffic"; } container three-color-policer { description "Police the packet using a three-color-policer"; uses apply-advanced; choice type-choice { leaf single-rate { junos:must "("firewall three-color-policer $$ single-rate")"; junos:must-message "Referenced single-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-rate three-color policer to use to rate-limit traffic"; } leaf 
single-packet-rate { junos:must "("firewall three-color-policer $$ single-packet-rate")"; junos:must-message "Referenced single-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of single-packet-rate three-color policer to use to rate-limit traffic"; } leaf two-rate { junos:must "("firewall three-color-policer $$ two-rate")"; junos:must-message "Referenced two-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-rate three-color policer to use to rate-limit traffic"; } leaf two-packet-rate { junos:must "("firewall three-color-policer $$ two-packet-rate")"; junos:must-message "Referenced two-packet-rate policer does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Name of two-packet-rate three-color policer to use to rate-limit traffic"; } } // choice type-choice } // container three-color-policer case case_3 { } // case case_3 } // choice policer-choice choice policy-map-choice { leaf clear-policy-map { type empty; description "Clear the policy marking"; } leaf policy-map { junos:must "("class-of-service policy-map $$")"; junos:must-message "referenced policy map must be defined"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Policy map action"; } } // choice policy-map-choice leaf count { type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Count the packet in the named counter"; } leaf loss-priority { type enumeration { enum "low" { value 0; description "Loss 
priority low"; } enum "high" { value 1; description "Loss priority high"; } enum "medium-low" { value 2; description "Loss priority medium-low"; } enum "medium-high" { value 3; description "Loss priority medium-high"; } } description "Packet's loss priority"; } leaf forwarding-class { type string { junos:posix-pattern "^.{1,64}$"; junos:pattern-message "Must be string of 64 characters or less"; } description "Classify packet to forwarding class"; } leaf port-mirror-instance { junos:must "("forwarding-options port-mirroring instance $$")"; junos:must-message "Referenced port-mirroring instance does not exist"; type string { junos:posix-pattern "!^((__.*)|(.{65,}))$"; junos:pattern-message "Must be a non-reserved string of 64 characters or less"; } description "Port-mirror the packet to specified instance"; } leaf port-mirror { junos:must "(!(".. port-mirror-instance"))"; junos:must-message "'port-mirror' and 'port-mirror-instance' are mutually exclusive"; junos:must "("forwarding-options port-mirroring")"; junos:must-message "Configure 'port-mirroring' under 'forwarding-options'"; type empty; description "Port-mirror the packet"; } choice designation { leaf accept { type empty; description "Accept the packet"; } leaf discard { type empty; description "Discard the packet"; } leaf next { type enumeration { enum "term" { value 0; description "Continue to next term in a filter"; } } description "Continue to next term in a filter"; } } // choice designation } // container then } // list term } // grouping vpls_filter } // module junos-es-conf-firewall