...

Warning

Certain bridge and Ethernet port properties are directly tied to switch chip settings. Changing such a property can trigger a switch chip reset, which temporarily disables all Ethernet ports on that switch chip while the new setting takes effect; take this into account whenever changing properties in a production environment. Such properties include DHCP Snooping, IGMP Snooping, VLAN filtering, L2MTU, Flow Control and others (exactly which settings trigger a switch chip reset depends on the device model).

...

VLAN Example - Trunk and Access Ports


Create a bridge with disabled vlan-filtering to avoid losing access to the device before VLANs are completely configured.

...

VLAN Example - Trunk and Hybrid Ports


Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured.

...

VLAN Example - InterVLAN Routing by Bridge


Create a bridge with disabled vlan-filtering to avoid losing access to the router before VLANs are completely configured:

...
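The three VLAN examples above (trunk and access ports, trunk and hybrid ports, inter-VLAN routing by the bridge) all follow the same order: create the bridge with vlan-filtering disabled, add the ports, fill in the VLAN table, then enable filtering last. The following is an added example that combines all three in one configuration; it is not the page's own configuration. The topology is assumed: ether1 is a trunk to an upstream switch, ether2 is an access port in VLAN 10, ether3 is a hybrid port (untagged VLAN 20, tagged VLAN 30), VLAN 99 is the management VLAN, and the IP addresses are constructed sample values.

```routeros
# Added example, not the page's own configuration. Assumed topology:
#   ether1 - trunk (tagged 10, 20, 30, 99) towards an upstream switch
#   ether2 - access port, untagged VLAN 10
#   ether3 - hybrid port, untagged VLAN 20 plus tagged VLAN 30
#   bridge1 - tagged member of every VLAN that is routed or used for management

# 1. Bridge with VLAN filtering disabled. A filtering bridge with an incomplete
#    VLAN table drops frames for VLANs it does not know, including the ones
#    carrying the management session, so filtering is enabled only at the end.
/interface bridge
add name=bridge1 vlan-filtering=no

# 2. Ports. pvid is the VLAN that untagged ingress frames are placed into.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20

# 3. VLAN table. bridge1 is listed as tagged wherever the router itself needs
#    a VLAN interface (routing or management); ether3 carries VLAN 30 tagged.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=ether1,bridge1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=ether1,ether3 vlan-ids=30
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99

# 4. VLAN interfaces on the bridge for inter-VLAN routing and management.
#    Addresses are constructed sample values.
/interface vlan
add name=vlan10 vlan-id=10 interface=bridge1
add name=vlan20 vlan-id=20 interface=bridge1
add name=vlan99 vlan-id=99 interface=bridge1
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
add address=192.168.99.1/24 interface=vlan99

# 5. Only now enable filtering, then confirm the table contains every VLAN
#    (dynamic entries derived from pvid appear in the print output).
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
```

Enabling vlan-filtering is one of the properties the warning above names as a possible switch chip reset trigger, so on production hardware expect the ports to go down briefly at step 5. Doing the whole sequence from a terminal in RouterOS Safe Mode means a lost management session rolls the configuration back instead of leaving the device unreachable.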

Property (type; Default) - Description
802.3-sap (integer; Default: ) - DSAP (Destination Service Access Point) and SSAP (Source Service Access Point) are two one-byte fields that identify the network protocol entities using the link-layer service. These bytes are always equal. Two hexadecimal digits may be specified here to match an SAP byte.
802.3-type (integer; Default: ) - Ethernet protocol type placed after the IEEE 802.2 frame header. Works only if 802.3-sap is 0xAA (SNAP, Sub-Network Attachment Point header). For example, AppleTalk can be indicated by the SAP code 0xAA followed by the SNAP type code 0x809B.
action (accept | drop | jump | log | mark-packet | passthrough | return | set-priority; Default: ) - Action to take if the packet is matched by the rule:
  • accept - accept the packet. The packet is not passed to the next firewall rule
  • drop - silently drop the packet
  • jump - jump to the user-defined chain specified by the value of jump-target parameter
  • log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
  • mark-packet - place a mark specified by the new-packet-mark parameter on a packet that matches the rule
  • passthrough - if the packet is matched by the rule, increase counter and go to next rule (useful for statistics)
  • return - passes control back to the chain from where the jump took place
  • set-priority - set the priority specified by the new-priority parameter on packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface)
arp-dst-address (IP address; Default: ) - ARP destination IP address.
arp-dst-mac-address (MAC address; Default: ) - ARP destination MAC address.
arp-gratuitous (yes | no; Default: ) - Matches gratuitous ARP packets.
arp-hardware-type (integer; Default: 1) - ARP hardware type. This is normally Ethernet (Type 1).
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-reply | inarp-request | reply | reply-reverse | request | request-reverse; Default: ) - ARP opcode (packet type):
  • arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
  • drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address can not be allocated
  • drarp-reply - Dynamic RARP reply, with a temporary IP address assignment for a host
  • drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC address
  • inarp-reply - InverseARP Reply
  • inarp-request - InverseARP Request
  • reply - standard ARP reply with a MAC address
  • reply-reverse - reverse ARP (RARP) reply with an IP address assigned
  • request - standard ARP request to a known IP address to find out unknown MAC address
  • request-reverse - reverse ARP (RARP) request to a known MAC address to find out the unknown IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP service)
arp-packet-type (integer 0..65535 | hex 0x0000-0xffff; Default: ) - ARP packet type.
arp-src-address (IP address; Default: ) - ARP source IP address.
arp-src-mac-address (MAC address; Default: ) - ARP source MAC address.
chain (text; Default: ) - Bridge firewall chain in which the filter operates (either a built-in one or a user-defined one).
dst-address (IP address; Default: ) - Destination IP address (only if MAC protocol is set to IP).
dst-mac-address (MAC address; Default: ) - Destination MAC address.
dst-port (integer 0..65535; Default: ) - Destination port number or range (only for TCP or UDP protocols).
in-bridge (name; Default: ) - Bridge interface through which the packet is coming in.
in-interface (name; Default: ) - Physical interface (i.e., bridge port) through which the packet is coming in.
in-interface-list (name; Default: ) - Set of interfaces defined in an interface list. Works the same as in-interface.
ingress-priority (integer 0..63; Default: ) - Matches the priority of an ingress packet. Priority may be derived from the VLAN, WMM, DSCP or MPLS EXP bits.
ip-protocol (dccp | ddp | egp | encap | etherip | ggp | gre | hmp | icmp | icmpv6 | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | ipv6 | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | iso-tp4 | l2tp | ospf | pim | pup | rdp | rspf | rsvp | sctp | st | tcp | udp | udp-lite | vmtp | vrrp | xns-idp | xtp; Default: ) - IP protocol (only if MAC protocol is set to IPv4):
  • dccp - Datagram Congestion Control Protocol
  • ddp - Datagram Delivery Protocol
  • egp - Exterior Gateway Protocol
  • encap - Encapsulation Header
  • etherip - Ethernet-within-IP Encapsulation
  • ggp - Gateway-to-Gateway Protocol
  • gre - Generic Routing Encapsulation
  • hmp - Host Monitoring Protocol
  • icmp - IPv4 Internet Control Message Protocol
  • icmpv6 - IPv6 Internet Control Message Protocol
  • idpr-cmtp - Inter-Domain Policy Routing Control Message Transport Protocol
  • igmp - Internet Group Management Protocol
  • ipencap - IP in IP (encapsulation)
  • ipip - IP-within-IP Encapsulation Protocol
  • ipsec-ah - IPsec Authentication Header
  • ipsec-esp - IPsec Encapsulating Security Payload
  • ipv6 - Internet Protocol version 6
  • ipv6-frag - Fragment Header for IPv6
  • ipv6-nonxt - No Next Header for IPv6
  • ipv6-opts - Destination Options for IPv6
  • ipv6-route - Routing Header for IPv6
  • iso-tp4 - ISO Transport Protocol Class 4
  • l2tp - Layer Two Tunneling Protocol
  • ospf - Open Shortest Path First
  • pim - Protocol Independent Multicast
  • pup - PARC Universal Packet
  • rdp - Reliable Data Protocol
  • rspf - Radio Shortest Path First
  • rsvp - Reservation Protocol
  • sctp - Stream Control Transmission Protocol
  • st - Internet Stream Protocol
  • tcp - Transmission Control Protocol
  • udp - User Datagram Protocol
  • udp-lite - Lightweight User Datagram Protocol
  • vmtp - Versatile Message Transaction Protocol
  • vrrp - Virtual Router Redundancy Protocol
  • xns-idp - Xerox Network Systems Internet Datagram Protocol
  • xtp - Xpress Transport Protocol
jump-target (name; Default: ) - If action=jump is specified, the user-defined firewall chain that will process the packet.
limit (integer/time,integer; Default: ) - Restricts the packet match rate to a given limit:
  • count - maximum average packet rate, measured in packets per second (pps), unless followed by the time option
  • time - the time interval over which the packet rate is measured
  • burst - number of packets to match in a burst
log-prefix (text; Default: ) - Prefix printed before the logging information.
mac-protocol (802.2 | arp | homeplug-av | ip | ipv6 | ipx | length | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan | integer 0..65535 | hex 0x0000-0xffff; Default: ) - Ethernet payload type (MAC-level protocol). To match the protocol type carried inside VLAN-encapsulated frames (0x8100 or 0x88a8), use the vlan-encap property instead:
  • 802.2 - 802.2 Frames (0x0004)
  • arp - Address Resolution Protocol (0x0806)
  • homeplug-av - HomePlug AV MME (0x88E1)
  • ip - Internet Protocol version 4 (0x0800)
  • ipv6 - Internet Protocol Version 6 (0x86DD)
  • ipx - Internetwork Packet Exchange (0x8137)
  • length - Packets with length field (0x0000-0x05DC)
  • lldp - Link Layer Discovery Protocol (0x88CC)
  • loop-protect - Loop Protect Protocol (0x9003)
  • mpls-multicast - MPLS multicast (0x8848)
  • mpls-unicast - MPLS unicast (0x8847)
  • packing-compr - Encapsulated packets with compressed IP packing (0x9001)
  • packing-simple - Encapsulated packets with simple IP packing (0x9000)
  • pppoe - PPPoE Session Stage (0x8864)
  • pppoe-discovery - PPPoE Discovery Stage (0x8863)
  • rarp - Reverse Address Resolution Protocol (0x8035)
  • service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
  • vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
out-bridge (name; Default: ) - Outgoing bridge interface.
out-interface (name; Default: ) - Interface through which the packet is leaving the bridge.
out-interface-list (name; Default: ) - Set of interfaces defined in an interface list. Works the same as out-interface.
packet-mark (name; Default: ) - Matches packets with a certain packet mark.
packet-type (broadcast | host | multicast | other-host; Default: ) - MAC frame type:
  • broadcast - broadcast MAC packet
  • host - packet is destined to the bridge itself
  • multicast - multicast MAC packet
  • other-host - packet is destined to some other unicast address, not to the bridge itself
src-address (IP address; Default: ) - Source IP address (only if MAC protocol is set to IPv4).
src-mac-address (MAC address; Default: ) - Source MAC address.
src-port (integer 0..65535; Default: ) - Source port number or range (only for TCP or UDP protocols).
stp-flags (topology-change | topology-change-ack; Default: ) - The BPDU (Bridge Protocol Data Unit) flags. Bridges periodically exchange configuration messages called BPDUs to prevent loops:
  • topology-change - topology change flag is set when a bridge detects port state change, to force all other bridges to drop their host tables and recalculate network topology
  • topology-change-ack - topology change acknowledgment flag is sent in replies to the notification packets
stp-forward-delay (integer 0..65535; Default: ) - Forward delay timer.
stp-hello-time (integer 0..65535; Default: ) - STP hello packet interval.
stp-max-age (integer 0..65535; Default: ) - Maximum STP message age.
stp-msg-age (integer 0..65535; Default: ) - STP message age.
stp-port (integer 0..65535; Default: ) - STP port identifier.
stp-root-address (MAC address; Default: ) - Root bridge MAC address.
stp-root-cost (integer 0..65535; Default: ) - Root bridge path cost.
stp-root-priority (integer 0..65535; Default: ) - Root bridge priority.
stp-sender-address (MAC address; Default: ) - STP message sender MAC address.
stp-sender-priority (integer 0..65535; Default: ) - STP sender priority.
stp-type (config | tcn; Default: ) - The BPDU type:
  • config - configuration BPDU
  • tcn - topology change notification
tls-host (string; Default: ) - Matches HTTPS traffic based on the TLS SNI hostname. Accepts GLOB syntax for wildcard matching. Note that the matcher cannot match the hostname if the TLS handshake record is fragmented across multiple TCP segments (packets).
vlan-encap (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan | integer 0..65535 | hex 0x0000-0xffff; Default: ) - Matches the MAC protocol type encapsulated in the VLAN frame.
vlan-id (integer 0..4095; Default: ) - Matches the VLAN identifier field.
vlan-priority (integer 0..7; Default: ) - Matches the VLAN priority (priority code point).
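The property table above describes matchers and actions in isolation; the following added example (not the page's own configuration) shows how several of them combine into a small bridge filter rule set that protects access ports in a VLAN-filtered bridge. It assumes the same hypothetical topology as the VLAN example (ether2 and ether3 are access-side ports, grouped in an interface list named "access"), a gateway at the constructed address 192.168.10.1 with the constructed MAC address 00:11:22:33:44:55, and relies on first-match rule ordering as documented for accept and drop.

```routeros
# Added example, not the page's own configuration. The interface list "access",
# the gateway IP 192.168.10.1 and the gateway MAC 00:11:22:33:44:55 are assumed.
/interface list
add name=access
/interface list member
add list=access interface=ether2
add list=access interface=ether3

/interface bridge filter
# 1. Rogue DHCP servers: DHCP server replies (UDP 67 -> 68) should only enter
#    the bridge from the uplink, never from an access port. "log" passes the
#    packet on to the next rule (like passthrough), so log first, then drop.
add chain=forward in-interface-list=access mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 action=log log-prefix="rogue-dhcp"
add chain=forward in-interface-list=access mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 action=drop

# 2. ARP spoofing of the gateway: accept ARP replies that claim the gateway IP
#    only when they carry the gateway MAC; because the accept rule is matched
#    first, the following drop rule only sees replies from any other MAC.
add chain=forward in-interface-list=access mac-protocol=arp arp-opcode=reply arp-src-address=192.168.10.1 arp-src-mac-address=00:11:22:33:44:55 action=accept
add chain=forward in-interface-list=access mac-protocol=arp arp-opcode=reply arp-src-address=192.168.10.1 action=log log-prefix="arp-spoof"
add chain=forward in-interface-list=access mac-protocol=arp arp-opcode=reply arp-src-address=192.168.10.1 action=drop

# 3. Tagged frames from untagged ports: an access port has no reason to send
#    802.1Q-tagged (0x8100) frames; mac-protocol=vlan matches the outer tag.
add chain=forward in-interface-list=access mac-protocol=vlan action=log log-prefix="tagged-on-access"
add chain=forward in-interface-list=access mac-protocol=vlan action=drop

# 4. Counters per rule show what is being hit; use them to verify the rules
#    before trusting them in production.
/interface bridge filter print stats
```

The ordering in section 2 is the point of the example: the matchers alone cannot express "any MAC except the gateway's", so the accept rule in front of the drop rule does it, exactly as the action table describes accept (stop processing) and drop (silently discard). Matching here happens in the forward chain, so the rules protect hosts behind the bridge; traffic addressed to the router itself would need the same matchers in the input chain.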

...