SRX Loopback is a stateless Juniper ACL with minor changes. Please see code for changes.
- action:: The action to take when matched. See Actions section for valid options.
- address:: One or more network address tokens, matches source or destination.
- comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
- counter:: Update a counter for matching packets
- destination-address:: One or more destination address tokens
- destination-exclude:: Exclude one or more address tokens from the specified destination-address
- destination-port:: One or more service definition tokens
- destination-prefix:: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
- destination-prefix_except:: Specify destination-prefix exception(TODO:cmas Fill in more).
- dscp_except:: Do not match the DSCP number.
- dscp_match:: Match a DSCP number.
- dscp_set:: Match a DSCP set.
- ether_type:: Match EtherType field.
- expiration:: stop rendering this term after specified date. YYYY-MM-DD
- forwarding-class:: Specify the forwarding class to match.
- forwarding-class_except:: Do not match the specified forwarding classes.
- fragement-offset:: specify a fragment offset of a fragmented packet
- hop-limit:: Match the hop limit to the specified hop limit or set of hop limits.
- icmp-code:: Specifies the ICMP code to filter on.
- icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
- logging:: Specify that this packet should be logged via syslog.
- loss-priority:: Specify loss priority.
- name:: Name of the term.
- next-ip:: Used in filter based forwarding.
- option:: See platforms supported Options section.
- owner:: Owner of the term, used for organizational purposes.
- packet-length:: specify packet length.
- platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
- policer:: specify which policer to apply to matching packets.
- port:: Matches on source or destination ports. Takes a service token.
- precedence:: specify precedence of range 0-7. May be a single integer, or a space separated list.
- protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
- protocol_except:: allow all protocol "except" specified.
- qos:: apply quality of service classification to matching packets (e.g. qos:: af4)
- routing-instance:: specify routing instance for matching packets.
- source-address:: one or more source address tokens.
- source-exclude:: exclude one or more address tokens from the specified source-address.
- source-port:: one or more service definition tokens.
- source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
- source-prefix-except:: specify destination-prefix exception(TODO:cmas Fill in more).
- traffic-class-count::
- traffic-type:: specify traffic-type
- ttl:: Matches on TTL.
- verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
- accept
- deny
- next
- reject
- reject-with-tcp-rst
- .*:: wat
- established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
- first-fragment:: Only match on first fragment of a fragmented pakcet.
- sample:: Samples traffic for netflow.
- tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
- tcp-initial:: Only match initial packet for TCP protocol.