Policy format

Introduction

The access control policy describes the desired network security policy through the use of a high-level language that uses keywords and tokens. Tokens are derived from the naming libraries import of definition files.

Basic Policy File Format

A policy file consists of one or more filters, with each filter containing one or more terms. Each term specifies basic network filter information, such as addresses, ports, protocols and actions.

A policy file consists of one or more header sections, with each header section being followed by one or more terms.

A header section is typically used to specify a filter for a given direction, such as an INPUT filter on Iptables. A second header section will typically be included in the policy to specify the OUTPUT filter.

In addition, the policy language support "include files" which inject the text from the included file into the policy at the specified location. For more details, see the Includes section.

Header Section

Each filter is identified with a header section. The header section is used to define the type of filter, a descriptor or name, direction (if applicable) and format (ipv4/ipv6).

For example, the following simple header defines a filter that can generate output for 'juniper', 'cisco' and 'iptables' formats.

header {
  comment:: "Example header for juniper and iptables filter."
  target:: juniper edge-filter
  target:: speedway INPUT
  target:: iptables INPUT
  target:: cisco edge-filter
}

Notice that the first target has 2 arguments: "juniper" and "edge_filter". The first argument specifies that the filter can be rendered for Juniper JCLs, and that the output filter should be called "edge_filter".

The second target also has 2 arguments: "speedway" and "INPUT". Since Speedway/Iptables has specific inherent filters, such as INPUT, OUTPUT and FORWARD, the target specification for iptables usually points to one of these filters although a custom chain can be specified (usually for combining with other filters rules through the use of a jump from one of the default filters)

Likewise, the 4th target, "cisco" simply specifies the name of the access control list to be generated.

Each target platform may have different possible arguments, which are detailed in the following subsections.

Terms Section

Terms defines access control rules within a filter. Once the filter is defined in the header sections, it is followed by one or more terms. Terms are enclosed in brackets and use keywords to specify the functionality of a specific access control.

A term section begins with the keyword term, followed by a term name. Opening and closing brackets follow, which include the keywords and tokens to define the matching and action of the access control term.

The keywords fall into two categories, those are are required to be supported by all output generators, and those that are optionally supported by each generator. Optional keywords are intended to provide additional flexibility when developing policies on a single target platform.

WARNING: When developing filters that are intended to be rendered across multiple generators (cisco, iptables & juniper for example) it is strongly recommended to only use required keyword tokens in the policy terms. This will help ensure each platform's rendered filter will contain compatible security policies.

Arista

The arista header designation has the following format:

target:: arista [filter name] {standard|extended|object-group|inet6}

• filter name: defines the name of the arista filter.
• standard: specifies that the output should be a standard access list
• extended: specifies that the output should be an extended access list
• object-group: specifies this is a arista extended access list, and that object-groups should be used for ports and addresses.
• inet6: specifies the output be for IPv6 only filters.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• address:: One or more network address tokens, matches source or destination.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• dscp_match:: Match a DSCP number.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• is-fragment:: Matches on if a packet is a fragment.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.

Aruba

The aruba header designation has the following format:

target:: aruba [filter name] {ipv6}

• filter name: defines the name of the arista filter.
• ipv6: specifies the output be for IPv6 only filters.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• name:: Name of the term.
• option:: See platforms supported Options section.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny

Option

• destination-is-user:: Aruba option to specify that the destination should be a user.
• negate:: Used with DSM summarizer, negates the DSM.
• source-is-user:: Aruba option to specify that the source should be a user.

Brocade

See Cisco

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• address:: One or more network address tokens, matches source or destination.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• dscp_match:: Match a DSCP number.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• is-fragment:: Matches on if a packet is a fragment.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.

Cisco

The cisco header designation has the following format:

target:: cisco [filter name] {extended|standard|object-group|inet6|mixed} {dsmo}

• filter name: defines the name or number of the cisco filter.
• extended: specifies that the output should be an extended access list, and the filter name should be non-numeric. This is the default option.
• standard: specifies that the output should be a standard access list, and the filter name should be numeric and in the range of 1-99.
• object-group: specifies this is a cisco extended access list, and that object-groups should be used for ports and addresses.
• inet6: specifies the output be for IPv6 only filters.
• mixed: specifies output will include both IPv6 and IPv4 filters.
• dsmo: Enable discontinuous subnet mask summarization.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses.

The default format is inet4, and is implied if not other argument is given.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• address:: One or more network address tokens, matches source or destination.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• dscp_match:: Match a DSCP number.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• is-fragment:: Matches on if a packet is a fragment.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.

CiscoASA

The ciscoasa header designation has the following format:

target:: ciscoasa [filter name]

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.

CiscoXR

See Cisco

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• address:: One or more network address tokens, matches source or destination.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• dscp_match:: Match a DSCP number.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• is-fragment:: Matches on if a packet is a fragment.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.

GCE

The GCE header designation has the following format:

target:: gce [filter name] [direction]

• filter name: defines the name of the gce filter.
• direction: defines the direction, valid inputs are INGRESS and EGRESS (default:INGRESS)

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• destination_tag:: Tag name to be used for destination filtering.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• priority Relative priority of rules when evaluated on the platform.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• source-tag:: Tag name used for source filtering.

Sub Tokens

Actions

• accept
• deny

Ipset

Ipset is a system inside the Linux kernel, which can very efficiently store and match IPv4 and IPv6 addresses. This can be used to dramatically increase performance of iptables firewall.

The Ipset header designation follows the Iptables format above, but uses the target platform of 'ipset':

target:: ipset [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• counter:: Update a counter for matching packets
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-interface:: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
• destination-port:: One or more service definition tokens
• destination-prefix:: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• fragement-offset:: specify a fragment offset of a fragmented packet
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• packet-length:: specify packet length.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• routing-instance:: specify routing instance for matching packets.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-interface:: specify specific interface a term should apply to (e.g. source-interface:: eth3).
• source-port:: one or more service definition tokens.
• source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• ack:: Match on ACK flag being present.
• all:: Matches all protocols.
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• fin:: Match on FIN flag being present.
• first-fragment:: Only match on first fragment of a fragmented pakcet.
• initial:: Only matches on initial packet.
• is-fragment:: Matches on if a packet is a fragment.
• none:: Matches none.
• psh:: Match on PSH flag being present.
• rst:: Match on RST flag being present.
• sample:: Samples traffic for netflow.
• syn:: Match on SYN flag being present.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.
• urg:: Match on URG flag being present.

Iptables

NOTE: Iptables produces output that must be passed, line by line, to the 'iptables/ip6tables' command line. For 'iptables-restore' compatible output, please use the Speedway generator.

The Iptables header designation has the following format:

target:: iptables [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}

• INPUT: apply the terms to the input filter.
• OUTPUT: apply the terms to the output filter.
• FORWARD: apply the terms to the forwarding filter.
• custom: create the terms under a custom filter name, which must then be linked/jumped to from one of the default filters (e.g. iptables -A input -j custom)
• ACCEPT: specifies that the default policy on the filter should be 'accept'.
• DROP: specifies that the default policy on the filter should be to 'drop'.
• inet: specifies that the resulting filter should only render IPv4 addresses.
• inet6: specifies that the resulting filter should only render IPv6 addresses.
• truncatenames: specifies to abbreviate term names if necessary (see lib/iptables.py:CheckTerMLength for abbreviation table) *nostate: specifies to produce 'stateless' filter output (e.g. no connection tracking)

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• counter:: Update a counter for matching packets
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-interface:: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
• destination-port:: One or more service definition tokens
• destination-prefix:: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• fragement-offset:: specify a fragment offset of a fragmented packet
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• packet-length:: specify packet length.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• routing-instance:: specify routing instance for matching packets.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-interface:: specify specific interface a term should apply to (e.g. source-interface:: eth3).
• source-port:: one or more service definition tokens.
• source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• ack:: Match on ACK flag being present.
• all:: Matches all protocols.
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• fin:: Match on FIN flag being present.
• first-fragment:: Only match on first fragment of a fragmented pakcet.
• initial:: Only matches on initial packet.
• is-fragment:: Matches on if a packet is a fragment.
• none:: Matches none.
• psh:: Match on PSH flag being present.
• rst:: Match on RST flag being present.
• sample:: Samples traffic for netflow.
• syn:: Match on SYN flag being present.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.
• urg:: Match on URG flag being present.

Juniper

The juniper header designation has the following format:

target:: juniper [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific}

• filter name: defines the name of the juniper filter.
• inet: specifies the output should be for IPv4 only filters. This is the default format.
• inet6: specifies the output be for IPv6 only filters.
• bridge: specifies the output should render a Juniper bridge filter.
• dsmo: Enable discontinuous subnet mask summarization.
• not-interface-specific: Toggles "interface-specific" inside of a term.

When inet4 or inet6 is specified, naming tokens with both IPv4 and IPv6 filters will be rendered using only the specified addresses.

The default format is inet4, and is implied if not other argument is given.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• address:: One or more network address tokens, matches source or destination.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• counter:: Update a counter for matching packets
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• destination-prefix:: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
• destination-prefix_except:: Specify destination-prefix exception(TODO:cmas Fill in more).
• dscp_except:: Do not match the DSCP number.
• dscp_match:: Match a DSCP number.
• dscp_set:: Match a DSCP set.
• ether_type:: Match EtherType field.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• _flexible-match-range Filter based on flexible match options.
• forwarding-class:: Specify the forwarding class to match.
• forwarding-class_except:: Do not match the specified forwarding classes.
• fragement-offset:: specify a fragment offset of a fragmented packet
• hop-limit:: Match the hop limit to the specified hop limit or set of hop limits.
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• loss-priority:: Specify loss priority.
• name:: Name of the term.
• next-ip:: Used in filter based forwarding.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• packet-length:: specify packet length.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• policer:: specify which policer to apply to matching packets.
• port:: Matches on source or destination ports. Takes a service token.
• precedence:: specify precedence of range 0-7. May be a single integer, or a space separated list.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• protocol_except:: allow all protocol "except" specified.
• qos:: apply quality of service classification to matching packets (e.g. qos:: af4)
• routing-instance:: specify routing instance for matching packets.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
• source-prefix-except:: specify destination-prefix exception(TODO:cmas Fill in more).
• traffic-class-count::
• traffic-type:: specify traffic-type
• ttl:: Matches on TTL.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• .*:: wat
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• first-fragment:: Only match on first fragment of a fragmented pakcet.
• sample:: Samples traffic for netflow.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.

JuniperSRX

Note: The Juniper SRX generator is currently in beta testing.

target:: srx from-zone [zone name] to-zone [zone name] {inet}

• from-zone: static keyword, followed by user specified zone
• to-zone: static keyword, followed by user specified zone
• inet: Address family (only IPv4 tested at this time)

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• dscp_except:: Do not match the DSCP number.
• dscp_match:: Match a DSCP number.
• dscp_set:: Match a DSCP set.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that these packets should be logged.
  • Based on the input value the resulting logging actions will follow this logic:
    • action is 'accept':
      • logging is 'true': resulting SRX output will be 'log { session-close; }'
      • logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
    • action is 'deny':
      • logging is 'true': resulting SRX output will be 'log { session-init; }'
      • logging is 'log-both': resulting SRX output will be 'log { session-init; session-close; }'
    • See here for explanation.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• timeout:: specify application timeout. (default 60)
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
• vpn:: Encapsulate outgoing IP packets and decapsulate incomfing IP packets.

Sub Tokens

Actions

• accept
• count
• deny
• dscp
• log
• reject

Nftables

The NFTables header designation has the following format:

target:: nftables [chain name] [filter name] [priority] [inet|inet6]

• chain name: defines the name of the nftables chain.
• filter name: defines the name of the nftables filter.
• priority: defines the integer of the nftables chain priority.
• inet: specifies that the resulting filter should only render IPv4 addresses.
• inet6: specifies that the resulting filter should only render IPv6 addresses.

NOTE: all of these fields are required.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• counter:: Update a counter for matching packets
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• log-name:: Name of log to log to.
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Nsxv

The nsxv header designation has the following format:

target:: nsxv {section_name} {inet|inet6|mixed} section-id securitygroup securitygroupId

• section_name: specifies the name of the section all terms in this header apply to. [mandatory field]
• inet: specifies the output should be for IPv4 only filters. This is the default format.
• inet6: specifies the output be for IPv6 only filters.
• mixed: specifies that the resulting filter should render both IPv4 and IPv6 addresses.
• sectionId: specifies the Id for the section [optional]
• securitygroup: specifies that the appliedTo should be security group [optional]
• securitygroupId: specifies the Id of the security group [mandatory if securitygroup is given]

(Required keywords option and verbatim are not supported in NSX)

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• reject
• reject-with-tcp-rst

PacketFilter

Note: The PF generator is currently in alpha testing. The output should be compatible with OpenBSD v4.7 PF and later.

target:: packetfilter {inet|inet6|mixed}

• inet: specifies that the resulting filter should only render IPv4 addresses.
• inet6: specifies that the resulting filter should only render IPv6 addresses.
• mixed: specifies that the resulting filter should only render IPv4 and IPv6 addresses (default).

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject

Option

• ack:: Match on ACK flag being present.
• all:: Matches all protocols.
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• fin:: Match on FIN flag being present.
• is-fragment:: Matches on if a packet is a fragment.
• psh:: Match on PSH flag being present.
• rst:: Match on RST flag being present.
• syn:: Match on SYN flag being present.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• urg:: Match on URG flag being present.

PaloAltoFW

target:: paloalto from-zone [zone name] to-zone [zone name]

• _from-zone: static keyword, followed by user specified zone
• _to-zone: static keyword, followed by user specified zone

Terms Section

Optionally Supported Keywords

• _pan-application:: paloalto only, specify a Palo Alto application.

The application needs to already be existing on the device.

If an "application" is defined, but no "service", service will default to "application-default".

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• owner:: Owner of the term, used for organizational purposes.
• pan-application:: Specify a Palo Alto application. Application must be defined on device.
• platform:: one or more target platforms for which this term should ONLY be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-port:: one or more service definition tokens.
• timeout:: specify application timeout. (default 60)

Sub Tokens

Actions

• accept
• count
• deny
• log
• reject

PcapFilter

FILL ME IN

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.

Sub Tokens

Actions

• accept
• deny
• next
• reject

Option

• ack:: Match on ACK flag being present.
• all:: Matches all protocols.
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• fin:: Match on FIN flag being present.
• is-fragment:: Matches on if a packet is a fragment.
• none:: Matches none.
• psh:: Match on PSH flag being present.
• rst:: Match on RST flag being present.
• syn:: Match on SYN flag being present.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• urg:: Match on URG flag being present.

Speedway

NOTE: Speedway produces Iptables filtering output that is suitable for passing to the 'iptables-restore' command.

The Speedway header designation has the following format:

target:: speedway [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}

• INPUT: apply the terms to the input filter.
• OUTPUT: apply the terms to the output filter.
• FORWARD: apply the terms to the forwarding filter.
• custom: create the terms under a custom filter name, which must then be linked/jumped to from one of the default filters (e.g. iptables -A input -j custom)
• ACCEPT: specifies that the default policy on the filter should be 'accept'.
• DROP: specifies that the default policy on the filter should be to 'drop'.
• inet: specifies that the resulting filter should only render IPv4 addresses.
• inet6: specifies that the resulting filter should only render IPv6 addresses.
• truncatenames: specifies to abbreviate term names if necessary (see lib/iptables.py: CheckTermLength for abbreviation table)
• nostate: specifies to produce 'stateless' filter output (e.g. no connection tracking)

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• counter:: Update a counter for matching packets
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-interface:: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
• destination-port:: One or more service definition tokens
• destination-prefix:: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• fragement-offset:: specify a fragment offset of a fragmented packet
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• name:: Name of the term.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• packet-length:: specify packet length.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• routing-instance:: specify routing instance for matching packets.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-interface:: specify specific interface a term should apply to (e.g. source-interface:: eth3).
• source-port:: one or more service definition tokens.
• source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• ack:: Match on ACK flag being present.
• all:: Matches all protocols.
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• fin:: Match on FIN flag being present.
• first-fragment:: Only match on first fragment of a fragmented pakcet.
• initial:: Only matches on initial packet.
• is-fragment:: Matches on if a packet is a fragment.
• none:: Matches none.
• psh:: Match on PSH flag being present.
• rst:: Match on RST flag being present.
• sample:: Samples traffic for netflow.
• syn:: Match on SYN flag being present.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.
• urg:: Match on URG flag being present.

SRXlo

SRX Loopback is a stateless Juniper ACL with minor changes. Please see code for changes.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• address:: One or more network address tokens, matches source or destination.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• counter:: Update a counter for matching packets
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• destination-prefix:: Specify destination-prefix matching (e.g. source-prefix:: configured-neighbors-only)
• destination-prefix_except:: Specify destination-prefix exception(TODO:cmas Fill in more).
• dscp_except:: Do not match the DSCP number.
• dscp_match:: Match a DSCP number.
• dscp_set:: Match a DSCP set.
• ether_type:: Match EtherType field.
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• forwarding-class:: Specify the forwarding class to match.
• forwarding-class_except:: Do not match the specified forwarding classes.
• fragement-offset:: specify a fragment offset of a fragmented packet
• hop-limit:: Match the hop limit to the specified hop limit or set of hop limits.
• icmp-code:: Specifies the ICMP code to filter on.
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• logging:: Specify that this packet should be logged via syslog.
• loss-priority:: Specify loss priority.
• name:: Name of the term.
• next-ip:: Used in filter based forwarding.
• option:: See platforms supported Options section.
• owner:: Owner of the term, used for organizational purposes.
• packet-length:: specify packet length.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• policer:: specify which policer to apply to matching packets.
• port:: Matches on source or destination ports. Takes a service token.
• precedence:: specify precedence of range 0-7. May be a single integer, or a space separated list.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• protocol_except:: allow all protocol "except" specified.
• qos:: apply quality of service classification to matching packets (e.g. qos:: af4)
• routing-instance:: specify routing instance for matching packets.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.
• source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
• source-prefix-except:: specify destination-prefix exception(TODO:cmas Fill in more).
• traffic-class-count::
• traffic-type:: specify traffic-type
• ttl:: Matches on TTL.
• verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

• accept
• deny
• next
• reject
• reject-with-tcp-rst

Option

• .*:: wat
• established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
• first-fragment:: Only match on first fragment of a fragmented pakcet.
• sample:: Samples traffic for netflow.
• tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
• tcp-initial:: Only match initial packet for TCP protocol.

WindowsAdvFirewall

The Windows Advanced Firewall header designation has the following format:

target:: windows_advfirewall {out|in} {inet|inet6|mixed}

• out: Specifies that the direction of packet flow is out. (default)
• in: Specifies that the direction of packet flow is in.
• inet: specifies that the resulting filter should only render IPv4 addresses.
• inet6: specifies that the resulting filter should only render IPv6 addresses.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
• name:: Name of the term.
• option:: See platforms supported Options section.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.

Sub Tokens

Actions

• accept
• deny

WindowsIPSec

The Windows IPSec header designation has the following format:

target:: windows_advfirewall [filter_name]

• filter name: defines the name of the Windows IPSec filter.

Term Format

• action:: The action to take when matched. See Actions section for valid options.
• comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
• destination-address:: One or more destination address tokens
• destination-exclude:: Exclude one or more address tokens from the specified destination-address
• destination-port:: One or more service definition tokens
• expiration:: stop rendering this term after specified date. YYYY-MM-DD
• name:: Name of the term.
• option:: See platforms supported Options section.
• platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
• protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
• source-address:: one or more source address tokens.
• source-exclude:: exclude one or more address tokens from the specified source-address.
• source-port:: one or more service definition tokens.

Sub Tokens

Actions

• accept
• deny

Term Examples

The following are examples of how to construct a term, and assumes that naming definition tokens used have been defined in the definitions files.

Block incoming bogons and spoofed traffic

term block-bogons {
  source-address:: BOGONS RFC1918
  source-address:: COMPANY_INTERNAL
  action:: deny

Permit Public to Web Servers

term permit-to-web-servers {
  destination-address:: WEB_SERVERS
  destination-port:: HTTP
  protocol:: tcp
  action:: accept
}

Permit Replies to DNS Servers From Primaries

term permit-dns-tcp-replies {
  source-address:: DNS_PRIMARIES
  destination-address:: DNS_SECONDARIES
  source-address:: DNS
  protocol:: tcp
  option:: tcp-established
  action:: accept
}

Permit All Corporate Networks, Except New York, to FTP Server

This will "subtract" the CORP_NYC_NETBLOCK from the CORP_NETBLOCKS token. For example, assume CORP_NETBLOCKS includes 200.0.0.0/20, and CORP_NYC_NETBLOCK is defined as 200.2.0.0/24. The source-exclude will remove the NYC netblock from the permitted source addresses. If the excluded address is not contained with the source address, nothing is changed.

term allow-inbound-ftp-from-corp {
  source-address:: CORP_NETBLOCKS
  source-exclude:: CORP_NYC_NETBLOCK
  destination-port:: FTP
  protocol:: tcp
  action:: accept
}

Includes

The policy language supports the use of #include statements. An include can be used to avoid duplication of commonly used text, such as a group of terms that permit or block specific types of traffic.

An include directive will result in the contents of the included file being injected into the current policy at the exact location of the include directive.

The include directive has the following format:

...
#include 'policies/includes/untrusted-networks-blocking.inc'
...

The .inc file extension and "include" directory path are not required, but typically used to help differentiate from typical policy files.

Example Policy File

Below is an example policy file for a Juniper target platform. It contains two filters, each with a handful of terms. This examples assumes that the network and service naming definition tokens have been defined.

header {
  comment:: "edge input filter for sample network."
  target:: juniper edge-inbound
}
term discard-spoofs {
  source-address:: RFC1918
  action:: deny
}
term permit-ipsec-access {
  source-address:: REMOTE_OFFICES
  destination-address:: VPN_HUB
  protocol:: 50
  action:: accept
}
term permit-ike-access {
  source-address:: REMOTE_OFFICES
  destination-address:: VPN_HUB
  protocol:: udp
  destination-port:: IKE
  action:: accept
}
term permit-public-web-access {
  destination-address:: WEB_SERVERS
  destination-port:: HTTP HTTPS HTTP_8080
  protocol:: tcp
  action:: accept
}
term permit-tcp-replies {
  option:: tcp-established
  action:: accept
}
term default-deny {
  action:: deny
}

header {
  comment:: "edge output filter for sample network."
  target:: juniper edge-outbound
}
term drop-internal-sourced-outbound {
  destination-address:: INTERNAL
  destination-address:: RESERVED
  action:: deny
}
term reject-internal {
  source-address:: INTERNAL
  action:: reject
}
term default-accept {
  action:: accept
}

ICMP TYPES

The following are the list of icmp-type specifications which can be used with the 'icmp-type::' policy token.

IPv4

• echo-reply
• unreachable
• source-quench
• redirect
• alternate-address
• echo-request
• router-advertisement
• router-solicitation
• time-exceeded
• parameter-problem
• timestamp-request
• timestamp-reply
• information-request
• information-reply
• mask-request
• mask-reply
• conversion-error
• mobile-redirect

IPv6

• destination-unreachable
• packet-too-big
• time-exceeded
• parameter-problem
• echo-request
• echo-reply
• multicast-listener-query
• multicast-listener-report
• multicast-listener-done
• router-solicit
• router-advertisement
• neighbor-solicit
• neighbor-advertisement
• redirect-message
• router-renumbering
• icmp-node-information-query
• icmp-node-information-response
• inverse-neighbor-discovery-solicitation
• inverse-neighbor-discovery-advertisement
• version-2-multicast-listener-report
• home-agent-address-discovery-request
• home-agent-address-discovery-reply
• mobile-prefix-solicitation
• mobile-prefix-advertisement
• certification-path-solicitation
• certification-path-advertisement
• multicast-router-advertisement
• multicast-router-solicitation
• multicast-router-termination