if-match tcp-flags

Function

The if-match tcp-flags command configures a filtering rule based on the TCP flag value.

The undo if-match tcp-flags command deletes the filtering rule based on the TCP flag value.

By default, no filtering rule based on the TCP flag value is configured.

Format

if-match tcp-flags { not | match | any-match } tcp-flags-value

undo if-match tcp-flags

undo if-match tcp-flags { not | match | any-match } tcp-flags-value

Parameters

| Parameter | Description | Value |
|---|---|---|
| not | Matching succeeds if (data & tcp-flags-value) == 0, where data is the TCP flag value carried in the TCP packet header. That is, none of the specified flag bits is set in the packet. | - |
| match | Matching succeeds if (data & tcp-flags-value) == tcp-flags-value, where data is the TCP flag value carried in the TCP packet header. That is, all of the specified flag bits are set in the packet. | - |
| any-match | Matching succeeds if (data & tcp-flags-value) is non-zero (TRUE), where data is the TCP flag value carried in the TCP packet header. That is, at least one of the specified flag bits is set in the packet. | - |
| tcp-flags-value | Specifies the TCP flag value. | The value is an integer ranging from 0 to 63. |

Views

Flow-Route IPv6 VPN instance view, Flow-Route VPN instance view, Flow-Route-IPv6 view, Flow-Route view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| flow-route | write |

Usage Guidelines

Usage Scenario

Network attackers may send a large number of invalid TCP packets to attack network devices. To control such packets and ensure communication security, run the if-match tcp-flags command to configure a filtering rule based on the TCP flag for the BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route. Traffic that matches the filtering rule is handled with the action specified by the apply clause.

Prerequisites

A static BGP (IPv6) Flow Specification route or BGP (IPv6) VPN Flow Specification route has been created using the flow-route command in the system view.

Precautions

If the same tcp-flags-value is specified in the if-match tcp-flags not, if-match tcp-flags match, and if-match tcp-flags any-match commands, the command configured later overrides the one configured earlier.

A maximum of five filtering rules based on the TCP flag can be configured for a BGP Flow Specification route.

Example

# Configure a filtering rule that is based on the TCP flag value for the static BGP IPv6 Flow Specification route Rule 1.
<HUAWEI> system-view
[~HUAWEI] flow-route Rule1 ipv6
[*HUAWEI-flow-route-ipv6] if-match tcp-flags any-match 25
# Configure a filtering rule that is based on the TCP flag value for the static BGP Flow Specification route Rule 1.
<HUAWEI> system-view
[~HUAWEI] flow-route Rule1
[*HUAWEI-flow-route] if-match tcp-flags match 25
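
The following is an added illustration, not part of the vendor documentation or device software. It evaluates the three operators against constructed sample packets using the value 25 from the examples above, so the difference between match 25 and any-match 25 is visible before a rule is committed. The flag names assume that tcp-flags-value follows the standard TCP header bit order (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32); the function names and sample packets are hypothetical.

```python
# Added illustration; not vendor code. Bit names assume tcp-flags-value uses
# the standard TCP header flag bit order (an assumption, not stated on the page).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def decode_flags(value):
    """Return the flag names set in a flags byte or a tcp-flags-value."""
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def rule_matches(operator, tcp_flags_value, data):
    """Evaluate one if-match tcp-flags rule against a packet's flag bits."""
    if not 0 <= tcp_flags_value <= 63:
        raise ValueError("tcp-flags-value must be an integer from 0 to 63")
    masked = data & tcp_flags_value
    if operator == "not":          # none of the selected bits is set
        return masked == 0
    if operator == "match":        # all of the selected bits are set
        return masked == tcp_flags_value
    if operator == "any-match":    # at least one selected bit is set
        return masked != 0
    raise ValueError(f"unknown operator: {operator}")


# Constructed sample packets: label -> flag bits from the TCP header.
SAMPLE_PACKETS = {
    "SYN": 0x02,
    "SYN+ACK": 0x12,
    "ACK": 0x10,
    "FIN+ACK": 0x11,
    "FIN+PSH+ACK": 0x19,
    "FIN+PSH+URG": 0x29,
    "no flags": 0x00,
}


def evaluate(operator, tcp_flags_value):
    """Return the labels of the sample packets that the rule matches."""
    return [label for label, data in SAMPLE_PACKETS.items()
            if rule_matches(operator, tcp_flags_value, data)]


if __name__ == "__main__":
    print("25 =", "+".join(decode_flags(25)))
    for op in ("not", "match", "any-match"):
        print(f"if-match tcp-flags {op} 25 ->", evaluate(op, 25))
```

With value 25, any-match also selects ordinary ACK and SYN+ACK packets, whereas match selects only packets carrying FIN, PSH and ACK together. A value of 0 makes match and not succeed for every packet and any-match for none.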
Copyright © Huawei Technologies Co., Ltd.