This KB explains why a commit fails when an arbitrary value is entered in the ip-options field of a firewall filter term.
Commit fails:
Lab_Router# commit check
dfwc: dfwc_bitfield: "82" is an invalid option
error: configuration check-out failed
This is caused by the fix for PR/516778. The goal of that fix was to remove inconsistent behavior: before the fix, any value could be entered, but if it was not one of the supported values it was silently ignored.
What are IP Options?
====================
IP Options are values carried in the IP header that address some routing concerns when a router parses a packet. In a firewall filter, in place of the numeric value you can specify one of the following text synonyms (the field values are also listed): any, loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68).
All other options are deemed malicious and are dropped by default, regardless of their option number.
What can we specify as an IP-Options value?
===========================================
To understand this issue better, let's say we specify an arbitrary value in the ip-options field:
[edit firewall family inet]
Lab_Router# show
filter gre_ingress {
    term tcp-syn-control {
        from {
            protocol tcp;
            tcp-flags "(syn & !ack) | fin | rst";
        }
        then next term;
    }
    term block-frags {
        from {
            is-fragment;
            protocol icmp;
        }
        then {
            syslog;
            discard;
        }
    }
    term block-old-traceroute {
        from {
            protocol udp;
            destination-port 33400-34400;
        }
        then {
            log;
            syslog;
            discard;
        }
    }
    term block-new-traceroute {
        from {
            ip-options 82;    <<<<<<<<<<<<<<<<<<<<< 82 Value has been specified.
        }
        then {
            log;
            syslog;
            discard;
        }
    }
    term icmp-in-good {
        from {
            protocol icmp;
            icmp-type [ echo-request echo-reply time-exceeded unreachable ];
        }
        then accept;
    }
    term block-icmp {
        from {
            protocol icmp;
        }
        then {
            log;
            syslog;
            discard;
        }
    }
}
Because 82 is not one of the accepted ip-options values, the commit is not allowed and fails:
[edit firewall family inet filter gre_ingress term block-new-traceroute]
Lab_Router# commit check
dfwc: dfwc_bitfield: "82" is an invalid option
error: configuration check-out failed
Lab_Router#
The commit failure and its message are correct, as ip-options 82 is not one of the supported options. The CLI help output on the possible options, shown below, matches the implementation. This is day-one behavior:
Lab_Router# set firewall filter opt82 term t2 from ip-options ?
Possible completions:
Range of values
[ Open a set of values
any Any IP option
loose-source-route Loose source route
route-record Route record
router-alert Router alert
security Security
stream-id Stream ID
strict-source-route Strict source route
timestamp Timestamp
[edit]
Lab_Router# set firewall filter opt82 term t2 from ip-options
Hence the commit is rejected. For the ip-options match, in place of the numeric value you can specify one of the following text synonyms (the field values are also listed): any, loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136), strict-source-route (137), or timestamp (68).
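The following Python is an added illustration, not Junos code or anything from the KB: it mimics the single-value commit check described above against the option set the KB lists (ranges and expressions are not modeled), and walks the option area of a constructed IPv4 header to show which option types a "from ip-options <synonym>" term can name and which fall into the dropped-by-default category. The header bytes and the dfwc-style message format are constructed for the example.

```python
# Text synonyms and option-type values exactly as the KB lists them.
IP_OPTIONS = {
    "loose-source-route": 131, "record-route": 7, "router-alert": 148,
    "security": 130, "stream-id": 136, "strict-source-route": 137,
    "timestamp": 68,
}
SUPPORTED_VALUES = set(IP_OPTIONS.values())

def check_ip_options_value(value):
    """Mimic the post-PR/516778 commit check for a single ip-options value.
    Accepts 'any', a listed synonym, or the number of a listed option;
    anything else raises ValueError with a dfwc-style message (assumed format)."""
    if value == "any":
        return "any"
    if value in IP_OPTIONS:
        return IP_OPTIONS[value]
    if value.isdigit() and int(value) in SUPPORTED_VALUES:
        return int(value)
    raise ValueError(f'dfwc_bitfield: "{value}" is an invalid option')

def parse_ipv4_options(header):
    """Return the option-type numbers carried in the header's option area.
    EOL (0) ends the list, NOP (1) is one byte, all others carry a length."""
    ihl, i, kinds = (header[0] & 0x0F) * 4, 20, []
    while i < ihl:
        kind = header[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("malformed option length")
        kinds.append(kind)
        i += length
    return kinds

def classify(header):
    """Map each option on the packet to whether a 'from ip-options <synonym>'
    term can name it; options outside the set are dropped by default instead."""
    return {kind: kind in SUPPORTED_VALUES for kind in parse_ipv4_options(header)}

# Constructed sample: IPv4 header with IHL 7 (28 bytes), carrying
# router-alert (148) and the unsupported option 82, each 4 bytes long.
SAMPLE = bytes([0x47, 0, 0, 28, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
                148, 4, 0, 0, 82, 4, 0, 0])
```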
Caveat
======
In JUNOS 9.3 and earlier releases, users were allowed to commit the configuration, but the packets were still discarded because they were deemed malicious. This was later addressed in PR/516778, which not only allowed ip-options to be specified as a numeric value, a range, or an expression, but also rejected the commit for any value that is not supported.