Date created: Saturday, June 15, 2024 1:04:49 PM. Last modified: Saturday, June 15, 2024 1:07:03 PM

MX Loopback0 Filter - From j-nsp mailing list

Reference: https://gist.github.com/tonusoo/efd9ab4fcf2bb5a45d34d5af5e3f3e0c

interfaces {
    lo0 {
        /* NOTE(review): only lo0 unit 0 is filtered here. Any other lo0 unit (for example one placed in a routing instance) needs its own input-list; confirm against the full configuration. */
        unit 0 {
            family inet {
                filter {
                    /* Filters run in the order listed and the first terminating action wins: packets with IP options and fragments are dropped before any accept-* filter is consulted, and discard-all-v4 must stay last so that everything not explicitly accepted is counted, logged and dropped. */
                    input-list [ discard-ip-options discard-frags accept-single-hop-bfd-v4 accept-multi-hop-bfd-v4 accept-bgp-v4 accept-ospf2 accept-vrrpv3-v4 accept-established-v4 accept-common-services-v4 discard-all-v4 ];
                }
            }
            family inet6 {
                filter {
                    /* Same layout for IPv6: discard-extension-headers runs first and discard-all-v6 last. */
                    input-list [ discard-extension-headers accept-single-hop-bfd-v6 accept-multi-hop-bfd-v6 accept-bgp-v6 accept-ospf3 accept-vrrpv3-v6 accept-established-v6 accept-common-services-v6 discard-all-v6 ];
                }
            }
        }
    }
}
policy-options {
    /* The apply-path lists below are expanded from the device's own configuration, so each source list follows the configured NTP, DNS, SNMP and BGP peers without manual upkeep. NOTE(review): confirm how your Junos release treats a list that expands to nothing (e.g. no "system ntp peer" configured) when it is referenced in a from clause. */
    prefix-list ntp-servers-v4 {
        apply-path "system ntp server <*.*.*.*>";
    }
    prefix-list ntp-servers-v6 {
        apply-path "system ntp server <*:*>";
    }
    prefix-list ntp-peers-v4 {
        apply-path "system ntp peer <*.*.*.*>";
    }
    prefix-list ntp-peers-v6 {
        apply-path "system ntp peer <*:*>";
    }
    prefix-list dns-servers-v4 {
        apply-path "system name-server <*.*.*.*>";
    }
    prefix-list dns-servers-v6 {
        apply-path "system name-server <*:*>";
    }
    prefix-list snmp-client-lists-v4 {
        apply-path "snmp client-list <*> <*.*.*.*>";
    }
    prefix-list snmp-client-lists-v6 {
        apply-path "snmp client-list <*> <*:*>";
    }
    prefix-list snmp-community-clients-v4 {
        apply-path "snmp community <*> clients <*.*.*.*>";
    }
    prefix-list snmp-community-clients-v6 {
        apply-path "snmp community <*> clients <*:*>";
    }
    /* Site-specific value from the original post: the sources allowed to reach SSH and treated as trusted for ICMP and traceroute. Replace with your own management ranges and keep them as narrow as possible. */
    prefix-list mgnt-networks-v4 {
        10.5.5.0/24;
    }
    prefix-list mgnt-networks-v6 {
        fd1f:1605:8b9d:99::/64;
    }
    /* Matches only neighbors configured under top-level BGP groups whose names end in "-v4" ("-v6" for the list below). Neighbors in groups named differently are not in these lists, so their BGP and multi-hop BFD packets fall through to the discard-all filters. */
    prefix-list bgp-neighbors-v4 {
        apply-path "protocols bgp group <*-v4> neighbor <*.*.*.*>";
    }
    prefix-list bgp-neighbors-v6 {
        apply-path "protocols bgp group <*-v6> neighbor <*:*>";
    }
    /* NOTE(review): apply-path copies each interface address together with its configured prefix length, so router-v6 and router-v4 are expected to match entire connected subnets, not only the router's own addresses. That is what lets them serve as a source match for OSPF and single-hop BFD neighbors; verify the expansion with "show configuration policy-options | display inheritance". */
    prefix-list router-v6 {
        apply-path "interfaces <*> unit <*> family inet6 address <*>";
    }
    /* Link-local unicast as addresses are formed in practice; the reserved block is fe80::/10. */
    prefix-list ipv6-link-local {
        fe80::/64;
    }
    prefix-list vrrpv3-v4 {
        224.0.0.18/32;
    }
    prefix-list vrrpv3-v6 {
        ff02::12/128;
    }
    prefix-list ospfv3 {
        /* ALLSPFRouters */
        ff02::5/128;
        /* ALLDRouters */
        ff02::6/128;
    }
    prefix-list loopback-v6 {
        ::1/128;
        apply-path "interfaces lo0 unit <*> family inet6 address <*>";
    }
    prefix-list router-v4 {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list ospfv2 {
        /* ALLSPFRouters */
        224.0.0.5/32;
        /* ALLDRouters */
        224.0.0.6/32;
    }
    prefix-list loopback-v4 {
        127.0.0.1/32;
        apply-path "interfaces lo0 unit <*> family inet address <*>";
    }
}
firewall {
    family inet {
        /* Admits inbound BGP (TCP to port 179) only from configured neighbors. There is no policer and no TTL check in this term, so the source prefix-list is the sole gate. NOTE(review): source addresses can be spoofed, so BGP session authentication and edge anti-spoofing remain the complementary controls. */
        filter accept-bgp-v4 {
            term accept-bgp-v4 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count accept-bgp-v4;
                    accept;
                }
            }
        }
        filter accept-common-services-v4 {
            /* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */
            term accept-traceroute-v4-trusted {
                filter accept-traceroute-v4-trusted;
            }
            term accept-traceroute-v4-untrusted {
                filter accept-traceroute-v4-untrusted;
            }
            /* ensures that ICMP traffic from trusted networks does not share a policer with ICMP traffic from untrusted networks */
            term accept-icmp-trusted {
                filter accept-icmp-trusted;
            }
            term accept-icmp-untrusted {
                filter accept-icmp-untrusted;
            }
            term accept-snmp-v4 {
                filter accept-snmp-v4;
            }
            term accept-ntp-v4 {
                filter accept-ntp-v4;
            }
            term accept-dns-v4 {
                filter accept-dns-v4;
            }
            term accept-ssh-v4 {
                filter accept-ssh-v4;
            }
        }
        filter accept-dns-v4 {
            term accept-dns-v4 {
                from {
                    source-prefix-list {
                        dns-servers-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol [ udp tcp ];
                    source-port domain;
                    destination-port 49160-65535;
                }
                then {
                    policer re-protect-1m;
                    count accept-dns-v4;
                    accept;
                }
            }
        }
        /* Return traffic for TCP sessions the router itself opens. tcp-established is a stateless flag match (ACK or RST set), not connection tracking, so each term is additionally pinned to a known source list, the service's source port and a high destination-port range. NOTE(review): 49160-65535 is presumably the RE's ephemeral port range; confirm for your release. */
        filter accept-established-v4 {
            /* allows router to establish SSH sessions to management network */
            term accept-established-ssh-v4 {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    source-port ssh;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    policer re-protect-20m;
                    count accept-established-ssh-v4;
                    accept;
                }
            }
            /* allows router to establish BGP sessions with BGP neighbors */
            term accept-established-bgp-v4 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    source-port bgp;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    count accept-established-bgp-v4;
                    accept;
                }
            }
        }
        filter accept-icmp-trusted {
            term accept-echo-request-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-trusted;
                    accept;
                }
            }
            term accept-echo-reply-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-trusted;
                    accept;
                }
            }
            term accept-icmp-error-messages-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    icmp-type [ unreachable time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp-error-messages-trusted;
                    accept;
                }
            }
        }
        /* No source match: any host may send these ICMP types to the RE, and the re-protect-1m policer is the only limit. accept-common-services-v4 references this filter after accept-icmp-trusted, so management sources match the trusted terms first. */
        filter accept-icmp-untrusted {
            term accept-echo-request-untrusted {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-untrusted;
                    accept;
                }
            }
            term accept-echo-reply-untrusted {
                from {
                    protocol icmp;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-untrusted;
                    accept;
                }
            }
            term accept-icmp-error-messages-untrusted {
                from {
                    protocol icmp;
                    icmp-type [ unreachable time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp-error-messages-untrusted;
                    accept;
                }
            }
        }
        filter accept-multi-hop-bfd-v4 {
            term accept-multi-hop-bfd-v4 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    source-port 49152-65535;
                    destination-port 4784;
                }
                then {
                    count accept-multi-hop-bfd-v4;
                    accept;
                }
            }
        }
        filter accept-ntp-v4 {
            term accept-ntp-v4 {
                from {
                    source-prefix-list {
                        ntp-servers-v4;
                        ntp-peers-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    source-port ntp;
                    /* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */
                    destination-port ntp;
                }
                then {
                    policer re-protect-1m;
                    count accept-ntp-v4;
                    accept;
                }
            }
            /* needed for "show ntp *" commands */
            term accept-ntp-internal-v4 {
                from {
                    source-prefix-list {
                        loopback-v4;
                    }
                    destination-prefix-list {
                        loopback-v4;
                    }
                    protocol udp;
                    port ntp;
                }
                then {
                    count accept-ntp-internal-v4;
                    accept;
                }
            }
        }
        /* OSPFv2 from directly connected sources, with no policer. NOTE(review): router-v4 is built from interface addresses with their prefix lengths, so it is expected to cover the connected subnets. The filter does not authenticate neighbors, so OSPF authentication is still needed on shared segments. */
        filter accept-ospf2 {
            term accept-ospf2 {
                from {
                    source-prefix-list {
                        router-v4;
                    }
                    destination-prefix-list {
                        /* OSPF Database Description packets are sent to the unicast addresses if OSPF interface type is "LAN" */
                        router-v4;
                        ospfv2;
                    }
                    protocol ospf;
                }
                then {
                    count accept-ospf2;
                    accept;
                }
            }
        }
        /* Single-hop BFD control (3784) and echo (3785) packets. The ttl 255 match accepts only packets that have not been forwarded by a router, which keeps off-link senders out regardless of the source address they claim. */
        filter accept-single-hop-bfd-v4 {
            term accept-single-hop-bfd-v4 {
                from {
                    source-prefix-list {
                        router-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    source-port 49152-65535;
                    destination-port 3784-3785;
                    /* RFC5881 5 */
                    ttl 255;
                }
                then {
                    count accept-single-hop-bfd-v4;
                    accept;
                }
            }
        }
        /* SNMP polling from sources named in snmp client-lists or in a community's clients statement. NOTE(review): a community configured without a clients restriction contributes nothing to these lists, so its pollers would be dropped here. SNMP over UDP is source-spoofable, so keep the community-level restrictions in place as well. */
        filter accept-snmp-v4 {
            term accept-snmp-v4 {
                from {
                    source-prefix-list {
                        snmp-client-lists-v4;
                        snmp-community-clients-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    policer re-protect-20m;
                    count accept-snmp-v4;
                    accept;
                }
            }
        }
        /* Inbound SSH only from the management networks, policed by re-protect-20m. The filter limits who can reach the SSH service; it does not replace hardening of the service itself or login rate limits. */
        filter accept-ssh-v4 {
            term accept-ssh-v4 {
                from {
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    policer re-protect-20m;
                    count accept-ssh-v4;
                    accept;
                }
            }
        }
        filter accept-traceroute-v4-trusted {
            term accept-traceroute-udp-v4-trusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol udp;
                    ttl 1;
                    destination-port 33434-33529;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v4-trusted;
                    accept;
                }
            }
            term accept-traceroute-icmp-trusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol icmp;
                    ttl 1;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp-trusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v4-trusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    source-prefix-list {
                        mgnt-networks-v4;
                    }
                    protocol tcp;
                    ttl 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v4-trusted;
                    accept;
                }
            }
        }
        /* Traceroute probes from any source, accepted only when they arrive with TTL 1 and policed by re-protect-1m. The TTL match narrows what is admitted but does not identify the sender; the TCP term opens port 80 towards the RE for such TTL-1 segments only. */
        filter accept-traceroute-v4-untrusted {
            term accept-traceroute-udp-v4-untrusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol udp;
                    ttl 1;
                    destination-port 33434-33529;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v4-untrusted;
                    accept;
                }
            }
            term accept-traceroute-icmp-untrusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol icmp;
                    ttl 1;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp-untrusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v4-untrusted {
                from {
                    destination-prefix-list {
                        router-v4;
                    }
                    protocol tcp;
                    ttl 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v4-untrusted;
                    accept;
                }
            }
        }
        filter accept-vrrpv3-v4 {
            term accept-vrrpv3-v4 {
                from {
                    source-prefix-list {
                        router-v4;
                    }
                    destination-prefix-list {
                        vrrpv3-v4;
                    }
                    protocol vrrp;
                    /* RFC5798 5.1.1.3 */
                    ttl 255;
                }
                then {
                    count accept-vrrpv3-v4;
                    accept;
                }
            }
        }
        /* Explicit default deny; it has no from clause, so it matches everything that reaches it. count provides a drop counter and log records packet headers in the firewall log (show firewall log). NOTE(review): add syslog to the then clause if drop records must be retained off-box. */
        filter discard-all-v4 {
            term discard-all-v4 {
                then {
                    count discard-all-v4;
                    log;
                    discard;
                }
            }
        }
        /* Drops every IPv4 fragment addressed to the RE: first-fragment matches the initial fragment and is-fragment the trailing ones. The accept filters that follow match on L4 ports, which trailing fragments do not carry. NOTE(review): legitimately fragmented control-plane traffic is dropped as well; watch both counters after deployment. */
        filter discard-frags {
            term deny-first-frags {
                from {
                    first-fragment;
                }
                then {
                    count deny-first-frags;
                    discard;
                }
            }
            term deny-other-frags {
                from {
                    is-fragment;
                }
                then {
                    count deny-other-frags;
                    discard;
                }
            }
        }
        /* On modern Trio platforms, the filter below will discard both the transit and RE-addressed packets with IP options header field - KB30719 */
        filter discard-ip-options {
            /* NOTE(review): protocols that depend on IP options, such as RSVP and IGMP (Router Alert), would be dropped by this term. Confirm none are in use before applying, particularly where the filter also affects transit packets. */
            term discard-ip-options {
                from {
                    ip-options any;
                }
                then {
                    count discard-ip-options;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter accept-bgp-v6 {
            term accept-bgp-v6 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    destination-port bgp;
                }
                then {
                    count accept-bgp-v6;
                    accept;
                }
            }
        }
        filter accept-common-services-v6 {
            /* ensures that traceroute traffic from trusted networks does not share a policer with traceroute traffic from untrusted networks */
            term accept-traceroute-v6-trusted {
                filter accept-traceroute-v6-trusted;
            }
            term accept-traceroute-v6-untrusted {
                filter accept-traceroute-v6-untrusted;
            }
            /* ensures that ICMP6 traffic from trusted networks does not share a policer with ICMP6 traffic from untrusted networks */
            term accept-icmp6-trusted {
                filter accept-icmp6-trusted;
            }
            term accept-icmp6-untrusted {
                filter accept-icmp6-untrusted;
            }
            term accept-snmp-v6 {
                filter accept-snmp-v6;
            }
            term accept-ntp-v6 {
                filter accept-ntp-v6;
            }
            term accept-dns-v6 {
                filter accept-dns-v6;
            }
            term accept-ssh-v6 {
                filter accept-ssh-v6;
            }
        }
        filter accept-dns-v6 {
            term accept-dns-v6 {
                from {
                    source-prefix-list {
                        dns-servers-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header [ udp tcp ];
                    source-port domain;
                    destination-port 49160-65535;
                }
                then {
                    policer re-protect-1m;
                    count accept-dns-v6;
                    accept;
                }
            }
        }
        filter accept-established-v6 {
            /* allows router to establish SSH sessions to management network */
            term accept-established-ssh-v6 {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    source-port ssh;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    policer re-protect-20m;
                    count accept-established-ssh-v6;
                    accept;
                }
            }
            /* allows router to establish BGP sessions with BGP neighbors */
            term accept-established-bgp-v6 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    source-port bgp;
                    destination-port 49160-65535;
                    tcp-established;
                }
                then {
                    count accept-established-bgp-v6;
                    accept;
                }
            }
        }
        /* Despite the filter name, the neighbor-discovery term has no source list: ND has to be accepted from any on-link neighbor, and hop-limit 255 is what excludes off-link senders. The echo and error-message terms are restricted to mgnt-networks-v6. */
        filter accept-icmp6-trusted {
            term accept-neighbor-discovery-trusted {
                from {
                    next-header icmp6;
                    icmp-type [ router-solicit router-advertisement neighbor-solicit neighbor-advertisement ];
                    /* ignore ND packets received from off-link senders - RFC4861 11.2 */
                    hop-limit 255;
                }
                then {
                    policer re-protect-1m;
                    count accept-neighbor-discovery-trusted;
                    accept;
                }
            }
            term accept-echo-request-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-trusted;
                    accept;
                }
            }
            term accept-echo-reply-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-trusted;
                    accept;
                }
            }
            term accept-icmp6-error-messages-trusted {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp6-error-messages-trusted;
                    accept;
                }
            }
        }
        /* ICMPv6 from any source, limited only by the re-protect-1m policer. packet-too-big is among the accepted error types; path MTU discovery for the RE's own IPv6 sessions depends on receiving it. */
        filter accept-icmp6-untrusted {
            term accept-echo-request-untrusted {
                from {
                    next-header icmp6;
                    icmp-type echo-request;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-request-untrusted;
                    accept;
                }
            }
            term accept-echo-reply-untrusted {
                from {
                    next-header icmp6;
                    icmp-type echo-reply;
                }
                then {
                    policer re-protect-1m;
                    count accept-echo-reply-untrusted;
                    accept;
                }
            }
            term accept-icmp6-error-messages-untrusted {
                from {
                    next-header icmp6;
                    icmp-type [ destination-unreachable packet-too-big time-exceeded parameter-problem ];
                }
                then {
                    policer re-protect-1m;
                    count accept-icmp6-error-messages-untrusted;
                    accept;
                }
            }
        }
        filter accept-multi-hop-bfd-v6 {
            term accept-multi-hop-bfd-v6 {
                from {
                    source-prefix-list {
                        bgp-neighbors-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    source-port 49152-65535;
                    destination-port 4784;
                }
                then {
                    count accept-multi-hop-bfd-v6;
                    accept;
                }
            }
        }
        /* NTP replies from the configured servers and peers, policed by re-protect-1m, plus loopback-to-loopback NTP on the router itself. */
        filter accept-ntp-v6 {
            term accept-ntp-v6 {
                from {
                    source-prefix-list {
                        ntp-servers-v6;
                        ntp-peers-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    source-port ntp;
                    /* ntpd uses src port 123 for both the "client" and "symmetric active" type messages and thus the NTP server/peer replies to dst port 123 */
                    destination-port ntp;
                }
                then {
                    policer re-protect-1m;
                    count accept-ntp-v6;
                    accept;
                }
            }
            /* Mirrors accept-ntp-internal-v4, which this configuration documents as needed for "show ntp *" commands; both source and destination must be the router's own loopback addresses, and the term is not policed. */
            term accept-ntp-internal-v6 {
                from {
                    source-prefix-list {
                        loopback-v6;
                    }
                    destination-prefix-list {
                        loopback-v6;
                    }
                    next-header udp;
                    port ntp;
                }
                then {
                    count accept-ntp-internal-v6;
                    accept;
                }
            }
        }
        filter accept-ospf3 {
            term accept-ospf3 {
                from {
                    /* RFC5340 2.5 */
                    source-prefix-list {
                        ipv6-link-local;
                    }
                    /* RFC5340 4.2.1 */
                    destination-prefix-list {
                        ospfv3;
                        ipv6-link-local;
                    }
                    next-header ospf;
                }
                then {
                    count accept-ospf3;
                    accept;
                }
            }
        }
        filter accept-single-hop-bfd-v6 {
            term accept-single-hop-bfd-v6 {
                from {
                    source-prefix-list {
                        router-v6;
                        ipv6-link-local;
                    }
                    destination-prefix-list {
                        router-v6;
                        ipv6-link-local;
                    }
                    next-header udp;
                    source-port 49152-65535;
                    destination-port 3784-3785;
                    /* RFC5881 5 */
                    hop-limit 255;
                }
                then {
                    count accept-single-hop-bfd-v6;
                    accept;
                }
            }
        }
        filter accept-snmp-v6 {
            term accept-snmp-v6 {
                from {
                    source-prefix-list {
                        snmp-client-lists-v6;
                        snmp-community-clients-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    destination-port snmp;
                }
                then {
                    policer re-protect-20m;
                    count accept-snmp-v6;
                    accept;
                }
            }
        }
        filter accept-ssh-v6 {
            term accept-ssh-v6 {
                from {
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then {
                    policer re-protect-20m;
                    count accept-ssh-v6;
                    accept;
                }
            }
        }
        filter accept-traceroute-v6-trusted {
            term accept-traceroute-udp-v6-trusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header udp;
                    destination-port 33434-33529;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v6-trusted;
                    accept;
                }
            }
            term accept-traceroute-icmp6-trusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-request;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp6-trusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v6-trusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    source-prefix-list {
                        mgnt-networks-v6;
                    }
                    next-header tcp;
                    hop-limit 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v6-trusted;
                    accept;
                }
            }
        }
        filter accept-traceroute-v6-untrusted {
            term accept-traceroute-udp-v6-untrusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header udp;
                    destination-port 33434-33529;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-udp-v6-untrusted;
                    accept;
                }
            }
            term accept-traceroute-icmp6-untrusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header icmp6;
                    icmp-type echo-request;
                    hop-limit 1;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-icmp6-untrusted;
                    accept;
                }
            }
            term accept-traceroute-tcp-v6-untrusted {
                from {
                    destination-prefix-list {
                        router-v6;
                    }
                    next-header tcp;
                    hop-limit 1;
                    /* default TCP traceroute port only */
                    destination-port http;
                }
                then {
                    policer re-protect-1m;
                    count accept-traceroute-tcp-v6-untrusted;
                    accept;
                }
            }
        }
        filter accept-vrrpv3-v6 {
            term accept-vrrpv3-v6 {
                from {
                    /* RFC5798 5.1.2.1 */
                    source-prefix-list {
                        ipv6-link-local;
                    }
                    /* RFC5798 5.1.2.2 */
                    destination-prefix-list {
                        vrrpv3-v6;
                    }
                    next-header vrrp;
                    /* RFC5798 5.1.2.3 */
                    hop-limit 255;
                }
                then {
                    count accept-vrrpv3-v6;
                    accept;
                }
            }
        }
        /* Explicit default deny for IPv6; it has no from clause, so it matches everything that reaches it. count provides a drop counter and log records packet headers in the firewall log (show firewall log). NOTE(review): add syslog to the then clause if drop records must be retained off-box. */
        filter discard-all-v6 {
            term discard-all-v6 {
                then {
                    count discard-all-v6;
                    log;
                    discard;
                }
            }
        }
        /* Drops any IPv6 packet whose Next Header value is not ICMPv6, OSPF, TCP, UDP or VRRP. The next-header match is understood to test the first Next Header field, so this removes packets that start with an extension header (fragment, hop-by-hop, routing, AH/ESP) as well as every other upper-layer protocol. Because it runs first in the lo0 input-list, the later next-header matches can be read as the transport protocol. NOTE(review): MLD messages carry a Hop-by-Hop Router Alert option and would be dropped; confirm that is intended. */
        filter discard-extension-headers {
            term discard-extension-headers {
                from {
                    next-header-except [ icmp6 ospf tcp udp vrrp ];
                }
                then {
                    count discard-extension-headers;
                    discard;
                }
            }
        }
    }
    /* 1 Mbit/s with a 625k-byte burst allowance; traffic above that is dropped. Referenced by the ICMP, traceroute, DNS and NTP terms. NOTE(review): verify with "show policer" whether the terms that reference this policer get separate instances or share one, since that decides whether untrusted traffic can exhaust the budget of trusted traffic. */
    policer re-protect-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 625k;
        }
        then discard;
    }
    /* 20 Mbit/s with the same 625k-byte burst allowance; referenced by the SSH (inbound and established) and SNMP terms. The higher rate presumably leaves room for file transfers and polling bursts from the management sources. */
    policer re-protect-20m {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 625k;
        }
        then discard;
    }
}