Alcatel-Lucent OmniSwitch 9900 Series Network Configuration Manual page 698

Configuring QoS
An ACL can also be defined using the tcpflags parameter to examine and qualify specific TCP flags
individually or in combination with other flags. This parameter can be used to prevent specific DOS
attacks, such as the christmas tree.
The following example use the tcpflags condition parameter to determine if the F (fin) and S (syn) TCP
flag bits are set to one and the A (ack) bit is set to zero:
-> policy condition c1 tcpflags all f s mask f s a
In this example, a match must occur on all the flags or the packet is not allowed. If the optional command
keyword any was used, then a match need only occur on any one of the flags. For example, the following
condition specifies that either the A (ack) bit or the R (rst) bit must equal one:
-> policy condition c1 tcpflags any a r mask a r
Note that if a flag is specified on the command line after the any or all keyword, then the match value is
one. If the flag only appears as part of the mask, then the match value is zero. See the
tcpflags command page in the OmniSwitch AOS Release 8 CLI Reference Guide for more information.
OmniSwitch AOS Release 8 Network Configuration Guide December 2017
Using Access Control Lists
policy condition
page 26-70