This article describes the issue of the “dfwc_bitfield: “82” is an invalid option error message being generated, when a specific numeric value is committed as a match condition in a firewall filter.
If you try to commit a specific numeric value, such as 82, as a match condition in a firewall filter, the following error message is generated:
p57024@r1a5# commit check dfwc: dfwc_bitfield: "82" is an invalid option error: configuration check-out failed lab# show firewall family inet { filter gre_ingress { term block-new-traceroute { from { ip-options 82; } then { log; syslog; discard; } }
The ability to match by numerical value in ip-options has been removed from Junos 10.1 or later. Only the following options can be defined:
lab# set firewall filter test term 1 from ip-options ? Possible completions: <range> Range of values [ Open a set of values any Any IP option loose-source-route Loose source route route-record Route record router-alert Router alert security Security stream-id Stream ID strict-source-route Strict source route timestamp Timestamp
The ability to match by numerical value in ip-options has been removed from Junos 10.1 or later. It was observed that although prior to JUNOS 10.1, it was possible to configure to match on ip-option 82, it was actually matching on any ip-option. So, instead of matching the specific ip-option defined in the filter, it was matching all the packets.
The removal of the ip-option 82 keyword did not actually remove any pre-existing functionality from Junos.