The z/OS UNIX ipsec command target options

-p stackname
Indicates that the defensive filter or filters are stack-specific filters that are associated with the local TCP/IP stack specified by the stackname value. The stackname parameter specifies the name of the TCP/IP address space. If neither the -p option nor the -G option is specified, the default stack is selected. The default stack is the default TCP/IP address space that is specified on the TCPIPJOBNAME statement in the resolver configuration data set.
Results: To successfully add a stack-specific defensive filter, the following conditions must be met:
  • There must be a DmStackConfig statement for stack stackname in the DMD configuration file with a mode of Active or Simulate.
  • The stack must support IP security.
-G
Indicates that the defensive filter or filters are global filters that apply to all TCP/IP stacks that are listed in the DMD configuration file and that support IP security on the local system.
Results:
  • When you add a global defensive filter, the DMD maintains a copy of the global filter. A stack-specific copy is generated from the global filter and installed in each local TCP/IP stack that is listed in the DMD configuration file and that supports IP security.
  • When you display global defensive filters, the global copy of the defensive filters is displayed. The global copy of the filter does not contain any accumulated counts that are kept by each TCP/IP stack. Issue the command with the -p stackname option to display the accumulated counts for a specific stack.
  • When you update a global defensive filter, the update is applied to the global filter and to each of the generated stack-specific copies.
  • When you delete global defensive filters, the global filter or filters and each of the stack-specific copies that are generated are deleted.
  • When a stack-specific copy of a global filter is updated with the -p stackname (stack-specific) option, only that copy of the filter is updated. If you make a subsequent update to the global filter with the -G option, all copies of the filter are updated, including the one that was previously updated with the -p stackname option. The last update always remains in effect.
  • When a stack-specific copy of a global filter is deleted or expires, that copy is no longer affected by updates to the global filter.
  • When a global filter expires before one or more of its stack-specific copies expires, you can still perform global update and delete operations. The expired global filter is retained to allow the global update and delete operations. Stack-specific copies of the expired global filter are not installed in new stacks that start up. The expired global copy is removed completely when all stack-specific copies expire or are deleted.
  • An expired global filter is displayed with the State value Pending Inactive and the LifetimeExpires value Expired while one or more of its stack-specific copies is still active.
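
The rules above for how -G and -p stackname operations interact can be checked against a small state model. This is an added illustration, not IBM code or the DMD implementation; the class, method and field names are hypothetical, and the stack names, filter name and lifetime values used with it are constructed.

```python
# Added model of the -G / -p rules above; not IBM code. All names are hypothetical.
class DefenseManagerModel:
    def __init__(self, stacks):
        self.stacks = {s: {} for s in stacks}  # stack -> {filter name: settings}
        self.globals = {}                      # filter name -> global copy

    def add_global(self, name, settings):
        self.globals[name] = {"settings": dict(settings), "expired": False}
        for copies in self.stacks.values():    # one generated copy per listed stack
            copies[name] = dict(settings)

    def start_stack(self, stack):
        # Copies of expired global filters are not installed in new stacks.
        self.stacks[stack] = {n: dict(g["settings"])
                              for n, g in self.globals.items() if not g["expired"]}

    def update(self, name, changes, stack=None):
        if stack is not None:                  # -p stackname: only that copy changes
            self.stacks[stack][name].update(changes)
            return
        self.globals[name]["settings"].update(changes)  # -G: global copy ...
        for copies in self.stacks.values():    # ... and every copy that still exists
            if name in copies:
                copies[name].update(changes)

    def remove_copy(self, name, stack):
        # A deleted or expired stack copy no longer receives global updates.
        del self.stacks[stack][name]
        self._reap(name)

    def expire_global(self, name):
        self.globals[name]["expired"] = True   # kept so -G update/delete still work
        self._reap(name)

    def delete_global(self, name):
        del self.globals[name]                 # -G delete removes global and copies
        for copies in self.stacks.values():
            copies.pop(name, None)

    def is_pending_inactive(self, name):
        return self.globals[name]["expired"]

    def _reap(self, name):
        # An expired global copy goes away once no stack-specific copy is left.
        g = self.globals.get(name)
        if g and g["expired"] and not any(name in c for c in self.stacks.values()):
            del self.globals[name]
```

When reviewing what is actually in force on a stack, the model shows why the global display is not enough on its own: a stack copy can be missing (deleted or expired locally) or can never have been installed (stack started after the global filter expired) while the global copy is still listed.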