IP filter rule order

Example 1, Example 2, and Example 3 show individual IP filter rules. A complete IP filter policy contains any number of IP filter rules, configured in much the same manner. It is important to remember that IP filter rules in an IP filter policy are searched in the order listed. Because it is possible for a packet to match more than one rule, a search for a matching filter rule stops after the first match is found, even if there are additional matches further down in the list. Use the ipsec command traffic test option (ipsec -t) as an aid in determining which IP filter rule an IP packet matches.

The command-line arguments to the ipsec -t command are a set of characteristics that describe a particular IP packet. The existing set of filter rules is searched for potential matches. Unlike normal filter processing, which stops the search after a match is found, the ipsec -t command displays all matching filter rules. Input to the ipsec -t command does not have to specify every filtering criterion that an IP packet carries, so the output of the ipsec -t command must be inspected to determine which of the returned rules actually match for a given case.

For instance, an IP filter rule for ICMP can be configured for a specific type and code value, while the traffic test does not provide ICMP type and code as inputs. If more than one IP filter rule matches on the ICMP protocol, they are all displayed. You must determine, from among those listed, which rule applies for a specific IP packet.
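The following is an added, constructed model of the two search behaviours described above: normal filter processing, which stops at the first matching rule in listed order, and a traffic-test style search, which returns every rule that could match when some packet characteristics (here ICMP type and code) are not supplied. It is not z/OS code and does not reproduce the syntax or output of the ipsec command; the rule fields, policy contents and addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of an IP filter policy. It only illustrates the search
# semantics described in the text (first match wins; a traffic test lists all
# potential matches); it is not the z/OS ipsec command or its rule format.


@dataclass(frozen=True)
class FilterRule:
    name: str
    action: str                        # "permit" or "deny"
    src: str                           # source prefix, CIDR notation
    dst: str                           # destination prefix, CIDR notation
    protocol: Optional[str] = None     # None matches any protocol
    dst_port: Optional[int] = None     # None matches any destination port
    icmp_type: Optional[int] = None    # None matches any ICMP type
    icmp_code: Optional[int] = None    # None matches any ICMP code


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None     # None = characteristic not supplied
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _criterion_matches(rule_value, packet_value) -> bool:
    """A rule criterion of None matches anything. A packet value of None means
    the caller did not supply that characteristic, so the rule stays a
    potential match; this is what makes a traffic test over-inclusive."""
    if rule_value is None or packet_value is None:
        return True
    return rule_value == packet_value


def rule_matches(rule: FilterRule, pkt: Packet) -> bool:
    """True if the packet satisfies every criterion the rule specifies."""
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return all(
        _criterion_matches(rv, pv)
        for rv, pv in (
            (rule.protocol, pkt.protocol),
            (rule.dst_port, pkt.dst_port),
            (rule.icmp_type, pkt.icmp_type),
            (rule.icmp_code, pkt.icmp_code),
        )
    )


def first_match(policy: List[FilterRule], pkt: Packet) -> Optional[FilterRule]:
    """Normal filter processing: rules are searched in listed order and the
    search stops at the first match, even if later rules would also match."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule
    return None


def traffic_test(policy: List[FilterRule], pkt: Packet) -> List[FilterRule]:
    """Traffic-test style search: every rule that could match is returned, in
    policy order, so the reader can decide which one applies."""
    return [rule for rule in policy if rule_matches(rule, pkt)]


# Constructed sample policy (assumed addresses from documentation ranges).
# Rule order is deliberate: the narrow ICMP echo-reply permit precedes the
# broad ICMP deny, and a catch-all deny closes the list.
POLICY = [
    FilterRule("echo-reply-ok", "permit", "10.1.0.0/16", "192.0.2.0/24",
               protocol="icmp", icmp_type=0, icmp_code=0),
    FilterRule("icmp-deny", "deny", "10.1.0.0/16", "192.0.2.0/24",
               protocol="icmp"),
    FilterRule("https-ok", "permit", "0.0.0.0/0", "192.0.2.0/24",
               protocol="tcp", dst_port=443),
    FilterRule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


if __name__ == "__main__":
    # An ICMP echo request (type 8): real filtering stops at "icmp-deny".
    echo_req = Packet("10.1.2.3", "192.0.2.10", "icmp", icmp_type=8, icmp_code=0)
    print("first match:", first_match(POLICY, echo_req).name)
    # The same flow described without type/code, as a traffic test would see it:
    # all three ICMP-capable rules are listed and the reader must pick one.
    probe = Packet("10.1.2.3", "192.0.2.10", "icmp")
    print("traffic test:", [r.name for r in traffic_test(POLICY, probe)])
```

Running the module shows the point of the passage: the traffic test for an ICMP packet without type and code returns the echo-reply permit, the ICMP deny and the catch-all, while real filtering of an echo request stops at the ICMP deny because the first rule's type criterion does not match. Swapping the first two rules would silently change the outcome, which is why rule order in the policy matters.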

For a complete description of the ipsec command, including the ipsec -t option, see z/OS Communications Server: IP System Administrator's Commands.