Use the IpService statement to provide a coupling between IP transport conditions, IP routing conditions, and actions.
Syntax

   IpService [name]
   {
      IpService Parameters
   }

Put the braces and each parameter on separate lines.

IpService Parameters

   Protocol   All                                (default: Protocol All)
            | Tcp    | 6    PortSpecification
            | Udp    | 17   PortSpecification
            | Icmp   | 1    IcmpSpecification
            | Icmpv6 | 58   IcmpSpecification
            | Ospf   | 89   OspfSpecification
            | MIPv6  | 135  MIPv6Specification
            | Ip     | 4
            | Ipip   | 94
            | Ah | Esp | Igmp | All | Opaque | n
   Direction  Inbound | Outbound | Bidirectional [InboundConnect | OutboundConnect]
   Routing    Local | Routed FragmentSpecification | Either
   [SecurityClass n]                             (default: SecurityClass 0)

PortSpecification

   [SourcePortRange n | n m]                     (default: SourcePortRange 0)
   [DestinationPortRange n | n m]                (default: DestinationPortRange 0)

IcmpSpecification

   [Type Any | n | n m]                          (default: Type Any)
   [Code Any | n | n m]                          (default: Code Any)

MIPv6Specification

   [Type Any | n | n m]                          (default: Type Any)

OspfSpecification

   [Type Any | n]                                (default: Type Any)

FragmentSpecification

   [FragmentsOnly No | Yes]                      (default: FragmentsOnly No)
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this IpService statement.
Rule: If this IpService statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline IpService, a nonpersistent system name is created.
- Protocol
- Indicates the protocol that must be contained in an IP packet for this rule's action to be performed. If an n value is specified, it identifies a protocol number; the value for n can be in the range 0 - 255. If a value of All is specified, then the rule applies to any protocol.
The value Opaque matches any IPv6 packet for which the upper-layer protocol is not known as a result of fragmentation. This value always matches non-initial fragments, and it also matches initial fragments if the upper-layer protocol value is not included in the first fragment. The Opaque value is applicable only to routed fragments because, for all local traffic, the stack applies IP filter rules only to fully assembled packets.
The protocol name Ip maps to the value 4, representing IP in IP encapsulation, for which IANA has assigned the name IP. The name Ipip maps to the value 94, representing IP within IP encapsulation, for which IANA has assigned the name IPIP.
Restriction: The values MIPv6 and Opaque are valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
- SourcePortRange
- If a Protocol of TCP or UDP is specified, then a SourcePortRange value can be specified. The SourcePortRange value indicates the applicable source ports that must be contained in an IP packet for this rule's action to be performed.
Valid values for n are 0 - 65535. If 0 is specified for n, then the rule applies to any source port. If n is specified as the beginning value for a range, then 0 is not a valid value.
If an m value is specified, it must be greater than or equal to n and less than 65536.
- DestinationPortRange
- If a Protocol of TCP or UDP is specified, then a DestinationPortRange value can be specified. The DestinationPortRange value indicates the applicable destination ports that must be contained in an IP packet for this rule's action to be performed.
Valid values for n are in the range 0 - 65535. If 0 is specified for n, then the rule applies to any destination port. If n is specified as the beginning value for a range, then 0 is not a valid value.
If an m value is specified, then it must be greater than or equal to n and less than 65536.
- Type
- If you specify Protocol ICMP or ICMPv6, then you can specify a Type value or range. The Type value indicates the ICMP types that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255. If you specify an m value, it must be greater than or equal to n and less than or equal to 255.
If you specify Protocol Ospf, then you can specify Type. The Type value indicates the OSPF types that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255.
If you specify Protocol MIPv6, then you can specify a Type value or range. The Type value indicates the mobility header types that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255. If you specify an m value, it must be greater than or equal to n and less than or equal to 255.
Restrictions:
- The use of a range of values for certain protocols is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
- ICMP, ICMPv6, and mobility header Type specifications other than Any are allowed for filter rules that reference an IpDynVpnAction statement, but they are valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
- Code
- If you specify Protocol ICMP or ICMPv6, then you can specify a Code value or range. The Code value indicates the ICMP codes that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255. If an m value is specified, it must be greater than or equal to n and less than or equal to 255.
Restrictions:
- The use of a range of values for certain protocols is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
- ICMP and ICMPv6 Code specifications other than Any are allowed for filter rules that reference an IpDynVpnAction statement, but they are valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
- Direction
- Specifies the direction a packet must take in order for the generated IP filters to apply.
- Outbound
- This value generates one IP filter. The generated rule permits or denies a packet with the specified source and destination to travel outbound.
- Inbound
- This value generates one IP filter. The generated rule permits or denies a packet with the specified source and destination to travel inbound.
- Bidirectional
- This value generates two IP filters. The first generated rule permits or denies a packet with the specified source and destination IP address or port to travel outbound. The second generated rule switches the source and destination specifications and permits or denies a packet with the switched source and destination specification to travel inbound.
- InboundConnect/OutboundConnect
- When Bidirectional is specified for Direction, an additional InboundConnect or OutboundConnect keyword can also be specified. These values are ignored if the protocol is not TCP. InboundConnect or OutboundConnect controls which direction can carry the first packet of a TCP connection, that is, which side can initiate the connection. If InboundConnect and Protocol TCP are specified, then a TCP connection can be initiated only by an inbound packet. If OutboundConnect and Protocol TCP are specified, then a TCP connection can be initiated only by an outbound packet.
- Routing
- Specifies the type of packet that applies to this rule.
- Local
- Indicates that this rule applies to packets destined for this
stack.
- Routed
- Indicates that this rule applies to packets being forwarded by
this stack.
- Either
- Indicates that this rule applies to forwarded and non-forwarded
packets.
- SecurityClass
- An IP packet must traverse a physical interface with a SecurityClass value of n to match the generated rule. The interface security class is defined on the LINK, INTERFACE, or DYNAMICXCF statement in the TCP/IP profile. Valid values for n are in the range 0 - 255. The value 0 indicates that any interface is allowed. The SecurityClass parameter must be specified as 0 if the IpService statement is referenced by an IpFilterRule statement that also references an IpDynVpnAction statement.
- FragmentsOnly
- When this parameter is set to Yes, this rule matches only fragmented packets. When this parameter is set to No, this rule matches both fragments and non-fragments.
Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
Tip: Fragments are only matched in routed traffic, because the TCP/IP stack applies IP filter rules for local traffic only to fully reassembled packets.
Rule: A FragmentsOnly specification of Yes is not allowed for filter rules that reference an IpDynVpnAction statement.
Tip: To specify all ephemeral ports for the SourcePortRange or DestinationPortRange keywords, you can specify ports in the range 1024 - 65535.
Rules:
- Filter rules that reference an IpManVpnAction statement or IpDynVpnAction statement must have a Direction of Bidirectional specified on the IpService parameter.
- A Routing specification of Routed or Either must have one of the following:
  - A SourcePortRange and DestinationPortRange specification defaulted or configured to 0 (if applicable)
  - A Type and Code specification defaulted or configured to Any (if applicable)
  This restriction is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
- Filter rules that reference an IpDynVpnAction must have a SecurityClass value of 0 specified on the IpService statement.
- An ICMP or ICMPv6 Type and Code specification other than Any is allowed for filter rules that reference an IpDynVpnAction statement, but it is valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
- The ICMP or ICMPv6 Code specification must be set to the Any value if a range of ICMP or ICMPv6 Types is specified.
- An OSPF Type specification is not allowed for filter rules that reference an IpDynVpnAction statement.
- A mobility header Type specification other than Any is allowed for filter rules that reference an IpDynVpnAction statement, but it is valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
- A protocol specification of Opaque can be used only in combination with IPv6 addresses on an IpFilterRule.
- A protocol specification of Opaque is not allowed for filter rules that reference an IpDynVpnAction statement.
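The parameter and rule constraints above are the kind of thing worth checking before a policy file is handed to the Policy Agent. The following is an added example, not code from the z/OS documentation or from Policy Agent itself: it encodes the value ranges and the Rules listed on this page as a static check over a parsed IpService definition. The dict keys, the vpn_action and ipv6 arguments, and the sample definitions are assumptions of this example.

```python
# Added example (not from the z/OS documentation): applies this page's IpService
# rules to a parsed definition. Dict keys, arguments and samples are assumptions.

ANY = "Any"

def port_range_ok(rng):
    """SourcePortRange/DestinationPortRange: 0 (any), n, or n m with 1 <= n <= m <= 65535."""
    n, m = rng
    return 0 <= n <= 65535 if m is None else 1 <= n <= m <= 65535

def type_code_ok(rng):
    """Type/Code: Any, n, or n m with 0 <= n <= m <= 255."""
    if rng == ANY:
        return True
    n, m = rng
    return 0 <= n <= (n if m is None else m) <= 255

def validate(svc, vpn_action=None, ipv6=False):
    """Return violations (empty = acceptable). vpn_action is the IpManVpnAction or
    IpDynVpnAction the referencing IpFilterRule uses; ipv6: it uses IPv6 addresses."""
    v = []
    src, dst = svc.get("SourcePortRange", (0, None)), svc.get("DestinationPortRange", (0, None))
    typ, code = svc.get("Type", ANY), svc.get("Code", ANY)
    if not (port_range_ok(src) and port_range_ok(dst)):
        v.append("port range must be 0 or n [m] with 1 <= n <= m <= 65535")
    if not (type_code_ok(typ) and type_code_ok(code)):
        v.append("Type/Code must be Any or n [m] within 0 - 255")
    if typ != ANY and typ[1] is not None and code != ANY:
        v.append("Code must be Any when a range of Types is specified")
    if svc["Routing"] in ("Routed", "Either") and (
            src != (0, None) or dst != (0, None) or typ != ANY or code != ANY):
        v.append("Routed/Either requires port ranges 0 and Type/Code Any")
    if svc["Protocol"] == "Opaque" and not ipv6:
        v.append("Opaque is valid only with IPv6 addresses")
    if vpn_action and svc["Direction"] != "Bidirectional":
        v.append("%s requires Direction Bidirectional" % vpn_action)
    if vpn_action == "IpDynVpnAction":  # extra constraints for dynamic VPN rules
        if svc.get("SecurityClass", 0) != 0:
            v.append("IpDynVpnAction requires SecurityClass 0")
        if svc.get("FragmentsOnly", "No") == "Yes":
            v.append("FragmentsOnly Yes is not allowed with IpDynVpnAction")
        if svc["Protocol"] == "Opaque":
            v.append("Opaque is not allowed with IpDynVpnAction")
        if svc["Protocol"] == "Ospf" and typ != ANY:
            v.append("OSPF Type is not allowed with IpDynVpnAction")
    return v

# Constructed samples: a local SSH service accepting inbound connects only, and the same service wrongly applied to routed traffic.
SSH_LOCAL = {"Protocol": "Tcp", "Direction": "Bidirectional", "InboundConnect": True,
             "Routing": "Local", "DestinationPortRange": (22, None)}
BAD_ROUTED = dict(SSH_LOCAL, Routing="Routed")
```

The IKE-version conditions on non-Any Type and Code values cannot be checked statically, since the page states the version is only known once negotiation begins.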