IpService statement

Use the IpService statement to provide a coupling between IP transport conditions, IP routing conditions, and actions.

Syntax

>>-IpService--+------+--| Put Braces and Parameters on Separate Lines |-><
              '-name-'                                                   

Put Braces and Parameters on Separate Lines

|--+-{------------------------+---------------------------------|
   +-| IpService Parameters |-+   
   '-}------------------------'   

IpService Parameters

   .-Protocol All------------------------------------.   
|--+-------------------------------------------------+---------->
   '-Protocol -+-+-Tcp-+--| PortSpecification |----+-'   
               | '-6---'                           |     
               +-+-Udp-+--| PortSpecification |----+     
               | '-17--'                           |     
               +-+-Icmp-+--| IcmpSpecification |---+     
               | '-1----'                          |     
               +-+-Icmpv6-+--| IcmpSpecification |-+     
               | '-58-----'                        |     
               +-+-Ospf-+--| OspfSpecification |---+     
               | '-89---'                          |     
               +-+-MIPv6-+--| MIPv6Specification |-+     
               | '-135---'                         |     
               +-+-Ip-+----------------------------+     
               | '-4--'                            |     
               +-+-Ipip-+--------------------------+     
               | '-94---'                          |     
               +-Ah--------------------------------+     
               +-Esp-------------------------------+     
               +-Igmp------------------------------+     
               +-All-------------------------------+     
               +-Opaque----------------------------+     
               '-n---------------------------------'     

>--Direction--+-Inbound----------------------------+------------>
              +-Outbound---------------------------+   
              '-Bidirectional--+-----------------+-'   
                               +-InboundConnect--+     
                               '-OutboundConnect-'     

>--Routing--+-Local-----------------------------+--------------->
            +-Routed--| FragmentSpecification |-+   
            '-Either----------------------------'   

   .-SecurityClass 0-.   
>--+-----------------+------------------------------------------|
   '-SecurityClass n-'   

PortSpecification

   .-SourcePortRange 0--------.   
|--+--------------------------+--------------------------------->
   '-SourcePortRange--+-n---+-'   
                      '-n m-'     

   .-DestinationPortRange 0---------.   
>--+--------------------------------+---------------------------|
   '-DestinationPortRange --+-n---+-'   
                            '-n m-'     

IcmpSpecification

   .-Type Any------.  .-Code Any------.   
|--+---------------+--+---------------+-------------------------|
   '-Type--+-Any-+-'  '-Code--+-Any-+-'   
           +-n---+            +-n---+     
           '-n m-'            '-n m-'     

MIPv6Specification

   .-Type Any------.   
|--+-Type--+-Any-+-+--------------------------------------------|
           +-n---+     
           '-n m-'     

OspfSpecification

   .-Type Any------.   
|--+---------------+--------------------------------------------|
   '-Type--+-Any-+-'   
           '-n---'     

FragmentSpecification

   .-FragmentsOnly No-------.   
|--+------------------------+-----------------------------------|
   '-FragmentsOnly--+-No--+-'   
                    '-Yes-'     

Parameters

name
A string 1 - 32 characters in length specifying the name of this IpService statement.

Rule: If this IpService statement is not specified inline within another statement, a name value must be provided.

If a name is not specified for an inline IpService, a nonpersistent system name is created.
Protocol
Indicates the protocol that must be contained in an IP packet for this rule's action to be performed. If an n value is specified, it identifies a protocol number. The value for n can be in the range 0 - 255. If a value of All is specified, then the rule applies to any protocol.

The value Opaque matches any IPv6 packet for which the upper-layer protocol is not known as a result of fragmentation. This parameter always matches non-initial fragments, and it also matches initial fragments if the upper-layer protocol value is not included in the first fragment. The Opaque value is applicable only to routed fragments because, for all local traffic, the stack applies IP filter rules only to fully assembled packets.

The protocol name Ip maps to the value 4, representing IP in IP encapsulation, for which IANA has assigned the name IP.

The name Ipip maps to the value 94, representing IP within IP encapsulation, for which IANA has assigned the name IPIP.

Restriction: The values MIPv6 and Opaque are valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

SourcePortRange
If a Protocol of TCP or UDP is specified, then a SourcePortRange value can be specified. The SourcePortRange value indicates the applicable source ports that must be contained in an IP packet for this rule's action to be performed.

Valid values for n are 0 - 65 535. If 0 is specified for n, then the rule applies to any source port. If n is specified as the beginning value for a range, then 0 is not a valid value.

If an m value is specified, it must be greater than or equal to n and less than 65 536.

DestinationPortRange
If a Protocol of TCP or UDP is specified, then a DestinationPortRange value can be specified. The DestinationPortRange value indicates the applicable destination ports that must be contained in an IP packet for this rule's action to be performed.

Valid values for n are in the range 0 - 65 535. If 0 is specified for n, then the rule applies to any destination port. If n is specified as the beginning value for a range, then 0 is not a valid value.

If an m value is specified, then it must be greater than or equal to n and less than 65 536.

Type
If you specify Protocol ICMP or ICMPv6, then you can specify a Type value or range. The Type value indicates the ICMP types that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255. If you specify an m value, it must be greater than or equal to n and less than or equal to 255.

If you specify Protocol Ospf, then you can specify Type. The Type value indicates the OSPF types that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255.

If you specify Protocol MIPv6, then you can specify a Type value or range. The Type value indicates the mobility header types that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255. If you specify an m value, it must be greater than or equal to n and less than or equal to 255.

Restrictions:
  • The use of a range of values for certain protocols is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
  • ICMP, ICMPv6 and Mobility header Type specifications other than Any are allowed for filter rules that reference an IpDynVpnAction statement, but they are valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
Code
If you specify Protocol ICMP or ICMPv6, then you can specify a Code value or range. The Code value indicates the ICMP codes that must be contained in an IP packet for this rule's action to be performed. Valid values for n are in the range 0 - 255. If an m value is specified, it must be greater than or equal to n and less than or equal to 255.
Restrictions:
  • The use of a range of values for certain protocols is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
  • ICMP and ICMPv6 Code specifications other than Any are allowed for filter rules that reference an IpDynVpnAction statement, but they are valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
Direction
Specifies the direction a packet must take in order for the generated IP filters to apply.
Outbound
This value generates one IP filter. The generated rule permits or denies a packet with the specified source and destination to travel outbound.
Inbound
This value generates one IP filter. The generated rule permits or denies a packet with the specified source and destination to travel inbound.
Bidirectional
This value generates two IP filters. The first generated rule permits or denies a packet with the specified source and destination IP address or port to travel outbound. The second generated rule switches the source and destination specifications and permits or denies a packet with the switched source and destination specification to travel inbound.
InboundConnect/OutboundConnect
When Bidirectional is specified for Direction, an additional InboundConnect or OutboundConnect keyword can also be specified. These values are ignored if the protocol is not TCP. InboundConnect or OutboundConnect controls which direction of packet can carry the first packet of a TCP connection (that is, which side can initiate a TCP connection). If InboundConnect and Protocol TCP are specified, then a TCP connection can be initiated only by an inbound packet. If OutboundConnect and Protocol TCP are specified, then a TCP connection can be initiated only by an outbound packet.
Routing
Specifies the type of packet that applies to this rule.
Local
Indicates that this rule applies to packets destined for this stack.
Routed
Indicates that this rule applies to packets being forwarded by this stack.
Either
Indicates that this rule applies to forwarded and non-forwarded packets.
SecurityClass
An IP packet must traverse a physical interface with a SecurityClass value of n to match the generated rule. The interface security class is defined on the LINK, INTERFACE, or DYNAMICXCF statement in the TCP/IP profile. Valid values for n are in the range 0 - 255. The value 0 indicates that any interface is allowed. The SecurityClass parameter must be specified as 0 if the IpService statement is referenced by an IpFilterRule statement that also references an IpDynVpnAction statement.
FragmentsOnly
When this parameter is set to Yes, this rule matches only fragmented packets. When this parameter is set to No, this rule matches both fragments and non-fragments.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Tip: Fragments are only matched in routed traffic, because the TCP/IP stack applies IP filter rules for local traffic only to fully reassembled packets.

Rule: A FragmentsOnly specification of Yes is not allowed for filter rules that reference an IpDynVpnAction statement.

Tip: To specify all ephemeral ports for the SourcePortRange or DestinationPortRange keywords, you can specify ports in the range 1 024 - 65 535.

Rules:
  • Filter rules that reference an IpManVpnAction statement or IpDynVpnAction statement must have a Direction of Bidirectional specified on the IpService parameter.
  • A Routing specification of Routed or Either must have one of the following:
    • A SourcePortRange and DestinationPortRange specification defaulted or configured to 0 (if applicable)
    • A Type and Code specification defaulted or configured to Any (if applicable)
    This restriction is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
  • Filter rules that reference an IpDynVpnAction must have a SecurityClass value of 0 specified on the IpService statement.
  • An ICMP or ICMPv6 Type and Code specification other than Any is allowed for filter rules that reference an IpDynVpnAction statement but it is valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
  • The ICMP or ICMPv6 Code specification must be set to the Any value if a range of ICMP or ICMPv6 Types is specified.
  • An OSPF Type specification is not allowed for filter rules that reference an IpDynVpnAction statement.
  • A mobility header Type specification other than Any is allowed for filter rules that reference an IpDynVpnAction statement, but it is valid only when the SA is negotiated using IKE version 2. Because the IKE version is not determined until IKE negotiations begin, the IKE daemon fails an SA negotiation under such a rule if the chosen KeyExchangeRule calls for IKE version 1.
  • A protocol specification of Opaque can be used only in combination with IPv6 addresses on an IpFilterRule.
  • A protocol specification of Opaque is not allowed for filter rules that reference an IpDynVpnAction statement.
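As an added example, not taken from this reference or from the Policy Agent product, the following Python linter parses a single IpService block and checks it against the port-range limits, the Routed/Either restrictions, the Type/Code rules and the IpManVpnAction/IpDynVpnAction rules described above. Case-insensitive keyword matching and the sample block are assumptions made here.

```python
import re

_KW = {k.lower(): k for k in ("Protocol", "SourcePortRange", "DestinationPortRange",
       "Type", "Code", "Direction", "Routing", "SecurityClass", "FragmentsOnly")}

def parse_ipservice(text):
    # Flatten one IpService block into {Keyword: [lowercased values]}. Braces are dropped
    # because the nested PortSpecification / IcmpSpecification keywords are unique per block.
    cfg, key = {}, None
    for w in re.sub(r"[{}]", " ", text).split():
        if w.lower() in _KW:
            key = _KW[w.lower()]
            cfg[key] = []
        elif key:
            cfg[key].append(w.lower())
    return cfg

def check_ipservice(text, vpn=None):
    # vpn is None, "manual" or "dynamic": the VpnAction the enclosing IpFilterRule references.
    cfg, errs = parse_ipservice(text), []
    proto = (cfg.get("Protocol") or ["all"])[0]
    routed = (cfg.get("Routing") or [""])[0] in ("routed", "either")
    typ, code = cfg.get("Type") or ["any"], cfg.get("Code") or ["any"]
    for k in ("SourcePortRange", "DestinationPortRange"):
        v = [int(x) for x in (cfg.get(k) or ["0"])]
        if not 0 <= v[0] <= 65535 or v[-1] > 65535:
            errs.append(f"{k}: values must be 0 - 65535")
        elif len(v) == 2 and (v[0] == 0 or v[1] < v[0]):
            errs.append(f"{k}: a range must start above 0 and not end before it starts")
        elif routed and v != [0]:
            errs.append(f"{k}: must be 0 when Routing is Routed or Either")
    if len(typ) == 2 and code != ["any"]:
        errs.append("Code must be Any when Type is a range")
    if routed and (typ != ["any"] or code != ["any"]):
        errs.append("Type and Code must be Any when Routing is Routed or Either")
    if vpn and (cfg.get("Direction") or [""])[0] != "bidirectional":
        errs.append("Direction must be Bidirectional when a VpnAction is referenced")
    if vpn == "dynamic":
        if (cfg.get("SecurityClass") or ["0"]) != ["0"]:
            errs.append("SecurityClass must be 0 with IpDynVpnAction")
        if (cfg.get("FragmentsOnly") or ["no"]) == ["yes"]:
            errs.append("FragmentsOnly Yes is not allowed with IpDynVpnAction")
        if proto == "opaque" or (proto in ("ospf", "89") and "Type" in cfg):
            errs.append("Protocol Opaque and an OSPF Type are not allowed with IpDynVpnAction")
    return errs

# Constructed sample: a routed telnet service that breaks several rules under an IpDynVpnAction.
SAMPLE = """IpService svcTelnetRouted { Protocol tcp { SourcePortRange 1024 65535  DestinationPortRange 23 }
  Direction Bidirectional OutboundConnect  Routing Routed  SecurityClass 5 }"""
```

Calling check_ipservice(SAMPLE, vpn="dynamic") reports both non-zero port ranges (Routing Routed) and the non-zero SecurityClass; the same block passes once Routing is Local and SecurityClass is 0.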