PolicyRule statement

Use the PolicyRule statement to specify characteristics of IP packets that are used to map to a corresponding policy action. It defines a set of IP datagrams that should receive a particular service.

Restriction: This statement defines a Version 2 policy rule.

Syntax

>>-PolicyRule--name--| Place Braces and Parameters on Separate Lines |-><

Place Braces and Parameters on Separate Lines

|--+-{-------------------------+--------------------------------|
   +-| PolicyRule Parameters |-+   
   '-}-------------------------'   

PolicyRule Parameters

|--+------------------------+----------------------------------->
   '-PolicyRulePriority --n-'   

   .-SourceAddressRange all---------------.   
>--+--------------------------------------+--------------------->
   '-SourceAddressRange --address address-'   

   .-DestinationAddressRange all---------------.   
>--+-------------------------------------------+---------------->
   '-DestinationAddressRange --address address-'   

   .-SourcePortRange --all-.  .-DestinationPortRange --all-.   
>--+-----------------------+--+----------------------------+---->
   '-SourcePortRange --n n '  '-DestinationPortRange --n n '   

   .-ProtocolNumberRange --all-.  .-InboundInterface --all-.   
>--+---------------------------+--+------------------------+---->
   '-ProtocolNumberRange --n---'  '-InboundInterface --n---'   

   .-OutboundInterface --all-.  .-ApplicationName --all--.   
>--+-------------------------+--+------------------------+------>
   '-OutboundInterface --n---'  '-ApplicationName --name-'   

>--+--------------------------+--+-------------------------+---->
   '-ApplicationData --string-'  '-ApplicationPriority --n-'   

>--+----------------------------+------------------------------->
   '-ConditionTimeRange --range-'   

   .-MonthOfYearMask --111111111111-.   
>--+--------------------------------+--------------------------->
   '-MonthOfYearMask --n------------'   

   .-DayOfMonthMask --31 n's-.  .-DayOfWeekMask --1111111-.   
>--+-------------------------+--+-------------------------+----->
   '-DayOfMonthMask --62 n's-'  '-DayOfWeekMask --n-------'   

   .-TimeOfDayRange --0-24-.   
>--+-----------------------+------------------------------------>
   '-TimeOfDayRange --n-m--'   

>--+----------------------------------+------------------------->
   | .------------------------------. |   
   | V                              | |   
   '---PolicyActionReference --name-+-'   

   .-ForLoadDistribution --FALSE-----.   
>--+---------------------------------+--------------------------|
   '-ForLoadDistribution --+-------+-'   
                           +-TRUE--+     
                           '-FALSE-'     

Parameters

name
A string 1 - 32 characters in length specifying the name of this policy rule.
PolicyRulePriority
PolicyRulePriority specifies the location of the PolicyRule entry in the PolicyRule list. This is an integer type field. Rules are searched for a match starting at the highest priority, so if multiple rules could possibly be matched for a given set of traffic, the rule with the highest priority gets matched first. If multiple rules have the same priority, then the rule with the greatest number of attributes specified gets matched first. If the match criteria are equal, the rule that gets mapped is unpredictable. Only one policy is ever mapped, per PolicyScope attribute. The maximum value for this attribute is 2000000000. If this attribute is specified, the computed priority of the rule is the specified value plus 100. If this attribute is not specified, the computed priority of the rule is determined by the number of selection criteria specified, but is always less than 100. The higher the number defined, the higher the assigned priority.
SourceAddressRange
Specifies the source addresses of the sender of the traffic flow. The destination of the data can be the client or the server. For TCP connections, the destination of the connection is the client. For inbound connections or traffic, the source is the remote device. For outbound connections or traffic, the source is this host. Both IPv4 and IPv6 addresses can be specified.
Rules:
  • Include a blank or a dash (-) as a delimiter.
  • If the IP address is IPv6, it cannot be an IPv4-mapped IPv6 address (in hexadecimal or dotted decimal format) or an IPv6 address with the reserved prefix ::/96. If the IPv6 address is one of these two types, an error message is logged.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.

When the source address range is specified on an LDAP server using the syntax that means all local addresses, loopback and loopback-like traffic (for example, otracert from and to a local address) is not mapped, for performance reasons. However, the interface attribute can be specified in addition to the source address to accomplish this mapping.

DestinationAddressRange
Specifies the destination addresses of the receiver of the traffic flow. The destination of the data might be the client or the server. For inbound connections or traffic, the destination of the connection is this host. For outbound connections or traffic, the destination of the connection is the remote device. Both IPv4 and IPv6 addresses can be specified.
Rules:
  • Include a blank or a dash (-) as a delimiter.
  • If the IP address is IPv6, it cannot be an IPv4-mapped IPv6 address (in hexadecimal or dotted decimal format) or an IPv6 address with the reserved prefix ::/96. If the IPv6 address is one of these two types, an error message is logged.
  • IPv6 policy is installed but is not enforceable in a stack that is not IPv6 enabled.

When the destination address range is specified on an LDAP server using the syntax that means all local addresses, loopback and loopback-like traffic (for example, otracert from and to a local address) is not mapped, for performance reasons. However, the interface attribute can be specified in addition to the destination address to accomplish this mapping.

SourcePortRange
The source port range. This field consists of two port numbers, separated by a space, where the first port number is less than or equal to the second port number. The default is 0, which is all inclusive. The source of the data can be the client or the server. For inbound connections or traffic, the source is the remote device. For outbound connections or traffic, the source is this host.

Rule: Include a blank, a colon (:), or a dash (-) as a delimiter.

DestinationPortRange
The destination port range. This field consists of two port numbers, separated by a space, where the first port number is less than or equal to the second port number. The default is 0, which is all inclusive. The destination of the data can be the client or the server. For inbound connections or traffic, the destination is this host. For outbound connections or traffic, the destination is the remote device.

Rule: Include a blank, a colon (:), or a dash (-) as a delimiter.

ProtocolNumberRange
This attribute specifies the protocol range for which this policy rule applies. The format is i1:i2, where i2 >= i1. The maximum value for this attribute is 255. The minimum value is 0, which designates all protocols and is the default.

Rule: Include a blank, a colon (:), or a dash (-) as a delimiter.
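The range rules above (blank, colon or dash delimiters; first value not greater than the second; the two kinds of IPv6 address that are rejected) can be checked mechanically before a policy is loaded. The following Python is an added illustration, not part of this reference and not Policy Agent's own code: it parses SourceAddressRange, DestinationAddressRange, SourcePortRange, DestinationPortRange and ProtocolNumberRange values and tests one flow's selectors against them. The 0-65535 port bound, the low-to-high ordering of an address range, and the sample rule and flow are this example's assumptions.

```python
import ipaddress

RESERVED_V6 = ipaddress.ip_network("::/96")   # IPv6 prefix the page says must be rejected


def _split_pair(text, delims):
    """Split a two-value range on the first delimiter found; a lone value stands for itself."""
    text = text.strip()
    for d in delims:
        if d in text:
            left, right = text.split(d, 1)
            return left.strip(), right.strip()
    parts = text.split()                      # blank delimiter (any whitespace)
    if len(parts) in (1, 2):
        return parts[0], parts[-1]
    raise ValueError(f"cannot parse range {text!r}")


def parse_address_range(text):
    """Return (low, high) addresses, or None for 'all'.  A colon is deliberately not a
    delimiter here because IPv6 addresses contain colons; only a blank or a dash is."""
    if text.strip().lower() == "all":
        return None
    lo_s, hi_s = _split_pair(text, ("-",))
    lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
    if lo.version != hi.version:
        raise ValueError("both ends of an address range must be the same IP version")
    for addr in (lo, hi):
        if addr.version == 6 and addr.ipv4_mapped is not None:
            raise ValueError(f"{addr}: IPv4-mapped IPv6 addresses are not allowed")
        if addr.version == 6 and addr in RESERVED_V6:
            raise ValueError(f"{addr}: addresses in the reserved prefix ::/96 are not allowed")
    if hi < lo:                               # ordering assumed, by analogy with port ranges
        raise ValueError("range end precedes range start")
    return lo, hi


def parse_number_range(text, maximum):
    """Port (maximum=65535, assumed) or protocol (maximum=255) range.
    'all', or a range of 0, means all-inclusive and is returned as None."""
    if text.strip().lower() == "all":
        return None
    lo_s, hi_s = _split_pair(text, ("-", ":"))
    lo, hi = int(lo_s), int(hi_s)
    if not 0 <= lo <= hi <= maximum:
        raise ValueError(f"{lo}..{hi} is not an ordered range within 0..{maximum}")
    return None if (lo, hi) == (0, 0) else (lo, hi)


def address_matches(rng, addr):
    addr = ipaddress.ip_address(addr)
    if rng is None:
        return True
    lo, hi = rng
    return addr.version == lo.version and lo <= addr <= hi


def number_matches(rng, value):
    return rng is None or rng[0] <= value <= rng[1]


def flow_matches(rule, flow):
    """rule holds parsed ranges, flow holds one packet's selector values (both constructed)."""
    return (address_matches(rule["src"], flow["src"])
            and address_matches(rule["dst"], flow["dst"])
            and number_matches(rule["sport"], flow["sport"])
            and number_matches(rule["dport"], flow["dport"])
            and number_matches(rule["proto"], flow["proto"]))


if __name__ == "__main__":
    # Constructed rule: TCP (protocol 6) from hosts 10.1.1.1-10.1.1.254 to ports 80-443 anywhere.
    rule = {"src": parse_address_range("10.1.1.1 10.1.1.254"),
            "dst": parse_address_range("all"),
            "sport": parse_number_range("all", 65535),
            "dport": parse_number_range("80:443", 65535),
            "proto": parse_number_range("6", 255)}
    flow = {"src": "10.1.1.7", "dst": "192.0.2.10", "sport": 51000, "dport": 443, "proto": 6}
    print(flow_matches(rule, flow))           # True
    for bad in ("::ffff:10.1.1.1", "::1 - ::9"):
        try:
            parse_address_range(bad)
        except ValueError as err:
            print("rejected:", err)
```

The two IPv6 checks are distinct: an IPv4-mapped address (::ffff:a.b.c.d, in either notation) is caught through ipv4_mapped, while ::1 and the other addresses under ::/96 are caught by the prefix test, so neither check can be dropped in favour of the other.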

InboundInterface
This attribute specifies the inbound local IP subnet for which this policy rule applies. This can be an IPv4 address or an interface name. The default is all interfaces. If an interface name is specified, it must match a name specified on one of the following statements in the TCP/IP profile:
  • LINK statement for an IPv4 interface
  • INTERFACE statement for an IPv4 or IPv6 interface
Rules:
  • InboundInterface and OutboundInterface attributes should not be specified for the same rule, because that would imply a function that is provided by a router.
  • The IPv4 address or interface that is defined must be a physical IP address or a physical device, not a virtual device.
OutboundInterface
This attribute specifies the outbound local IP subnet for which this policy rule applies. This can be an IPv4 address or an interface name. The default is all interfaces. If an interface name is specified, it must match a name specified on one of the following statements in the TCP/IP profile:
  • LINK statement for an IPv4 interface
  • INTERFACE statement for an IPv4 or IPv6 interface
Rules:
  • InboundInterface and OutboundInterface attributes should not be specified for the same rule, because that would imply a function that is provided by a router.
  • The IPv4 address or interface that is defined must be a physical IP address or a physical device, not a virtual device.
ApplicationName
ApplicationName is a field of type string (up to eight characters) that specifies the job name of the application. Names longer than eight characters are truncated. A trailing asterisk indicates a wildcard specification. For example, if FTPD* is specified, job names of FTPD and FTPD1 match. The application name maps to the sending application for outbound data, and to the receiving application name for inbound data. The name specified here is not case sensitive, and is translated to uppercase before being compared to application names.

The default is all applications.

ApplicationData
This string field of up to 128 characters specifies the application selector data (for example, a URI for the Internet). Strings longer than 128 characters are truncated. Conceptually, this is a virtual URL or URL template that is used for selection; it is not necessarily the entire URL. The string specified here is case sensitive.

This parameter is matched against a token provided by application programs. This token might be implicitly provided by users of the Fast Response Cache Accelerator (FRCA) function, in which case the token is a web URI. It might also be explicitly provided by applications using the sendmsg() function with QoS classification ancillary data. See z/OS Communications Server: IP Programmer's Guide and Reference for more details on this support.

Tip: The specified character string can be a subset of the application-defined token. Specified URIs should begin with the first character of the path component of the URL.

For example, to select a URL of http://www.ibm.com:80/account/order.html, specify the following:
ibm-ApplicationData = /account/order.html
Granularity can be determined when defining policy rules based on application defined data. For example, if the installation wants to assign a service level for all URLs under the account path, specify:
ibm-ApplicationData = /account
This specification would match all URLs beginning with /account (for example, /account/order/info.html).
Note:
  1. When URIs are specified for Web Server requests, they have an effect on both static and dynamic content (assuming that the corresponding Web Server support is installed).
  2. This parameter provides the ability to specify rules that match the application-defined token specified by any applications that are providing QoS application classification data. For more information, see z/OS Communications Server: IP Sockets Application Programming Interface Guide and Reference.
ApplicationPriority n
Specifies the QoS service level assigned for each application-specified priority and can have the following values:
0
Any application priority. This specification matches any application-specified priority value.
1
Specifies EXPEDITED priority.
2
Specifies HIGH priority.
3
Specifies MEDIUM priority.
4
Specifies LOW priority.
5
Specifies BESTEFFORT priority.

Restriction: ApplicationPriority is used to select traffic with a matching application-specified priority value. It does not assign a QoS service level to the traffic. That function is provided by the corresponding PolicyAction.

For more information about providing classification data for differentiated services policies from an application, see z/OS Communications Server: IP Programmer's Guide and Reference.
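The three application selectors above (ApplicationName with its eight-character limit, uppercase folding and trailing-asterisk wildcard; ApplicationData as a case-sensitive prefix of the application-supplied token, starting at the path component of a URL; ApplicationPriority with 0 matching any value) combine as follows. This Python is an added illustration, not part of this reference and not Policy Agent's own code. The sample rules are constructed; truncating a name to eight characters before looking for the asterisk is this example's choice.

```python
from urllib.parse import urlsplit

APPLICATION_NAME_MAX = 8      # job names longer than this are truncated (page)
APPLICATION_DATA_MAX = 128    # selector strings longer than this are truncated (page)
ANY_PRIORITY = 0              # ApplicationPriority 0 matches any application priority (page)


def application_name_matches(spec, job_name):
    """Case-insensitive job-name match; a trailing asterisk is a wildcard."""
    pattern = spec[:APPLICATION_NAME_MAX].upper()
    job = job_name[:APPLICATION_NAME_MAX].upper()
    if pattern.endswith("*"):
        return job.startswith(pattern[:-1])
    return job == pattern


def application_data_matches(spec, token):
    """Case-sensitive prefix match of the selector against the application-supplied token."""
    return token.startswith(spec[:APPLICATION_DATA_MAX])


def uri_token(url):
    """Per the page's tip, a web URI selector starts at the path component of the URL."""
    return urlsplit(url).path or "/"


def rule_matches(rule, job_name, token, priority=None):
    """A selector of None leaves that attribute at its 'all' default; priority None means
    the application supplied no classification value."""
    if rule["ApplicationName"] is not None and not application_name_matches(rule["ApplicationName"], job_name):
        return False
    if rule["ApplicationData"] is not None and not application_data_matches(rule["ApplicationData"], token):
        return False
    return rule["ApplicationPriority"] == ANY_PRIORITY or rule["ApplicationPriority"] == priority


def matching_rules(rules, job_name, url, priority=None):
    """Names of the rules whose application selectors match this job, URL and priority."""
    token = uri_token(url)
    return [r["name"] for r in rules if rule_matches(r, job_name, token, priority)]


# Constructed rules, holding only the application selectors of a PolicyRule statement.
RULES = [
    {"name": "orders", "ApplicationName": "httpd*", "ApplicationData": "/account/order.html",
     "ApplicationPriority": 0},
    {"name": "account-all", "ApplicationName": None, "ApplicationData": "/account",
     "ApplicationPriority": 0},
    {"name": "ftp-expedited", "ApplicationName": "FTPD*", "ApplicationData": None,
     "ApplicationPriority": 1},
]

if __name__ == "__main__":
    print(matching_rules(RULES, "HTTPD1", "http://www.ibm.com:80/account/order.html"))   # ['orders', 'account-all']
    print(matching_rules(RULES, "HTTPD1", "http://www.ibm.com/account/order/info.html"))  # ['account-all']
    print(matching_rules(RULES, "FTPD", "http://www.ibm.com/", priority=1))               # ['ftp-expedited']
```

Note that more than one rule can match the same request; which one is actually mapped is decided by the priority and weight rules described under PolicyRulePriority, not by the application selectors alone.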

ConditionTimeRange
This field specifies an overall range of calendar dates and times over which a policy rule is valid. It is a string consisting of a start date and time, then a colon (:) followed by an end date and time. The first date indicates the beginning of the range, and the second date indicates the end of the range. Thus, the second date and time must be later than the first. Dates are expressed as substrings of the form yyyymmddhhmmss. Seconds are rounded to the nearest minute. Because all dates and times are converted internally to the Posix time format, do not specify dates and times before the start of the Posix epoch, which is January 1, 1970, 00:00:00 UTC.

For example, 20010101080000:20010131120000 is January 1, 2001, 0800 through January 31, 2001, noon.

Note:
  1. The internal Posix time format is expressed in terms of seconds since the epoch, which means the time wraps sometime early in the year 2038. Therefore, do not specify dates or times later than this.
  2. All dates and times refer to local time.
MonthOfYearMask
This string field specifies which months of the year the policy rule is valid. This attribute is formatted as a string containing 12 0’s and 1’s, where the 1’s identify the months (beginning with January) in which the policy rule is valid. The value 000010010000, for example, indicates that a policy rule is valid only in the months May and August. If this attribute is omitted, then the policy assumes that it is valid for all twelve months.
DayOfMonthMask
This string field specifies which days of the month the policy rule is valid. The day of month mask can be 31 or 62 bits. The second 31 bits specify the days of the month in reverse order. Bit 32 is the last day of the month, bit 33 is the second from last day of month, and so on. This attribute is formatted as a string containing 31 or 62 0’s and 1’s, where the 1’s identify the days of the month in which the policy rule is valid. The value 111000000000000000000000000000, for example, indicates that a policy rule is valid only on the first three days of each month. For months with fewer than 31 days, the digits corresponding to the missing days are ignored.

The default is every day of the month.

DayOfWeekMask
A mask of seven bits representing the days in a week (Sunday through Saturday) that this policy rule is active. For example, 0111110 represents weekdays. The default is all week.
TimeOfDayRange
A series of time intervals that indicate the time of day, expressed in local time, during which this policy rule is active. Separate intervals with a comma. You can specify hours and optional minutes, separated by a colon. The values 0 and 24 both indicate midnight. Each interval consists of two values separated by a dash. If the second value is smaller than or equal to the first value, then the interval spans midnight. For example, the following statement would result in this policy rule being active from 5:30 PM until 8:30 AM:
TimeOfDayRange 0-8:30, 17:30-24 
You can also configure the same time interval as follows:
TimeOfDayRange 17:30-8:30
The default is 24 hours.
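The validity-period parameters (ConditionTimeRange, MonthOfYearMask, DayOfMonthMask, DayOfWeekMask and TimeOfDayRange) are evaluated together, and the 62-bit day mask and midnight-spanning intervals are the parts most often got wrong. The following Python is an added illustration, not part of this reference and not Policy Agent's own code: it parses each parameter as described above and decides whether a rule is active at a given local date and time. Rounding 30 seconds upward, treating the two halves of a 62-bit mask as alternatives, treating an interval's end as exclusive, and rejecting any date in 2038 or later are this example's choices; the sample rule is constructed.

```python
import calendar
from datetime import datetime, timedelta

EPOCH_YEAR, WRAP_YEAR = 1970, 2038    # page: nothing before the Posix epoch or as late as 2038


def _stamp(s):
    """yyyymmddhhmmss, local time; seconds rounded to the minute (30 s rounds up: example's choice)."""
    if len(s) != 14 or not s.isdigit():
        raise ValueError(f"bad timestamp {s!r}")
    t = datetime(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]), int(s[12:14]))
    rounded = t.replace(second=0)
    return rounded + timedelta(minutes=1) if t.second >= 30 else rounded


def parse_condition_time_range(text):
    start, end = (_stamp(p) for p in text.split(":"))
    if end <= start:
        raise ValueError("the end of a ConditionTimeRange must be later than its start")
    if start.year < EPOCH_YEAR or end.year >= WRAP_YEAR:
        raise ValueError("ConditionTimeRange must lie within the Posix time range")
    return start, end


def _check_mask(mask, lengths):
    if len(mask) not in lengths or set(mask) - {"0", "1"}:
        raise ValueError(f"mask {mask!r} must be {lengths} characters of 0 and 1")


def month_ok(mask, when):
    if mask is None:                      # omitted: valid in all 12 months
        return True
    _check_mask(mask, (12,))
    return mask[when.month - 1] == "1"    # bit 0 is January


def day_of_month_ok(mask, when):
    """First 31 bits count forward from day 1; an optional second 31 bits count backward from
    the last day of the current month.  Accepting either bit is this example's reading."""
    if mask is None:
        return True
    _check_mask(mask, (31, 62))
    if mask[when.day - 1] == "1":
        return True
    if len(mask) == 62:
        days_in_month = calendar.monthrange(when.year, when.month)[1]
        return mask[31 + (days_in_month - when.day)] == "1"   # index 31 is the last day
    return False


def day_of_week_ok(mask, when):
    if mask is None:
        return True
    _check_mask(mask, (7,))
    return mask[(when.weekday() + 1) % 7] == "1"   # page: Sunday first; Python: Monday is 0


def _minutes(token):
    """'h' or 'h:mm' to minutes after midnight; 0 and 24 both mean midnight."""
    hours, _, minutes = token.strip().partition(":")
    if minutes and not 0 <= int(minutes) < 60:
        raise ValueError(f"bad minutes in {token!r}")
    value = int(hours) * 60 + (int(minutes) if minutes else 0)
    if not 0 <= value <= 24 * 60:
        raise ValueError(f"time {token!r} out of range")
    return value


def time_of_day_ok(text, when):
    """Comma-separated intervals, start inclusive and end exclusive (example's choice);
    an end not later than its start means the interval spans midnight (page)."""
    if text is None:
        return True
    now = when.hour * 60 + when.minute
    for part in text.split(","):
        start, end = (_minutes(v) for v in part.split("-"))
        if start < end and start <= now < end:
            return True
        if start >= end and (now >= start or now < end):
            return True
    return False


def rule_active_at(rule, when):
    """rule maps the validity parameters to their string values; None means the default."""
    if rule.get("ConditionTimeRange") is not None:
        start, end = parse_condition_time_range(rule["ConditionTimeRange"])
        if not start <= when <= end:
            return False
    return (month_ok(rule.get("MonthOfYearMask"), when)
            and day_of_month_ok(rule.get("DayOfMonthMask"), when)
            and day_of_week_ok(rule.get("DayOfWeekMask"), when)
            and time_of_day_ok(rule.get("TimeOfDayRange"), when))


# Constructed rule: 2001 only, May and August, last day of the month, weekdays, 17:30 to 08:30.
RULE = {"ConditionTimeRange": "20010101000000:20011231235959",
        "MonthOfYearMask": "000010010000",
        "DayOfMonthMask": "0" * 31 + "1" + "0" * 30,
        "DayOfWeekMask": "0111110",
        "TimeOfDayRange": "17:30-8:30"}
```

With this rule, 2001-05-31 18:00 (a Thursday, the last day of May) is active, 2001-05-30 18:00 is not (the day-of-month bit is off), and 2001-08-31 12:00 is not (outside the 17:30 to 08:30 interval); the reverse-order half of the mask selects 28 February just as it selects 31 May, which a forward-only 31-bit mask cannot express.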
PolicyActionReference
Indicates the name of a policy action from a policy action statement (for example, interactive) that this policy rule uses.

A maximum of four action references can be specified.

ForLoadDistribution
Specifies whether or not the policy rule is intended for Sysplex Distribution. Valid values are TRUE and FALSE. The default is FALSE. When TRUE is specified, the policy rule is used on sysplex distributor distributing stacks to route connection requests inbound from the network to one or more target stacks.

Table 1 provides mapping of the PolicyRule statement parameters to LDAP object classes and attributes.

Table 1. PolicyRule mapping to LDAP

PolicyRule statement parameter  | LDAP object class                        | LDAP attribute
--------------------------------+------------------------------------------+--------------------------------
PolicyRulePriority              | ibm-policyRule                           | ibm-policyRulePriority
PolicyActionReference           | ibm-policyRule                           | ibm-policyRuleActionList
Not applicable                  | ibm-policyRule                           | ibm-policyRuleEnabled
Not applicable                  | ibm-policyRule                           | ibm-policyRuleConditionListType
Not applicable                  | ibm-policyRule                           | ibm-policyRuleConditionList or ibm-policyRuleConditionListDN
Not applicable                  | ibm-policyRule                           | ibm-policyRuleValidityPeriodList
Not applicable                  | ibm-policyRule                           | ibm-policyRuleSequenceActions
Not applicable                  | ibm-policyRule                           | ibm-policyRoles
ForLoadDistribution             | ibm-policyGroupLoadDistributionAuxClass  | ibm-policyGroupForLoadDistribution
SourceAddressRange              | ibm-hostConditionAuxClass                | ibm-sourceIPAddressRange
DestinationAddressRange         | ibm-hostConditionAuxClass                | ibm-destinationIPAddressRange
SourcePortRange                 | ibm-applicationConditionAuxClass         | ibm-sourcePortRange
DestinationPortRange            | ibm-applicationConditionAuxClass         | ibm-destinationPortRange
ProtocolNumberRange             | ibm-applicationConditionAuxClass         | ibm-protocolNumberRange
InboundInterface                | ibm-routeConditionAuxClass               | ibm-interface
OutboundInterface               | ibm-routeConditionAuxClass               | ibm-interface
ApplicationName                 | ibm-applicationConditionAuxClass         | ibm-applicationName
ApplicationData                 | ibm-applicationConditionAuxClass         | ibm-applicationData
ApplicationPriority             | ibm-applicationConditionAuxClass         | ibm-applicationPriority
Not applicable                  | ibm-idsIPAttackConditionAuxClass         | ibm-idsIPOptionRange
Not applicable                  | ibm-idsTransportConditionAuxClass        | ibm-idsLocalPortRange
Not applicable                  | ibm-idsTransportConditionAuxClass        | ibm-idsRemotePortRange
Not applicable                  | ibm-idsTransportConditionAuxClass        | ibm-idsProtocolRange
Not applicable                  | ibm-idsHostConditionAuxClass             | ibm-idsLocalHostIPAddress
Not applicable                  | ibm-idsHostConditionAuxClass             | ibm-idsRemoteHostIPAddress
ConditionTimeRange              | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionTime
MonthOfYearMask                 | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionMonthOfYearMask
DayOfMonthMask                  | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionDayOfMonthMask
DayOfWeekMask                   | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionDayOfWeekMask
TimeOfDayRange                  | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionTimeOfDayMask
Not applicable                  | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionTimeZone
Not applicable                  | ibm-policyTimePeriodConditionAuxClass    | ibm-ptpConditionLocalOrUtcTime

Also, for more information about policy schema definition files, see Intrusion detection services policy.

Examples

For an example of the PolicyRule statement, see /usr/lpp/tcpip/samples/pagent.conf.

Usage notes

If PolicyRulePriority is specified, the weight of PolicyRule is equal to the specified priority plus 100. Otherwise, the weight is determined by the number of parameters that are specified in the PolicyRule. The parameters that affect this weight are:
  • ApplicationName
  • ApplicationData
  • ApplicationPriority
  • SourceAddressRange
  • DestinationAddressRange
  • SourcePortRange
  • DestinationPortRange
  • InboundInterface
  • OutboundInterface
  • Direction not equal to BOTH
  • ProtocolNumberRange
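The weight rule in these usage notes, together with the search order described under PolicyRulePriority (highest computed priority first, then the rule with more attributes, then unpredictable), is illustrated below in Python. This is an added example, not part of this reference and not Policy Agent's own parser: it reads a constructed pagent.conf fragment (not the shipped /usr/lpp/tcpip/samples/pagent.conf), computes each rule's weight and orders the rules as they would be searched. The use of '#' for comments and of one 'Parameter value' pair per line follow the pagent.conf style; Direction is honoured only if present because it appears in the list above although it is not a parameter of this statement.

```python
WEIGHT_PARAMETERS = (   # the selection criteria the usage notes say count toward the weight
    "ApplicationName", "ApplicationData", "ApplicationPriority",
    "SourceAddressRange", "DestinationAddressRange", "SourcePortRange", "DestinationPortRange",
    "InboundInterface", "OutboundInterface", "ProtocolNumberRange",
)
PRIORITY_OFFSET, PRIORITY_MAX = 100, 2000000000   # page: specified priority + 100; maximum 2000000000
MAX_ACTION_REFERENCES = 4                          # page: at most four PolicyActionReference values


def parse_policy_rules(text):
    """Minimal reader for PolicyRule blocks in pagent.conf style: 'PolicyRule name', an
    opening brace, one 'Parameter value' per line, a closing brace.  Constructed for this
    example; it is not Policy Agent's parser."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if current is None:
            keyword, name = line.split(None, 1)
            name = name.strip()
            if keyword != "PolicyRule" or not 1 <= len(name) <= 32:
                raise ValueError(f"expected 'PolicyRule name', got {line!r}")
            current = {"name": name, "params": {}, "actions": []}
        elif line == "{":
            continue
        elif line == "}":
            rules.append(current)
            current = None
        else:
            key, _, value = line.partition(" ")
            value = value.strip()
            if key == "PolicyActionReference":       # repeatable, up to four references
                current["actions"].append(value)
                if len(current["actions"]) > MAX_ACTION_REFERENCES:
                    raise ValueError(f"{current['name']}: too many PolicyActionReference values")
            else:
                current["params"][key] = value
    if current is not None:
        raise ValueError("unterminated PolicyRule block")
    return rules


def rule_weight(rule):
    """PolicyRulePriority + 100 when specified; otherwise the number of selection criteria
    present, which stays below 100."""
    params = rule["params"]
    if "PolicyRulePriority" in params:
        priority = int(params["PolicyRulePriority"])
        if not 0 <= priority <= PRIORITY_MAX:
            raise ValueError(f"{rule['name']}: PolicyRulePriority {priority} exceeds {PRIORITY_MAX}")
        return priority + PRIORITY_OFFSET
    weight = sum(1 for p in WEIGHT_PARAMETERS if p in params)
    if params.get("Direction", "BOTH").upper() != "BOTH":
        weight += 1
    return weight


def order_rules(rules):
    """Search order: highest weight first, ties broken by the number of attributes specified.
    Rules still tied keep their input order here; the page calls that case unpredictable."""
    ranked = sorted(rules, key=lambda r: (rule_weight(r), len(r["params"])), reverse=True)
    return [r["name"] for r in ranked]


SAMPLE_CONF = """\
# Constructed pagent.conf fragment for this example
PolicyRule      web-orders
{
  PolicyRulePriority      50
  SourceAddressRange      10.1.1.1 10.1.1.254
  DestinationPortRange    80 80
  ProtocolNumberRange     6
  ApplicationName         HTTPD*
  PolicyActionReference   interactive
}
PolicyRule      lan-web
{
  SourceAddressRange      10.1.1.1 10.1.1.254
  DestinationPortRange    80 80
  ProtocolNumberRange     6
  PolicyActionReference   interactive
}
PolicyRule      any-web
{
  DestinationPortRange    80 80
  ProtocolNumberRange     6
  PolicyActionReference   interactive
  PolicyActionReference   besteffort
}
"""

if __name__ == "__main__":
    parsed = parse_policy_rules(SAMPLE_CONF)
    for r in parsed:
        print(r["name"], rule_weight(r), r["actions"])
    print(order_rules(parsed))   # ['web-orders', 'lan-web', 'any-web']
```

The point the weights make visible: a rule with an explicit PolicyRulePriority of 50 has weight 150 and is searched before every rule that relies on criteria counting, however specific those rules are, while among the two counted rules the more specific lan-web (three criteria) outranks any-web (two).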