Use the PolicyRule statement to specify characteristics of IP packets that are used to map to a corresponding policy action. It defines a set of IP datagrams that should receive a particular service.
Syntax (place the braces and each parameter on separate lines):

PolicyRule name
{
  PolicyRule parameters
}

PolicyRule parameters (default values, where one exists, are shown in brackets):

PolicyRulePriority n
SourceAddressRange address address [all]
DestinationAddressRange address address [all]
SourcePortRange n n [all]
DestinationPortRange n n [all]
ProtocolNumberRange n [all]
InboundInterface n [all]
OutboundInterface n [all]
ApplicationName name [all]
ApplicationData string
ApplicationPriority n
ConditionTimeRange range
MonthOfYearMask n [111111111111]
DayOfMonthMask 62 n's [31 n's]
DayOfWeekMask n [1111111]
TimeOfDayRange n-m [0-24]
PolicyActionReference name (can be repeated)
ForLoadDistribution TRUE | FALSE [FALSE]
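The following is an added example of a complete PolicyRule statement in pagent.conf form; it is not taken from this page or from the product's sample file. The rule name, the server address (from the 192.0.2.0/24 documentation range) and the referenced action name web-action are assumed values, and the PolicyAction statement that web-action refers to is not shown here. Protocol number 6 is TCP.

```conf
# Added example (not from this page or the product samples): a PolicyRule
# that selects TCP traffic to port 80 on one local server address so that
# it can be mapped to a PolicyAction. All names and addresses are assumed.
PolicyRule        web-inbound-rule
{
  PolicyRulePriority        10
  # SourceAddressRange is left at its default (all), so any client matches.
  # The destination range is two values separated by a blank, colon or dash;
  # here both ends are the same address, so only that server is selected.
  DestinationAddressRange   192.0.2.10 192.0.2.10
  # TCP (protocol number 6) to destination port 80 only
  ProtocolNumberRange       6
  DestinationPortRange      80 80
  # Map matching datagrams to the action named web-action; that PolicyAction
  # statement is assumed to be defined elsewhere in the same configuration
  PolicyActionReference     web-action
}
```

Parameters not listed in the statement keep the defaults shown in the syntax summary, so this rule places no interface, application or time-period condition on the traffic.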
When the source address range is specified on an LDAP server using the syntax that means all local addresses, loopback and loopback-like traffic (for example, otracert from and to a local address) is not mapped, for performance reasons. However, the interface attribute can be specified in addition to the source address to accomplish this mapping.
When the destination address range is specified on an LDAP server using the syntax that means all local addresses, loopback and loopback-like traffic (for example, otracert from and to a local address) is not mapped, for performance reasons. However, the interface attribute can be specified in addition to the destination address to accomplish this mapping.
Rule: Include a blank, a colon (:), or a dash (-) as a delimiter.
The default is all applications.
This parameter is matched against a token provided by application programs. This token might be implicitly provided by users of the Fast Response Cache Accelerator (FRCA) function, in which case the token is a web URI. It might also be explicitly provided by applications using the sendmsg() function with QoS classification ancillary data. See z/OS Communications Server: IP Programmer's Guide and Reference for more details on this support.
Tip: The specified character string can be a subset of the application-defined token. Specified URIs should begin with the first character of the path component of the URL.
For example:

ibm-ApplicationData = /account/order.html
ibm-ApplicationData = /account

The second specification would match all URLs beginning with /account (for example, /account/order/info.html).

Restriction: ApplicationPriority is used to select traffic with a matching application-specified priority value. It does not assign a QoS service level to the traffic. That function is provided by the corresponding PolicyAction.
For more information about providing classification data for differentiated services policies from an application, see z/OS Communications Server: IP Programmer's Guide and Reference.
For example, 20010101080000:20010131120000 is January 1, 2001, 0800 through January 31, 2001, noon.
The default is every day of the month.
TimeOfDayRange 0-8:30, 17:30-24
TimeOfDayRange 17:30-8:30
A maximum of four action references can be specified.
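The following is an added example, not taken from this page or from the product's sample file, of a PolicyRule that combines the application and time-period conditions described above. It reuses the ApplicationData, ConditionTimeRange and TimeOfDayRange values shown on this page; the rule name, the priority value and the two referenced action names are assumed, and the PolicyAction statements they refer to are not shown here.

```conf
# Added example (not from this page or the product samples): a PolicyRule
# that selects web requests for URIs under /account within a dated validity
# period and a daily time window. Rule and action names are assumed.
PolicyRule        account-offhours-rule
{
  PolicyRulePriority        20
  # TCP (protocol number 6) to destination port 80
  ProtocolNumberRange       6
  DestinationPortRange      80 80
  # Prefix match against the application-provided token (for FRCA, the
  # web URI): any URI beginning with /account qualifies, for example
  # /account/order/info.html
  ApplicationData           /account
  # Validity period in yyyymmddhhmmss:yyyymmddhhmmss form, as on this page:
  # January 1, 2001, 08:00 through January 31, 2001, noon
  ConditionTimeRange        20010101080000:20010131120000
  # Daily window given as start-end; this is the page's own example value
  TimeOfDayRange            17:30-8:30
  # Explicit defaults: every month of the year and every day of the week
  MonthOfYearMask           111111111111
  DayOfWeekMask             1111111
  # Up to four action references are allowed; two are shown. Both names are
  # assumed and must exist as PolicyAction statements in the configuration.
  PolicyActionReference     account-offhours-action
  PolicyActionReference     account-offhours-audit-action
  ForLoadDistribution       FALSE
}
```

DayOfMonthMask is omitted, so it keeps its default of every day of the month; the masks and ranges that are written out are shown only to make the defaults visible next to the values that change.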
Table 1 provides mapping of the PolicyRule statement parameters to LDAP object classes and attributes.
| PolicyRule statement parameter | LDAP object class | LDAP attribute |
|---|---|---|
| PolicyRulePriority | ibm-policyRule | ibm-policyRulePriority |
| PolicyActionReference | ibm-policyRule | ibm-policyRuleActionList |
| Not applicable | ibm-policyRule | ibm-policyRuleEnabled |
| Not applicable | ibm-policyRule | ibm-policyRuleConditionListType |
| Not applicable | ibm-policyRule | ibm-policyRuleConditionList or ibm-policyRuleConditionListDN |
| Not applicable | ibm-policyRule | ibm-policyRuleValidityPeriodList |
| Not applicable | ibm-policyRule | ibm-policyRuleSequenceActions |
| Not applicable | ibm-policyRule | ibm-policyRoles |
| ForLoadDistribution | ibm-policyGroupLoadDistributionAuxClass | ibm-policyGroupForLoadDistribution |
| SourceAddressRange | ibm-hostConditionAuxClass | ibm-sourceIPAddressRange |
| DestinationAddressRange | ibm-hostConditionAuxClass | ibm-destinationIPAddressRange |
| SourcePortRange | ibm-applicationConditionAuxClass | ibm-sourcePortRange |
| DestinationPortRange | ibm-applicationConditionAuxClass | ibm-destinationPortRange |
| ProtocolNumberRange | ibm-applicationConditionAuxClass | ibm-protocolNumberRange |
| InboundInterface | ibm-routeConditionAuxClass | ibm-interface |
| OutboundInterface | ibm-routeConditionAuxClass | ibm-interface |
| ApplicationName | ibm-applicationConditionAuxClass | ibm-applicationName |
| ApplicationData | ibm-applicationConditionAuxClass | ibm-applicationData |
| ApplicationPriority | ibm-applicationConditionAuxClass | ibm-applicationPriority |
| Not applicable | ibm-idsIPAttackConditionAuxClass | ibm-idsIPOptionRange |
| Not applicable | ibm-idsTransportConditionAuxClass | ibm-idsLocalPortRange |
| Not applicable | ibm-idsTransportConditionAuxClass | ibm-idsRemotePortRange |
| Not applicable | ibm-idsTransportConditionAuxClass | ibm-idsProtocolRange |
| Not applicable | ibm-idsHostConditionAuxClass | ibm-idsLocalHostIPAddress |
| Not applicable | ibm-idsHostConditionAuxClass | ibm-idsRemoteHostIPAddress |
| ConditionTimeRange | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionTime |
| MonthOfYearMask | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionMonthOfYearMask |
| DayOfMonthMask | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionDayOfMonthMask |
| DayOfWeekMask | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionDayOfWeekMask |
| TimeOfDayRange | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionTimeOfDayMask |
| Not applicable | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionTimeZone |
| Not applicable | ibm-policyTimePeriodConditionAuxClass | ibm-ptpConditionLocalOrUtcTime |
Also, for more information about policy schema definition files, see Intrusion detection services policy.
For an example of the PolicyRule statement, see /usr/lpp/tcpip/samples/pagent.conf.