security packet-filter policy
security packet-filter policy(1)    BIG-IP TMSH Manual    security packet-filter policy(1)
NAME
policy - Configures a packet-filter policy.
MODULE
security packet-filter
SYNTAX
Modify the policy component within the security packet-filter module
using the syntax shown in the following sections.
CREATE/MODIFY
create policy [name]
modify policy [name]
  options:
    description [string]
    rules [add | delete | modify | replace-all-with] {
      [name] {
        options:
          action [accept | drop]
          description [string]
          ipv6-extension-headers [add | delete | replace-all-with] {
            [ah | esp | hopopt | ipv6-frag | ipv6-nonxt | ipv6-opts | ipv6-route | mh] {
              values [add | delete | replace-all-with] {
                [ [value] | [value1-value2] ]
              }
            }
          }
          log [no | yes]
          status [disabled | enabled]
      }
    }
    rules none
edit policy
  options:
    all-properties
    non-default-properties
DISPLAY
list policy
DESCRIPTION
You can use the policy component to configure a shareable, reusable
set of security packet-filter rules that can be associated with a
number of configuration objects of the following types: security
packet-filter default-rules and net route-domain.
EXAMPLES
modify policy policy1 rules add {
  drop-frags {
    action drop
    ipv6-extension-headers replace-all-with { ipv6-frag }
  }
}
Creates a rule entry that drops all IPv6 packets that carry a Fragment
Header.
modify policy policy1 rules delete drop-frags
Removes the rule drop-frags from the list of rules.
create policy xyz rules add { r1 { action drop ipv6-extension-headers
  replace-all-with { hopopt { values replace-all-with { 0 } } } } }
Creates a policy with a single rule that drops all packets that carry a
Hop-by-Hop Header with option 0. Packets that carry a Hop-by-Hop Header
without option 0 are not dropped.
create policy xyz rules add { r1 { action drop ipv6-extension-headers
  replace-all-with { hopopt } } }
Creates a policy with a single rule that drops all packets that carry a
Hop-by-Hop Header, with or without options.
list policy
Displays the current list of policy rules.
OPTIONS
description
User defined description.
rules
Adds, deletes, or replaces a packet-filter rule.
action
Specifies the action that the system takes when a rule is
matched.
accept
Specifies that the current packet should be accepted.
drop
Specifies that the current packet should be silently
dropped. Nothing is sent back to the packet source. The
packet is still compared to any other rules, so other
rule counters may be incremented.
description
User defined description.
ipv6-extension-headers
Specifies a list of IPv6 Extension Header types (only one
item per list is currently supported) against which the
packet is compared.
values
Specifies a list of IPv6 Extension Header options or
option ranges against which the packet is compared.
Specifying values is supported only for some of the IPv6
Extension Header types: hopopt - values match Hop-by-Hop
Options; ipv6-opts - values match Destination Options;
ipv6-route - values match the Routing type. If values are
omitted, no option values are required for a match: it is
enough for the packet to include an IPv6 Extension Header
of the type specified in the rule.
log
Specifies whether the packet is logged if it matches the
rule. Logging must also be enabled in the security log profile
global-network. Note that the statistics counter is always
incremented when a packet matches a rule.
status
Specifies whether the rule is enabled or disabled. If a rule
is disabled it has no effect on data packets.
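The matching semantics spelled out in EXAMPLES and OPTIONS (omitted values mean header presence is enough, a disabled rule has no effect, a drop still lets later rules count the packet, log only adds a log entry) modelled in Python as an added example. This is not BIG-IP code; the Rule/evaluate names, the packet representation and the first-match verdict are assumptions, since the page does not state how the verdict is chosen when several rules match.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One packet-filter rule as described under OPTIONS (constructed model, not BIG-IP code)."""
    name: str
    action: str                   # accept | drop
    ext_header: str               # hopopt, ipv6-frag, ipv6-opts, ipv6-route, ...
    values: Optional[set] = None  # option numbers; None means any instance of the header matches
    status: str = "enabled"
    log: bool = False
    matches: int = 0              # statistics counter, incremented on every match

def parse_values(tokens):
    """Expand tmsh value tokens such as '0' or '5-7' into a set of integers."""
    out = set()
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def rule_matches(rule, packet):
    """packet maps each extension-header type present to the option/type numbers it carries."""
    if rule.status != "enabled" or rule.ext_header not in packet:
        return False
    if rule.values is None:       # values omitted: presence of the header is enough
        return True
    return bool(rule.values & packet[rule.ext_header])

def evaluate(policy, packet, logged=None):
    """Return the verdict for one packet; append names of matching log=yes rules to `logged`.
    Assumed: the first matching rule decides the verdict and a packet matching no rule is
    accepted. The page states only that a drop does not stop comparison against later rules.
    """
    verdict = None
    for rule in policy:
        if not rule_matches(rule, packet):
            continue
        rule.matches += 1         # counter advances even after the verdict is decided
        if rule.log and logged is not None:
            logged.append(rule.name)
        if verdict is None:
            verdict = rule.action
    return verdict or "accept"

# Constructed sample: rule r1 from the "create policy xyz" example above.
POLICY_XYZ = [Rule("r1", "drop", "hopopt", parse_values(["0"]))]
```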
SEE ALSO
create, edit, list, modify, security log profile, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008, 2012-2018. All rights
reserved.
BIG-IP 2018-05-10 security packet-filter policy(1)