The service-exclude protocol command excludes a TCP/UDP/SCTP port or IP-layer protocol from a policy rule, so that traffic with the port or IP-layer protocol does not match the policy.
The undo service-exclude protocol command deletes the excluded TCP/UDP/SCTP port or IP-layer protocol from the policy.
# Exclude a TCP/UDP/SCTP port from a nat policy. If no source or destination port is specified, all ports of the given protocol are excluded.
service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
# Delete the excluded TCP/UDP/SCTP port from a nat policy.
undo service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
# Exclude the ICMP packet type from a nat policy.
service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
# Delete the excluded ICMP packet type from a nat policy.
undo service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
# Exclude the ICMPv6 packet type from a nat policy.
service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
# Delete the excluded ICMPv6 packet type from a nat policy.
undo service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
# Exclude an IP-layer protocol other than 1 (ICMP), 6 (TCP), 17 (UDP), 58 (ICMPv6), and 132 (SCTP) from a nat policy; those five use the keyword forms above. For the mapping of numbers to protocols, refer to the standard IP-layer protocol number list.
service-exclude protocol protocol-number
# Delete an excluded IP-layer protocol other than 1 (ICMP), 6 (TCP), 17 (UDP), 58 (ICMPv6), and 132 (SCTP) from a nat policy.
undo service-exclude protocol protocol-number
| Parameter | Description | Value |
|---|---|---|
| 17 \| udp | Indicates UDP. | - |
| 6 \| tcp | Indicates TCP. | - |
| 132 \| sctp | Indicates SCTP. | - |
| source-port { source-port \| start-source-port to end-source-port } &<1-64> | Specifies a source port or source port range. | The value is an integer ranging from 0 to 65535. A maximum of 64 source ports or source port ranges can be added to or deleted from a nat policy rule at a time. |
| destination-port { destination-port \| start-destination-port to end-destination-port } &<1-64> | Specifies a destination port or destination port range. | The value is an integer ranging from 0 to 65535. A maximum of 64 destination ports or destination port ranges can be added to or deleted from a nat policy rule at a time. |
| 1 \| icmp | Indicates ICMP. | - |
| icmp-type | Indicates the ICMP packet type and message code. | - |
| icmp-name | Specifies the ICMP packet type by name. | - |
| icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> | Specifies the ICMP packet type number and message code (or code range). | The value is an integer ranging from 0 to 255. A maximum of 64 groups of ICMP packet type numbers and message codes can be added to or deleted from a nat policy rule at a time. |
| 58 \| icmpv6 | Indicates ICMPv6. | - |
| icmpv6-type | Indicates the ICMPv6 packet type and message code. | - |
| icmpv6-name | Specifies the ICMPv6 packet type by name. | - |
| icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> | Specifies the ICMPv6 packet type number and message code (or code range). | The value is an integer ranging from 0 to 255. A maximum of 64 groups of ICMPv6 packet type numbers and message codes can be added to or deleted from a nat policy rule at a time. |
| protocol-number | Specifies an IP-layer protocol number other than 1 (ICMP), 6 (TCP), 17 (UDP), 58 (ICMPv6), and 132 (SCTP). | The value is an integer ranging from 1 to 255. |
It is recommended that the configured command contain no more than 500 characters.
If you reference TCP/UDP/SCTP ports or IP-layer protocols in a policy, you can run the service-exclude protocol command to exclude a port or IP-layer protocol. After the configuration, traffic with the port number or IP-layer protocol will not match the policy.
Application Scenarios
When configuring a nat policy, you can reference TCP/UDP/SCTP ports or IP-layer protocols in a rule to implement port-based NAT. For example, two services are defined: Service1 (TCP, source port 0 to 65535, destination port 100 to 120) and Service2 (TCP, source port 0 to 65535, destination port 100 to 200). Service1 is a subset of Service2. Traffic that belongs to Service1 must not be translated, while traffic that belongs to Service2 must be source-NATed and permitted. Configuration method 1 below assigns different actions to the two port ranges with two rules. Because the first matching rule decides, the no-nat rule for Service1 must precede the NAT rule for Service2, and every such special case adds a rule to maintain. Configuration method 2 uses the service-exclude protocol command in a single rule: the rule references Service2 and excludes the Service1 ports, so Service1 traffic does not match the rule and is left untranslated. Both methods have the same effect, and method 2 needs no additional rule.
Method 1: two rules, one per service (the no-nat rule must come first, because Service1's ports also fall inside Service2).
<sysname> system-view
[sysname] nat-policy
[sysname-policy-nat] rule name policy_1
[sysname-policy-nat-rule-policy_1] service protocol tcp destination-port 100 to 120
[sysname-policy-nat-rule-policy_1] action no-nat
[sysname-policy-nat-rule-policy_1] quit
[sysname-policy-nat] rule name policy_2
[sysname-policy-nat-rule-policy_2] service protocol tcp destination-port 100 to 200
[sysname-policy-nat-rule-policy_2] action source-nat address-group group1
[sysname-policy-nat-rule-policy_2] quit
Method 2: one rule that references Service2 and excludes the Service1 ports with service-exclude protocol.
<sysname> system-view
[sysname] nat-policy
[sysname-policy-nat] rule name policy_nat
[sysname-policy-nat-rule-policy_nat] service-exclude protocol tcp destination-port 100 to 120
[sysname-policy-nat-rule-policy_nat] service protocol tcp destination-port 100 to 200
[sysname-policy-nat-rule-policy_nat] action source-nat address-group group1
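The following Python model is an added example, not part of this command reference and not Huawei code. It parses the service and service-exclude syntax shown on this page, evaluates a rule list with first-match semantics, and checks that the two configuration methods of the scenario give the same action for every TCP destination port. The rule names, the flow tuples and the assumption that traffic matching no nat-policy rule is forwarded untranslated (DEFAULT_ACTION = "no-nat") are constructed for the example.

```python
"""Model of nat-policy rule matching with service / service-exclude.

Added example (not Huawei code): reproduces the matching semantics the page
describes, i.e. the first matching rule decides, and a port excluded with
service-exclude never matches the rule that excludes it.
"""
from dataclasses import dataclass, field

# IP protocol numbers the page's syntax accepts by keyword.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "icmpv6": 58, "sctp": 132}

# Assumption for this example (not stated on the page): traffic that matches
# no nat-policy rule is forwarded without translation.
DEFAULT_ACTION = "no-nat"


def parse_port_list(tokens, i):
    """Parse 'port' or 'start to end' entries (1 to 64 of them) from tokens[i].
    Returns the list of (low, high) ranges and the index of the next keyword."""
    ranges = []
    while i < len(tokens) and tokens[i].isdigit():
        low = high = int(tokens[i])
        i += 1
        if i + 1 < len(tokens) and tokens[i] == "to":
            high = int(tokens[i + 1])
            i += 2
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port range {low}-{high}")
        ranges.append((low, high))
    if not 1 <= len(ranges) <= 64:
        raise ValueError("a port list holds 1 to 64 entries")
    return ranges, i


@dataclass
class Service:
    proto: int
    sports: list = field(default_factory=list)  # empty list = any port
    dports: list = field(default_factory=list)

    def matches(self, proto, sport, dport):
        def in_ranges(port, ranges):
            return not ranges or any(lo <= port <= hi for lo, hi in ranges)
        return (proto == self.proto and in_ranges(sport, self.sports)
                and in_ranges(dport, self.dports))


def parse_service_cmd(cmd):
    """Parse 'service protocol ...' or 'service-exclude protocol ...' in the
    syntax shown on this page. Returns (is_exclude, Service)."""
    tokens = cmd.split()
    if tokens[0] not in ("service", "service-exclude") or tokens[1] != "protocol":
        raise ValueError(f"not a service command: {cmd}")
    proto = PROTO_NUMBERS.get(tokens[2]) or int(tokens[2])  # keyword or number
    svc = Service(proto)
    i = 3
    while i < len(tokens):
        if tokens[i] == "source-port":
            svc.sports, i = parse_port_list(tokens, i + 1)
        elif tokens[i] == "destination-port":
            svc.dports, i = parse_port_list(tokens, i + 1)
        else:
            raise ValueError(f"unexpected keyword {tokens[i]}")
    return tokens[0] == "service-exclude", svc


@dataclass
class Rule:
    name: str
    action: str
    services: list = field(default_factory=list)
    excludes: list = field(default_factory=list)

    def matches(self, flow):
        # A rule matches when a referenced service matches the flow and no
        # excluded service does: the exclusion carves a hole out of the match.
        return (any(s.matches(*flow) for s in self.services)
                and not any(e.matches(*flow) for e in self.excludes))


def build_rule(name, action, *cmds):
    rule = Rule(name, action)
    for cmd in cmds:
        is_exclude, svc = parse_service_cmd(cmd)
        (rule.excludes if is_exclude else rule.services).append(svc)
    return rule


def evaluate(policy, flow):
    """First matching rule decides; flow is (proto, sport, dport)."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return DEFAULT_ACTION


# The two configurations of the Application Scenarios, with constructed rule
# names, written with the page's service syntax instead of named services.
METHOD_1 = [
    build_rule("policy_1", "no-nat",
               "service protocol tcp destination-port 100 to 120"),
    build_rule("policy_2", "source-nat address-group group1",
               "service protocol tcp destination-port 100 to 200"),
]
METHOD_2 = [
    build_rule("policy_nat", "source-nat address-group group1",
               "service-exclude protocol tcp destination-port 100 to 120",
               "service protocol tcp destination-port 100 to 200"),
]


def methods_agree():
    """Compare both methods over every TCP destination port plus a UDP flow."""
    flows = [(6, 40000, d) for d in range(65536)] + [(17, 40000, 150)]
    return all(evaluate(METHOD_1, f) == evaluate(METHOD_2, f) for f in flows)


if __name__ == "__main__":
    for flow in [(6, 40000, 110), (6, 40000, 150), (6, 40000, 300)]:
        print(flow, evaluate(METHOD_1, flow), evaluate(METHOD_2, flow))
    print("methods agree:", methods_agree())
```

Reversing the rule order of METHOD_1 makes Service1 traffic match the NAT rule first, which is the ordering dependency method 2 avoids: with a single rule, excluded ports simply fall through to the default.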