The service-exclude protocol command excludes a TCP/UDP/SCTP port or IP-layer protocol from a policy rule, so that traffic with the port or IP-layer protocol does not match the policy.
The undo service-exclude protocol command deletes the excluded TCP/UDP/SCTP port or IP-layer protocol from the policy.
# Exclude a TCP/UDP/SCTP port from a traffic policy. If no source or destination port is specified, the whole protocol (all TCP, UDP, or SCTP traffic) is excluded.
service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
# Delete the excluded TCP/UDP/SCTP port from a traffic policy.
undo service-exclude protocol { { 17 | udp } | { 6 | tcp } | { 132 | sctp } } [ source-port { source-port | start-source-port to end-source-port } &<1-64> | destination-port { destination-port | start-destination-port to end-destination-port } &<1-64> ] *
# Exclude the ICMP packet type from a traffic policy.
service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
# Delete the excluded ICMP packet type from a traffic policy.
undo service-exclude protocol { 1 | icmp } [ icmp-type { icmp-name | icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> } ]
# Exclude the ICMPv6 packet type from a traffic policy.
service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
# Delete the excluded ICMPv6 packet type from a traffic policy.
undo service-exclude protocol { 58 | icmpv6 } [ icmpv6-type { icmpv6-name | icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> } ]
# Exclude an IP-layer protocol other than 1-ICMP, 6-TCP, 17-UDP, 58-ICMPv6, and 132-SCTP from a traffic policy (those five protocols use the dedicated forms above). For the mapping of numbers to protocols, refer to the standard (IANA) IP-layer protocol number list.
service-exclude protocol protocol-number
# Delete an excluded IP-layer protocol other than 1-ICMP, 6-TCP, 17-UDP, 58-ICMPv6, and 132-SCTP from a traffic policy.
undo service-exclude protocol protocol-number
| Parameter | Description | Value |
|---|---|---|
| 17 \| udp | Indicates UDP. | - |
| 6 \| tcp | Indicates TCP. | - |
| 132 \| sctp | Indicates SCTP. | - |
| source-port { source-port \| start-source-port to end-source-port } &<1-64> | Specifies the source port or source port range. | The value is an integer ranging from 0 to 65535. A maximum of 64 source ports or source port ranges can be added to or deleted from a traffic policy rule at a time. |
| destination-port { destination-port \| start-destination-port to end-destination-port } &<1-64> | Specifies the destination port or destination port range. | The value is an integer ranging from 0 to 65535. A maximum of 64 destination ports or destination port ranges can be added to or deleted from a traffic policy rule at a time. |
| 1 \| icmp | Indicates ICMP. | - |
| icmp-type | Indicates the ICMP packet type and message code. | - |
| icmp-name | Specifies the ICMP packet type name. | - |
| icmp-type-number { icmp-code-number [ to icmp-code-number ] } &<1-64> | Specifies the ICMP packet type number and message code (or code range). | The value is an integer ranging from 0 to 255. A maximum of 64 groups of ICMP packet type numbers and message codes can be added to or deleted from a traffic policy rule at a time. |
| 58 \| icmpv6 | Indicates ICMPv6. | - |
| icmpv6-type | Indicates the ICMPv6 packet type and message code. | - |
| icmpv6-name | Specifies the ICMPv6 packet type name. | - |
| icmpv6-type-number { icmpv6-code-number [ to icmpv6-code-number ] } &<1-64> | Specifies the ICMPv6 packet type number and message code (or code range). | The value is an integer ranging from 0 to 255. A maximum of 64 groups of ICMPv6 packet type numbers and message codes can be added to or deleted from a traffic policy rule at a time. |
| protocol-number | Specifies an IP-layer protocol number other than 1-ICMP, 6-TCP, 17-UDP, 58-ICMPv6, and 132-SCTP. | The value is an integer ranging from 0 to 255. |
If a policy references TCP/UDP/SCTP ports or IP-layer protocols, you can run the service-exclude protocol command to carve a port, port range, ICMP/ICMPv6 type, or IP-layer protocol out of it. After the configuration, traffic with that port or protocol no longer matches the policy. Note that exclusion is not a deny: the excluded traffic is simply not matched by this policy and is handled by whatever later policy or default action applies to it, so verify that the fall-through behavior is what you intend.
Application Scenarios
When configuring a policy, you can reference TCP/UDP/SCTP ports or IP-layer protocols for port-based access control. For example, suppose there are two services: Service1 (TCP, source ports 0-65535, destination ports 100-120) and Service2 (TCP, source ports 0-65535, destination ports 100-200). The user wants to block Service1 traffic but permit Service2 traffic. With configuration method 1 in the following table, you assign different actions to different ports with separate policies; this adds policies and increases maintenance effort. Alternatively, with configuration method 2, you configure a single policy for Service2 and run the service-exclude protocol command to exclude the Service1 ports from it. Method 2 has the same effect as method 1 without the additional policies.
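The following is an added example, not code from the original page or from the device vendor: a small Python model of the matching semantics described above (first-match rule evaluation, port/port-range and ICMP type/code qualifiers, the 0-65535 and 0-255 value ranges, the 64-entry limit, and exclusion as "does not match"). It builds the Service1/Service2 scenario both ways and checks that the single permit rule carrying `service-exclude protocol tcp destination-port 100 to 120` gives the same verdict as the two-rule version for packets on every range boundary. The `Packet`, `Service`, `Rule` and `evaluate` names, the constant names, and the probe packets are all constructed for this example; the model goes beyond the TCP case in the text by also handling ICMP/ICMPv6 type and code exclusions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# IP-layer protocol numbers used by the command (names chosen for this example)
ICMP, TCP, UDP, ICMPV6, SCTP = 1, 6, 17, 58, 132
PORT_PROTOCOLS = {TCP, UDP, SCTP}
ICMP_PROTOCOLS = {ICMP, ICMPV6}
MAX_ENTRIES = 64  # &<1-64>: at most 64 ports/ranges or type/code groups per command


@dataclass(frozen=True)
class Packet:
    """Only the header fields the policy looks at (constructed for the example)."""
    protocol: int
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0


def _in_ranges(value: int, ranges: List[Tuple[int, int]]) -> bool:
    # An empty list means "not specified", i.e. any value matches.
    return not ranges or any(lo <= value <= hi for lo, hi in ranges)


@dataclass
class Service:
    """One service or exclusion: a protocol plus optional port or ICMP type/code qualifiers."""
    protocol: int
    src_ports: List[Tuple[int, int]] = field(default_factory=list)
    dst_ports: List[Tuple[int, int]] = field(default_factory=list)
    icmp_types: List[Tuple[int, int, int]] = field(default_factory=list)  # (type, code_lo, code_hi)

    def __post_init__(self) -> None:
        if not 0 <= self.protocol <= 255:
            raise ValueError("protocol number must be 0-255")
        for ranges in (self.src_ports, self.dst_ports):
            if len(ranges) > MAX_ENTRIES:
                raise ValueError("at most 64 ports or port ranges per command")
            for lo, hi in ranges:
                if not 0 <= lo <= hi <= 65535:
                    raise ValueError(f"bad port range {lo}-{hi}")
        if len(self.icmp_types) > MAX_ENTRIES:
            raise ValueError("at most 64 ICMP type/code groups per command")
        for t, lo, hi in self.icmp_types:
            if not (0 <= t <= 255 and 0 <= lo <= hi <= 255):
                raise ValueError(f"bad ICMP type/code {t}/{lo}-{hi}")

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol:
            return False
        if self.protocol in PORT_PROTOCOLS:
            return _in_ranges(pkt.sport, self.src_ports) and _in_ranges(pkt.dport, self.dst_ports)
        if self.protocol in ICMP_PROTOCOLS:
            return not self.icmp_types or any(
                t == pkt.icmp_type and lo <= pkt.icmp_code <= hi for t, lo, hi in self.icmp_types)
        return True  # other protocol numbers carry no sub-qualifier


@dataclass
class Rule:
    action: str
    services: List[Service]
    excludes: List[Service] = field(default_factory=list)  # service-exclude protocol ...

    def matches(self, pkt: Packet) -> bool:
        # Excluded traffic does not match this rule at all, so it falls through.
        return any(s.matches(pkt) for s in self.services) and not any(
            e.matches(pkt) for e in self.excludes)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation; traffic matching no rule gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Service1: TCP, src 0-65535, dst 100-120.  Service2: TCP, src 0-65535, dst 100-200.
SERVICE1 = Service(TCP, src_ports=[(0, 65535)], dst_ports=[(100, 120)])
SERVICE2 = Service(TCP, src_ports=[(0, 65535)], dst_ports=[(100, 200)])

# Method 1: two rules, deny Service1 before permitting Service2.
METHOD1 = [Rule("deny", [SERVICE1]), Rule("permit", [SERVICE2])]
# Method 2: one permit rule for Service2 carrying
#   service-exclude protocol tcp destination-port 100 to 120
METHOD2 = [Rule("permit", [SERVICE2], excludes=[Service(TCP, dst_ports=[(100, 120)])])]

# Constructed probe packets on every boundary of the two port ranges, plus non-TCP traffic.
PROBES = [Packet(TCP, 40000, d) for d in (99, 100, 110, 120, 121, 150, 200, 201)]
PROBES += [Packet(UDP, 40000, 150), Packet(ICMP, icmp_type=8)]


def verdicts(rules: List[Rule]) -> List[str]:
    return [evaluate(rules, p) for p in PROBES]


def methods_agree() -> bool:
    """True when the exclude-based policy behaves exactly like the two-rule policy."""
    return verdicts(METHOD1) == verdicts(METHOD2)


if __name__ == "__main__":
    for p, v1, v2 in zip(PROBES, verdicts(METHOD1), verdicts(METHOD2)):
        print(f"proto={p.protocol:3} dport={p.dport:3} type={p.icmp_type}  method1={v1:6} method2={v2}")
    print("identical:", methods_agree())
```

The model makes the fall-through explicit: a packet to destination port 110 is not denied by the method 2 rule, it is left unmatched and receives the default action, which is why method 2 only reproduces method 1 when the default action (or the next matching policy) is deny.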
It is recommended that a single configured command contain no more than 500 characters.