The source-address-exclude command excludes specific source addresses from a DNS transparent proxy policy rule.
The undo source-address-exclude command deletes the source addresses excluded from a DNS transparent proxy policy rule.
source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
undo source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
| ipv4-address | Specifies an IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask of an IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation. The mask in binary format may contain noncontiguous 1s, such as 255.0.255.0 (11111111 00000000 11111111 00000000). Only the bits set to 1 in the mask are compared; the bits set to 0 are ignored. For example, IP address 192.168.1.1 with mask 255.0.255.0 matches all IP addresses of the form 192.*.1.*. |
| wildcard | Specifies a wildcard for the IPv4 address. | The value is in dotted decimal notation. The wildcard in binary format may contain noncontiguous 1s, such as 0.255.0.255 (00000000 11111111 00000000 11111111). Only the bits set to 0 in the wildcard are compared; the bits set to 1 are ignored. For example, IP address 192.168.1.1 with wildcard 0.255.0.255 matches all IP addresses of the form 192.*.1.*. |
| range | Indicates an address range. | - |
| ipv4-start-address | Specifies the start address of the IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of the IPv4 address range. | The value is in dotted decimal notation. |
| description description | Specifies the description of a single IPv4 address or address range. | The value is a string of 1 to 128 characters. |
When the source address of a flow is excluded by a rule of the configured DNS transparent proxy policy, the flow is not subject to the policy.
Application Scenario
For example, a user wants to apply DNS transparent proxy to traffic whose source address is within network segment 10.1.1.0/24, but not to traffic whose source address falls in the range 10.1.1.40 to 10.1.1.50 inside that segment (the excluded source addresses). Two DNS transparent proxy policy configuration schemes meet this requirement. In configuration scheme 1, two rules are configured so that the two flows receive different actions; this adds rules to the policy and makes it harder to maintain. In configuration scheme 2, only one rule is needed: excluding the source addresses from that rule has the same effect as configuration scheme 1, which reduces the policy maintenance workload and simplifies the configuration.
Configuration scheme 1 (two rules, one per flow):

```
<sysname> system-view
[sysname] dns-transparent-policy
[sysname-policy-dns] rule name policy_deny
[sysname-policy-dns-rule-policy_deny] source-address range 10.1.1.40 10.1.1.50
[sysname-policy-dns-rule-policy_deny] action no-tpdns
[sysname-policy-dns-rule-policy_deny] quit
[sysname-policy-dns] rule name policy_permit
[sysname-policy-dns-rule-policy_permit] source-address 10.1.1.0 24
[sysname-policy-dns-rule-policy_permit] action tpdns
```

Configuration scheme 2 (one rule with excluded source addresses):

```
<sysname> system-view
[sysname] dns-transparent-policy
[sysname-policy-dns] rule name policy_sec
[sysname-policy-dns-rule-policy_sec] source-address-exclude range 10.1.1.40 10.1.1.50
[sysname-policy-dns-rule-policy_sec] source-address 10.1.1.0 24
[sysname-policy-dns-rule-policy_sec] action tpdns
```
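The matching forms from the parameter table (prefix length, mask, wildcard, range) and the two configuration schemes above, modelled in Python as an added example; this is not the device's implementation, and the predicate tuples and rule dictionaries are my own representation of the command syntax. It assumes that rules in a policy are evaluated top-down with the first match winning, and it checks that both schemes proxy exactly the same sources across 10.1.1.0/24.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))  # dotted-decimal -> 32-bit int

def matches(pred, addr):
    """Evaluate one source-address form from the command syntax: (kind, ref, arg)."""
    kind, ref, arg = pred
    a = _ip(addr)
    if kind == "prefix":      # ipv4-address ipv4-mask-length
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(f"{ref}/{arg}", strict=False)
    if kind == "mask":        # ipv4-address mask mask-address: 1 bits compared, 0 bits ignored
        m = _ip(arg)
    elif kind == "wildcard":  # ipv4-address wildcard: 0 bits compared, 1 bits ignored
        m = _ip(arg) ^ 0xFFFFFFFF
    elif kind == "range":     # range ipv4-start-address ipv4-end-address
        return _ip(ref) <= a <= _ip(arg)
    else:
        raise ValueError(f"unknown predicate kind {kind!r}")
    return (a & m) == (_ip(ref) & m)   # mask and wildcard differ only in which bits are compared

def rule_action(rule, src):
    """Action of one rule, or None. An excluded source never matches, even inside source-address."""
    if any(matches(p, src) for p in rule.get("exclude", [])):
        return None
    return rule["action"] if any(matches(p, src) for p in rule["source"]) else None

def policy_action(rules, src):
    """Modelling assumption: rules are checked top-down, first match wins; None = not subject to policy."""
    for rule in rules:
        act = rule_action(rule, src)
        if act is not None:
            return act
    return None

# Configuration scheme 1 from the page: a no-tpdns rule for the range, then a tpdns rule for the /24.
SCHEME_1 = [
    {"source": [("range", "10.1.1.40", "10.1.1.50")], "action": "no-tpdns"},
    {"source": [("prefix", "10.1.1.0", 24)], "action": "tpdns"},
]
# Configuration scheme 2 from the page: a single tpdns rule with the range excluded.
SCHEME_2 = [{"source": [("prefix", "10.1.1.0", 24)],
             "exclude": [("range", "10.1.1.40", "10.1.1.50")], "action": "tpdns"}]

def proxied(rules, src):
    return policy_action(rules, src) == "tpdns"  # True when the flow is transparently proxied

def schemes_agree():
    # Every host in 10.1.1.0/24 must get the same proxied/not-proxied outcome under both schemes
    return all(proxied(SCHEME_1, f"10.1.1.{h}") == proxied(SCHEME_2, f"10.1.1.{h}") for h in range(256))
```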