The source-address-exclude command excludes specific source addresses from a policy rule.
The undo source-address-exclude command deletes the source addresses excluded from a policy rule.
source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
undo source-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
| ipv4-address | Specifies the IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of an IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation whose binary form must be consecutive (a run of 1s followed by a run of 0s). For example, 255.0.255.0 is not a legitimate mask because its binary form is 11111111.00000000.11111111.00000000. In the binary form, digits 1 are to be matched, whereas digits 0 are not; if 255.0.255.0 were allowed, 192.168.1.1/255.0.255.0 would match only IP addresses of the 192.*.1.* form. |
| wildcard | Specifies the wildcard of an IPv4 address. | The value is in dotted decimal notation whose binary form must be consecutive (a run of 0s followed by a run of 1s). For example, 0.255.0.255 is not a legitimate wildcard because its binary form is 00000000.11111111.00000000.11111111. In the binary form, digits 0 are to be matched, whereas digits 1 are not; if 0.255.0.255 were allowed, 192.168.1.1/0.255.0.255 would match only IP addresses of the 192.*.1.* form. |
| range | Indicates the address range. | - |
| ipv4-start-address | Specifies the start address of an IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of an IPv4 address range. | The value is in dotted decimal notation. |
| description description | Specifies the description of an individual IPv4 address or address segment. | The value is a string of 1 to 128 characters. |
When the source address of a flow is excluded from a rule of the configured SSL-encrypted traffic detection policy, the flow is not subject to the policy.
Application Scenario
For example, a user wants to implement SSL decryption for traffic whose source address is within network segment 10.1.1.0/24, but not for traffic whose source address is in the range 10.1.1.40 to 10.1.1.50 of that segment (the excluded source addresses). Two SSL-encrypted traffic detection policy configuration schemes meet this requirement. In configuration scheme 1, two policy rules are configured to take different actions on the two flows. This scheme increases the number of rules, which makes the policy harder to maintain. In configuration scheme 2, only one rule needs to be configured: excluding the source addresses from that rule has the same effect as configuration scheme 1, which reduces the policy maintenance workload and simplifies the configuration.
Configuration scheme 1:

```
<sysname> system-view
[sysname] decryption-policy
[sysname-policy-decryption] rule name policy_deny
[sysname-policy-decryption-rule-policy_deny] source-address range 10.1.1.40 10.1.1.50
[sysname-policy-decryption-rule-policy_deny] action no-decrypt
[sysname-policy-decryption-rule-policy_deny] quit
[sysname-policy-decryption] rule name policy_permit
[sysname-policy-decryption-rule-policy_permit] source-address 10.1.1.0 24
[sysname-policy-decryption-rule-policy_permit] action decrypt profile file1
```

Configuration scheme 2:

```
<sysname> system-view
[sysname] decryption-policy
[sysname-policy-decryption] rule name policy_sec
[sysname-policy-decryption-rule-policy_sec] source-address-exclude range 10.1.1.40 10.1.1.50
[sysname-policy-decryption-rule-policy_sec] source-address 10.1.1.0 24
[sysname-policy-decryption-rule-policy_sec] action decrypt profile file1
```
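As an added illustration (not Huawei's code or the device's actual matching logic), the following Python models the mask and wildcard semantics from the parameter table, the consecutive-bits check, and the exclude-before-match evaluation from the scenario above, and checks that the two configuration schemes reach the same decrypt decision for any source address. The rule/dictionary layout, first-match rule order and function names are assumptions made for the example.

```python
import ipaddress
# Added illustration, not Huawei's implementation: models how a decryption-policy rule's
# source-address and source-address-exclude entries decide whether a flow is decrypted.
def _ip(a):
    return int(ipaddress.IPv4Address(a))
def is_contiguous_mask(mask):
    """Legal mask: 1 bits then 0 bits (255.0.255.0 is not)."""
    inv = ~_ip(mask) & 0xFFFFFFFF           # the mask's 0 bits become 1s...
    return (inv & (inv + 1)) == 0           # ...and must form one trailing run
def is_contiguous_wildcard(wc):
    """Legal wildcard: 0 bits then 1 bits (0.255.0.255 is not)."""
    w = _ip(wc)
    return (w & (w + 1)) == 0
def entry_matches(entry, addr):
    """entry: ('prefix', ip, len), ('mask', ip, mask), ('wildcard', ip, wc) or ('range', lo, hi)."""
    a, kind = _ip(addr), entry[0]
    if kind == 'range':
        return _ip(entry[1]) <= a <= _ip(entry[2])
    if kind == 'prefix':                    # /24 is the mask 255.255.255.0
        care = (0xFFFFFFFF << (32 - entry[2])) & 0xFFFFFFFF
    elif kind == 'mask':                    # 1 bits are matched
        if not is_contiguous_mask(entry[2]):
            raise ValueError('mask bits are not consecutive: ' + entry[2])
        care = _ip(entry[2])
    elif kind == 'wildcard':                # 0 bits are matched
        if not is_contiguous_wildcard(entry[2]):
            raise ValueError('wildcard bits are not consecutive: ' + entry[2])
        care = ~_ip(entry[2]) & 0xFFFFFFFF
    else:
        raise ValueError('unknown entry kind: ' + kind)
    return (a & care) == (_ip(entry[1]) & care)

def decrypts(policy, addr):
    """First rule hit wins; an excluded source address never hits its rule."""
    for rule in policy:
        if any(entry_matches(e, addr) for e in rule.get('exclude', [])):
            continue                        # flow is not subject to this rule
        if any(entry_matches(e, addr) for e in rule['source']):
            return rule['action'] == 'decrypt'
    return False                            # no rule matched: not decrypted

# Constructed from the page's two configuration schemes (rules are tried in order).
SCHEME1 = [{'source': [('range', '10.1.1.40', '10.1.1.50')], 'action': 'no-decrypt'},
           {'source': [('prefix', '10.1.1.0', 24)], 'action': 'decrypt'}]
SCHEME2 = [{'source': [('prefix', '10.1.1.0', 24)],
            'exclude': [('range', '10.1.1.40', '10.1.1.50')], 'action': 'decrypt'}]

def schemes_agree(addrs):
    return all(decrypts(SCHEME1, a) == decrypts(SCHEME2, a) for a in addrs)
```

Running `schemes_agree` over the segment boundaries and the excluded range (10.1.1.39, 10.1.1.40, 10.1.1.50, 10.1.1.51, an address outside 10.1.1.0/24) is a quick way to confirm an exclusion does what the shorter configuration intends before pushing it to a device.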