How Service Filters Evaluate Packets
Service Filters That Contain a Single Term
For a service filter that consists of a single term, the policy framework software evaluates a packet as follows:
If the packet matches all the conditions, the actions are taken.
If the packet matches all the conditions and no actions are specified, the packet is accepted.
If the packet does not match all the conditions, it is discarded.
Service Filters That Contain Multiple Terms
For a service filter that consists of multiple terms, the policy framework software evaluates a packet against the terms in the filter sequentially, beginning with the first term in the filter, until either the packet matches all the conditions in one of the terms or there are no more terms in the filter.
If the packet matches all the conditions in a term, the actions in that term are performed and evaluation of the packet ends at that term. Any subsequent terms in the filter are not used.
If the packet does not match all the conditions in the term, evaluation of the packet proceeds to the next term in the filter.
Service Filter Terms That Do Not Contain Any Match Conditions
For service filters with a single term and for filters with multiple terms, if a term does not contain any match conditions, the actions are taken on any packet evaluated.
Service Filter Terms That Do Not Contain Any Actions
If a term does not contain any actions, and if the packet matches the conditions in the term, the packet is accepted.
Service Filter Default Action
Each service filter has an implicit skip
action at the end of the filter, which is equivalent to including the following example term explicit_skip
as the final term in the service filter:
term explicit_skip { then skip; }
By default, if a packet matches none of the terms in a service filter, the packet bypasses service processing.