How Simple Filters Evaluate Packets
Simple Filters That Contain a Single Term
For a simple filter that consists of a single term, the policy framework software evaluates a packet as follows:
If the packet matches all the conditions, the actions are taken.
If the packet matches all the conditions and no actions are specified, the packet is accepted.
If the packet does not match all the conditions, it is discarded.
Simple Filters That Contain Multiple Terms
For a simple filter that consists of multiple terms, the policy framework software evaluates a packet against the terms in the filter sequentially, beginning with the first term in the filter, until either the packet matches all the conditions in one of the terms or there are no more terms in the filter.
If the packet matches all the conditions in a term, the actions in that term are performed and evaluation of the packet ends at that term. Any subsequent terms in the filter are not used.
If the packet does not match all the conditions in the term, evaluation of the packet proceeds to the next term in the filter.
Simple Filter Terms That Do Not Contain Any Match Conditions
For simple filters with a single term and for filters with multiple terms, if a term does not contain any match conditions, the actions are taken on any packet evaluated.
Simple Filter Terms That Do Not Contain Any Actions
If a simple filter term does not contain any actions, and if the packet matches the conditions in the term, the packet is accepted.
Simple Filter Default Action
Each simple filter has an implicit discard action at the end of the filter, which is equivalent to including the following example term explicit_discard as the final term in the simple filter:
term explicit_discard { then discard; }
By default, if a packet matches none of the terms in a simple filter, the packet is discarded.
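The evaluation rules above can be modeled in a few lines. The following Python sketch is an added example, not code from the policy framework software; the Term class, the function names, and the sample filter and packet fields are assumptions made for illustration. It also flags terms that can never be evaluated because an earlier term has no match conditions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Term:
    name: str
    conditions: dict = field(default_factory=dict)  # empty = no match conditions
    actions: list = field(default_factory=list)     # empty = no actions

def matches(term, packet):
    """True only if the packet satisfies every condition in the term."""
    for key, want in term.conditions.items():
        have = packet.get(key)
        if key == "source-address":
            if have is None or ip_address(have) not in ip_network(want):
                return False
        elif have != want:
            return False
    return True  # also reached when the term has no conditions

def evaluate(terms, packet):
    """Return (deciding term name, actions taken) for one packet."""
    for term in terms:
        if matches(term, packet):
            # First matching term ends evaluation; no actions means accept.
            return term.name, term.actions or ["accept"]
    return "implicit-discard", ["discard"]  # no term matched

def unreachable_terms(terms):
    """Names of terms that follow a condition-less term and are never used."""
    for i, term in enumerate(terms):
        if not term.conditions:
            return [t.name for t in terms[i + 1:]]
    return []

# Constructed filter: field names and values are illustrative only.
FILTER = [
    Term("ssh-from-mgmt", {"source-address": "192.0.2.0/24", "protocol": "tcp", "destination-port": 22}),
    Term("drop-other-ssh", {"protocol": "tcp", "destination-port": 22}, ["discard"]),
    Term("dns", {"protocol": "udp", "destination-port": 53}),
]
# Same terms with a condition-less term inserted too early.
MISORDERED = FILTER[:1] + [Term("catch-all", actions=["discard"])] + FILTER[1:]

if __name__ == "__main__":
    pkt = {"source-address": "198.51.100.7", "protocol": "icmp"}
    print(evaluate(FILTER, pkt))
    print(unreachable_terms(MISORDERED))
```

Running unreachable_terms over a filter before committing it is a quick way to catch a term whose position causes every later term to be ignored.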