Adding CLEAR-Flow Rules to ACLs

As described in the ACLs chapter, each ACL policy file consists of a number of named entries. Each entry consists of match conditions and actions to take if the entry is matched. CLEAR-Flow builds on the ACL concept to include rules that are periodically checked, and actions to take if a rule is triggered. The CLEAR-Flow entries are similar to the ACL entries.

The syntax of a CLEAR-Flow rule entry is:

entry <CLFrulename> {
    if <match-type> {
        <match-conditions>;
    }
    then {
        <actions>;
    }
}

Or you can specify an optional else clause:

entry <CLFrulename> {
    if <match-type> {
        <match-conditions>;
    }
    then {
        <actions>;
    } else {
        <actions>;
    }
}

In the CLEAR-Flow rule syntax, CLFrulename is the name of the rule (maximum of 31 characters). The optional match-type specifies whether the rule is triggered when any of the expressions that make up the conditions is true (logical OR), or only when all of them are true (logical AND). The match-conditions specify the conditions that trigger the rule and how often the rule is evaluated. The actions in the then clause are the list of actions to take when the rule is triggered; the actions in the optional else clause are the list of actions to take after the rule has been triggered and the match-conditions later become false.

Note

When you create an ACL policy file that contains CLEAR-Flow rules, the CLEAR-Flow rules do not have any precedence, unlike the ACL entries. Each CLEAR-Flow rule specifies how often it should be evaluated. The order of evaluation depends on the sampling time and when the CLEAR-Flow agent receives the counter statistics. The order of the CLEAR-Flow rules in the policy file does not have any significance.
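The following policy file fragment is an added example, not taken from this page: an ACL entry that maintains a packet counter, and a CLEAR-Flow rule that watches that counter and uses the else clause to record when the condition clears. The entry name acl_rule_1, the address range, the threshold, the period and the trap id are constructed values; the count, period, snmptrap and syslog keywords are not introduced on this page, and the optional match-type is omitted.

```text
# Added example. acl_rule_1 is a constructed ACL entry whose only purpose here
# is to keep a counter that the CLEAR-Flow rule below can evaluate.
entry acl_rule_1 {
    if {
        destination-address 10.10.0.0/16;   # constructed address range
        protocol tcp;
    }
    then {
        count acl_rule_1;                   # counter sampled by CLEAR-Flow
    }
}

# CLEAR-Flow rule: name is 20 characters, inside the 31-character limit.
# Triggered when the acl_rule_1 counter exceeds 1000000 packets; the rule is
# evaluated every 10 seconds, and the else clause runs once the condition
# later becomes false again.
entry cflow_high_rate_rule {
    if {
        count acl_rule_1 > 1000000;         # constructed threshold
        period 10;                          # evaluate every 10 seconds
    }
    then {
        snmptrap 123 "acl_rule_1 traffic exceeds threshold";
    } else {
        syslog "acl_rule_1 traffic back below threshold";
    }
}
```

Because CLEAR-Flow rules have no precedence, adding a second rule with a different period to this file does not change when cflow_high_rate_rule is evaluated.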