D-Link NetDefendOS

A Goto rule can be added to any IP rule set and placed in any position within the rule set. This
rule has the usual filtering properties of Source/Destination Interface/Network plus the
service. If a match is found as the rule set is being scanned, the action of a Goto rule is to
transfer the processing to the beginning of another rule set.
Note: Goto rules can never point to the main rule set
A Goto rule may never use the rule set main as its target.
Return Rules
When encountered, a Return rule will return IP rule set scanning to the rule set entry
immediately following the last Goto rule executed. It can be made to trigger only on specific
Source/Destination Interface/Network and service values.
Note: The main rule set cannot contain a Return rule
NetDefendOS does not allow a Return rule to be added to the IP rule set main; this cannot be
configured using either the Web Interface or the CLI.
Multiple Rule Set Search Processing
When multiple rule sets are defined, the way they are processed for a new connection is as
follows:
The primary main IP rule set is always searched first for matches of source/destination
interface/network and the service.
User-defined rule sets are used in a rule look-up only when the triggering rule or policy in
main is a Goto rule. A Goto rule must have another administrator-defined IP rule set
associated with it, and if the traffic matches that Goto rule then the rule look-up jumps to the
beginning of that rule set.
If the search in the new rule set finds no match then the connection is dropped.
If a match is found in the new rule set then the matching rule or policy is executed. This
might be another Goto rule in which case the rule scanning jumps to the beginning of
another named rule set.
If a Return rule is encountered then the scanning jumps back and resumes immediately after
the last Goto rule in the previous rule set. If no Goto rule is encountered and no other entry is
triggered then scanning stops and the connection is dropped.
Loop Avoidance
It is possible that a sequence of Goto rules could result in an infinite loop as scanning jumps
between rule sets. NetDefendOS detects such logic when a new configuration is saved. A new
configuration is rejected if logic is detected that could potentially cause a loop.
The loop avoidance mechanism has to be efficient to enable fast configuration deployment and
for this reason it uses an algorithm that might sometimes find a fault in correct but complex
logic. In this case it may be necessary to simplify the rule logic so the new configuration can be
saved.
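The search procedure described under "Multiple Rule Set Search Processing" and the save-time check described under "Loop Avoidance" are easier to reason about when written out. The following Python model is an added example and is not NetDefendOS code; it does not reproduce the real implementation. It assumes a simplified filter (each of source/destination interface/network and service is a plain string that is either "any" or must match exactly), and it assumes that nested Goto/Return pairs resume in the rule set that issued the most recent Goto (a stack), which the page leaves implicit. The loop check deliberately ignores rule filters and treats every Goto as reachable, which is what makes it fast and also why it can reject a configuration whose filters would in fact prevent the loop at run time, exactly the caveat the text gives.

```python
"""Model of multi rule set lookup with Goto/Return and a conservative loop check.

Constructed example; assumptions not stated on the page: filter fields are exact
strings or "any", and Return pops a stack of pending Goto positions.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAIN = "main"


@dataclass(frozen=True)
class Packet:
    src_if: str
    dst_if: str
    src_net: str
    dst_net: str
    service: str


@dataclass
class Rule:
    action: str                   # "Allow", "Drop", "Goto" or "Return"
    src_if: str = "any"
    dst_if: str = "any"
    src_net: str = "any"
    dst_net: str = "any"
    service: str = "any"
    target: Optional[str] = None  # rule set to jump to (Goto only)

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src_if, p.src_if), (self.dst_if, p.dst_if),
                 (self.src_net, p.src_net), (self.dst_net, p.dst_net),
                 (self.service, p.service))
        return all(f == "any" or f == v for f, v in pairs)


def validate(rule_sets: dict[str, list[Rule]]) -> list[str]:
    """Checks applied when a configuration is saved. Returns a list of problems."""
    problems: list[str] = []
    edges: dict[str, set[str]] = {name: set() for name in rule_sets}
    for name, rules in rule_sets.items():
        for i, r in enumerate(rules):
            if r.action == "Goto":
                if r.target == MAIN:
                    problems.append(f"{name}[{i}]: Goto may not target main")
                elif r.target not in rule_sets:
                    problems.append(f"{name}[{i}]: Goto to unknown rule set {r.target!r}")
                else:
                    edges[name].add(r.target)
            elif r.action == "Return" and name == MAIN:
                problems.append(f"{name}[{i}]: main may not contain a Return rule")

    # Conservative loop check: every Goto edge is assumed reachable regardless of its
    # filters, so a cycle is reported even when the filters make it impossible at run time.
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in rule_sets}

    def dfs(node: str, path: list[str]) -> None:
        colour[node] = GREY
        for nxt in sorted(edges[node]):
            if colour[nxt] == GREY:   # back edge: a rule set still being scanned is re-entered
                problems.append("possible Goto loop: " + " -> ".join(path + [node, nxt]))
            elif colour[nxt] == WHITE:
                dfs(nxt, path + [node])
        colour[node] = BLACK

    for name in rule_sets:
        if colour[name] == WHITE:
            dfs(name, [])
    return problems


def lookup(rule_sets: dict[str, list[Rule]], packet: Packet, max_steps: int = 1000) -> str:
    """Scan starting at main and return the final action ("Allow" or "Drop")."""
    stack: list[tuple[str, int]] = []   # (rule set, index) to resume at on Return
    name, start = MAIN, 0
    for _ in range(max_steps):          # run-time guard; validate() should make it unreachable
        rules = rule_sets[name]
        hit = next((i for i in range(start, len(rules)) if rules[i].matches(packet)), None)
        if hit is None:
            return "Drop"               # no match in the current rule set: connection dropped
        rule = rules[hit]
        if rule.action == "Goto":
            stack.append((name, hit + 1))   # resume just after this Goto on Return
            name, start = rule.target, 0
        elif rule.action == "Return":
            if not stack:
                return "Drop"
            name, start = stack.pop()
        else:
            return rule.action
    return "Drop"


# Constructed sample configuration: http traffic is handed to rule set "web".
RULE_SETS = {
    MAIN: [
        Rule("Goto", service="http", target="web"),
        Rule("Allow", src_net="10.0.0.5"),   # reached again after a Return from "web"
        Rule("Allow", service="dns"),
        Rule("Drop"),
    ],
    "web": [
        Rule("Return", src_net="10.0.0.5"),
        Rule("Allow", dst_net="203.0.113.10"),
    ],
}


def pkt(src_net: str, dst_net: str, service: str) -> Packet:
    return Packet("lan", "wan", src_net, dst_net, service)
```

Run `validate()` on a candidate configuration before treating it as deployable, then `lookup()` with a few representative packets: a Goto into a rule set that matches nothing ends in a drop, a Return lands on the entry after the Goto that was taken, and a Goto chain such as main -> a -> b -> a is rejected at validation time even when the filters on those Goto rules could never all match the same connection.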
Chapter 3: Fundamentals
236