EZD0837I   Defensive filter packet denied messages limited: date time filter_rule= rulename filter_ext= instance filter_sipaddr= sipaddr / sip_prefix_length filter_dipaddr= dipaddr / dip_prefix_length filter_proto= proto tag1 tag2 filter_fragmentsonly= fragments_only filter_dir= dir filter_routing= routing suppressed_count= count

Explanation

This message is issued when limiting of filter match messages was requested for a defensive filter and at least one "packet denied" message (EZD1721I) for the defensive filter was suppressed during the preceding five minutes.

In the message text:
date
The date on which this message was issued. This date is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.
time
The time at which this message was issued. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.
rulename
The defensive filter rule name as specified on the -N option when the defensive filter was added with the z/OS® UNIX ipsec command.
instance
The rule name extension.
sipaddr / sip_prefix_length
The source IP address specification for the defensive filter rule. The value 0.0.0.0/0 indicates that the defensive filter rule applies to all source IPv4 addresses. The value ::/0 indicates that the defensive filter rule applies to all source IPv6 addresses.
dipaddr / dip_prefix_length
The destination IP address specification for the defensive filter rule. The value 0.0.0.0/0 indicates that the defensive filter rule applies to all destination IPv4 addresses. The value ::/0 indicates that the defensive filter rule applies to all destination IPv6 addresses.
proto
The protocol specification for the defensive filter rule. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ESP(50)
  • AH(51)
  • ICMPv6(58)
  • OSPF(89)
  • IPIP(94)
  • MIPv6(135)
  • The protocol number
  • ALL
tag1
The tag1 value varies depending on the proto value.

If the proto value is ICMP or ICMPv6, the tag1 value is type= followed by the ICMP or ICMPv6 type, or followed by the value all.

If the proto value is TCP or UDP, the tag1 value is sport= followed by the source port range. For example, sport= 1024 - 65535. For a defensive filter that applies to all source ports the tag1 value is sport= 1 - 65535.

If the proto value is any value not previously mentioned, the tag1 value is -= which indicates that the data is not applicable.

tag2
The tag2 value varies depending on the protocol.

If the proto value is ICMP or ICMPv6, the tag2 value is code= followed by the ICMP or ICMPv6 code, or followed by the value all.

If the proto value is TCP or UDP, the tag2 value is dport= followed by the destination port range. For example, dport= 21 - 21. For a defensive filter that applies to all destination ports, the tag2 value is dport= 1 - 65535.

If the proto value is any value not previously mentioned, the tag2 value is -= which indicates that the data is not applicable.

fragments_only
The fragment specification for the defensive filter rule. Possible values are:
  • yes - The defensive filter rule applies only to fragments.
  • no - The defensive filter rule does not apply only to fragments.
dir
The direction specified for the defensive filter rule. Possible values are inbound and outbound.
routing
The routing specified for the defensive filter rule. Possible values are local, routed, and either.
count
The number of "packet denied" messages (EZD1721I) for the defensive filter that were suppressed during the preceding five minutes.

System action

TCP/IP processing continues.

Operator response

No action is needed.

System programmer response

No action is needed.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: TRMD

Module

EZATRZOS

Routing code

*

Descriptor code

*

Automation

Not applicable for automation.

Example

EZD0837I Defensive filter packet denied messages limited: 11/28/2011 16:35:55.42 filter_rule= 
Block_10_UDP_301 filter_ext= 1 filter_sipaddr= 10.8.8.0 / 24 filter_dipaddr= 0.0.0.0 / 0
filter_proto= udp(17) sport= 301 - 301 dport= 1 - 65535 filter_fragmentsonly= no
filter_dir= inbound filter_routing= local suppressed_count= 125