Policy Language
(SandScript)
Module Objectives
Learning Objectives
On successful completion of this lesson, you will demonstrate an
understanding of policy language used on PTS systems. You will be
able to:
Describe the fundamentals of policy language
Describe the use of conditions and actions
Describe policy groups
Define:
• PTS-specific hardware properties
• Text-based IP map of the network
• Policy enforcement rules
• Remote configuration parameters
• Inline/offline mode
• Traffic shunting
• Physical topology
Rule structure: if <condition> then <action>

Valid conditions:
attribute
class
expr()
ip_addr
layer4protocol
protocol
provider
time
tcp_port
true
udp_port

Valid actions:
allow
block
captive_portal
continue
count
decrement
Diameter actions
divert
http_response
increment
mark
set
set_attribute
shape
tcp_reset
tee
Timer actions
Example:
By using the "true" condition in the last rule of a Policy Group, a default
action can be established:
PolicyGroup
{
    if protocol "skype" then <action 1>
    if protocol "http" then <action 2>
    if true then block
}
If none of the other rules evaluate to true, we will always block the flow.
Syntax:
PolicyGroup [condition(s)]
{
<policy rule(s) and/or nested policy group(s)>
}
If the entry conditions are met (true), the path of evaluation goes into
the policy group and the rules are executed.
If the entry conditions are not met (false), the entire contents of the
policy group are skipped.
Default behavior:
Only the first match is executed and all subsequent rules in the group are
skipped
Modified behavior:
The “all” option ignores the default action of halting on the first match.
“all” forces all rules to be read and processed in order
Example:
PolicyGroup time hours 0800-1700 all
{
    if protocol "skype" then <action 1>
    if subscriber "tier" = "gold" then <action 2>
}
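To make the entry-condition, first-match and "all" behaviour concrete, the following is an added example written for this page: a small Python model of PolicyGroup evaluation. It is not SandScript and not Sandvine code. Flows are plain dictionaries, conditions are predicates over them, and the way a nested group counts as a "match" for the enclosing group is an assumption.

```python
# Added example (illustrative Python, not SandScript and not Sandvine code):
# a minimal model of PolicyGroup evaluation. Flows are plain dicts and
# conditions are predicates over them; both representations are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

Flow = Dict[str, object]
Condition = Callable[[Flow], bool]


@dataclass
class Rule:
    condition: Condition
    action: str


@dataclass
class PolicyGroup:
    entry: List[Condition] = field(default_factory=list)  # entry conditions; all must hold
    all_rules: bool = False                              # the "all" option
    body: List[Union[Rule, "PolicyGroup"]] = field(default_factory=list)


def protocol(name: str) -> Condition:
    return lambda f: f.get("protocol") == name


def subscriber_attr(key: str, value: str) -> Condition:
    return lambda f: f.get("subscriber", {}).get(key) == value


def time_hours(start: int, end: int) -> Condition:
    # models "time hours 0800-1700": flow time as HHMM, same-day window (assumption)
    return lambda f: start <= f.get("hhmm", 0) < end


def always() -> Condition:
    # the "true" condition
    return lambda f: True


def evaluate(group: PolicyGroup, flow: Flow) -> List[str]:
    """Return the actions executed for this flow, in order.

    - entry conditions false: the whole group is skipped
    - default: stop at the first matching rule in the group
    - "all": keep reading and execute every matching rule in order
    A nested group counts as a match if it executed anything (assumption).
    """
    if not all(cond(flow) for cond in group.entry):
        return []
    executed: List[str] = []
    for item in group.body:
        if isinstance(item, PolicyGroup):
            hit = evaluate(item, flow)
        elif item.condition(flow):
            hit = [item.action]
        else:
            hit = []
        executed.extend(hit)
        if hit and not group.all_rules:
            break
    return executed


# The page's default-action group: the last rule is "if true then block"
DEFAULT_BLOCK = PolicyGroup(body=[
    Rule(protocol("skype"), "action 1"),
    Rule(protocol("http"), "action 2"),
    Rule(always(), "block"),
])

# The page's "PolicyGroup time hours 0800-1700 all { ... }"
BUSINESS_HOURS_ALL = PolicyGroup(
    entry=[time_hours(800, 1700)],
    all_rules=True,
    body=[
        Rule(protocol("skype"), "action 1"),
        Rule(subscriber_attr("tier", "gold"), "action 2"),
    ],
)

# The same rules without "all": only the first match runs
BUSINESS_HOURS_FIRST = PolicyGroup(entry=[time_hours(800, 1700)], body=BUSINESS_HOURS_ALL.body)

if __name__ == "__main__":
    gold_skype = {"protocol": "skype", "subscriber": {"tier": "gold"}, "hhmm": 1200}
    print(evaluate(DEFAULT_BLOCK, {"protocol": "ftp"}))              # ['block']
    print(evaluate(BUSINESS_HOURS_ALL, gold_skype))                  # ['action 1', 'action 2']
    print(evaluate(BUSINESS_HOURS_FIRST, gold_skype))                # ['action 1']
    print(evaluate(BUSINESS_HOURS_ALL, dict(gold_skype, hhmm=1900)))  # []
```

The last two calls show the practical difference: a gold-tier Skype flow during business hours gets both actions under "all" but only the Skype action under the default first-match rule, and outside the entry window the group contributes nothing at all.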
Learning Objectives
On successful completion of this lesson, you will demonstrate an
understanding of node qualifiers and how they relate to internal and
external PTS's in a network. You will know how to:
Describe the difference between
• client / server
• sender / receiver
• subscriber / internet
PTS Operation Course (Part 2) Section 1 Module 1 - Policy Language slide 24
Node Qualifiers – client & server
When using the client/server node qualifiers, if we write policy
that says "to client", is it upstream or downstream traffic?
Diagram: the TCP SYN arrives from the external side and the TCP SYN-ACK is
returned from the internal side, so the client is external and the server
is internal. In that case "to client" = upstream.
Node Qualifiers – sender & receiver
As with the client/server node qualifiers, the sender and the
receiver can be either internal or external.
With client/server it depends on who initiates the session.
With sender/receiver it depends on the direction of transfer.
Diagram: a bulk data flow in one direction with data ACKs returning in the
other; the sender may be on the internal side or on the external side.
Node Qualifiers – subscriber & internet
"subscriber": the side of the flow that transmits to and receives from a
SUBSCRIBER port on the PTS (an ODD numbered port).
"internet": the opposite side of the flow.
Port roles are set with SetPortRole, for example:
SetPortRole 1-2 internet
PolicyGroup
{
    if true then \
        shape to subscriber shaper "Downstream"
}
Diagram 1: the internal node sends Data and is the sender; the external node
returns "Data ACK + Data" and is the receiver.
Diagram 2: the internal node sends Data A; the external node returns
"ACK + Data B", and the sender and receiver labels swap sides.
If the volume of Data B sent with the ACK packet is greater than the
volume of Data A, then the sender and receiver nodes can flip around
mid-flow.
Should this occur, a policy written against the sender/receiver node
qualifiers will stop working. (Why? Because the qualifier now resolves to
the other endpoint, so an action such as shaping "to receiver" is applied
to the opposite direction of the flow from the one intended.)
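The following added example (illustrative Python, not SandScript and not Sandvine code) resolves all three qualifier pairs for one flow packet by packet, so the flip above and the "to client = upstream" question from the client/server slide can both be seen in one place. Assumptions: each constructed packet records the PTS port it entered on, an odd port is a SUBSCRIBER port as the page states, the client is fixed by the first bare SYN, and the sender is whichever endpoint has moved more payload so far.

```python
# Added example (illustrative Python, not SandScript or Sandvine code): how the
# three node-qualifier pairs resolve for one flow, packet by packet.
# Assumptions: a packet record carries the PTS port it entered on, and an odd
# port is a SUBSCRIBER port as the page states; endpoints are named "A"/"B".
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str            # endpoint that transmitted this packet
    dst: str
    in_port: int        # PTS port the packet arrived on
    syn: bool = False
    ack: bool = False
    payload: int = 0    # bytes of data carried


def resolve_roles(packets: List[Packet]) -> List[Dict[str, str]]:
    """Return, after each packet, a mapping qualifier -> endpoint."""
    client: Optional[str] = None      # fixed by who initiates (first bare SYN)
    sender: Optional[str] = None      # follows the direction of transfer
    sent: Dict[str, int] = {}
    history: List[Dict[str, str]] = []
    for p in packets:
        if client is None and p.syn and not p.ack:
            client = p.src
        sent[p.src] = sent.get(p.src, 0) + p.payload
        sent.setdefault(p.dst, 0)
        # the endpoint that has moved more data so far is the sender, so a large
        # reply riding on an ACK can flip sender/receiver mid-flow
        if p.payload and (sender is None or sent[p.src] > sent[sender]):
            sender = p.src
        # subscriber/internet come from port parity and never change mid-flow
        subscriber = p.src if p.in_port % 2 == 1 else p.dst
        roles = {"subscriber": subscriber,
                 "internet": p.dst if subscriber == p.src else p.src}
        if client is not None:
            roles["client"] = client
            roles["server"] = p.dst if client == p.src else p.src
        if sender is not None:
            roles["sender"] = sender
            roles["receiver"] = p.dst if sender == p.src else p.src
        history.append(roles)
    return history


def shape_targets(history: List[Dict[str, str]], qualifier: str) -> List[Optional[str]]:
    """Endpoint a 'shape to <qualifier>' rule would act on after each packet."""
    return [roles.get(qualifier) for roles in history]


def direction_to(roles: Dict[str, str], qualifier: str) -> str:
    """'to <qualifier>' is upstream when it points at the internet endpoint."""
    return "upstream" if roles[qualifier] == roles["internet"] else "downstream"


# Constructed flow matching the page's second diagram: A is on the subscriber
# side (odd port 1), B on the internet side (port 2). Data B is larger than Data A.
FLIP_FLOW = [
    Packet("A", "B", in_port=1, syn=True),                  # TCP SYN
    Packet("B", "A", in_port=2, syn=True, ack=True),        # TCP SYN-ACK
    Packet("A", "B", in_port=1, ack=True, payload=100),     # Data A
    Packet("B", "A", in_port=2, ack=True, payload=500),     # ACK + Data B
]

# Constructed flow matching the client/server diagram: the SYN comes from the
# external side, so the client is external and "to client" is upstream.
EXTERNAL_CLIENT_FLOW = [
    Packet("B", "A", in_port=2, syn=True),
    Packet("A", "B", in_port=1, syn=True, ack=True),
]

if __name__ == "__main__":
    h = resolve_roles(FLIP_FLOW)
    print(shape_targets(h, "receiver"))    # [None, None, 'B', 'A']  <- flips
    print(shape_targets(h, "subscriber"))  # ['A', 'A', 'A', 'A']    <- stable
    print(direction_to(resolve_roles(EXTERNAL_CLIENT_FLOW)[-1], "client"))  # upstream
```

The receiver target changes from B to A on the fourth packet, which is exactly when a "shape to receiver" rule would start shaping the wrong direction, while the subscriber target never moves; that is the reason behind the summary rule of preferring subscriber/internet.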
Node Qualifiers - Summary
When deciding which node qualifiers to use, follow these rules:
• Always use the subscriber/internet node qualifiers if possible.
• If you cannot use the subscriber/internet node qualifiers, choose
client/server for policy that applies to bidirectional protocols.
• If you cannot use the subscriber/internet node qualifiers and you
are writing policy for unidirectional protocols, you can use either
client/server or sender/receiver.
Which of the following would you rather write and maintain?
Learning Objectives
On successful completion of this lesson, you will demonstrate an
understanding of language conditions used in Policy.
• attribute
• class
• expr()
• ip_addr
• layer4protocol
• protocol
• provider
• tcp_port
• time
• true
• udp_port
attribute
Note that the internet node qualifier is not available with the attribute
keyword. (Why? Attributes are stored against subscribers, so only an
endpoint that corresponds to a subscriber can carry one.)
When using the client/server or sender/receiver node qualifiers with
the attribute condition, it is important to understand how they interact:
This condition implicitly states that the client endpoint of the flow must be
on the internal side and correspond to a subscriber.
Diagram: client on the internal side, server on the external side; labels
sub_1, 10, internal, 4.0.0.0/19.
What the condition says is: if the client endpoint of the flow is
internal and its IP address falls in the range 4.0.0.0/19 then the
condition will be true.
If the client endpoint of the flow is external, or if it is internal
but the IP address isn't in the range 4.0.0.0/19, the condition
will be false.
# man protocols
protocols(1)            FreeBSD General Commands Manual            protocols(1)
NAME
     protocols - Sandvine Traffic Matching Library
DESCRIPTION
     The protocols package provides a protocol definition library to the ptsd
     application. The ptsd loads this package on startup which allows rules
     to be written in the policy.conf about the supported protocols.
SUPPORTED PROTOCOLS
     The protocols supported in this package are:
     6to4
     abacast
     alibaba
     aol2
     aoluncut
     appleJuice
     ares
     ares_download
Protocol table (Category: Peer-to-Peer)
Protocol         Sub-protocol             Policy Keyword          Network Demographics
AppleJuice       …                        appleJuice              AppleJuice
Ares             …                        ares                    Ares
Ares             Ares Control             ares_control            Ares Control
Ares             Ares Download            ares_download           Ares
Ares             Ares UDP                 ares_udp                Ares UDP
BitTorrent       …                        bittorrent              BitTorrent
BitTorrent       BitTorrent Encrypted     bittorrent_encrypted    BitTorrent Encrypted
BitTorrent       BitTorrent UDP           bittorrent_udp          BitTorrent UDP
Blubster         …                        blubster                Blubster
Direct Connect   …                        directconnect           Direct Connect
Earthstation 5   …                        earthstation5           Earthstation 5
Earthstation 5   Earthstation 5 Control   earthstation5_control   Earthstation 5 Control

Sub-protocols of bittorrent: bittorrent_encrypted, bittorrent_udp
If we use the parent protocol with the protocol condition, all sub-
protocols will be affected too:
if protocol "bittorrent" then <action>
If we use a sub-protocol with the protocol condition, only that
specific sub-protocol will be affected:
if protocol "bittorrent_udp" then <action>
This would not affect bittorrent_encrypted flows.
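The parent/sub-protocol rule above can be checked with the following added example (illustrative Python, not the ptsd matching library). It models the protocol table as a keyword-to-parent mapping built from the page's own rows; the decision to reject an unknown rule keyword is an assumption of this model, included because a misspelled keyword such as the table typo "bittorent_encryted" would otherwise silently match nothing.

```python
# Added example (illustrative Python, not the ptsd matching library): how
# `if protocol "<keyword>"` resolves against a parent/sub-protocol hierarchy.
# The table is built from the page's rows; rejecting unknown keywords is an
# assumption of this model.
from typing import Dict, List, Optional

# policy keyword -> parent keyword (None for a parent protocol)
PROTOCOL_TABLE: Dict[str, Optional[str]] = {
    "bittorrent": None,
    "bittorrent_encrypted": "bittorrent",
    "bittorrent_udp": "bittorrent",
    "ares": None,
    "ares_control": "ares",
    "ares_download": "ares",
    "ares_udp": "ares",
    "earthstation5": None,
    "earthstation5_control": "earthstation5",
}


def protocol_matches(rule_keyword: str, flow_protocol: str,
                     table: Dict[str, Optional[str]] = PROTOCOL_TABLE) -> bool:
    """True if a rule written as `if protocol "<rule_keyword>"` affects a flow
    classified as flow_protocol. A parent keyword matches itself and every
    sub-protocol; a sub-protocol keyword matches only itself."""
    if rule_keyword not in table:
        raise KeyError(f"unknown protocol keyword in policy: {rule_keyword}")
    node: Optional[str] = flow_protocol
    while node is not None:          # walk from the flow's protocol up to its parent
        if node == rule_keyword:
            return True
        node = table.get(node)       # unknown flow protocol (e.g. unknownTCP) -> None
    return False


def affected_protocols(rule_keyword: str,
                       table: Dict[str, Optional[str]] = PROTOCOL_TABLE) -> List[str]:
    """Every keyword in the table that the rule would act on."""
    return sorted(k for k in table if protocol_matches(rule_keyword, k, table))


if __name__ == "__main__":
    print(affected_protocols("bittorrent"))      # ['bittorrent', 'bittorrent_encrypted', 'bittorrent_udp']
    print(affected_protocols("bittorrent_udp"))  # ['bittorrent_udp']
```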
provider
This list and the associated hit counters for each entry can be cleared
from the command line (the command itself is not reproduced on this page).
The default provider signatures are defined in:
/usr/local/sandvine/etc/rc.conf.default.providers
It is possible to track minutes and calls for VoIP providers not
identified in rc.conf.default.providers by manually adding signatures
to rc.conf*:
providersTable="myprovider1 $providersTable"
myprovider1__uri="^pulver.fwd.net$"
myprovider1__name="Free World Dialup"
Note that the unescaped dots in the __uri pattern match any single
character; write \. if a literal dot is intended.
tcp_port
Syntax (node qualifier):
sender|receiver|client|server|subscriber|internet
time
The time of day condition lets you limit an action to a specific time frame.
If a weekday and hours are both specified, the hours can extend
beyond the specified day. For example, a condition that names Friday
with the hours 1800-0200 starts at 6pm on Friday and extends to 2am
on Saturday.
Don't forget that you can use the boolean "not" operator for
conditions outside a certain time frame.
Example: "primetime" is between 5pm and 11pm every day and you
want to apply certain actions in the hours outside primetime: negate
the primetime time condition with "not".
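The midnight-crossing case and the "not primetime" case are the two places a time condition is easy to get wrong, so here is an added example (illustrative Python, not SandScript syntax) that evaluates both. The window representation, the inclusive-start/exclusive-end rule and the "YYYY-MM-DD HH:MM" input format are assumptions of the example.

```python
# Added example (illustrative Python, not SandScript syntax): evaluating a time
# condition made of a weekday plus an hours range, including a range that
# crosses midnight, and the boolean "not" of a daily window. The window
# representation and the inclusive-start/exclusive-end rule are assumptions.
from datetime import datetime, timedelta
from typing import Optional

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def in_window(when: str, start_hhmm: int, end_hhmm: int,
              weekday: Optional[str] = None) -> bool:
    """True if `when` ("YYYY-MM-DD HH:MM") lies in hours start-end.

    If end <= start the range wraps past midnight. With a weekday, the window
    begins on that day and may extend into the next one, so friday 1800-0200
    covers 6pm Friday to 2am Saturday.
    """
    t = datetime.strptime(when, "%Y-%m-%d %H:%M")
    start = timedelta(hours=start_hhmm // 100, minutes=start_hhmm % 100)
    end = timedelta(hours=end_hhmm // 100, minutes=end_hhmm % 100)
    if end <= start:
        end += timedelta(days=1)        # wrapped range ends on the following day
    # a window that started today or yesterday could still contain t
    for days_back in (0, 1):
        day = (t - timedelta(days=days_back)).date()
        if weekday is not None and WEEKDAYS[day.weekday()] != weekday.lower():
            continue
        midnight = datetime.combine(day, datetime.min.time())
        if midnight + start <= t < midnight + end:
            return True
    return False


def outside_primetime(when: str) -> bool:
    """The page's example: primetime is 5pm-11pm every day; act outside it."""
    return not in_window(when, 1700, 2300)


if __name__ == "__main__":
    # 2006-01-13 was a Friday
    print(in_window("2006-01-14 01:30", 1800, 200, "friday"))   # True (Saturday 01:30)
    print(in_window("2006-01-14 03:00", 1800, 200, "friday"))   # False
    print(outside_primetime("2006-01-13 20:00"))                # False
    print(outside_primetime("2006-01-13 08:00"))                # True
```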
true
A rule whose condition is "true" always matches. The example line on this
slide tells the policy engine to always execute the "count" and
"count demographic" actions.
udp_port
Syntax (node qualifier):
sender|receiver|client|server|subscriber|internet
Learning Objectives
On successful completion of this lesson, you will demonstrate an
understanding of policy language actions.
allow
block
captive_portal
count
divert
limit
mark
reevaluate
set_attribute
shape
tcp_reset
tee
allow
Permits the specified traffic. It will then pass straight through the box
and will show up in reports.
block
Stops specified traffic from flowing through the PTS.
Packets are dropped.
captive_portal
Captive Portal allows you to redirect a subscriber's HTTP session to a set URL.
Example:
PolicyGroup {
    if protocol "http_get" and server class "portal" then allow
    if protocol "http_get" and client "abuser"="true" then \
        captive_portal "http://myportal.domain.com/abuser.rvt"
}
The allow rule for the portal's own server class comes first so that, under
first-match evaluation, the abuser's requests to the portal itself are not
redirected again.
Diagram: DATA is sent to the divert host(s); full divert and half divert.
divert
Syntax:
if <condition> then \
    divert destination "name"
mark
Example:
PolicyGroup {
    if protocol "ps2_callofduty" then mark dscp 34
    if protocol "skype" then mark 248 6
    if true then mark dscp 6
}
set_attribute
Example:
if ip_addr 192.168.2.1 then \
    set_attribute subscriber "abuser" = "true" for 2 days
tcp_reset
Terminates TCP based connections by injecting a TCP reset into the flow.
Diagram: DATA passes through the PTS towards the ISP network; a copy of the
data is sent to the tee host.
tee
Sends a copy of selected packets to another host or file.
Syntax:
destination "<name>" \
    divert|tee|file|group|ipmap <args>
if <condition> then \
    tee to|from client|server destination "name"
Example:
if protocol "unknownTCP" \
    then tee from client destination "T1" \
    and tee from server destination "T1"
include
include "/usr/local/sandvine/ptsd/policy2.conf"
include "/usr/local/sandvine/etc/policy.conf.top_talker"
Diagram of the include relationships between policy.conf, policy2.conf,
policy.conf.test and policy.conf.toptalker, with the lines:
include "policy2.conf.test"
include "policy2.conf"
include "policy.conf.toptalker"
svreload
# svreload
Example:
# less policy.conf
# tail /var/log/svlog
With a syntax error in policy.conf, the svlog entry identifies the
offending character (the fragment on this slide ends with: character: s`).
Results in no errors:
# tail /var/log/svlog
Apr 6 14:54:30 TSE1 ptsd: svlog01;0000007640;0000008689:Sandvine libprotocols: `4.22.0014: 20060113_22:47:57`
Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007640;0000007607:Loaded policy file: `/usr/local/sandvine/etc/policy.conf`
Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007640;0000008690:Policy Configuration Loaded
Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007642;0000008052:Created tracker for `SIP Control`
Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007162;0000011662:Loading policy files complete
Apr 6 14:54:33 TSE1 ptsd: svlog01;0000006467;0000008687:PTSD System Startup Completed
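Checking svlog by eye after every svreload is error-prone, so the following added example (illustrative Python, not a Sandvine tool) parses the log lines and reports whether the reload succeeded. The sample lines are the ones shown above; the field layout svlog01;<pid>;<msgid>:<text> is inferred from them and is an assumption, as is the rule that a good reload must show both "Loaded policy file" and "Policy Configuration Loaded".

```python
# Added example (illustrative Python, not a Sandvine tool): checking the
# svlog output after svreload for a successful policy load. The sample lines
# are the ones on this page; the field layout svlog01;<pid>;<msgid>:<text>
# is inferred from them and is an assumption.
import re
from typing import Dict, List

SVLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+): "
    r"svlog01;(?P<pid>\d+);(?P<msgid>\d+):(?P<text>.*)$"
)

# Sample input copied from the successful-reload output on this page
SAMPLE_SVLOG = [
    "Apr 6 14:54:30 TSE1 ptsd: svlog01;0000007640;0000008689:Sandvine libprotocols: `4.22.0014: 20060113_22:47:57`",
    "Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007640;0000007607:Loaded policy file: `/usr/local/sandvine/etc/policy.conf`",
    "Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007640;0000008690:Policy Configuration Loaded",
    "Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007642;0000008052:Created tracker for `SIP Control`",
    "Apr 6 14:54:33 TSE1 ptsd: svlog01;0000007162;0000011662:Loading policy files complete",
    "Apr 6 14:54:33 TSE1 ptsd: svlog01;0000006467;0000008687:PTSD System Startup Completed",
]


def parse_svlog(lines: List[str]) -> List[Dict[str, str]]:
    """Split svlog lines into fields; lines in another format are skipped."""
    entries: List[Dict[str, str]] = []
    for line in lines:
        m = SVLOG_RE.match(line.rstrip("\n"))
        if m:
            entries.append(m.groupdict())
    return entries


def loaded_policy_files(lines: List[str]) -> List[str]:
    """Paths reported by 'Loaded policy file' entries, in log order."""
    paths: List[str] = []
    for entry in parse_svlog(lines):
        m = re.match(r"Loaded policy file: `(.+)`$", entry["text"])
        if m:
            paths.append(m.group(1))
    return paths


def policy_reload_ok(lines: List[str]) -> bool:
    """A reload is treated as good only when a policy file was loaded AND the
    configuration was accepted ('Policy Configuration Loaded'); the success
    case on the page shows both, so anything else is reported as a failure."""
    accepted = any(e["text"].startswith("Policy Configuration Loaded")
                   for e in parse_svlog(lines))
    return accepted and bool(loaded_policy_files(lines))


if __name__ == "__main__":
    # in practice: policy_reload_ok(open("/var/log/svlog").readlines()[-50:])
    print(loaded_policy_files(SAMPLE_SVLOG))   # ['/usr/local/sandvine/etc/policy.conf']
    print(policy_reload_ok(SAMPLE_SVLOG))      # True
```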
Learning Objectives
On successful completion of this exercise, you will demonstrate an
ability to write simple policy.
Write a policy that will track all interface-based and network
class stats for all protocol types:
Write a policy that will block all traffic with the exception of HTTP:
Write a policy that will block http, fasttrack, winmx and gnutella
downloads by subscribers:
Write a policy that will limit the number of upload connections to the
internet to 10 connections for the FastTrack protocol:
Write a policy that will mark SIP Data traffic as dscp 6 between
0800 and 1700 hours Monday through Friday: