Start of Content Area

This graphic is explained in the accompanying text Route Table Examples  Locate the document in its SAP Library structure

In this part, few examples are given, how the entries in the route permission file are mapped into the internal table.

Table Fields

Field

Meaning

Possible Values

t

type

P = permitted; D = denied; T = SNC target

s

SNC

X = secure network communication required

n

native

X = native protocols permitted

shs

previous SAProuter hops

number

dsh

post SAProuter hops

number

s-add

source address

 

s-msk

source address mask

 

d-add

destination address

 

d-msk

destination address mask

 

a

all destination ports

X = no port specified

d-p-l

destination port min (low)

16-bit integer

d-p-m

destination port max (high)

16-bit integer

pwd

password

string

snc-n

SNC name

string

ExampleExample mapping route table file into internal route table

The route table file

D    10.1.0.0  *               *

P0,* 10.1.*.*  *               *

S*,0 *         10.2.00001xxx.* *

P*,1 *         10.2.*.*        *

P    10.3.0.0  10.4.*.*        7

P    10.3.0.1  10.4.0.1        * test

P    10.3.0.2  localhost       *

P    10.3.0.3  localhost       * info

S    10.3.0.4

KT   "p:CN=s0" 10.5.0.0        *

KD   "p:CN=s1" 10.5.0.1        *

KP   "p:CN=s1" *               *

KS   *         10.5.0.*        *

D    *         *               *

is mapped into the following internal route table:

t

s

n

shs

dsh

s-add

s-msk

d-add

d-msk

a

d-p-l

 

d-p-h

pwd

snc-n

Entry

D

 

~

~~~

~~~

a.1.0.0

00.00.00.00

0.0.0.0

ff.ff.ff.ff

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

a

P

 

X

 0

255

a.1.0.0

00.00.ff.ff

0.0.0.0

ff.ff.ff.ff

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

b

P

 

 

255

 0

0.0.0.0

ff.ff.ff.ff

a.2.8.0

00.00.07.ff

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

c

P

 

X

255

 1

0.0.0.0

ff.ff.ff.ff

a.2.0.0

00.00.ff.ff

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

d

P

 

X

255

255

a.3.0.0

00.00.00.00

a.4.0.0

00.00.ff.ff

 

7

7

 * 

~~~~~~~

e

P

 

X

255

255

a.3.0.1

00.00.00.00

a.4.0.1

00.00.00.00

X

~~~~~~~

~~~~~~~

test

~~~~~~~

f

P

 

X

255

255

a.3.0.2

00.00.00.00

7f.0.0.1

00.00.00.00

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

g

P

 

X

255

255

a.3.0.3

00.00.00.00

7f.0.0.1

00.00.00.00

X

~~~~~~~

~~~~~~~

info

~~~~~~~

h

P

 

 

255

255

a.3.0.4

00.00.00.00

0.0.0.0

ff.ff.ff.ff

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

i

T

X

~

255

255

0.0.0.0

ff.ff.ff.ff

a.5.0.0

00.00.00.00

X

~~~~~~~

~~~~~~~

 * 

p:CN=s0

j

D

X

~

~~~

~~~

0.0.0.0

ff.ff.ff.ff

a.5.0.1

00.00.00.00

X

~~~~~~~

~~~~~~~

 * 

p:CN=s1

k

P

X

X

255

255

0.0.0.0

ff.ff.ff.ff

0.0.0.0

ff.ff.ff.ff

X

~~~~~~~

~~~~~~~

 * 

p:CN=s1

l

P

X

 

255

255

0.0.0.0

ff.ff.ff.ff

a.5.0.0

00.00.00.ff

X

~~~~~~~

~~~~~~~

 * 

   *

m

D

 

~

~~~

~~~

0.0.0.0

ff.ff.ff.ff

0.0.0.0

ff.ff.ff.ff

X

~~~~~~~

~~~~~~~

 * 

~~~~~~~

n

The entry '~' will specify a filed as not initialized respectively unused.

 

Permission example with permission table above

The current SAProuter is running on the host "this" on port 3299. A '*' indicates a parameter without effect.

For a match, one of the following conditions for the destination port must be complied:

...

       1.      Entry 'destination port' is valid and equal with destination port of route

       2.      Entry 'native' is not set and 'all destination ports' is set, i.e. no destination port specified

       3.      Entry 'type' is not 'permitted' and 'all destination ports' is set

       4.      Route has further destination nodes and 'all destination ports' is set

 

Client 

native

Route                                    

 Entry

 P/D

 Reason

10.1.0.0

  

/H/this/H/*/S/3299/W/test    

   a  

 D

All connections from host 10.1.0.0 are denied.

   *   

  

/H/10.1.0.0/H/this/H/*                   

   a  

 D

All connections from host 10.1.0.0 are denied.

10.1.0.1

 X

/H/this/H/10.2.9.0/S/*       

   n  

 D

Entry b doesn’t match because ‚native’ is set and the route has no further destinations.

10.1.0.1

 X

/H/this/H/10.2.9.0/H/*/S/*   

   b  

  P

b matches as the route has further destinations (4.)

 *   

 X

/H/10.1.0.1/H/this/H/10.2.9.0/S/*       

   n  

 D

No match with b (native with no further destinations), c (native) and d (native with no further destinations).

 *   

 X

/H/10.1.0.1/H/this/H/10.2.9.0/H/*/S/*   

   b  

 D

Matches b but has one previous hop, so denied.

10.9.0.0

  

/H/this/H/10.2.9.0/S/*       

   c  

 P

Matches c (2.)

10.9.0.0

 X

/H/this/H/10.2.9.0/S/*       

   n  

 D

Does not match c (native with no further destinations)

10.9.0.0

 X

/H/this/H/10.2.9.0/H/*/S/*   

   c  

 D

Matches c (4.), is denied because it is native (type S). 

10.9.0.0

  

/H/this/H/10.2.9.0/H/*/S/*   

   c  

 D

Matches c (2.), is denied because no following hop is allowed.

10.9.0.0

  

/H/this/H/10.2.7.0/H/*/S/*   

   d  

 P

Doesn’t match c because of IP address; matches d (2.)

10.3.0.0

 X

/H/this/H/10.4.0.0/S/7       

   e  

 P

Matches e (1.)

10.3.0.0

  

/H/this/H/10.4.0.0/S/7       

   e  

 P

Matches e (1.)

10.3.0.0

 X

/H/this/H/10.4.0.0/H/*/S/7   

   n  

 D

Doesn’t match e because the port 7 must be used on host 10.4.0.0 (see 1.)

10.3.0.1

  

/H/this/H/10.4.0.1/H/*       

   f  

 D

Matches e, is denied because password test is missing

 

 

End of Content Area