< Home

rule (ACL view)

Function

The rule command adds a rule in a specified ACL view.

The undo rule command deletes a rule.

Format

# Create or delete a rule in a basic ACL.

rule [ rule-id ] { deny | permit} [ logging | source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | time-range time-name ] * [ description description ]

undo rule rule-id [ logging | source | time-range ] *

# Create a rule in an advanced ACL.

  • For TCP:

    rule [ rule-id ] { permit | deny } { 6 | tcp } [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | source-port operator port [ port2 ] | destination-port operator port [ port2 ] | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack | fin | psh | rst | syn | urg } * } ] * [ description description ]

  • For UDP or SCTP:

    rule [ rule-id ] { permit | deny } { { 17 | udp } | { 132 | sctp } } [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | source-port operator port [ port2 ] | destination-port operator port [ port2 ] | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value ] * [ description description ]

  • For ICMP:

    rule [ rule-id ] { permit | deny } { 1 | icmp } [ icmp-type { icmp-type-name | icmp-type-number icmp-code } | source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value ] * [ description description ]

  • For other protocols:

    rule [ rule-id ] { permit | deny } { INTEGER<2-5> | INTEGER<7-16> | INTEGER<18-131> | INTEGER<133-255> | 0 | gre | igmp | ip | ipinip | ospf } [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value ] * [ description description ]

  • For referencing service sets:

    rule [ rule-id ] { permit | deny } service-set service-set-name [ source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any } | destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any } | precedence precedence | tos tos | time-range time-name | logging | dscp dscp-value ] * [ description description ]

# Delete a rule in an advanced ACL.

undo rule rule-id [ destination | destination-port | dscp | icmp-type | logging | precedence | source | source-port | time-range | tos | tcp-flag ] *

Parameters

Parameter Description Value

rule-id

Specifies the number of an ACL rule.

The value ranges from 0 to 4294967294.

deny

Discards the packets that match the rule.

-

permit

Allows the packets that match the rule to pass.

-

logging

Indicates whether to log the matched packets. It is optional. Logs record the sequence number of ACL rules, packets passed or discarded, upper layer protocol type over IP, source/destination addresses, source/destination port numbers, and number of packets.

-

source { source-ip-address { 0 | source-wildcard } | address-set address-set-name | any }

Indicates the source address of an ACL rule. It is optional. If no source address is specified, it indicates that any source address matches.

Three methods are available for specifying the source address in an ACL rule:

  • source-ip-address { 0 | source-wildcard }

    Specify the source address/address segment and wildcard as the IP address matching conditions. If 0 is specified as the wildcard, the source IP address is a host address.

  • address-set address-set-name

    Specifies the address object or address group as the IP address matching condition. address-set-name specifies the name of an address object or address group.

  • any

    Represents the source address 0.0.0.0 with the wildcard 255.255.255.255.
  • source-ip-address specifies the source IP address of a data packet in dotted decimal format.

  • source-wildcard specifies the source address wildcard in dotted decimal format.

    The value is in dotted decimal notation.

    For example, 192.168.1.0 0.0.0.255. 0.0.0.255 indicates the wildcard. The wildcard expressed in the binary format can be contiguous 1s, such as 0.255.0.255.

    When the wildcard is expressed in binary format, only digits 0s in the matching value (source IP address) are matched, but not digits 1s. For example, 0.0.0.255 can be expressed in binary format, 00000000 00000000 00000000 11111111. Therefore, packets whose source IP address is 192.168.1.* can be matched.

  • address-set-name must be the name of an existing address object or address group.

time-range time-name

Specifies the name of a time range.

The name is a string of case-sensitive characters. If the name does not contain any space, the length ranges from 1 to 32 characters. If the name contains spaces, the length ranges from 3 to 34 characters, and you must use double quotation marks ("") to enclose it (for example, "time for test").

The name cannot contain question marks (?), or commas (,). If the name does not contain any space, it also cannot have any double quotation marks ("). In addition, the name cannot be any or all.

description description

Specifies the description of the rule.

It is a string of 1 to 127 characters, spaces supported.

{ protocol-num |protocol }

Specifies the protocol by protocol name or protocol number.

It can be an integer ranging from 0 to 255 or a string, such as gre, icmp, igmp, ip, ipinip, ospf, tcp, udp and sctp.

destination { destination-ip-address { 0 | destination-wildcard } | address-set address-set-name | any }

Indicates the destination address of the rule. It is optional. If it is not configured, it indicates that any destination address matches.

Three methods are available for specifying the destination address in an ACL rule:

  • destination-ip-address { 0 | source-wildcard }

    Specify the destination address/address segment and wildcard as the IP address matching conditions. If 0 is specified as the wildcard, the destination IP address is a host address.

  • address-set address-set-name

    Specifies the address object or address group as the IP address matching condition. address-set-name specifies the name of an address object or address group.

  • any

    The parameter any indicates the destination address 0.0.0.0 with the wildcard 255.255.255.255.
  • The value of destination-ip-address is in dotted decimal notation.

  • The value of destination-wildcard is in dotted decimal notation.

    For example, 192.168.2.0 0.0.0.255. 0.0.0.255 indicates the wildcard. The wildcard expressed in the binary format can be contiguous 1s, such as 0.255.0.255.

    When the wildcard is expressed in binary format, only digits 0s, not digits 1s, in the matching value (source IP address) are matched. For example, 0.0.0.255 can be expressed 00000000 00000000 00000000 11111111 in the binary format. Therefore, packets whose source IP address is 192.168.2.* can be matched.

  • address-set-name must be the name of an existing address object or address group.

source-port operator port [ port2 ]

Indicates the source port of UDP or TCP packets. It is optional and valid in UDP or TCP. If no source port is specified, any source port of TCP/UDP packets is matched.
  • operator supported comparison operations include eq (equal to), gt (greater than), lt (lower than), and range (between). If the operator is range, two port numbers are used.
  • port can be expressed as a port name or port number. The number ranges from 0 to 65535.

destination-port operator port [ port2 ]

Indicates the destination port of UDP or TCP packets. It is optional and valid only when UDP or TCP is used. If no destination port is specified, any destination port of TCP/UDP packets matches the rule.
  • operator supported comparison operations include eq (equal to), gt (greater than), lt (lower than), and range (between). If the operator is range, two port numbers are used.
  • port can be expressed as a port name or port number. The number ranges from 0 to 65535.

icmp-type icmp-type-name

Specifies the ICMP packet type name. This parameter applies only to ICMP. If no parameters are set, all ICMP messages will be matched.

For icmp-type-name values, see Table 1.

icmp-type icmp-type-number icmp-code

Specifies the ICMP packet type number and ICMP message code. This parameter applies only to ICMP. If no parameters are set, all ICMP messages will be matched.

For icmp-type-number and icmp-code values, see Table 1.

precedence precedence

Filters packets according to precedence field. It is optional.

The value ranges from 0 to 7. The values 0 to 7 respectively indicate routine, priority, immediate, flash, flash-override, critical, internet, and network.

tos tos

Specifies the ToS field in a data packet.

It is a number or name. When a number is used, the value ranges from 0 to 15. 0, 1, 2, 4, 8, can be a name, namely, normal, min-monetary-cost, max-reliability, max-throughput, and min-delay respectively.

dscp dscp-value

Indicates the value of Differentiated Services CodePoint.

The value can be an integer or a string. That is, the value can be an integer ranging from 0 to 63, or a character string, which can be AF11, AF12, AF13, AF21, AF22, AF23, AF31, AF32, AF33, AF41, AF42, AF43, CS1, CS2, CS3, CS4, CS5, CS6, CS7, EF, or default.

tcp-flag

Indicates the TCP flag bit.

-

tcp-flag

Specifies the TCP flag bit.

he value is an integer ranging from 0 to 63.

mask mask-value

Specifies the mask of the TCP flag bit.

he value is an integer ranging from 0 to 63.

established

Indicates TCP packets that match the ESTABLISHED status.

TCP packets in ESTABLISHED state refer to the TCP packets whose flag bit ACK or RST is 1.

-

{ ack | fin | psh | rst | syn | urg }

Indicates the ACK, FIN, PSH, RST, SYN, and URG flag bits of TCP.

-

service-set service-set-name

Specifies the name of a user-defined service set.

The value must be the name of an existing service object or service group.
Table 1 Relationship between icmp-type-name, icmp-type-number and icmp-code

icmp-type-name

icmp-type-number

icmp-code

Echo

8

0

Echo-reply

0

0

Parameter-problem

12

0

Port-unreachable

3

3

Protocol-unreachable

3

2

Reassembly-timeout

11

1

Source-quench

4

0

Source-route-failed

3

5

Timestamp-reply

14

0

Timestamp-request

13

0

Ttl-exceeded

11

0

Fragmentneed-DFset

3

4

Host-redirect

5

1

Host-tos-redirect

5

3

Host-unreachable

3

1

Information-reply

16

0

Information-request

15

0

Net-redirect

5

0

Net-tos-redirect

5

2

Net-unreachable

3

0

Views

ACL view

Default Level

2: Configuration level

Usage Guidelines

When creating an ACL rule, you can determine whether to specify rule-id for the rule.

  • No rule-id is specified:

    The system automatically assigns an ID to the rule based on the configured step. The ID is larger than the largest existing ID and is an integer multiple of the step. For example, if the largest ID of the existing rule is 21 and the step is 5, the automatically assigned rule ID will be 25.

  • A rule-id is specified:

    • If the specified rule-id already exists, the new configuration replaces the existing one. The new rule is the non-conflicting union of the new and existing configurations. That is, the existing rule is edited, and the non-edited part of the rule is not affected.

      For example, in the same basic ACL view, ACL rule 24 has been configured using the rule 24 permit logging command. If you run the rule 24 deny source 192.168.1.0 0.0.0.255 command, you will edit ACL rule 24. After editing, the configuration is rule 24 deny source 192.168.1.0 0.0.0.255 logging. That is, the conflicting part is replaced by the new configuration, and the non-conflicting part remains.

    • The ACL rule specified by rule-id already exists, and the new configuration does not conflict with the existing one: The new rule is the union of the new and existing configurations.

      For example, in the same basic ACL view, ACL rule 24 has been configured using the rule 24 permit logging command. If you run the rule 24 permit source 192.168.1.0 0.0.0.255 command, the new configuration does not conflict with the existing one. So the final configuration is rule 24 permit source 192.168.1.0 0.0.0.255 logging.

    • The ACL rule specified by rule-id does not exist, the rule is created and inserted to the corresponding location based on the ID.

The rule ID must be specified when you delete a rule. If you do not know the ID, use the display acl command to query the ID.

When referring to ACLs in some features, parameters tos and precedence are not supported in the rule command of these ACLs to ensure that the rule can be matched. The features are as follows:

  • Port mirroring
  • Remote packet capture
  • NTP
  • User Interface

Note the following content when configuring advanced ACL rules:

  • dscp cannot be configured with tos or precedence, or the device will show a conflict.

  • If tcp-flag is followed by tcp-flag mask mask-value, the system performs bit-by-bit AND calculation on a received packet and compares the result with tcp-flag. If they are the same, the packet matches the rule. The following part is an example of the calculation method.

    There are two advanced ACL rules rule 33 permit tcp tcp-flag 1 mask 10 and rule 34 deny tcp tcp-flag 8 mask 10. The flag bits of a received TCP packet are 001001. The system performs bit-by-bit AND calculation on the ACL rule mask (001010) and the flag bits of the received TCP packet (001001). The result is 001000 (8 in decimal notation). Then the system compares the result with tcp-flag values. The result does not match rule 33 but matches rule 34. Therefore, the system blocks the TCP packet whose flag bits are 001001.

Example

# Create ACL 3101 and add a rule to prohibit receiving or sending RIP packets.

<sysname> system-view
[sysname] acl number 3101
[sysname-acl-adv-3101] rule deny udp destination-port eq rip

# Add a rule to permit hosts at 172.16.0.0 to send WWW packets to hosts at 172.16.160.0.

[sysname-acl-adv-3101] rule permit tcp source 172.16.0.0 0.0.255.255 destination 172.16.160.0 0.0.0.255 destination-port eq www

# Add a rule to deny the hosts at 172.16.0.0 to establish a connection to the WWW port (80) of the hosts at 172.16.160.0 and log violation events.

[sysname-acl-adv-3101] rule deny tcp source 172.16.0.0 0.0.255.255 destination 172.16.160.0 0.0.0.255 destination-port eq www logging

# Add a rule to prohibit all hosts from establishing Telnet (23) connections to the host at 172.16.160.1.

[sysname-acl-adv-3101] rule deny tcp destination 172.16.160.1 0 destination-port eq telnet

# Add a rule to prohibit creating UDP connections using port numbers greater than 128 from the host in network segment 172.16.8.0 to the host in network segment 172.16.160.0.

[sysname-acl-adv-3101] rule deny udp source 172.16.8.0 0.0.0.255 destination 172.16.160.0 0.0.0.255 destination-port gt 128

# Add a rule to prohibit the sending and receiving of packets with the TCP ack flag bit.

[sysname-acl-adv-3101] rule deny tcp tcp-flag ack
Parent Topic: ACL Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >