< Home

rule (advanced ACL view)

Function

The rule command adds or modifies an advanced ACL rule.

The undo rule command deletes an advanced ACL rule.

By default, no advanced ACL rule is configured.

Format

  • When the parameter protocol is specified as the Internet Control Message Protocol (ICMP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { protocol-number | icmp } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | icmp-type { icmp-name | icmp-type [ icmp-code ] } | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

  • When the parameter protocol is specified as the Transmission Control Protocol (TCP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { protocol-number | tcp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | tcp-flag { ack | established | fin | psh | rst | syn | urg } * | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

  • When the parameter protocol is specified as the User Datagram Protocol (UDP), the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { protocol-number | udp } [ destination { destination-address destination-wildcard | any } | destination-port { eq port | gt port | lt port | range port-start port-end } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | source-port { eq port | gt port | lt port | range port-start port-end } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

  • When the parameter protocol is specified as another protocol rather than GRE, IGMP, IP, IPINIP, or OSPF, the command format is as follows:

    rule [ rule-id ] { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

    undo rule { deny | permit } { protocol-number | gre | igmp | ip | ipinip | ospf } [ destination { destination-address destination-wildcard | any } | { { precedence precedence | tos tos } * | dscp dscp } | { fragment | first-fragment } | logging | source { source-address source-wildcard | any } | time-range time-name | ttl-expired | { vpn-instance vpn-instance-name | public } ] *

  • To delete an advanced ACL rule, run:

    undo rule rule-id [ destination | destination-port | { { precedence | tos } * | dscp } | { fragment | first-fragment } | logging | icmp-type | source | source-port | tcp-flag | time-range | ttl-expired | vpn-instance | public } ] *

  • Only the S5720-EI, S6720S-EI, and S6720-EI support ttl-expired.

  • The vpn-instance and public parameter is supported only when a software-based ACL is applied to the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

  • If the ACL rules configured on the S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S6730-H, S6730S-H, S6730-S, S6730S-S, and S6720-HI are hardware-based ACLs, tcp-flag is not supported.
  • Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S support first-fragment. For the S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, and S5735-S-I, an ACL containing the first-fragment can only be used in the inbound direction.

Parameters

Parameter

Description

Value

rule-id
Specifies the ID of an ACL rule.
  • If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID.
  • If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command.
NOTE:

ACL rule IDs assigned automatically start from the step value. The default step is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.

The value is an integer that ranges from 0 to 4294967294.

deny

Denies the packets that match the rule.

-

permit

Permits the packets that match the rule.

-

icmp

Indicates that the protocol type is ICMP. The value 1 indicates that ICMP is specified.

-

tcp

Indicates that the protocol type is TCP. The value 6 indicates that TCP is specified.

-

udp

Indicates that the protocol type is UDP. The value 17 indicates that UDP is specified.

-

gre

Indicates that the protocol type is GRE. The value 47 indicates the GRE protocol.

-

igmp

Indicates that the protocol type is IGMP. The value 2 indicates the IGMP protocol.

-

ip

Indicates that the protocol type is IP.

-

ipinip

Indicates that the protocol type is IPINIP. The value 4 indicates the IPINIP protocol.

-

ospf

Indicates that the protocol type is OSPF. The value 89 indicates the OSPF protocol.

-

protocol-number
Indicates the protocol type expressed by name or number.
NOTE:

Parameters in an ACL vary with the protocol type. The combination of source-port { eq port | gt port | lt port | range port-start port-end } and destination-port { eq port | gt port | lt port | range port-start port-end } is applicable to TCP and UDP only.

The value expressed by number is an integer that ranges from 1 to 255.

destination { destination-address destination-wildcard | any }
Indicates the destination IP address of packets that match ACL rules. If this parameter is not specified, packets with any destination IP address are matched.
  • destination-address: specifies the destination IP address of data packets.
  • destination-wildcard: specifies the wildcard mask of the destination IP address.
  • any: indicates any destination IP address of packets. That is, the value of destination-address is 0.0.0.0 or the value of destination-wildcard is 255.255.255.255.

destination-address: The value is in dotted decimal notation.

destination-wildcard: The value is in dotted decimal notation. The wildcard mask of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is the host address.

NOTE:

The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the IP address needs to be matched and the value 1 indicates that the IP address does not need to be matched. The values 1 and 0 can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the website 192.168.1.x0x0xx01. The value x can be 0 or 1.

icmp-type { icmp-name | icmp-type [ icmp-code ] }
Indicates the type and code of ICMP packets, which are valid only when the protocol of packets is ICMP. If this parameter is not specified, all types of ICMP packets are matched.
  • icmp-name: specifies the name of ICMP packets.
  • icmp-type: specifies the type of ICMP packets.
  • icmp-code: specifies the code of ICMP packets.

icmp-type is an integer that ranges from 0 to 255.

icmp-code is an integer that ranges from 0 to 255.

The value of icmp6-name and the corresponding

The value of ICMP name and the corresponding

ICMP type and ICMP code are as Table 2.

source { source-address source-wildcard | any }
Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched.
  • source-address: specifies the source IP address of packets.
  • source-wildcard: specifies the wildcard mask of the source IP address.
  • any: indicates any source IP address of packets. That is, the value of source-address is 0.0.0.0 or the value of source-wildcard is 255.255.255.255.

source-address: The value is in dotted decimal notation.

source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address.

NOTE:

The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the IP address needs to be matched and the value 1 indicates that the IP address does not need to be matched. The values 1 and 0 can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the website 192.168.1.x0x0xx01. The value x can be 0 or 1.

tcp-flag

Indicates the SYN Flag in the TCP packet header.

-

ack

Indicates that the SYN Flag type in the TCP packet header is ack (010000).

-

established

Indicates that the SYN Flag type in the TCP packet header is ack(010000) or rst(000100).

-

fin

Indicates that the SYN Flag type in the TCP packet header is fin (000001).

-

psh

Indicates that the SYN Flag type in the TCP packet header is psh (001000).

-

rst

Indicates that the SYN Flag type in the TCP packet header is rst (000100).

-

syn

Indicates that the SYN Flag type in the TCP packet header is syn (000010).

-

urg

Indicates that the SYN Flag type in the TCP packet header is urg (100000).

-

time-range time-name

Specifies the name of a time range during which ACL rules take effect.

If this parameter is not specified, ACL rules take effect at any time.

NOTE:

When you specify the time-range parameter to reference a time range to the ACL, if the specified time-name does not exit, the ACL cannot be bound to the specified time range.

The value is a string of 1 to 32 characters.

destination-port { eq port | gt port | lt port | range port-start port-end }
Specifies the destination port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any destination port are matched. The operators are as follows:
  • eq port: equivalent to the destination port number.
  • gt port: greater than the destination port number.
  • 1t port: smaller than the destination port number.
  • range port-start port-end: destination port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 3 and Table 4 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.

source-port { eq port | gt port | lt port | range port-start port-end }
Specifies the source port of UDP or TCP packets. The value is valid only when the protocol of packets is TCP or UDP. If this parameter is not specified, TCP or UDP packets with any source port are matched. The operators are as follows:
  • eq port: equivalent to the source port number.
  • gt port: greater than the source port number.
  • 1t port: smaller than the source port number.
  • range port-start port-end: source port number range. port-start specifies the start port number. port-end specifies the end port number.

The value of port can be a name or a number.

  • When the value is expressed as a number, it ranges from 0 to 65535 in eq port
  • When the value is expressed as a number, it ranges from 0 to 65534 in gt port
  • When the value is expressed as a number, it ranges from 1 to 65535 in lt port

The value of port-start and port-end can be a name or a number. When the value is expressed as a number, it ranges from 0 to 65535.

Table 3 and Table 4 list the mapping between the well-known source or destination port numbers of UDP or TCP and values of port.

dscp dscp

Specifies the value of a Differentiated Services Code Point (DSCP).

NOTE:

The dscp dscp and precedence precedence parameters cannot be set for the same rule.

The dscp dscp and tos tos parameters cannot be set for the same rule.
The value is an integer or a name.
  • The value ranges from 0 to 63 when it is an integer.
  • When it is a name, the value can be af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, default, or ef.

tos tos

Indicates that packets are filtered according to the Type of Service (ToS).
The value is an integer or a name.
  • The value can be 0, 1, 2, 4, or 8 when it is an integer.
  • When the value is a name, the value can be normal, min-monetary-cost, max-reliability, max-throughput, or min-delay. Table 1 describes the mapping between ToS names and values.

precedence precedence

Indicates that packets are filtered based on the precedence field. precedence specifies the precedence value.

The value ranges from 0 to 7. The values 0 to 7 correspond to routine, priority, immediate, flash, flash-override, critical, internet, and network.

fragment

Indicates that the rule is valid only for non-initial fragments. If this parameter is specified, the rule is valid for only non-initial fragments.

-

first-fragment

Indicates that the rule is valid for only initial fragments. If this parameter is specified, the rule is valid for only initial fragments.

-

logging

Logs IP information of packets that match the rule.

NOTE:
The logging parameter takes effect for incoming packets in either of the following scenarios:
  • An ACL-based simplified traffic policy is configured and the traffic-filter and traffic-secure commands reference ACLs.
  • MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs.

In addition, for the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, deny must be specified for the logging parameter to take effect.

-

ttl-expired

Matches packets with the TTL value 1. If this keyword is not specified, the ACL rule matches packets with any TTL value.

-

vpn-instance vpn-instance-name | public
  • vpn-instance vpn-instance-name: Specifies the name of a VPN instance, indicating that the ACL rule matches private network packets.
  • public: Indicates that the ACL rule matches public network packets.
NOTE:

This two parameter cannot be configured together. If neither vpn-instance nor public is specified, both public and private network packets are matched.

-
Table 1 Mapping between ToS names and values

ToS Name

Value

ToS Name

Value

normal

0

max-reliability

2

min-monetary-cost

1

max-throughput

4

min-delay

8

-

-
Table 2 Values of ICMP name and the corresponding ICMP type and ICMP code

ICMP name

ICMP type

ICMP code

Echo

8

0

Echo-reply

0

0

Parameter-problem

12

0

Port-unreachable

3

3

Protocol-unreachable

3

2

Reassembly-timeout

11

1

Source-quench

4

0

Source-route-failed

3

5

Timestamp-reply

14

0

Timestamp-request

13

0

Ttl-exceeded

11

0

Fragmentneed-DFset

3

4

Host-redirect

5

1

Host-tos-redirect

5

3

Host-unreachable

3

1

Information-reply

16

0

Information-request

15

0

Net-redirect

5

0

Net-tos-redirect

5

2

Net-unreachable

3

0
Table 3 Mapping between well-known source or destination port numbers of UDP and values of port

Parameter

Value of port

Protocol

Description

7

echo

Echo

Port for the Echo service.

9

discard

Discard

Port for the null service, which is used for connectivity test.

37

time

Time

Port for the time protocol.

42

nameserver

Host Name Server

Port for the host name service.

53

dns

Domain Name Service (DNS)

DNS port.

65

tacacs-ds

TACACS-Database Service

Port for the TACACS database service.

67

bootps

Bootstrap Protocol (BOOTP) Server

Port for the BOOTP server, which is also used by DHCP servers.

68

bootpc

Bootstrap Protocol (BOOTP) Client

Port for the BOOTP client, which is also used by DHCP clients.

69

tftp

Trivial File Transfer Protocol (TFTP)

TFTP port.

90

dnsix

DNSIX Security Attribute Token Map

Port for DoD Network Security for Information Exchange (DNSIX) Security Attribute Token Map.

111

sunrpc

SUN Remote Procedure Call (SUN RPC)

Port for the RPC protocol of SUN. It is used to remotely execute commands and used by the NFS.

123

ntp

Network Time Protocol (NTP)

NTP port, which may be utilized by worm virus.

137

netbios-ns

NETBIOS Name Service

Port for the NetBIOS name service.

138

netbios-dgm

NETBIOS Datagram Service

Port for the NetBIOS datagram service.

139

netbios-ssn

NETBIOS Session Service

Port for the NetBIOS session service.

161

snmp

SNMP

Port for the Simple Network Management Protocol (SNMP).

162

snmptrap

SNMPTRAP

Port for SNMP trap.

177

xdmcp

X Display Manager Control Protocol (XDMCP)

XDMCP port.

434

mobilip-ag

MobileIP-Agent

Port for the mobile IP agent.

435

mobilip-mn

MobileIP-MN

Port for mobile IP management.

512

biff

Mail notify

Port used to notify user of received emails.

513

who

Who

Port for the login user list.

514

syslog

Syslog

Port for the UNIX system log service.

517

talk

Talk

Port used to remotely talk with servers and clients.

520

rip

Routing Information Protocol

RIP port.
Table 4 Mapping between well-known source or destination port numbers of TCP and values of port

Port Number

Value of port

Protocol

Description

7

echo

Echo

Port for the Echo service.

9

discard

Discard

Port for the null service, which is used for connectivity test.

13

daytime

Daytime

Port used to send the date and time to the requesting host.

19

CHARgen

Character generator

Port for the Character Generator Protocol.

20

ftp-data

FTP data connections

FTP data port.

21

ftp

File Transfer Protocol (FTP)

FTP port.

23

telnet

Telnet

Port for the Telnet service.

25

smtp

Simple Mail Transport Protocol (SMTP)

SMTP port.

37

time

Time

Port for the time protocol.

43

whois

Nicname (WHOIS)

Port for the directory service.

49

tacacs

TAC Access Control System (TACACS)

Port for the access control system based on TCP/IP authentication (TACACS login host protocol).

53

domain

Domain Name Service (DNS)

DNS port.

70

gopher

Gopher

Port for the information index protocol (document searching and indexing on the Internet).

79

finger

Finger

Port for the Finger service, which is used to query information, such as online users of remote hosts.

80

www

World Wide Web (HTTP)

NOTE:

If the HTTPS protocol is used, the port number is 443.

HTTP port for the WWW service, which is used to browse web pages.

101

hostname

NIC hostname server

Host name service port on the NIC machine.

109

pop2

Post Office Protocol v2

Port for the email protocol version 2.

110

pop3

Post Office Protocol v3

Port for the email protocol version 3.

111

sunrpc

Sun Remote Procedure Call (RPC)

Port for the RPC protocol of SUN. It is used to remotely execute commands and used by the network file system (NFS).

119

nntp

Network News Transport Protocol (NNTP)

NNTP port, which carries USENET.

179

bgp

Border Gateway Protocol (BGP)

BGP port.

194

irc

Internet Relay Chat (IRC)

Port for the IRC protocol.

512

exec

Exec (rsh)

Port used to authenticate remote processes.

513

login

Login (rlogin)

Port for remote login.

514

cmd

Remote commands

Port used to execute non-interactive commands on a remote system (rshell, rcp).

515

lpd

Printer service

Port for the Line Printer Daemon protocol.

517

talk

Talk

Port used to remotely talk with servers and clients.

540

uucp

Unix-to-Unix Copy Program

Port for the Unix-to-Unix copy protocol.

543

klogin

Kerberos login

Port for Kerberos remote login protocol version 5.

544

kshell

Kerberos shell

Port for Kerberos remote shell protocol version 5.

Views

Advanced ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An advanced ACL matches packets based on information such as source and destination IP addresses, source and destination port numbers, and protocol types.

The rule command defines the time range and flexibly configures the time ACL rules take effect.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

To configure both the precedence precedence and tos tos parameters, set the two parameters consecutively in the command.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. (If a simplified traffic policy references a specified rule in an ACL, this command does not take effect.) Before deleting a rule, ensure that the rule is not being referenced.

The parameter fragment cannot be set together with source-port, destination-port, icmp-type, and tcp-flag; otherwise, the following error message is displayed:
Error: The fragment cannot be configured together with the source-port, destination-port, icmp-type and tcp-flag.

Example

# Add a rule to ACL 3000 to filter ICMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 1 permit icmp

# Delete a rule from ACL 3000.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] undo rule 1

# Add a rule to ACL 3000 to filter IGMP packets.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 2 permit igmp

# Add a rule to ACL 3000 to filter packets with DSCP priorities.

<HUAWEI> system-view
[HUAWEI] acl 3000
[HUAWEI-acl-adv-3000] rule 3 permit ip dscp cs1

# Add a rule to ACL 3001 to filter all the IP packets sent from hosts at 10.9.0.0 to hosts at 10.38.160.0.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit ip source 10.9.0.0 0.0.255.255 destination 10.38.160.0 0.0.0.255

# Add a rule to ACL 3001 to filter the packets with source UDP port number 128 from 10.9.8.0 to 10.38.160.0.

<HUAWEI> system-view
[HUAWEI] acl 3001
[HUAWEI-acl-adv-3001] rule permit udp source 10.9.8.0 0.0.0.255 destination 10.38.160.0 0.0.0.255 destination-port eq 128
Parent Topic: ACL Configuration Commands
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >