rule (basic ACL view)

Function

The rule command adds or modifies a basic ACL rule.

The undo rule command deletes a basic ACL rule.

By default, no rule is configured for a basic ACL.

Format

rule [ rule-id ] { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | { vpn-instance vpn-instance-name | public } ] ^*

undo rule { deny | permit } [ source { source-address source-wildcard | any } | fragment | logging | time-range time-name | { vpn-instance vpn-instance-name | public } ] ^*

undo rule rule-id [ fragment | logging | source | time-range | { vpn-instance | public } ] ^*

The vpn-instance and public parameter is supported only when a software-based ACL is applied to the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, or S6730S-S. For usage scenarios of software-based ACLs, see "ACL Implementations" in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - Security ACL Configuration - ACL Fundamentals.

Parameters

Parameter	Description	Value
rule-id	Specifies the ID of an ACL rule. If the specified rule ID has been created, the new rule is added to the rule with this ID, that is, the old rule is modified. If the specified rule ID does not exist, the device creates a rule and determines the position of the rule according to the ID. If the rule ID is not specified, the device allocates an ID to the new rule. The rule IDs are sorted in ascending order. The device automatically allocates IDs according to the step. The step value is set by using the step command. NOTE: ACL rule IDs assigned automatically by the device starts from the step value. The default step value is 5. With this step, the device creates ACL rules with IDs being 5, 10, 15, and so on.	The value is an integer that ranges from 0 to 4294967294.
deny	Denies the packets that match the rule.	-
permit	Permits the packets that match a rule.	-
source { source-address source-wildcard \| any }	Indicates the source IP address of packets that match an ACL rule. If this parameter is not specified, packets with any source IP address are matched. source-address: specifies the source IP address of packets. source-wildcard: specifies the wildcard mask of the source IP address. any: indicates any source IP address of packets. That is, the value of source-address is 0.0.0.0 or the value of source-wildcard is 255.255.255.255.	source-address: The value is in dotted decimal notation. source-wildcard: The value is in dotted decimal notation. The wildcard mask of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is the host address. NOTE: The wildcard is in dotted decimal format. After the value is converted to a binary number, the value 0 indicates that the IP address needs to be matched and the value 1 indicates that the IP address does not need to be matched. The values 1 and 0 can be discontinuous. For example, the IP address 192.168.1.169 and the wildcard 0.0.0.172 represent the website 192.168.1.x0x0xx01. The value x can be 0 or 1.
fragment	Indicates that the rule is valid for only non-first fragmented packets. If fragment is contained, the rule is valid for non-first fragmented packets and invalid for non-fragmented packets and first fragmented packet. NOTE: Rules that do not contain fragment are valid for all the packets.	-
logging	Logs IP information of packets that match the rule. NOTE: The logging parameter takes effect for incoming packets in either of the following scenarios: An ACL-based simplified traffic policy is configured and the traffic-filter and traffic-secure commands reference ACLs. MQC is configured, the traffic behavior is set to permit or deny, and the traffic-policy command references ACLs. In addition, for the S2720-EI, S5720I-SI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720S-SI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5730S-EI, S5730-SI, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, deny must be specified for the logging parameter to take effect.	-
time-range time-name	Specifies the name of a time range during which ACL rules take effect. If this parameter is not specified, ACL rules take effect at any time. NOTE: When you specify the time-range parameter to reference a time range to the ACL, if the specified time-name does not exit, the ACL cannot be bound to the specified time range.	The value is a string of 1 to 32 characters.
vpn-instance vpn-instance-name \| public	vpn-instance vpn-instance-name: Specifies the name of a VPN instance, indicating that the ACL rule matches private network packets. public: Indicates that the ACL rule matches public network packets. NOTE: This two parameter cannot be configured together. If neither vpn-instance nor public is specified, both public and private network packets are matched.	-

Views

Basic ACL view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A basic ACL matches packets based on information such as source IP addresses, fragment flags, and time ranges.

The rule command defines the time range and flexibly configures the time ACL rules take effect.

Prerequisites

An ACL has been created before the rule is configured.

Precautions

If the specified rule ID already exists and the new rule conflicts with the original rule, the new rule replaces the original rule.

To modify an existing rule, delete the old rule, and then create a new rule. Otherwise, the configuration result will be incorrect.

The undo rule command deletes an ACL rule even if the ACL rule is referenced. Use this command with caution, especially when you delete an ACL rule that has been referenced.

Example

# Add a rule in ACL 2001 to permit the packets from 192.168.32.1.

<HUAWEI> system-view 
[HUAWEI] acl 2001 
[HUAWEI-acl-basic-2001] rule permit source 192.168.32.1 0

# Delete rule 5 from ACL 2001.

<HUAWEI> system-view 
[HUAWEI] acl 2001 
[HUAWEI-acl-basic-2001] undo rule 5