
rule (MPAC policy)

Function

The rule command adds a rule to the MPAC (management plane access control) policy view. Each rule either permits or denies protocol packets that match it from being sent to the CPU.

The undo rule command deletes a rule, or removes individual match conditions (source-ip, destination-ip, source-port, destination-port) from an existing rule.

By default, an MPAC policy contains no rules.

Format

rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *

rule [ rule-id ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv4-address { source-ipv4-mask | 0 } | any } ] | [ destination-ip { destination-ipv4-address { destination-ipv4-mask | 0 } | any } ] ] *

rule [ rule-id ] { deny | permit } protocol { any | isis }

rule [ rule-id ] { permit | deny } protocol { protocol-number | ftp | ssh | snmp | telnet | tftp | bgp | ldp | rsvp | ospf | rip | ntp | lsp-ping | dhcp-c | dhcp-r | ip } [ [ source-ip { source-ipv6-address source-ipv6-prefix-length | source-ipv6-address/prefix-length | any } ] | [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length | destination-ipv6-address/prefix-length | any } ] ] *

rule [ rule-id ] { permit | deny } protocol { tcp | tcp-protocol-number | udp | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv6-address source-ipv6-prefix-length | source-ipv6-address/prefix-length | any } ] | [ destination-ip { destination-ipv6-address destination-ipv6-prefix-length | destination-ipv6-address/prefix-length | any } ] ] *

undo rule rule-id [ source-ip | destination-ip | source-port | destination-port ] *

Parameters

Parameter / Description / Value

rule-id Indicates the MPAC rule ID. The value is an integer that ranges from 0 to 4294967294.
deny Prevents protocol packets matching the rule from being sent to the CPU. -
permit Allows protocol packets matching the rule to be sent to the CPU. -
protocol Specifies the protocol name or IP protocol number. -
tcp Indicates the Transmission Control Protocol (TCP). -
tcp-protocol-number Indicates the IP protocol number of TCP. It has a fixed value of 6.
udp Indicates the User Datagram Protocol (UDP). -
udp-protocol-number Indicates the IP protocol number of UDP. It has a fixed value of 17.
source-port source-port-number Specifies the source port number of protocol packets. The value is an integer that ranges from 1 to 65535.
destination-port destination-port-number Specifies the destination port number of protocol packets. The value is an integer that ranges from 1 to 65535.
protocol-number Specifies an IP protocol number (for example, 58 for ICMPv6). The value is an integer that ranges from 1 to 255.
ftp Indicates the File Transfer Protocol (FTP). -
ssh Indicates the Secure Shell (SSH) protocol. -
snmp Indicates the Simple Network Management Protocol (SNMP). -
telnet Indicates the Telnet protocol. -
tftp Indicates the Trivial File Transfer Protocol (TFTP). -
bgp Indicates the Border Gateway Protocol (BGP). -
ldp Indicates the Label Distribution Protocol (LDP). -
rsvp Indicates the Resource Reservation Protocol (RSVP). -
ospf Indicates the Open Shortest Path First (OSPF) protocol. -
rip Indicates the Routing Information Protocol (RIP). -
ntp Indicates the Network Time Protocol (NTP). -
lsp-ping Indicates the Label Switched Path (LSP) ping protocol (MPLS echo request/reply). -
dhcp-c Indicates Dynamic Host Configuration Protocol (DHCP) packets addressed to a DHCP client (UDP destination port 68 for IPv4, 546 for IPv6; see Table 1). -
dhcp-r Indicates DHCP packets addressed to the DHCP server/relay port (UDP destination port 67 for IPv4, 547 for IPv6; see Table 1). -
ip Indicates the Internet Protocol (IP). -
source-ip Indicates the source address of protocol packets. -
source-ipv4-address Specifies a source IPv4 address. The value is in dotted decimal notation.
source-ipv4-mask | 0 source-ipv4-mask specifies the mask of the source IPv4 address; protocol packets from the specified subnet are sent to the CPU or discarded. 0 specifies a single source host (host match); protocol packets from that host are sent to the CPU or discarded. The mask is in dotted decimal notation.
destination-ip Indicates the destination address of protocol packets. -
destination-ipv4-address Specifies a destination IPv4 address. The value is in dotted decimal notation.
destination-ipv4-mask | 0 destination-ipv4-mask specifies the mask of the destination IPv4 address; protocol packets destined for the specified subnet are sent to the CPU or discarded. 0 specifies a single destination host (host match); protocol packets destined for that host are sent to the CPU or discarded. The mask is in dotted decimal notation.
any Indicates any IP address. -
isis Indicates the Intermediate System to Intermediate System (IS-IS) protocol. -
source-ipv6-address Specifies a source IPv6 address. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
source-ipv6-prefix-length Specifies the prefix length of a source IPv6 address. The value is an integer that ranges from 1 to 128.
source-ipv6-address/prefix-length Specifies the source IPv6 address and prefix length. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X/M. M is an integer that ranges from 1 to 128.
destination-ipv6-address Specifies a destination IPv6 address. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X.
destination-ipv6-prefix-length Specifies the prefix length of a destination IPv6 address. The value is an integer that ranges from 1 to 128.
destination-ipv6-address/prefix-length Specifies the destination IPv6 address and prefix length. The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X/M. M is an integer that ranges from 1 to 128.

Views

MPAC policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To match specific users or packets, run the rule command with a protocol name, or with up to five packet attributes (protocol number, source and destination IP address, source and destination port) specified. When a protocol name is given, the device matches the transport protocol and port number listed for that name in Table 1.

The MPAC matching rules for TCP/UDP are described in Table 1. An entry of the form "source/destination port number is N" means the packet matches when either its source port or its destination port is N.

Table 1 Description of the MPAC matching rules for TCP/UDP

Protocol   TCP/UDP   Description
FTP        TCP       The source/destination port number is 21.
SSH        TCP       The source/destination port number is 22.
Telnet     TCP       The source/destination port number is 23.
BGP        TCP       The source/destination port number is 179.
LDP        TCP/UDP   TCP: the source/destination port number is 646. UDP: the destination port number is 646.
DHCP-R     UDP       IPv4: the destination port number is 67. IPv6: the destination port number is 547.
DHCP-C     UDP       IPv4: the destination port number is 68. IPv6: the destination port number is 546.
NTP        UDP       The destination port number is 123.
SNMP       UDP       The destination port number is 161.
RIP        UDP       IPv4: the destination port number is 520. IPv6: the destination port number is 521.
LSP-PING   UDP       The source/destination port number is 3503.

Prerequisites

An MPAC policy has been created using the service-security policy command.

Precautions

  • MPAC rules configured in the IPv6 MPAC policy view (service6-sec) do not support the isis keyword.
  • Exercise caution when using the rule [ rule-id ] deny protocol any command. If a policy containing this rule is applied in the system view, no protocol packets at all can be sent to the CPU and the device can no longer be managed in band. Pair it with explicit permit rules for the management and control-plane protocols and source addresses you depend on (for example, SSH from the management subnet and BGP from known peers), and keep a console session open while the policy is applied.
  • If a whitelist is configured for an MPAC IPv6 policy, run the rule permit protocol 58 command to allow ICMPv6 packets. IPv6 Neighbor Discovery is carried in ICMPv6, so a whitelist without this rule breaks neighbor resolution and with it IPv6 reachability to the device.

Example

# Add rule 5 to the IPv4 MPAC policy huawei. The rule permits UDP packets with source port 3503 (LSP ping, see Table 1) destined for the single host 127.0.0.1 (host mask 255.255.255.255).

<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 huawei
[HUAWEI-service-sec-huawei] rule 5 permit protocol udp source-port 3503 destination-ip 127.0.0.1 255.255.255.255
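The following configuration is added here as an illustration of a whitelist-style policy and is not taken from the original page. It uses only the rule forms documented above; the policy names, the management subnet 192.0.2.0/24, the BGP peer 198.51.100.7, the NTP server 192.0.2.123 and the IPv6 management prefix 2001:db8:100::/64 are placeholders. The ipv6 form of the service-security policy command and the [HUAWEI-service6-sec-...] prompt are inferred from the page's reference to the service6-sec policy view and should be checked against your platform; the page does not state the order in which rules are evaluated, so the permits are given lower rule IDs than the final deny and you should confirm the match order before relying on the deny rule.

```text
# IPv4 policy: permit management and control-plane traffic explicitly, then deny everything else.
<HUAWEI> system-view
[HUAWEI] service-security policy ipv4 mgmt-v4
[HUAWEI-service-sec-mgmt-v4] rule 10 permit protocol ssh source-ip 192.0.2.0 255.255.255.0
[HUAWEI-service-sec-mgmt-v4] rule 20 permit protocol snmp source-ip 192.0.2.0 255.255.255.0
[HUAWEI-service-sec-mgmt-v4] rule 30 permit protocol bgp source-ip 198.51.100.7 0
[HUAWEI-service-sec-mgmt-v4] rule 40 permit protocol ospf
[HUAWEI-service-sec-mgmt-v4] rule 50 permit protocol ntp source-ip 192.0.2.123 0
[HUAWEI-service-sec-mgmt-v4] rule 60 permit protocol isis
[HUAWEI-service-sec-mgmt-v4] rule 1000 deny protocol any
# Remove only the source-ip condition from rule 50 so NTP is accepted from any server; the rule itself remains.
[HUAWEI-service-sec-mgmt-v4] undo rule 50 source-ip
[HUAWEI-service-sec-mgmt-v4] quit
# IPv6 policy: the isis keyword is not available in this view, and protocol 58 (ICMPv6) must be
# permitted alongside the deny, otherwise Neighbor Discovery fails and the device loses IPv6 reachability.
[HUAWEI] service-security policy ipv6 mgmt-v6
[HUAWEI-service6-sec-mgmt-v6] rule 10 permit protocol ssh source-ip 2001:db8:100::/64
[HUAWEI-service6-sec-mgmt-v6] rule 20 permit protocol 58
[HUAWEI-service6-sec-mgmt-v6] rule 1000 deny protocol any
[HUAWEI-service6-sec-mgmt-v6] quit
```

A policy has no effect until it is bound globally or to an interface with the binding command for your platform, which this page does not cover. Bind it from a console session rather than over SSH, so that a mistake in the permit rules (a wrong management subnet, a missing protocol 58 rule) does not lock you out of the device.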
Copyright © Huawei Technologies Co., Ltd.