rule (service6-sec-policy view)

Function

The rule command adds a rule for an MPAC policy in the service6-sec view.

The undo rule command deletes a rule or part of the rule configuration from an MPAC policy in the service6-sec view.

By default, no rule is configured for an MPAC policy in the service6-sec view.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { ospf | rsvp | pim | ip | ip-protocol-number-18-255 | ip-protocol-number-1-5 | ip-protocol-number-7-16 } [ [ source-ip { source-ipv6-address { source-ipv6-prefix-length } | source-ipv6-address-with-prefix | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length } | destination-ipv6-address-with-prefix | any } ] ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { bgp | dhcp-c | dhcp-r | ftp | ssh | telnet | lsp-ping | ntp | rip | snmp | tftp | ldp } [ [ source-ip { source-ipv6-address { source-ipv6-prefix-length } | source-ipv6-address-with-prefix | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length } | destination-ipv6-address-with-prefix | any } ] ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } protocol { tcp | udp | tcp-protocol-number | udp-protocol-number } [ [ source-port source-port-number ] | [ destination-port destination-port-number ] | [ source-ip { source-ipv6-address { source-ipv6-prefix-length } | source-ipv6-address-with-prefix | any } ] | [ destination-ip { destination-ipv6-address { destination-ipv6-prefix-length } | destination-ipv6-address-with-prefix | any } ] ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } protocol any

rule [ rule-id ] [ name rule-name ] { permit | deny } ipv6-ext-header source-routing-type srh

undo rule { rule-id | name rule-name } [ [ source-port ] | [ destination-port ] | [ source-ip ] | [ destination-ip ] ] *

Parameters

| Parameter | Description | Value |
|---|---|---|
| rule-id | Specifies the ID of a rule for an MPAC policy. | The value is an integer ranging from 0 to 4294967294. |
| name rule-name | Specifies the name of a rule for a Management Plane Access Control (MPAC) policy. | The value is a string. |
| permit | Allows the matched packets to be sent to the CPU. | - |
| deny | Prevents the matched packets from being sent to the CPU. | - |
| protocol | Indicates the protocol name or number. | - |
| protocol any | Indicates any protocol. | - |
| ospf | Indicates OSPF. | - |
| rsvp | Indicates Resource Reservation Protocol (RSVP). | - |
| pim | Indicates PIM. | - |
| ip | Indicates IP. | - |
| ip-protocol-number-1-5, ip-protocol-number-7-16, ip-protocol-number-18-255 | Specifies an IP protocol number other than the TCP and UDP protocol numbers. If the protocol number is 58, ICMPv6 packets are matched. MPAC policy control is not performed on Neighbor Discovery (ND) packets carried in ICMPv6. | The value is an integer ranging from 1 to 255, excluding 6 and 17. |
| source-ip | Indicates the source IP address of packets. | - |
| source-ipv6-address | Specifies a source IPv6 address. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| source-ipv6-prefix-length | Specifies the prefix length of a source IPv6 address. | The value is an integer ranging from 1 to 128. |
| any | Indicates any IP address. | - |
| destination-ip | Specifies the destination address of packets. | - |
| destination-ipv6-address | Specifies a destination IPv6 address. | The value is a 32-digit hexadecimal number, in the format X:X:X:X:X:X:X:X. |
| destination-ipv6-prefix-length | Specifies the prefix length of a destination IPv6 address. | The value is an integer ranging from 1 to 128. |
| bgp | Indicates BGP. | - |
| dhcp-c | Indicates Dynamic Host Configuration Protocol-C (DHCP-C). | - |
| dhcp-r | Indicates Dynamic Host Configuration Protocol-R (DHCP-R). | - |
| ftp | Indicates FTP. | - |
| ssh | Indicates SSH. | - |
| telnet | Indicates Telnet. | - |
| lsp-ping | Indicates LSP ping. | - |
| ntp | Indicates NTP. | - |
| rip | Indicates RIP. | - |
| snmp | Indicates SNMP. | - |
| tftp | Indicates TFTP. | - |
| ldp | Indicates LDP. | - |
| tcp | Indicates TCP. | - |
| udp | Indicates User Datagram Protocol (UDP). | - |
| tcp-protocol-number | Indicates the TCP protocol number. | The value is 6. |
| udp-protocol-number | Indicates the UDP protocol number. | The value is 17. |
| source-port source-port-number | Specifies the source port number. | The value is an integer ranging from 0 to 65535. |
| destination-port destination-port-number | Specifies the destination port number. | The value is an integer ranging from 0 to 65535. |
| ipv6-ext-header | Specifies the IPv6 extension header. | - |
| source-routing-type srh | Specifies the SRH-type routing extension header. | - |

Views

Service6-sec-policy view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|---|---|
| hostdefend | write |

Usage Guidelines

Usage Scenario

To match specific users or packets, run the rule command to specify a matching rule based on a protocol name, a 5-tuple, or an IPv6 extension header. Currently, only the SRH-type routing extension header is supported.

Prerequisites

Before configuring a rule for a management plane access control policy, run the service-security policy command to create the management plane access control policy.

Precautions

An IS-IS-based rule cannot be configured in the service6-sec policy view.

Exercise caution when using the rule [ rule-id ] deny protocol any command. After this command is applied globally, no protocol packets are sent to the CPU, and the device can no longer be managed.

Example

# Configure the access control policy for IPv6 extension headers to allow SRH-type routing extension header access.
<HUAWEI> system-view
[~HUAWEI] service-security policy ipv6 test
[*HUAWEI-service6-sec-test] rule permit ipv6-ext-header source-routing-type srh
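As an added example (written for this page, not Huawei's code or part of the product), a small Python linter that checks candidate rule lines against the Format and value ranges documented above before they are pasted into the service6-sec view, and flags the deny protocol any case from the Precautions. It assumes only the textual forms shown on this page, handles rule lines (not undo rule), and never talks to a device.

```python
import ipaddress

# Protocol keywords from the command's Format lines; only tcp/udp (or 6/17) take ports.
PORT_CAPABLE = {"tcp", "udp", "6", "17"}
NAMED = {"ospf", "rsvp", "pim", "ip", "bgp", "dhcp-c", "dhcp-r", "ftp", "ssh",
         "telnet", "lsp-ping", "ntp", "rip", "snmp", "tftp", "ldp"}

def _check_ipv6(t, i, findings, kw):  # '<addr> <prefix-len>', '<addr>/<len>' or 'any'
    if t[i:i + 1] == ["any"]:
        return i + 1
    try:
        spec = t[i] if "/" in t[i] else f"{t[i]}/{t[i + 1]}"
        if ipaddress.IPv6Network(spec, strict=False).prefixlen < 1:
            raise ValueError  # the page documents prefix lengths 1 to 128
        return i + (1 if "/" in t[i] else 2)
    except (ValueError, IndexError):
        findings.append(f"{kw}: expected X:X:X:X:X:X:X:X <prefix-length 1-128> or any")
        return len(t)  # stop; the rest of the line cannot be parsed reliably

def check_rule(line):
    """Return findings for one 'rule ...' line; an empty list means it passes."""
    findings, t = [], line.split()
    if t[:1] != ["rule"]:
        return ["not a rule command"]
    i = 2 if len(t) > 1 and t[1].isdigit() else 1       # optional rule-id
    i += 2 if t[i:i + 1] == ["name"] else 0             # optional name rule-name
    if t[i:i + 1] not in (["permit"], ["deny"]):
        return ["expected permit or deny"]
    action, i = t[i], i + 1
    if t[i:i + 1] == ["ipv6-ext-header"]:  # only the SRH routing header is supported
        return [] if t[i + 1:] == ["source-routing-type", "srh"] else ["ipv6-ext-header: only 'source-routing-type srh' is supported"]
    if t[i:i + 1] != ["protocol"] or i + 1 >= len(t):
        return ["expected 'protocol <name | number | any>'"]
    proto, i = t[i + 1], i + 2
    if proto == "any" and action == "deny":  # the precaution on the page: global lockout
        findings.append("deny protocol any: applied globally, no protocol packets reach the CPU")
    elif not (proto in NAMED | PORT_CAPABLE | {"any"} or proto.isdigit() and 1 <= int(proto) <= 255):
        findings.append(f"invalid protocol '{proto}': use a name, a number 1-255, or any")
    while i < len(t):
        kw = t[i]
        if kw in ("source-port", "destination-port"):
            if proto not in PORT_CAPABLE or not (t[i + 1:i + 2] and t[i + 1].isdigit() and int(t[i + 1]) <= 65535):
                findings.append(f"{kw} needs tcp/udp (6/17) and a port 0-65535")
            i += 2
        elif kw in ("source-ip", "destination-ip"):
            i = _check_ipv6(t, i + 1, findings, kw)
        else:
            return findings + [f"unexpected token '{kw}'"]
    return findings
```

Run check_rule on each planned line; a non-empty list is a reason to correct the line before it reaches the device.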
Copyright © Huawei Technologies Co., Ltd.