rule (Advanced ACL6 view) (tcp)

Function

The rule command creates or modifies an ACL6 rule in the advanced ACL6 view.

The undo rule command deletes an ACL6 rule in the advanced ACL6 view.

By default, no advanced ACL6 rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } { tcp | 6 } [ { destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | destination-pool destination-pool-name } | destination-port { range { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | source-port { range { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | time-range time-name | [ dscp dscp-value | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | ack | urg ] * } | { urg [ fin | psh | rst | syn | ack ] * } } ] *

undo rule [ name rule-name ] { permit | deny } { tcp | 6 } [ { destination { destination-ipv6-address prefix-length | dest-ipv6-addr-prefix | any } | destination-pool destination-pool-name } | destination-port { range { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | fragment | { source { source-ipv6-address prefix-length | src-ipv6-addr-prefix | any } | source-pool source-pool-name } | source-port { range { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | time-range time-name | [ dscp dscp-value | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { value | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | [ vpn-instance vpn-instance-name | vpn-instance-any ] | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | ack | urg ] * } | { urg [ fin | psh | rst | syn | ack ] * } } ] *

Parameters

Parameter Description Value
rule-id

Specifies the ID of an ACL6 rule.

The value is an integer ranging from 0 to 4294967294.

name rule-name

Specifies the name of an ACL6 rule.

The value is a string of 1 to 32 case-sensitive characters without spaces; it cannot begin with an underscore (_).

permit

Permits packets that match conditions.

-

deny

Denies packets that match conditions.

-

tcp | 6

Transmission Control Protocol (6).

-

destination

Matches packets based on destination IPv6 addresses.

If destination is not configured, packets to any destination IPv6 address are matched.

-

destination-ipv6-address

Specifies a destination IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

prefix-length

Specifies the length of an IPv6 address mask.

The value is an integer ranging from 1 to 128.

dest-ipv6-addr-prefix

Specifies the destination IPv6 address with a prefix.

The value is a string of case-sensitive characters, spaces not supported.

any

Matches packets with any destination IPv6 address.

-

destination-pool destination-pool-name

Specifies the name of a destination IPv6 address pool used by an advanced ACL. An ACL IPv6 address pool is created using the acl ipv6-pool command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

destination-port

Matches packets based on the destination port number.

This parameter is available only when protocol is set to TCP or UDP. If this parameter is not specified, packets with any destination port number are matched.

-

range

Matches packets with the specified port number in a specified range.

-

port

Specifies a TCP port number.

The number is an integer ranging from 0 to 65535.

chargen

Port for the Character Generator Protocol (19).

-

bgp

Border Gateway Protocol (179).

-

cmd

Port used to execute non-interactive commands on a remote system (rshell, rcp) (514).

-

daytime

Port used to send the date and time to the requesting host (13).

-

discard

Empty service used for connection test (9).

-

domain

Domain Name Service (53).

-

echo

Echo service (7).

-

exec

Port used to authenticate remote processes (512).

-

finger

Port for the Finger service, which is used to query information, such as online users of remote hosts (79).

-

ftp

File Transfer Protocol control port (21).

-

ftp-data

FTP data connections port (20).

-

gopher

Information retrieval protocol (used for Internet document searching and retrieval) (70).

-

hostname

Host name service of the Network Information Center (NIC) (101).

-

irc

Port for the IRC protocol (194).

-

klogin

Port for Kerberos remote login protocol version 5 (543).

-

kshell

Port for Kerberos remote shell protocol version 5 (544).

-

login

Remote login (513).

-

lpd

Port for the Line Printer Daemon protocol (515).

-

nntp

Network News Transfer Protocol port, which carries Usenet news (119).

-

pop2

Post Office Protocol version 2 (109).

-

pop3

Post Office Protocol version 3 (110).

-

smtp

Simple Mail Transfer Protocol (25).

-

sunrpc

Sun Remote Procedure Call (RPC) portmapper, used to invoke procedures on remote hosts and by the Network File System (NFS) (111).

-

tacacs

Port for the access control system based on TCP/IP authentication (TACACS login host protocol) (49).

-

talk

Port used to remotely talk with servers and clients (517).

-

telnet

Telnet (23).

-

time

Clock protocol (37).

-

uucp

Unix-to-Unix Copy Program (540).

-

whois

WHOIS directory service (43).

-

www

HTTP port for the WWW service, which is used to browse web pages (80).

-

gt

Matches packets with a port number greater than the specified port number.

-

lt

Matches packets with a port number smaller than the specified port number.

-

eq

Matches packets with the specified port number.

-

neq

Matches packets with a port number not equal to the specified port number.

-

fragment

Matches fragmented packets. Because the fragments matched here carry no TCP header, this keyword cannot be combined with source-port or destination-port.

-

source

Matches packets based on the source IPv6 address.

If no source IPv6 address is configured, packets with any source IPv6 address are matched.

-

source-ipv6-address

Specifies a source IPv6 address.

The address is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

prefix-length

Specifies the length of an IPv6 address mask.

The value is an integer ranging from 1 to 128.

src-ipv6-addr-prefix

Specifies the source IPv6 address with a prefix.

The value is a string of case-sensitive characters, spaces not supported.

source-pool source-pool-name

Specifies the name of a source IPv6 address pool used by an advanced ACL. An ACL IPv6 address pool is created using the acl ipv6-pool pool-name command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

source-port

Matches packets based on the source port.

If this parameter is not specified, packets with any source port number are matched.

-

time-range time-name

Specifies the time range during which the rule takes effect. If this parameter is not specified, the rule takes effect immediately after being configured.

The time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

dscp dscp-value

Specifies a DSCP.

The number is an integer ranging from 0 to 63.

precedence precedence

Matches IPv6 packets based on the leftmost three bits of the TC field.

The value is an integer ranging from 0 to 7.

critical

Indicates the critical priority (5).

-

flash

Flash priority (3).

-

flash-override

Flash-override priority (4).

-

immediate

Immediate priority (2).

-

internet

Internetwork control priority (6).

-

network

Network control priority (7).

-

priority

Priority (1).

-

routine

Routine priority (0).

-

tos value

Matches IPv6 packets based on the leftmost four to seven bits of the TC field.

The number is an integer ranging from 0 to 15.

max-reliability

Highest-reliability service (2).

-

max-throughput

Maximum throughput service (4).

-

min-delay

Minimum delay service (8).

-

min-monetary-cost

Minimum monetary cost service (1).

-

normal

Common service (0).

-

vpn-instance vpn-instance-name

Matches packets based on the name of an IPv6 VPN instance. If the IPv6 packets belong to an L3VPN service, this parameter must be added to the ACL. If this parameter is not specified, the rule matches public-network IPv6 packets.

The value is a string of 1 to 31 case-sensitive characters.

vpn-instance-any

Specifies any VPN instance.

-

tcp-flag tcp-flag

Specifies a TCP flag value.

This parameter is available only when protocol is set to tcp (6). The TCP header has six flag bits (URG, ACK, PSH, RST, SYN, and FIN), with the following meanings:

  • URG: indicates that the urgent pointer is valid.
  • ACK: indicates that the acknowledgment number is valid.
  • PSH: indicates that the receiver should deliver this segment to the application layer as soon as possible.
  • RST: indicates that the connection is reset.
  • SYN: indicates that the sequence number is synchronized to initiate a connection.
  • FIN: indicates that the sender has finished sending data.

The value is an integer ranging from 0 to 63.

ACLs encode the six flags as one integer from 0 to 63, with URG as the most significant bit and FIN as the least significant (URG = 32, ACK = 16, PSH = 8, RST = 4, SYN = 2, FIN = 1). For example, 0 means that all six flags are 0 and 63 means that all six flags are 1. To match SYN = 1 and ACK = 1 with all other flags 0, set tcp-flag to 18 (binary 010010).

mask mask-value

Specifies the mask of a TCP flag.

The value is an integer ranging from 0 to 63.

After this parameter is set, only the flag bits selected by mask-value are compared: the match succeeds if the bitwise AND of the Flags field of the TCP packet with mask-value equals the bitwise AND of tcp-flag with mask-value. Bits that are 0 in mask-value are ignored, so for example tcp-flag 2 mask 18 matches every segment with SYN set and ACK clear, whatever the values of URG, PSH, RST, and FIN.

established

Matches TCP packets in the Established state.

After established is configured in an ACL rule, the device matches TCP packets whose ACK flag is 1 or RST flag is 1, that is, every segment except the initial SYN of a new connection.

Attackers may send a large number of TCP SYN packets to network devices. Configuring established in an advanced ACL rule allows TCP connections to be set up in one direction only: a permit rule with established applied to inbound traffic passes the replies to connections that devices on the protected side initiated, while inbound connection requests (SYN without ACK) do not match it. The check is stateless: a crafted segment with ACK or RST set matches even when no connection exists, so established limits who can open connections, not which packets can reach the device.

-
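Because the flag arithmetic above is easy to get wrong, here is an added example (written for this page, not Huawei code) that implements the tcp-flag/mask comparison and the established check exactly as described in the two entries above, inside a small evaluator for a subset of this page's rule syntax (source with address and prefix length, destination-port eq/range, numeric tcp-flag with optional mask, and established). The rule IDs, prefixes and addresses in the sample rule set are constructed; first-match evaluation in ascending rule-ID order is assumed as the config matching order, and no implicit default action is modelled (None means no rule matched):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Bit weight of each flag in the 0-63 tcp-flag integer (URG is the most
# significant of the six bits, FIN the least).
FLAG_BITS = {"urg": 32, "ack": 16, "psh": 8, "rst": 4, "syn": 2, "fin": 1}
ACK_OR_RST = FLAG_BITS["ack"] | FLAG_BITS["rst"]

def tcp_flag_value(*flags: str) -> int:
    """Encode flag names as the tcp-flag integer, e.g. ("syn", "ack") -> 18."""
    return sum(FLAG_BITS[f.lower()] for f in flags)

@dataclass
class Packet:
    src: str      # source IPv6 address as text
    dport: int
    flags: int    # raw six-bit TCP flags field

@dataclass
class Rule:
    rule_id: int
    action: str                                     # "permit" or "deny"
    source: Optional[ipaddress.IPv6Network] = None  # None: any source
    dport: Optional[tuple] = None                   # inclusive (low, high); None: any
    tcp_flag: Optional[int] = None                  # None: flags not compared
    mask: int = 63                                  # no mask keyword: compare all six bits
    established: bool = False                       # ACK=1 or RST=1

def parse_rule(line: str) -> Rule:
    """Parse: rule ID {permit|deny} tcp [source {ADDR PLEN|any}]
    [destination-port {eq P|range P1 P2}] [tcp-flag {N [mask M]|established}]"""
    tok = line.split()
    if tok[0] != "rule" or tok[3] != "tcp":
        raise ValueError("unsupported rule: " + line)
    rule, i = Rule(rule_id=int(tok[1]), action=tok[2]), 4
    while i < len(tok):
        key, arg = tok[i], tok[i + 1]
        if key == "source" and arg == "any":
            i += 2
        elif key == "source":  # address and prefix length are separate words
            rule.source = ipaddress.IPv6Network(f"{arg}/{tok[i + 2]}", strict=False)
            i += 3
        elif key == "destination-port" and arg == "eq":
            rule.dport = (int(tok[i + 2]), int(tok[i + 2]))
            i += 3
        elif key == "destination-port" and arg == "range":
            rule.dport = (int(tok[i + 2]), int(tok[i + 3]))
            i += 4
        elif key == "tcp-flag" and arg == "established":
            rule.established = True
            i += 2
        elif key == "tcp-flag":
            rule.tcp_flag, i = int(arg), i + 2
            if i < len(tok) and tok[i] == "mask":
                rule.mask, i = int(tok[i + 1]), i + 2
        else:
            raise ValueError("unsupported keyword: " + key)
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match of one segment against one rule."""
    if rule.source is not None and ipaddress.IPv6Address(pkt.src) not in rule.source:
        return False
    if rule.dport is not None and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    # tcp-flag N mask M: only the bits set in M are compared, on both sides.
    if rule.tcp_flag is not None and (pkt.flags & rule.mask) != (rule.tcp_flag & rule.mask):
        return False
    # established: ACK or RST set, i.e. everything except a bare connection request.
    if rule.established and not pkt.flags & ACK_OR_RST:
        return False
    return True

def evaluate(rules, pkt: Packet):
    """Config order: ascending rule ID, first hit wins. None if nothing matches."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if matches(rule, pkt):
            return (rule.action, rule.rule_id)
    return None

# Constructed rule set (not a Huawei example): only the management prefix may
# open SSH, other connection attempts are dropped, reply traffic is allowed.
RULES = [parse_rule(line) for line in (
    "rule 5 permit tcp source 2001:db8:100:: 64 destination-port eq 22",
    "rule 10 deny tcp tcp-flag 2 mask 18",      # SYN=1 and ACK=0, other flags ignored
    "rule 15 permit tcp tcp-flag established",  # ACK=1 or RST=1
    "rule 20 deny tcp",
)]

def demo():
    mgmt, outside = "2001:db8:100::7", "2001:db8:200::7"  # constructed addresses
    return {
        "mgmt ssh syn": evaluate(RULES, Packet(mgmt, 22, tcp_flag_value("syn"))),
        "outside ssh syn": evaluate(RULES, Packet(outside, 22, tcp_flag_value("syn"))),
        "reply syn-ack": evaluate(RULES, Packet(outside, 40000, tcp_flag_value("syn", "ack"))),
        "ack scan": evaluate(RULES, Packet(outside, 445, tcp_flag_value("ack"))),  # passes
        "null scan": evaluate(RULES, Packet(outside, 445, 0)),
    }
```

Running demo() shows the established caveat directly: the ACK-only segment aimed at port 445 from the outside host is permitted by rule 15 exactly as a legitimate reply would be, because the rule inspects flag bits and nothing else. A SYN with PSH set still hits rule 10, which is why "connection attempt" is expressed as tcp-flag 2 mask 18 (compare only the ACK and SYN bits) rather than as an exact match on 2.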

ack

Matches TCP packets based on the ACK flag.

-

fin

Matches TCP packets based on the FIN flag.

-

psh

Matches TCP packets based on the PSH flag.

-

rst

Matches TCP packets based on the RST flag.

-

syn

Matches TCP packets based on the SYN flag.

-

urg

Matches TCP packets based on the URG flag.

-

rule

Specifies an ACL6 rule.

-

Views

Advanced ACL6 view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After an advanced ACL6 is created, run the rule command to add rules to the ACL6.

Prerequisites

An advanced ACL6 has been created using the acl ipv6 command in the system view.

A time range has been configured using the time-range command in the system view if you want to specify a validity period when creating an advanced ACL6 rule.

Configuration Impact

When specifying an ACL6 rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

    When an ACL6 rule ID is not specified and a rule is added, the system automatically allocates an ID to this rule. ACL6 rules are arranged in ascending order of rule IDs, with the difference between two adjacent rules as an ACL6 step.

    The rule IDs automatically generated by the system start from the ACL6 step. For example, if the ACL6 step is 5, the rule ID starts from 5; if the ACL6 step is 2, the rule ID starts from 2. This allows you to add rules before the first rule.

Precautions

When you configure advanced ACL6 rules for TCP or UDP, fragment cannot be configured together with destination-port or source-port, because the fragments matched by fragment carry no TCP or UDP header from which to read port numbers.

If auto (matching in auto mode, based on the depth-first principle) is specified when you run the acl ipv6 command to create an advanced ACL6, you cannot specify a rule ID when creating a rule. The system uses the ACL6 step as the first rule ID and numbers subsequent rules by the step in ascending order.

If rule-id is not specified when you run the rule command to create an ACL6, the system automatically assigns an ID to the ACL6 rule. You can run the display acl ipv6 command to check the rule ID automatically assigned to an ACL6.

If name rule-name is not specified when you run the rule command to create an ACL6, the system automatically generates a name for the ACL6 in the format of "rule"+"_"+rule ID. Rule ID is the ID of an ACL6 rule that can be specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL6 rule through the NMS.

When deleting a rule by its ID, specify the ID exactly. To check rule IDs, run the display acl ipv6 command.

Before deleting an ACL6 rule, run the display acl ipv6 command to check whether the ACL6 rule has been applied to other services. Delete the rule only when it is not applied to other services.

If you do not specify the ID of the advanced ACL6 rule to be deleted, you must specify all parameters of the rule exactly as they were configured so that the system can identify it.

Example

# Configure an advanced ACL6 whose matching order is config.
<HUAWEI> system-view
[~HUAWEI] acl ipv6 3000
[*HUAWEI-acl6-advance-3000] rule permit tcp source 2001:db8::1 64
Copyright © Huawei Technologies Co., Ltd.