The rule command creates or modifies an ACL rule in the advanced ACL view.
The undo rule command deletes an ACL rule in the advanced ACL view.
By default, no advanced ACL rule is created.
rule [ rule-id ] [ name rule-name ] { permit | deny } { icmp | 1 } [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } | precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *
undo rule [ name rule-name ] { permit | deny } { icmp | 1 } [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } | precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | icmp-type { icmp-name | icmp-type [ to icmp-type-end ] [ icmp-code ] } | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *
| Parameter | Description | Value |
|---|---|---|
| rule-id |
Specifies the ID of an ACL rule. |
The value is an integer ranging from 0 to 4294967294. |
| name rule-name |
Specifies the name of an ACL rule. |
The value is a string of 1 to 32 case-sensitive characters without spaces and cannot start with an underscore (_). |
| permit |
Permits packets that match conditions. |
- |
| deny |
Denies packets that match conditions. |
- |
| icmp |
Internet Control Message Protocol(1). |
- |
| 1 |
Protocol number. |
- |
| dscp dscp |
Matches packets based on the 6-bit DSCP field in an IPv4 packet as defined in standard protocols. DSCP can be used together neither with ToS nor with IP Precedence. DSCP is 6-bit, and left bit is high bit, and right bit is low bit. The DSCP equals to 32 in decimal number (100000 in binary number), rather than 1. |
The value is an integer that ranges from 0 to 63. |
| af11 |
Matches packets based on a DSCP value AF11 DSCP (001010). |
- |
| af12 |
Matches packets based on a priority value AF12 DSCP (001100). |
- |
| af13 |
Matches packets based on a priority value AF13 DSCP (001110). |
- |
| af21 |
Matches packets based on a DSCP value AF21 DSCP (010010). |
- |
| af22 |
Matches packets based on a DSCP value AF22 DSCP (010100). |
- |
| af23 |
Matches packets based on a DSCP value AF23 DSCP (010110). |
- |
| af31 |
Matches packets based on a DSCP value AF31 DSCP (011010). |
- |
| af32 |
Matches packets based on a DSCP value AF32 DSCP (011100). |
- |
| af33 |
Matches packets based on a DSCP value AF33 DSCP (011110). |
- |
| af41 |
Matches packets based on a DSCP value AF41 DSCP (100010). |
- |
| af42 |
Matches packets based on a DSCP value AF42 DSCP (100100). |
- |
| af43 |
Matches packets based on a DSCP value AF43 DSCP (100110). |
- |
| cs1 |
CS1 (IP Precedence 1) DSCP (001000). |
- |
| cs2 |
CS2 (IP Precedence 2) DSCP (010000). |
- |
| cs3 |
CS3 (IP Precedence 3) DSCP (011000). |
- |
| cs4 |
CS4 (IP Precedence 4) DSCP (100000). |
- |
| cs5 |
CS5 (IP Precedence 5) DSCP (101000). |
- |
| cs6 |
CS6 (IP Precedence 6) DSCP (110000). |
- |
| cs7 |
CS7 (IP Precedence 7) DSCP (111000). |
- |
| default |
Matches packets based on the 6-bit DSCP field in an IPv4 packet as defined in standard protocols, Default DSCP (000000). |
- |
| ef |
EF DSCP (101110). |
- |
| tos tos |
Matches packets based on the 4-bit ToS field in an IPv4 packet as defined in standard protocols. ToS in Advanced ACL is 4 bits long as defined in standard protocols. The ToS equals to 8 in decimal number (1000 in binary number), rather than 1. |
The value is an integer that ranges from 0 to 15. |
| max-reliability |
Match packets with max reliable TOS(2). |
- |
| max-throughput |
Match packets with max throughput TOS(4). |
- |
| min-delay |
Match packets with min delay TOS(8). |
- |
| min-monetary-cost |
Match packets with min monetary cost TOS(1). |
- |
| normal |
Match packets with normal TOS(0). |
- |
| precedence precedence |
Matches packets based on the high-order 3-bit ToS field in an IP packet as defined in standard protocols. Precedence is 3-bit, and left bit is high bit, and right bit is low bit. The Precedence equals to 4 in decimal number (100 in binary number), rather than 1. |
The value is an integer that ranges from 0 to 7. |
| critical |
Specify critical precedence(5). |
- |
| flash |
Specify flash precedence(3). |
- |
| flash-override |
Specify flash-override precedence(4). |
- |
| immediate |
Specify immediate precedence(2). |
- |
| internet |
Specify internetwork control precedence(6). |
- |
| network |
Specify network control precedence(7). |
- |
| priority |
Specify the priority of ACL. |
- |
| routine |
Specify routine precedence(0). |
- |
| destination |
Matches packets based on destination IP addresses. If destination is not configured, packets to any destination IP address are matched. |
- |
| destination-ip-address |
Specifies a destination IP address. |
The value is in dotted decimal notation. |
| destination-wildcard |
Specifies the wildcard of a destination IP address. A wildcard mask is a 32-bit number string that indicates which bits of an IP address are checked. Its form is the same as that of an IP address. A source or destination IP address range can be determined by a wildcard mask and an IP address of criteria conditions. If a packet address is within this range, the packet meets the criteria conditions; otherwise, the packet does not. |
The value is in dotted decimal notation. The wildcard of a destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address. |
| 0 |
Wildcard bits: 0.0.0.0 (a host). |
- |
| des-netmask |
Specifies the length of a destination IP address mask. |
The value is an integer ranging from 1 to 32. |
| any |
Matches packets with any IP address. |
- |
| destination-pool destination-pool-name |
Specifies the name of an ACL destination port pool. The ACL destination port pool is created using the acl port-pool pool-name command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
| fragment-type |
Matches packets based on the fragment type of the packets. |
- |
| fragment |
Checks fragmented packets. |
- |
| icmp-type |
Matches ICMP packets based on the ICMP type and message code. This parameter is available only when protocol is ICMP. If this parameter is not specified, any types of ICMP packets are matched. |
- |
| icmp-type |
Specifies an ICMP message type. |
The value is an integer ranging from 0 to 255. You can run the icmp name ? command in the system view or interface view to view the mappings between the ICMP packet name, type, and code. |
| icmp-name |
Specifies an ICMP message name. |
- |
| icmp-code |
Specifies an ICMP message code. |
The value is an integer ranging from 0 to 255. You can run the icmp name ? command in the system view or interface view to view the mappings between the ICMP packet name, type, and code. |
| source |
Matches packets based on source IP addresses. If source is not configured, packets from any source IP address are matched. |
- |
| source-ip-address |
Specifies a source IP address. |
The value is in dotted decimal notation. |
| source-wildcard |
Specifies the wildcard of a source IP address. A wildcard mask is a 32-bit number string that indicates which bits of an IP address are checked. Its form is the same as that of an IP address. A source or destination IP address range can be determined by a wildcard mask and an IP address of criteria conditions. If a packet address is within this range, the packet meets the criteria conditions; otherwise, the packet does not. Among bits of wildcard masks, 0 represents "Check corresponding bits", and 1 "Do not check corresponding bits". |
The value is in dotted decimal notation. The wildcard of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. 192.168.1.16 0.0.0.15 indicates that the IP address ranges from 192.168.1.16 to 192.168.1.31. The wildcard mask 255.255.255.255 indicates all IP addresses. If all bits are set to 1, it indicates that all the 32 bits are not checked. In this case, any can be used to replace the wildcard mask. The wildcard mask 0.0.0.0 implies that all 32 bits need to be matched. The wildcard mask works in a different way from the IP subnet mask. In the subnet mask, 1 and 0 are used to determine the network, subnet, or the IP address of the corresponding host. |
| src-netmask |
Specifies the mask length of a source IP address. |
The value is an integer that ranges from 1 to 32. |
| source-pool source-pool-name |
Specifies an advanced ACL source IP address pool. An ACL IP address pool is created using the acl ip-pool command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
| time-range time-name |
Specifies a time range during which an ACL rule takes effect. If the time-range is not configured for ACL, it indicates the ACL takes effect immediately. A time range is configured using the time-range command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
| ttl |
Matches packets based on TTL values of packets. |
- |
| gt |
Indicates that packets with TTL values greater than the specified TTL value are matched. |
- |
| lt |
Indicates that packets with TTL values less than the specified TTL value are matched. |
- |
| eq |
Indicates that packets with TTL values equal to the specified TTL value are matched. |
- |
| neq |
Matches the packets whose TTL values are not equal to the specified TTL value. |
- |
| range ttl-value |
Matches packets based on a specified TTL value. If range is specified for ttl-operation, specify ttl-value twice to specify a range. |
The value is an integer ranging from 1 to 255. |
| range begin-pktlen end-pktlen |
Matches packets based on a specified packet length. If length-operation is set to range, this parameter needs to be set twice to specify a range. |
The value is an integer that ranges from 0 to 65535, in bytes. |
| vpn-instance vpn-instance-name |
Matches packets based on a VPN instance name. The parameter indicates the L3VPN that the traffic belongs to. If the traffic is from L3VPN, this option must be configured in the ACL. If this option is not configured, it indicates the traffic belongs to the public network rather than L3VPN. This parameter does not take effect in a traffic policy configuration. |
The value is a string of 1 to 31 case-sensitive characters, spaces not supported. The VPN instance name cannot be _public_. When double quotation marks are used around the string, spaces are allowed in the string. |
| rule |
Specify an ACL rule. |
- |
| fragment-subseq |
Checks subsequent fragments. |
- |
| non-fragment |
Checks non-fragmented packets. |
- |
| non-subseq |
Checks the first fragment or non-fragmented packets. After an IP packet is fragmented, only the first fragment of the packet contains Layer 4 information. If an ACL is configured with rules that match L4 information, the ACL can only filter non-fragmented packets or the first fragment. The other fragmented packets without Layer 4 information can cause mismatching. Therefore, the value non-subseq is recommended if fragmented packets need to be filtered by ACL rules that match only Layer 4 information. |
- |
| fragment-spe-first |
checks the first fragment. |
- |
| vpn-instance-any |
Any VPN instance. |
- |
| packet-length |
Matches packets based on the packet length. |
- |
| to icmp-type-end |
Specifies the end value of an ICMP packet type. |
The value is an integer that ranges from 0 to 255. |
| undo |
Cancel current setting. |
- |
Usage Scenario
After an advanced ACL is created, run the rule command to add rules to the ACL.
Advanced ACL rules with the fragment-type can prevent such attacks by permitting only non-fragmented packets.Prerequisites
An advanced ACL has been created using the acl command in the system view.
Configuration Impact
When specifying an ACL rule ID, note the following:
Precautions
If auto is configured when you run the acl command to create an ACL, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL increment as the start rule ID, and the subsequent rules are numbered by an ACL increment in ascending order.
If rule-id is not specified when you run the rule command to create an ACL, the system automatically assigns an ID to the ACL rule. You can run the display acl command to check the rule ID automatically assigned to an ACL. If name rule-name is not specified when you run the rule command to create an ACL, the system automatically generates a name for the ACL in the format of "rule"+"_"+rule ID. Rule ID is the ID of an ACL rule that can be specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL rule through the NMS. You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl command. Before deleting an ACL rule, run the display acl command to check whether the ACL rule has been applied to other services. Delete the rule only when it is not applied to other services.<HUAWEI> system-view [~HUAWEI] acl number 3999 [*HUAWEI-acl4-advance-3999] rule 1 permit icmp source 10.1.1.1 0 destination 10.2.1.1 0