The rule command creates or modifies an ACL rule in the advanced ACL view.
The undo rule command deletes an ACL rule in the advanced ACL view.
By default, no advanced ACL rule is created.
rule [ rule-id ] [ name rule-name ] { permit | deny } { tcp | 6 } [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port { range { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | destination-port-pool destination-port-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { range { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port-number | chargen | bgp | cmd | daytime | discard | 
domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | source-port-pool source-port-pool-name } | { syn-flag | tcp-flag } { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | ack | urg ] * } | { urg [ fin | psh | rst | syn | ack ] * } } | [ vpn-instance vpn-instance-name | vpn-instance-any ] | time-range time-name | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *
undo rule [ name rule-name ] { permit | deny } { tcp | 6 } [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } | tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port { range { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | destination-port-pool destination-port-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { range { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } { port-number | chargen | bgp | cmd | daytime | discard | domain | 
echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } | { gt | lt | eq | neq } { port-number | chargen | bgp | cmd | daytime | discard | domain | echo | exec | finger | ftp | ftp-data | gopher | hostname | irc | klogin | kshell | login | lpd | nntp | pop2 | pop3 | smtp | sunrpc | tacacs | talk | telnet | time | uucp | whois | www } } | source-port-pool source-port-pool-name } | tcp-flag { tcp-flag [ mask mask-value ] | established | { ack [ fin | psh | rst | syn | urg ] * } | { fin [ ack | psh | rst | syn | urg ] * } | { psh [ fin | ack | rst | syn | urg ] * } | { rst [ fin | psh | ack | syn | urg ] * } | { syn [ fin | psh | rst | ack | urg ] * } | { urg [ fin | psh | rst | syn | ack ] * } } | [ vpn-instance vpn-instance-name | vpn-instance-any ] | time-range time-name | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *
Parameter | Description | Value |
---|---|---|
rule-id |
Specifies the ID of an ACL rule. |
The value is an integer that ranges from 0 to 4294967294. |
name rule-name |
Specifies the name of an ACL rule. |
The value is a string of 1 to 32 case-sensitive characters without spaces and cannot start with an underscore (_). |
permit |
Permits packets that match conditions. |
- |
deny |
Denies packets that match conditions. |
- |
tcp |
Transmission Control Protocol(6). |
- |
6 |
Protocol number. |
- |
dscp dscp |
Matches packets based on the 6-bit DSCP field in an IPv4 packet as defined in standard protocols. dscp cannot be used together with tos or precedence (the syntax offers them as alternatives). The six DSCP bits are read with the leftmost bit as the high-order bit: for example, binary 100000 is DSCP 32, not 1. |
The value is an integer that ranges from 0 to 63. |
af11 |
Matches packets based on a DSCP value AF11 DSCP (001010). |
- |
af12 |
Matches packets based on a DSCP value AF12 DSCP (001100). |
- |
af13 |
Matches packets based on a DSCP value AF13 DSCP (001110). |
- |
af21 |
Matches packets based on a DSCP value AF21 DSCP (010010). |
- |
af22 |
Matches packets based on a DSCP value AF22 DSCP (010100). |
- |
af23 |
Matches packets based on a DSCP value AF23 DSCP (010110). |
- |
af31 |
Matches packets based on a DSCP value AF31 DSCP (011010). |
- |
af32 |
Matches packets based on a DSCP value AF32 DSCP (011100). |
- |
af33 |
Matches packets based on a DSCP value AF33 DSCP (011110). |
- |
af41 |
Matches packets based on a DSCP value AF41 DSCP (100010). |
- |
af42 |
Matches packets based on a DSCP value AF42 DSCP (100100). |
- |
af43 |
Matches packets based on a DSCP value AF43 DSCP (100110). |
- |
cs1 |
CS1 (IP Precedence 1) DSCP (001000). |
- |
cs2 |
CS2 (IP Precedence 2) DSCP (010000). |
- |
cs3 |
CS3 (IP Precedence 3) DSCP (011000). |
- |
cs4 |
CS4 (IP Precedence 4) DSCP (100000). |
- |
cs5 |
CS5 (IP Precedence 5) DSCP (101000). |
- |
cs6 |
CS6 (IP Precedence 6) DSCP (110000). |
- |
cs7 |
CS7 (IP Precedence 7) DSCP (111000). |
- |
default |
Matches packets based on the 6-bit DSCP field in an IPv4 packet as defined in standard protocols, Default DSCP (000000). |
- |
ef |
EF DSCP (101110). |
- |
precedence precedence |
Matches packets based on the high-order 3 bits of the ToS byte (IP Precedence) as defined in standard protocols. The three bits are read with the leftmost bit as the high-order bit: for example, binary 100 is precedence 4, not 1. |
The value is an integer that ranges from 0 to 7. |
critical |
Specify critical precedence(5). |
- |
flash |
Specify flash precedence(3). |
- |
flash-override |
Specify flash-override precedence(4). |
- |
immediate |
Specify immediate precedence(2). |
- |
internet |
Specify internetwork control precedence(6). |
- |
network |
Specify network control precedence(7). |
- |
routine |
Specify routine precedence(0). |
- |
tos tos |
Matches packets based on the 4-bit ToS field in an IPv4 packet as defined in standard protocols; in an advanced ACL the ToS value is 4 bits long. The bits are read with the leftmost bit as the high-order bit: for example, binary 1000 is ToS 8, not 1. |
The number is an integer ranging from 0 to 15. |
max-reliability |
Match packets with max reliable TOS(2). |
- |
max-throughput |
Match packets with max throughput TOS(4). |
- |
min-delay |
Match packets with min delay TOS(8). |
- |
min-monetary-cost |
Match packets with min monetary cost TOS(1). |
- |
normal |
Match packets with normal TOS(0). |
- |
destination |
Matches packets based on destination IP addresses. If destination is not configured, packets to any destination IP address are matched. |
- |
destination-ip-address |
Specifies a destination IP address. |
The value is in dotted decimal notation. |
destination-wildcard |
Specifies the wildcard of a destination IP address. A wildcard mask is a 32-bit number string that indicates which bits of an IP address are checked; its form is the same as that of an IP address. Among the bits of a wildcard mask, 0 means "check the corresponding bit" and 1 means "do not check the corresponding bit" (the inverse of a subnet mask, so do not enter a subnet mask here). A source or destination IP address range is determined by a wildcard mask together with the IP address in the rule. If a packet address is within this range, the packet meets the criteria; otherwise, it does not. |
The value is in dotted decimal notation. The wildcard of the destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address. |
0 |
Wildcard bits : 0.0.0.0 ( a host ). |
- |
des-netmask |
Specifies the length of a destination IP address mask. |
The value is an integer ranging from 1 to 32. |
any |
Matches packets with any IP address. |
- |
destination-pool destination-pool-name |
Specifies an ACL destination IP address pool. An ACL IP address pool is created using the acl ip-pool pool-name command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
destination-port |
Specify destination port. |
- |
range ttl-value |
Matches packets based on a specified TTL value. |
The value is an integer ranging from 1 to 255. |
range begin-pktlen end-pktlen |
Matches packets based on a specified packet length. When the range keyword is used, two values must be given: the lower bound (begin-pktlen) and the upper bound (end-pktlen). |
It is an integer ranging from 0 to 65535, in bytes. |
port-number |
Specifies a TCP port number. |
The value is an integer that ranges from 0 to 65535. |
chargen |
Character generator (19). |
- |
bgp |
Border Gateway Protocol (179). |
- |
cmd |
Remote commands, with no requirement for remote shell (rshell) and remote copy during login (514). |
- |
daytime |
Daytime (13). |
- |
discard |
Empty service (9). |
- |
domain |
Domain Name Service (53). |
- |
echo |
Echo service (7). |
- |
exec |
Authenticating remotely executed threads(rsh, 512). |
- |
finger |
Finger service for user contact information, used to query such information as the online users of remote host (79). |
- |
ftp |
File Transfer Protocol (21). |
- |
ftp-data |
FTP data connections (20). |
- |
gopher |
Information retrieval protocol (used for Internet document searching and retrieval) (70). |
- |
hostname |
NIC hostname server (101). |
- |
irc |
Internet Relay Chat (194). |
- |
klogin |
Remote login using Kerberos(543). |
- |
kshell |
Remote shell using Kerberos(544). |
- |
login |
Login (rlogin, 513). |
- |
lpd |
Printer service (515). |
- |
nntp |
Network News Transport Protocol (119). |
- |
pop2 |
Post Office Protocol v2 (109). |
- |
pop3 |
Post Office Protocol v3 (110). |
- |
smtp |
Simple Mail Transport Protocol (25). |
- |
sunrpc |
Sun Remote Procedure Call (portmapper/rpcbind), on which NFS and other RPC-based services depend (111). |
- |
tacacs |
Access control system used for TCP/IP authentication and access (TACACS)(49). |
- |
talk |
Remote dialog service and user (517). |
- |
telnet |
Telnet service (23). |
- |
time |
Clock protocol (37). |
- |
uucp |
Unix-to-Unix Copy Program (540). |
- |
whois |
Directory service (43). |
- |
www |
HTTP for WWW services, used for web page browsing (HTTP, 80). |
- |
gt |
Matches packets whose value in the field being compared (destination port, source port, packet length, or TTL, depending on where the operator is used) is greater than the specified value. |
- |
lt |
Matches packets whose value in the field being compared (destination port, source port, packet length, or TTL, depending on where the operator is used) is less than the specified value. |
- |
eq |
Matches packets whose value in the field being compared (destination port, source port, packet length, or TTL, depending on where the operator is used) is equal to the specified value. |
- |
destination-port-pool destination-port-pool-name |
Specifies the name of the destination port pool used by an advanced ACL. The destination ACL port pool is created using the acl port-pool command (not acl ip-pool, which creates IP address pools). |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
fragment-type |
Matches packets based on the fragment type of the packets. |
- |
fragment |
Checks fragmented packets. |
- |
source |
Matches packets based on source IP addresses. If source is not configured, packets from any source IP address are matched. |
- |
source-ip-address |
Specifies a source IP address. |
The value is in dotted decimal notation. |
source-wildcard |
Specifies the wildcard of a source IP address. A wildcard mask is a 32-bit number string that indicates which bits of an IP address are checked. Its form is the same as that of an IP address. A source or destination IP address range can be determined by a wildcard mask and an IP address of criteria conditions. If a packet address is within this range, the packet meets the criteria conditions; otherwise, the packet does not. Among bits of wildcard masks, 0 represents "Check corresponding bits", and 1 "Do not check corresponding bits". |
The value is in dotted decimal notation. The wildcard of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. 192.168.1.16 0.0.0.15 indicates that the IP address ranges from 192.168.1.16 to 192.168.1.31. The wildcard mask 255.255.255.255 indicates all IP addresses. If all bits are set to 1, it indicates that all the 32 bits are not checked. In this case, any can be used to replace the wildcard mask. The wildcard mask 0.0.0.0 implies that all 32 bits need to be matched. The wildcard mask works in a different way from the IP subnet mask. In the subnet mask, 1 and 0 are used to determine the network, subnet, or the IP address of the corresponding host. |
src-netmask |
Specifies the mask length of a source IP address. |
The value is an integer ranging from 1 to 32. |
source-pool source-pool-name |
Specifies an advanced ACL source IP address pool. An ACL IP address pool is created using the acl ip-pool command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
source-port |
Specify source port. |
- |
source-port-pool source-port-pool-name |
Specifies the name of the source port pool used by an advanced ACL. The source ACL port pool is created using the acl port-pool command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
tcp-flag |
Specifies the TCP-flag field. |
- |
tcp-flag |
Specifies a TCP flag value. This parameter is available only when the protocol is tcp (6). The TCP header has six flag bits that this parameter covers (URG, ACK, PSH, RST, SYN, and FIN). The meanings of the flag bits are as follows:
|
The value is an integer that ranges from 0 to 63: the decimal form of the six flag bits taken together, from high-order to low-order bit URG, ACK, PSH, RST, SYN, FIN (weights 32, 16, 8, 4, 2, 1). For example, 0 means all six flag bits are 0 and 63 means all six are 1. If SYN is 1, ACK is 1, and the other bits are 0, the value is 18 (010010 in binary). |
mask mask-value |
Specifies a TCP flag mask, using the same bit layout as tcp-flag; only the flag bits selected by the mask are compared, and the remaining bits are ignored. |
The value is an integer that ranges from 0 to 63 |
ack |
Matches TCP packets based on the ACK flag. |
- |
fin |
Matches TCP packets based on the FIN flag. |
- |
psh |
Matches TCP packets based on the PSH flag. |
- |
rst |
Matches TCP packets based on the RST flag. |
- |
syn |
Matches TCP packets based on the SYN flag. |
- |
urg |
Matches TCP packets based on the URG flag. |
- |
ttl |
Matches packets based on TTL values of packets. |
- |
neq |
Matches packets whose value in the field being compared (destination port, source port, packet length, or TTL, depending on where the operator is used) is not equal to the specified value. |
- |
vpn-instance vpn-instance-name |
Matches packets based on a VPN instance name. |
The value is a string of 1 to 31 case-sensitive characters, spaces not supported. The VPN instance name cannot be _public_. When double quotation marks are used around the string, spaces are allowed in the string. |
time-range time-name |
Specifies a time range during which an ACL rule takes effect. If no time-range is configured for the rule, the rule is in effect at all times. A time range is configured using the time-range command. |
The value is a string of 1 to 32 case-sensitive characters, spaces not supported. |
rule |
Specify an ACL rule. |
- |
fragment-subseq |
Checks subsequent fragments. |
- |
non-fragment |
Checks non-fragmented packets. |
- |
non-subseq |
Checks the first fragment or non-fragmented packets. After an IP packet is fragmented, only the first fragment carries Layer 4 information (such as TCP ports and flags). A rule that matches on Layer 4 information can therefore only evaluate non-fragmented packets and first fragments; subsequent fragments carry no Layer 4 header and do not match such rules, which can let filtered traffic slip through in fragments. Therefore, non-subseq is recommended when fragmented packets need to be filtered by rules that match only Layer 4 information. |
- |
fragment-spe-first |
Checks the first fragment. |
- |
syn-flag |
Matches TCP packets based on the TCP flag field; the syntax lists syn-flag as an alternative keyword to tcp-flag and it takes the same flag options. |
- |
vpn-instance-any |
Any VPN instance. |
- |
packet-length |
Matches packets based on the packet length. |
- |
undo |
Cancel current setting. |
- |
Usage Scenario
After an advanced ACL is created, run the rule command to add rules to the ACL.
Because only the first fragment of an IP packet carries Layer 4 information, rules that match on ports or TCP flags cannot evaluate subsequent fragments, and fragmented traffic can be used to evade such filtering. Advanced ACL rules with fragment-type can mitigate this, for example by permitting only non-fragmented packets (non-fragment) or by matching first and non-fragmented packets with non-subseq.
Prerequisites
An advanced ACL has been created using the acl command in the system view.
Configuration Impact
When specifying an ACL rule ID, note the following:
Precautions
If auto is configured when you run the acl command to create an ACL, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL increment as the start rule ID, and the subsequent rules are numbered by an ACL increment in ascending order.
If rule-id is not specified when you run the rule command to create a rule, the system automatically assigns an ID to the rule. You can run the display acl command to check the rule ID that was automatically assigned. If name rule-name is not specified when you run the rule command to create a rule, the system automatically generates a name for the rule in the format "rule" + "_" + rule ID, where the rule ID is the ID specified with rule-id or assigned by the system. You can check the automatically generated name of a rule through the NMS. You must identify the rule to be deleted; to check rule IDs, run the display acl command. Before deleting an ACL rule, run the display acl command to check whether the ACL has been applied to other services, and delete the rule only when it is not in use by them, since removing a rule from an applied ACL changes what that service permits or denies immediately.
Example:
<HUAWEI> system-view
[~HUAWEI] acl number 3999
[*HUAWEI-acl4-advance-3999] rule deny tcp source 10.1.1.1 0 destination 10.2.1.1 0