rule (Advanced ACL view) (UDP)

Function

The rule command creates or modifies an ACL rule in the advanced ACL view.

The undo rule command deletes an ACL rule in the advanced ACL view.

By default, no advanced ACL rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } { udp | 17 } [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } | precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port { range { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } | { gt | lt | eq | neq } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } } | destination-port-pool destination-port-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { range { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } | { gt | lt | eq | neq } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } } | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { udp | 17 } vxlan vni vni [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } | precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { range { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } | { gt | lt | eq | neq } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } } | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *

undo rule [ name rule-name ] { permit | deny } { udp | 17 } [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } | precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | { destination-port { range { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } | { gt | lt | eq | neq } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } } | destination-port-pool destination-port-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { range { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } | { gt | lt | eq | neq } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } } | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *

undo rule [ name rule-name ] { permit | deny } { udp | 17 } vxlan vni vni [ [ dscp { dscp | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | default | ef } | [ tos { tos | max-reliability | max-throughput | min-delay | min-monetary-cost | normal } | precedence { precedence | critical | flash | flash-override | immediate | internet | network | priority | routine } ] * ] | { destination { destination-ip-address { destination-wildcard | 0 | des-netmask } | any } | destination-pool destination-pool-name } | [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | { source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | source-pool source-pool-name } | { source-port { range { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } | { gt | lt | eq | neq } { port-number | biff | bootpc | bootps | dns | discard | dnsix | echo | mobilip-ag | mobilip-mn | nameserver | netbios-dgm | netbios-ns | netbios-ssn | ntp | rip | snmp | snmptrap | sunrpc | syslog | tacacs-ds | talk | tftp | time | who | xdmcp } } | source-port-pool source-port-pool-name } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] | packet-length { { gt | lt | eq | neq } begin-pktlen | range begin-pktlen end-pktlen } | ttl { { gt | lt | eq | neq } ttl-value | range ttl-value ttl-value } ] *

Parameters

Parameter Description Value
rule-id

Specifies the ID of an ACL rule.

The value is an integer that ranges from 0 to 4294967294.

name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 case-sensitive characters without spaces and cannot start with an underscore (_).

permit

Permits packets that match conditions.

-

deny

Denies packets that match conditions.

-

udp

User Datagram Protocol (17). The protocol number 17 can be entered instead of the keyword.

-

dscp dscp

Matches packets based on the 6-bit DSCP field in an IPv4 packet as defined in standard protocols.

DSCP cannot be used together with ToS or IP precedence.

DSCP is 6 bits wide; the leftmost bit is the most significant and the rightmost bit the least significant. The binary value 100000 is therefore DSCP 32, not 1.

The value is an integer that ranges from 0 to 63.

af11

Matches packets with DSCP AF11 (001010).

-

af12

Matches packets with DSCP AF12 (001100).

-

af13

Matches packets with DSCP AF13 (001110).

-

af21

Matches packets with DSCP AF21 (010010).

-

af22

Matches packets with DSCP AF22 (010100).

-

af23

Matches packets with DSCP AF23 (010110).

-

af31

Matches packets with DSCP AF31 (011010).

-

af32

Matches packets with DSCP AF32 (011100).

-

af33

Matches packets with DSCP AF33 (011110).

-

af41

Matches packets with DSCP AF41 (100010).

-

af42

Matches packets with DSCP AF42 (100100).

-

af43

Matches packets with DSCP AF43 (100110).

-

cs1

Matches packets with DSCP CS1, IP precedence 1 (001000).

-

cs2

Matches packets with DSCP CS2, IP precedence 2 (010000).

-

cs3

Matches packets with DSCP CS3, IP precedence 3 (011000).

-

cs4

Matches packets with DSCP CS4, IP precedence 4 (100000).

-

cs5

Matches packets with DSCP CS5, IP precedence 5 (101000).

-

cs6

Matches packets with DSCP CS6, IP precedence 6 (110000).

-

cs7

Matches packets with DSCP CS7, IP precedence 7 (111000).

-

default

Matches packets with the default DSCP (000000).

-

ef

Matches packets with DSCP EF (101110).

-

tos tos

Matches packets based on the 4-bit ToS field in the IPv4 header as defined in standard protocols.

The ToS field matched by an advanced ACL is 4 bits wide; the leftmost bit is the most significant. The binary value 1000 is therefore ToS 8, not 1.

The value is an integer ranging from 0 to 15.

max-reliability

Matches packets with the max-reliability ToS value (2).

-

max-throughput

Matches packets with the max-throughput ToS value (4).

-

min-delay

Matches packets with the min-delay ToS value (8).

-

min-monetary-cost

Matches packets with the min-monetary-cost ToS value (1).

-

normal

Matches packets with the normal ToS value (0).

-

precedence precedence

Matches packets based on the IP precedence field, that is, the high-order 3 bits of the ToS byte in the IPv4 header as defined in standard protocols. Precedence is 3 bits wide; the leftmost bit is the most significant. The binary value 100 is therefore precedence 4, not 1.

The value is an integer ranging from 0 to 7.

critical

Matches packets with critical precedence (5).

-

flash

Matches packets with flash precedence (3).

-

flash-override

Matches packets with flash-override precedence (4).

-

immediate

Matches packets with immediate precedence (2).

-

internet

Matches packets with internetwork control precedence (6).

-

network

Matches packets with network control precedence (7).

-

priority

Matches packets with priority precedence (1).

-

routine

Matches packets with routine precedence (0).

-

destination

Matches packets based on destination IP addresses.

If destination is not configured, packets to any destination IP address are matched.

-

destination-ip-address

Specifies a destination IP address.

The value is in dotted decimal notation.

destination-wildcard

Specifies the wildcard of a destination IP address. A wildcard mask is a 32-bit number string that indicates which bits of an IP address are checked. Its form is the same as that of an IP address. A source or destination IP address range can be determined by a wildcard mask and an IP address of criteria conditions. If a packet address is within this range, the packet meets the criteria conditions; otherwise, the packet does not.

The value is in dotted decimal notation. The wildcard of a destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address.

0

Wildcard bits: 0.0.0.0 (a host).

-

des-netmask

Specifies the length of a destination IP address mask.

The value is an integer that ranges from 1 to 32.

any

Matches packets with any destination IP address.

-

destination-pool destination-pool-name

Name of destination pool.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

destination-port

Specify destination port.

-

range

Matches packets whose port number falls within the specified range. The first value is the start port and the second value the end port. After packet-length or ttl, range takes a start and an end packet length or TTL value in the same way.

-

range ttl-value

Matches packets based on a specified TTL value.

The value is an integer ranging from 1 to 255.

range begin-pktlen end-pktlen

Matches packets based on a specified packet length.

It is an integer ranging from 0 to 65535, in bytes.

port-number

Specifies a UDP port number.

The value is an integer ranging from 0 to 65535.

biff

Biff mail notification service (512).

-

bootpc

BOOTP client, used by DHCP users (68).

-

bootps

BOOTP server, used by the DHCP service(67).

-

dns

Domain Name Service (53).

-

discard

Discard service (9).

-

dnsix

DNSIX Security Attribute Token Map (90).

-

echo

Echo service (7).

-

mobilip-ag

MobileIP-Agent (434).

-

mobilip-mn

MobilIP-MN (435).

-

nameserver

Host Name Server (42).

-

netbios-dgm

NETBIOS Datagram Service (138).

-

netbios-ns

NETBIOS Name Service (137).

-

netbios-ssn

NETBIOS Session Service (139).

-

ntp

Network Time Protocol (123).

-

rip

Routing Information Protocol (520).

-

snmp

SNMP (161).

-

snmptrap

SNMPTRAP (162).

-

sunrpc

Sun Remote Procedure Call, the portmapper used by NFS and other RPC services (111).

-

syslog

System log service, syslog (514).

-

tacacs-ds

TACACS-Database Service (65).

-

talk

Talk service (517).

-

tftp

Trivial File Transfer (69).

-

time

Clock protocol (37).

-

who

Who service, which lists logged-in users (513).

-

xdmcp

X Display Manager Control Protocol (177).

-

gt

Matches packets whose port number is greater than the specified value. After packet-length or ttl, gt compares the packet length or TTL value in the same way.

-

lt

Matches packets whose port number is less than the specified value. After packet-length or ttl, lt compares the packet length or TTL value in the same way.

-

eq

Matches packets whose port number is equal to the specified value. After packet-length or ttl, eq compares the packet length or TTL value in the same way.

-

-

destination-port-pool destination-port-pool-name

Name of destination port pool.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

fragment-type

Matches packets based on the fragment type of the packets.

-

fragment

Fragmented packets are checked.

-

source

Matches packets based on source IP addresses.

If source is not configured, packets from any source IP address are matched.

-

source-ip-address

Specifies a source IP address.

The value is in dotted decimal notation.

source-wildcard

Specifies the wildcard of a source IP address.

A wildcard mask is a 32-bit number string that indicates which bits of an IP address are checked. Its form is the same as that of an IP address. A source or destination IP address range can be determined by a wildcard mask and an IP address of criteria conditions. If a packet address is within this range, the packet meets the criteria conditions; otherwise, the packet does not. Among bits of wildcard masks, 0 represents "Check corresponding bits", and 1 "Do not check corresponding bits".

The value is in dotted decimal notation. The wildcard of the source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address. 192.168.1.16 0.0.0.15 indicates that the IP address ranges from 192.168.1.16 to 192.168.1.31.

The wildcard mask 255.255.255.255 indicates all IP addresses. If all bits are set to 1, it indicates that all the 32 bits are not checked. In this case, any can be used to replace the wildcard mask. The wildcard mask 0.0.0.0 implies that all 32 bits need to be matched.

A wildcard mask works differently from an IP subnet mask. In a subnet mask, 1 bits mark the network or subnet portion of the address and 0 bits mark the host portion; in a wildcard mask, a 0 bit means "check this bit" and a 1 bit means "ignore this bit".

src-netmask

Specifies the mask length of a source IP address.

The value is an integer ranging from 1 to 32.

source-pool source-pool-name

Specifies an advanced ACL source IP address pool.

An ACL IP address pool is created using the acl ip-pool command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

source-port

Specify source port.

-

source-port-pool source-port-pool-name

Specifies the name of the source port pool used by an advanced ACL.

The source ACL port pool is created using the acl port-pool command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

time-range time-name

Specifies a time range during which the ACL rule takes effect. If no time range is specified, the rule takes effect immediately.

A time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

ttl

Matches packets based on TTL values of packets.

-

neq

Matches packets whose port number is not equal to the specified value. After packet-length or ttl, neq compares the packet length or TTL value in the same way.

-

vpn-instance vpn-instance-name

Matches packets based on a VPN instance name.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.

rule

Specify an ACL rule.

-

vxlan

Matches virtual extensible LAN (VXLAN) packets.

-

fragment-subseq

Checks subsequent fragments.

-

non-fragment

Checks non-fragmented packets.

-

non-subseq

Checks the first fragment or non-fragmented packets.

After an IP packet is fragmented, only the first fragment carries Layer 4 information (the UDP header). An ACL rule that matches Layer 4 information can therefore filter only non-fragmented packets and first fragments; non-first fragments carry no Layer 4 information and cannot be matched correctly against such a rule. The non-subseq value is therefore recommended when fragmented packets need to be filtered by rules that match only Layer 4 information.

-

fragment-spe-first

Checks the first fragment.

-

vpn-instance-any

Any VPN instance.

-

packet-length

Matches packets based on the packet length.

-

vni vni

Matches VXLAN packets based on a VNI.

The value is an integer ranging from 1 to 16777215.
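The dscp, tos and precedence parameters listed above all select bits of the same IPv4 ToS/DiffServ byte, which is why dscp cannot be combined with the other two. The following Python is an added example, not part of this page or of Huawei's software: it decodes a ToS byte into those three fields using the binary values from the parameter table, and rebuilds the byte a rule's keywords describe. All function and constant names in it are chosen for the example.

```python
"""Decode the IPv4 ToS/DiffServ byte into the three overlapping fields an advanced
ACL rule can match: dscp (6 bits), precedence (high 3 bits) and the legacy 4-bit
tos. Added example; the function names are chosen here, not taken from the page."""

# Named DSCP keywords with the binary values from the parameter table.
DSCP_NAMES = {
    "default": 0b000000, "ef": 0b101110,
    "cs1": 0b001000, "cs2": 0b010000, "cs3": 0b011000, "cs4": 0b100000,
    "cs5": 0b101000, "cs6": 0b110000, "cs7": 0b111000,
    "af11": 0b001010, "af12": 0b001100, "af13": 0b001110,
    "af21": 0b010010, "af22": 0b010100, "af23": 0b010110,
    "af31": 0b011010, "af32": 0b011100, "af33": 0b011110,
    "af41": 0b100010, "af42": 0b100100, "af43": 0b100110,
}
PRECEDENCE_NAMES = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                    "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
# Each tos keyword sets one bit of the 4-bit field; "normal" is no bit set.
TOS_BITS = [("min-delay", 8), ("max-throughput", 4),
            ("max-reliability", 2), ("min-monetary-cost", 1)]


def split_tos_byte(tos_byte: int) -> dict:
    """Return the dscp, precedence and tos fields of one ToS byte.

    Bit layout, most significant bit first:  P P P | D T R C | x
      precedence = bits 7..5 (the three P bits)
      dscp       = bits 7..2 (precedence plus the next three bits)
      tos        = bits 4..1 (the four RFC 1349 bits D, T, R, C)
    Bits 1..0 are ECN and are never matched by the ACL. The overlap is why
    the rule syntax refuses dscp together with tos or precedence.
    """
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0..255")
    return {"dscp": tos_byte >> 2,
            "precedence": tos_byte >> 5,
            "tos": (tos_byte >> 1) & 0x0F}


def tos_byte_for(dscp=None, precedence=None, tos=None) -> int:
    """Build the ToS byte that a rule's dscp / precedence / tos keywords describe,
    enforcing the same exclusion as the rule syntax."""
    if dscp is not None and (precedence is not None or tos is not None):
        raise ValueError("dscp cannot be combined with tos or precedence")
    if dscp is not None:
        if not 0 <= dscp <= 63:
            raise ValueError("dscp must be 0..63")
        return dscp << 2            # dscp 32 (100000) -> 0x80; it is not "1"
    prec, flags = precedence or 0, tos or 0
    if not (0 <= prec <= 7 and 0 <= flags <= 15):
        raise ValueError("precedence must be 0..7 and tos 0..15")
    return (prec << 5) | (flags << 1)


def tos_flag_names(tos: int) -> list:
    """Expand a 4-bit tos value into the keyword(s) the rule command accepts."""
    names = [name for name, bit in TOS_BITS if tos & bit]
    return names or ["normal"]


def describe(tos_byte: int) -> dict:
    """Name every field of a ToS byte; dscp is None when it is not a named code point."""
    f = split_tos_byte(tos_byte)
    dscp_name = next((n for n, v in DSCP_NAMES.items() if v == f["dscp"]), None)
    prec_name = next(n for n, v in PRECEDENCE_NAMES.items() if v == f["precedence"])
    return {"dscp": dscp_name, "precedence": prec_name, "tos": tos_flag_names(f["tos"])}


if __name__ == "__main__":
    # EF (101110) decodes as precedence critical plus tos min-delay and max-throughput,
    # so a "precedence critical" rule also matches EF-marked traffic.
    print(describe(tos_byte_for(dscp=DSCP_NAMES["ef"])))
```

The decoding makes the overlap concrete: a rule written with precedence critical matches every packet whose top three bits are 101, which includes EF and all of CS5, so mixing named DSCP rules and precedence rules in one ACL can produce broader matches than intended.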

Views

Advanced ACL view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After an advanced ACL is created, run the rule command to add rules to the ACL.

Attackers can split packets into fragments so that rules matching Layer 4 information never see the UDP header. Advanced ACL rules with fragment-type can prevent such attacks by permitting only non-fragmented packets.

Prerequisites

An advanced ACL has been created using the acl command in the system view.

Configuration Impact

When specifying an ACL rule ID, note the following:

  • If a rule with the specified rule ID already exists and the new rule conflicts with it, the conflicting part of the new rule overwrites that part of the existing rule.
  • If no rule with the specified rule ID exists, a rule with that ID is created.

When a rule is added without a rule ID, the system automatically allocates one. ACL rules are arranged in ascending order of rule ID, and the difference between two adjacent automatically allocated IDs is the ACL increment.

Automatically generated rule IDs start from the ACL increment. For example, if the ACL increment is 5, the first rule ID is 5; if the increment is 2, the first rule ID is 2. This leaves room to add rules before the first rule.

By default, if fragment-type is not configured in a rule:
  • If the rule contains only Layer 3 information, it filters all packets: non-fragmented packets, first fragments and non-first fragments.
  • If the rule contains both Layer 3 and Layer 4 information:
    • The rule filters first fragments and non-fragmented packets, because these carry both Layer 3 and Layer 4 information.
    • Non-first fragments are matched on Layer 3 information only, because they carry Layer 3 but never Layer 4 information. If the Layer 3 information matches a permit rule, the non-first fragment is allowed through; if it matches a deny rule, the fragment is not dropped but is compared against the next rule. (Note: This differs from the normal ACL matching process.)
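The wildcard-mask semantics described for source-wildcard and the fragment handling just described can be modelled in a few lines. The following Python is an added example, not code from Huawei or from this page: it parses a constructed subset of the rule syntax, applies wildcard matching, and reproduces the non-first-fragment behaviour above (a deny rule with Layer 4 conditions is skipped for non-first fragments and matching continues). The hardened variant adds a fragment-type fragment-subseq deny rule so such fragments no longer fall through to the later permit rule. The mapping of the fragment keyword to packet classes, the inclusive port range, and all names in the code are assumptions made for the example.

```python
"""How an advanced ACL applies UDP rules to non-fragmented packets, first fragments
and non-first fragments, following the behaviour this page describes. Added example:
the rules and packets are constructed, the parser handles only part of the rule
syntax, and the function and constant names are chosen for the example."""
import ipaddress
from typing import Optional, Tuple

# UDP port keywords of the rule command (values from the parameter table).
PORT_NAMES = {
    "biff": 512, "bootpc": 68, "bootps": 67, "dns": 53, "discard": 9, "dnsix": 90,
    "echo": 7, "mobilip-ag": 434, "mobilip-mn": 435, "nameserver": 42, "netbios-dgm": 138,
    "netbios-ns": 137, "netbios-ssn": 139, "ntp": 123, "rip": 520, "snmp": 161,
    "snmptrap": 162, "sunrpc": 111, "syslog": 514, "tacacs-ds": 65, "talk": 517,
    "tftp": 69, "time": 37, "who": 513, "xdmcp": 177,
}
# Packet classes each fragment-type keyword selects; "fragment" is assumed here to
# mean any fragment (first or subsequent), the other four follow the page.
FRAG_CLASSES = {"non-fragment": {"none"}, "non-subseq": {"none", "first"},
                "fragment-spe-first": {"first"}, "fragment-subseq": {"subseq"},
                "fragment": {"first", "subseq"}}

def wildcard_from_token(tok: str) -> int:
    """source/destination take <wildcard> | 0 | <mask-length>; return a 32-bit wildcard."""
    if "." in tok:
        return int(ipaddress.IPv4Address(tok))   # dotted wildcard, e.g. 0.0.0.15
    n = int(tok)
    if n == 0:
        return 0                                 # host address, same as 0.0.0.0
    if not 1 <= n <= 32:
        raise ValueError("mask length must be 1..32")
    return (1 << (32 - n)) - 1                   # mask length 24 -> 0.0.0.255

def ip_matches(addr: str, base: str, wildcard: int) -> bool:
    """Wildcard semantics: a 0 bit must equal the base address, a 1 bit is ignored."""
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return ((a ^ b) & ~wildcard & 0xFFFFFFFF) == 0

def port_matches(cond: Tuple[str, int, int], port: int) -> bool:
    """cond is (op, value, end); range is assumed inclusive at both ends."""
    op, lo, hi = cond
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo,
            "lt": port < lo, "range": lo <= port <= hi}[op]

def parse_rule(line: str) -> dict:
    """Parse 'rule <id> permit|deny udp ...' with source/destination, *-port, fragment-type."""
    t = line.split()
    if t[0] != "rule" or t[3] != "udp":
        raise ValueError("only 'rule <id> <action> udp ...' is handled here")
    r = {"id": int(t[1]), "action": t[2], "source": None, "destination": None,
         "source-port": None, "destination-port": None, "fragment-type": None}
    i = 4
    while i < len(t):
        kw = t[i]
        if kw in ("source", "destination") and t[i + 1] == "any":
            i += 2                               # r[kw] stays None: any address
        elif kw in ("source", "destination"):
            r[kw], i = (t[i + 1], wildcard_from_token(t[i + 2])), i + 3
        elif kw in ("source-port", "destination-port"):
            op = t[i + 1]                        # eq | neq | gt | lt | range
            vals = [PORT_NAMES.get(x) or int(x) for x in t[i + 2:i + (4 if op == "range" else 3)]]
            r[kw], i = (op, vals[0], vals[-1]), i + 2 + len(vals)
        elif kw == "fragment-type":
            r[kw], i = t[i + 1], i + 2
        else:
            raise ValueError("unsupported keyword " + kw)
    return r

def evaluate(rules, pkt) -> Optional[Tuple[str, int]]:
    """First matching rule as (action, id), or None. pkt has src, dst, frag
    ("none" | "first" | "subseq") and sport/dport when it carries a UDP header."""
    for r in sorted(rules, key=lambda x: x["id"]):
        if r["fragment-type"] and pkt["frag"] not in FRAG_CLASSES[r["fragment-type"]]:
            continue
        if r["source"] and not ip_matches(pkt["src"], *r["source"]):
            continue
        if r["destination"] and not ip_matches(pkt["dst"], *r["destination"]):
            continue
        if pkt["frag"] == "subseq" and (r["source-port"] or r["destination-port"]):
            # No UDP header, so only Layer 3 was compared: permit applies, deny is
            # skipped and the next rule is tried (the behaviour described on the page).
            if r["action"] == "permit":
                return ("permit", r["id"])
            continue
        if r["source-port"] and not port_matches(r["source-port"], pkt["sport"]):
            continue
        if r["destination-port"] and not port_matches(r["destination-port"], pkt["dport"]):
            continue
        return (r["action"], r["id"])
    return None   # an unmatched packet's fate depends on where the ACL is applied

# Constructed ACL: block SNMP to one host, then permit a 16-address source range.
ACL_3999 = [parse_rule(line) for line in (
    "rule 5 deny udp source any destination 10.2.1.1 0 destination-port eq snmp",
    "rule 10 permit udp source 192.168.1.16 0.0.0.15 destination 10.2.1.0 24")]
# Same ACL plus an explicit rule for non-first fragments, which rule 5 never sees.
HARDENED = [parse_rule(
    "rule 3 deny udp source any destination 10.2.1.1 0 fragment-type fragment-subseq")] + ACL_3999

SNMP_QUERY = {"src": "192.168.1.20", "dst": "10.2.1.1", "frag": "none", "sport": 40000, "dport": 161}
FIRST_FRAG = dict(SNMP_QUERY, frag="first")
LATER_FRAG = {"src": "192.168.1.20", "dst": "10.2.1.1", "frag": "subseq"}    # no UDP header
```

Compare evaluate(ACL_3999, LATER_FRAG) with evaluate(HARDENED, LATER_FRAG): without the fragment-type rule, a non-first fragment addressed to the host whose SNMP port is denied is permitted by rule 10, because rule 5 cannot compare the port and is skipped. What happens to a packet that matches no rule at all is not modelled, since that depends on where the ACL is applied.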

Precautions

If auto is configured when you run the acl command to create an ACL, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL increment as the start rule ID, and the subsequent rules are numbered by an ACL increment in ascending order.

If rule-id is not specified when you run the rule command to create an ACL rule, the system automatically assigns an ID to the rule. You can run the display acl command to check the automatically assigned rule ID.

If name rule-name is not specified when you run the rule command to create an ACL rule, the system automatically generates a name for the rule in the format rule_<rule ID>, where the rule ID is either specified with rule-id or assigned automatically by the system. You can check the automatically generated rule name through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl command.

Before deleting an ACL rule, run the display acl command to check whether the ACL rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create an advanced ACL numbered 3999 and add a rule that denies UDP packets from source IP address 10.1.1.1 to destination IP address 10.2.1.1.
<HUAWEI> system-view
[~HUAWEI] acl number 3999
[*HUAWEI-acl4-advance-3999] rule deny udp source 10.1.1.1 0 destination 10.2.1.1 0
Copyright © Huawei Technologies Co., Ltd.