rule (basic ACL view)

Function

The rule command creates or modifies an ACL rule in the basic ACL view.

The undo rule command deletes an ACL rule in the basic ACL view.

By default, no basic ACL rule is created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } [ [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

undo rule [ name rule-name ] { permit | deny } [ [ fragment-type { fragment | fragment-subseq | non-fragment | non-subseq | fragment-spe-first } ] | source { source-ip-address { source-wildcard | 0 | src-netmask } | any } | time-range time-name | [ vpn-instance vpn-instance-name | vpn-instance-any ] ] *

undo rule rule-id [ to end-rule-id ]

Parameters

Parameter Description Value
rule-id

Specifies the ID of an ACL rule.

The value is an integer ranging from 0 to 4294967294.

name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 case-sensitive characters without spaces and cannot start with an underscore (_).

permit

Permits packets that match conditions.

-

deny

Denies packets that match conditions.

-

fragment-type

Matches packets based on the fragment type of the packets.

-

fragment

Fragmented packets are checked.

-

fragment-subseq

Non-first fragments of a fragmented packet are checked.

-

non-fragment

Non-fragmented packets are checked.

-

non-subseq

The first fragments of fragmented packets or non-fragmented packets are checked.

After an IP packet is fragmented, only the first fragment of a packet contains Layer 4 information. If Layer 4 information matches rules configured in an ACL, this ACL can only filter non-fragmented packets or the first fragment of a packet. The other fragmented packets without Layer 4 information can cause mismatching. Therefore, this type is recommended if fragmented packets need to be filtered by ACL rules that match only Layer 4 information.

-

fragment-spe-first

The first fragment of a fragmented packet is checked.

-

source

Matches packets based on source IP addresses.

If source is not configured, packets from any source IP address are matched.

-

source-ip-address

Specifies a source IP address.

The value is in dotted decimal notation.

  • The parameter indicates the source of the traffic in most cases.
  • The parameter indicates the route prefix if the ACL is applied to a routing protocol.
  • The parameter indicates the multicast source address or multicast group address if the ACL is applied to a multicast protocol.

source-wildcard

Specifies the wildcard of a source IP address.

A wildcard mask is a 32-bit value, written in the same dotted decimal form as an IP address, that indicates which bits of an IP address are checked. Together, an IP address and a wildcard mask define a source or destination address range for the matching conditions: if a packet's address falls within this range, the packet meets the conditions; otherwise, it does not. In a wildcard mask, a 0 bit means "check the corresponding bit" and a 1 bit means "do not check the corresponding bit".

The value is in dotted decimal notation.

The wildcard of a source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address.

192.168.1.16 0.0.0.15 indicates that the IP address ranges from 192.168.1.16 to 192.168.1.31.

The wildcard mask 255.255.255.255 indicates all IP addresses. If all bits are set to 1, it indicates that all 32 bits are not checked. In this case, you can use any to replace it. The wildcard mask 0.0.0.0 implies that all 32 bits need to be matched.

A wildcard mask works differently from an IP subnet mask. In a subnet mask, the 1 and 0 bits separate the network, subnet, and host portions of an IP address.

0

Wildcard bits: 0.0.0.0 (a host).

-

src-netmask

Specifies the mask length of a source IP address.

The value is an integer that ranges from 1 to 32.

any

Matches packets with any source IP address.

-

time-range time-name

Specifies a time range during which an ACL rule takes effect.

A time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

vpn-instance vpn-instance-name

Matches packets based on a VPN instance name.

The parameter indicates the L3VPN that the traffic belongs to. If the traffic comes from an L3VPN, this option must be configured in the ACL. If it is not configured, the traffic is considered to belong to the public network rather than an L3VPN.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces. The VPN instance name cannot be _public_. If the character string is quoted by double quotation marks, the character string can contain spaces.

This parameter does not take effect in traffic policy configuration.

vpn-instance-any

Specifies any VPN instance.

-

rule

Specifies an ACL rule.

-

to end-rule-id

Specifies an end rule ID for ACL rules to be deleted in batches.

The value is an integer that ranges from 0 to 4294967294.

Views

Basic ACL view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After a basic ACL is created, run the rule command to add rules to the ACL.

"rule permit" and "rule permit source any" have the same matching result.

"rule deny" and "rule deny source any" have the same matching result.

Advanced ACL rules with fragment-type can prevent such attacks by permitting only non-fragmented packets. In normal situations, the Maximum Transmission Unit (MTU) is set on networks so that packets are not fragmented.

Prerequisites

A basic ACL has been created using the acl command in the system view.

Configuration Impact

When specifying an ACL rule ID, note the following:

  • If a rule with a specified rule ID already exists, and the new rule conflicts with the existing one, the conflicting part in the new rule overwrites that in the existing rule.
  • If no rule with the specified rule ID exists, a rule with the specified rule ID is created.

When a rule is added without a rule ID, the system automatically allocates an ID to it. ACL rules are arranged in ascending order of rule IDs, and the difference between two adjacent rule IDs is the ACL increment.

Rule IDs automatically generated by the system start from the ACL increment. For example, if the ACL increment is 5, the rule IDs start from 5; if the ACL increment is 2, they start from 2. This leaves room to add rules before the first rule.

By default, if fragment-type is not configured in an ACL:
  • If only Layer 3 information is configured in the rule, the ACL rule filters all packets (the first fragment of a packet, non-first fragments, and non-fragmented packets).
  • If both Layer 3 and Layer 4 information is configured in the rule:
    • The ACL filters the first fragment of a packet and non-fragmented packets, because these packets contain both Layer 3 and Layer 4 information.
    • Non-first fragments are filtered on Layer 3 information only, because they carry Layer 3 information but never Layer 4 information. If the Layer 3 information matches a "permit" rule, the non-first fragment is allowed to pass through; if it matches a "deny" rule, the non-first fragment is matched against the next rule instead. (Note: this differs from the normal ACL matching process.)

Precautions

If auto is configured when you run the acl command to create an ACL, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL increment as the start rule ID, and the subsequent rules are numbered by an ACL increment in ascending order.

If rule-id is not specified when you run the rule command to create an ACL rule, the system automatically assigns an ID to the rule. You can run the display acl command to check the rule ID automatically assigned to a rule.

If name rule-name is not specified when you run the rule command to create an ACL rule, the system automatically generates a name for the rule in the format "rule" + "_" + rule ID, where rule ID is the ID of the ACL rule, either specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL rule through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl command.

Before deleting an ACL rule, run the display acl command to check whether the ACL rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create a basic ACL numbered 2999 and add a rule to ACL 2999 to match packets with the source IP address 10.1.1.1.
<HUAWEI> system-view
[~HUAWEI] acl number 2999
[*HUAWEI-acl4-basic-2999] rule deny source 10.1.1.1 0
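The following Python model is an added illustration, not code from this command reference or from the device. It applies the source/wildcard, src-netmask and rule-ID numbering semantics described above to constructed rules and packets; the increment of 5, the first-match lookup order and the omission of fragment-type, time-range and vpn-instance are assumptions of the model, not behaviour taken from this page.

```python
import ipaddress

def parse_source(tokens):
    """Turn the 'source' syntax into (address, wildcard) ints: 'any' ->
    0.0.0.0 255.255.255.255; '0' -> host wildcard; 1..32 -> src-netmask."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tokens[0]))
    mask = tokens[1]
    if mask == "0":
        return addr, 0
    if mask.isdigit():                        # src-netmask: prefix length
        return addr, (1 << (32 - int(mask))) - 1
    return addr, int(ipaddress.IPv4Address(mask))   # explicit wildcard

def matches(addr, wildcard, packet_src):
    """Wildcard bit 0 = compare that bit, bit 1 = ignore it."""
    return ((addr ^ packet_src) & ~wildcard & 0xFFFFFFFF) == 0

def wildcard_range(addr, wildcard):
    """Lowest/highest matching address (contiguous for low-order 1 bits)."""
    lo = addr & ~wildcard & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | wildcard))

class BasicAcl:
    """Rule store following the numbering rules above; step 5 is assumed."""
    def __init__(self, step=5):
        self.step, self.rules = step, {}

    def rule(self, action, source="any", rule_id=None):
        if rule_id is None:                   # next multiple of the increment
            rule_id = (max(self.rules, default=0) // self.step + 1) * self.step
        self.rules[rule_id] = (action, parse_source(source.split()))  # same ID overwrites
        return rule_id

    def undo_rule(self, rule_id, end_rule_id=None):
        """undo rule rule-id [ to end-rule-id ]: delete one ID or a batch."""
        for rid in range(rule_id, (end_rule_id or rule_id) + 1):
            self.rules.pop(rid, None)

    def lookup(self, packet_src):
        """First matching rule in ascending ID order; None if nothing matches."""
        src = int(ipaddress.IPv4Address(packet_src))
        for rid in sorted(self.rules):
            action, (addr, wild) = self.rules[rid]
            if matches(addr, wild, src):
                return rid, action
        return None
```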
Copyright © Huawei Technologies Co., Ltd.