rule (UCL view)

Function

The rule command creates a user ACL rule in the UCL view.

If a user ACL rule already exists, this command can be used to modify the ACL rule.

By default, no user ACL rule has been created.

Format

rule [ rule-id ] [ name rule-name ] { permit | deny } { zero | protocol | gre | igmp | ip | ipinip | ospf | 7-16 | 18-255 } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { 6 | tcp } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | tcp-src-bport-enum } | range { port-number | tcp-src-bport-enum } { port-number | tcp-src-eport-enum } } ] | [ destination-port { operator { port-number | tcp-dst-bport-enum } | range { port-number | tcp-dst-bport-enum } { port-number | tcp-dst-eport-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ syn-flag { syn-flag [ mask mask-value ] | { bit-match { established | fin | syn | rst | psh | ack | urg | ece | cwr | ns } } } ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { udp | 17 } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | udp-src-bport-enum } | range { port-number | udp-src-bport-enum } { port-number | udp-src-eport-enum } } ] | [ destination-port { operator { port-number | udp-dst-bport-enum } | range { port-number | udp-dst-bport-enum } { port-number | udp-dst-eport-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

rule [ rule-id ] [ name rule-name ] { permit | deny } { icmp | 1 } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ icmp-type { icmp-type icmp-code | icmp-name } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

undo rule [ name rule-name ] { permit | deny } { zero | protocol | gre | igmp | ip | ipinip | ospf | 7-16 | 18-255 } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

undo rule [ name rule-name ] { permit | deny } { 6 | tcp } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | tcp-src-bport-enum } | range { port-number | tcp-src-bport-enum } { port-number | tcp-src-eport-enum } } ] | [ destination-port { operator { port-number | tcp-dst-bport-enum } | range { port-number | tcp-dst-bport-enum } { port-number | tcp-dst-eport-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ syn-flag { syn-flag [ mask mask-value ] | { bit-match { established | fin | syn | rst | psh | ack | urg | ece | cwr | ns } } } ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

undo rule [ name rule-name ] { permit | deny } { udp | 17 } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ source-port { operator { port-number | udp-src-bport-enum } | range { port-number | udp-src-bport-enum } { port-number | udp-src-eport-enum } } ] | [ destination-port { operator { port-number | udp-dst-bport-enum } | range { port-number | udp-dst-bport-enum } { port-number | udp-dst-eport-enum } } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

undo rule [ name rule-name ] { permit | deny } { icmp | 1 } [ [ source { { ip-address { source-ip-address { source-ip-address-mask | 0 } | any } | source-pool source-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ destination { { ip-address { destination-ip-address { destination-ip-address-mask | 0 } | any } | destination-pool destination-pool-name } | any | [ service-group { service-group-name | any } | user-group { user-group-name | any } ] } ] | [ icmp-type { icmp-type icmp-code | icmp-name } ] | [ { { precedence { precedence | precedence-enum } | tos { tos | tos-enum } } * | dscp dscp } ] | [ time-range time-name ] | [ logging ] | [ fragment-type fragment-enum ] | vlan vlan-id | inner-vlan cvlan-id ] *

undo rule rule-id

Parameters

Parameter Description Value
rule-id

Specifies the ID of a user ACL rule.

The value is an integer ranging from 0 to 4294967294.

name rule-name

Specifies the name of an ACL rule.

The value is a string of 1 to 32 case-sensitive characters without spaces; it cannot begin with an underscore (_).

permit

Permits packets that match conditions.

-

deny

Denies packets that match conditions.

-

zero

IPv4 Zero Protocol.

-

protocol

Matches packets based on a protocol.

The value is a keyword or number.

  • When the value is a keyword, it is one of gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp (17).
  • When the value is a number, it is an integer ranging from 1 to 255.
gre

GRE tunneling (47).

-

igmp

Internet Group Management Protocol (2).

-

ip

Any IP protocol.

-

ipinip

IP in IP tunneling (4).

-

ospf

OSPF routing protocol (89).

-

7-16

Protocol number.

The value is an integer ranging from 7 to 16.

18-255

Protocol number.

The value is an integer ranging from 18 to 255.

source

Matches packets based on source information.

-

ip-address

Matches packets based on the IP address.

If no source IP address is specified, an ACL takes effect for ARP packets with any source IP address.

-

source-ip-address

Specifies a source IP address.

The value is in dotted decimal notation.

source-ip-address-mask

Specifies the wildcard of the source IP address.

The value is in dotted decimal notation. The wildcard of a source IP address can be 0, equivalent to 0.0.0.0, indicating that the source IP address is a host address.

0

Wildcard bits: 0.0.0.0 (a host).

-

any

Matches packets with any source IP address.

-

source-pool source-pool-name

Specifies an ACL source IP address pool.

An ACL IP address pool is created using the acl ip-pool pool-name command.

The value is an integer ranging from 1 to 32.

service-group

Matches packets based on the service group.

If no source service group is specified, an ACL takes effect for packets with any source service group.

-

service-group-name

Specifies the name of the service group.

The value is a string of 1 to 31 case-sensitive characters.

user-group

Matches packets based on the user group.

If no source user group is specified, an ACL takes effect for packets with any source user group.

-

user-group-name

Specifies the name of the user group.

The value is a string of 1 to 32 case-sensitive characters.

destination

Matches packets based on destination information.

-

destination-ip-address

Specifies a destination IP address.

The value is in dotted decimal notation.

destination-ip-address-mask

Specifies the wildcard of a destination IP address. A wildcard mask is a 32-bit number that indicates which bits of an IP address are checked; its form is the same as that of an IP address. A source or destination IP address range is determined by the wildcard mask together with the IP address in the match condition. If a packet address falls within this range, the packet meets the match condition; otherwise, it does not.

The value is in dotted decimal notation. The wildcard of a destination IP address can be 0, equivalent to 0.0.0.0, indicating that the destination IP address is a host address.

destination-pool destination-pool-name

Specifies an ACL destination IP address pool.

An ACL IP address pool is created using the acl ip-pool pool-name command.

The value is an integer ranging from 1 to 32.

precedence precedence

Matches packets based on the high-order 3-bit precedence subfield of the ToS field in an IP packet, as defined in standard protocols.

Precedence is a 3-bit field in which the leftmost bit is the most significant. A precedence of binary 100 is therefore 4 in decimal, not 1.

The value is an integer ranging from 0 to 7.

precedence-enum

Matches packets based on the high-order 3-bit precedence subfield of the ToS field in an IP packet, as defined in standard protocols. Precedence is a 3-bit field in which the leftmost bit is the most significant. A precedence of binary 100 is therefore 4 in decimal, not 1.

The value is a keyword: critical (5), flash (3), flash-override (4), immediate (2), internet (6), network (7), priority (1), or routine (0).

tos tos

Matches packets based on the 4-bit ToS field in an IPv4 packet as defined in standard protocols.

ToS in an advanced ACL is 4 bits long, as defined in standard protocols. The ToS shown in the following figure (binary 1000) equals 8 in decimal, not 1.

The value is an integer ranging from 0 to 15.

The precedence and tos parameters are QoS configurations.

tos-enum

Matches packets based on the 4-bit ToS field in an IPv4 packet as defined in standard protocols.

ToS in an advanced ACL is 4 bits long, as defined in standard protocols. A ToS of binary 1000 equals 8 in decimal, not 1.

The value is a keyword: max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0).

dscp dscp

Matches packets based on a DSCP value.

DSCP cannot be configured concurrently with ToS or precedence.

The value is an integer ranging from 0 to 63.
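As an added illustration (not code from the Huawei reference), the following Python shows how the source/destination wildcard described above and the precedence, tos and dscp match terms are evaluated against a packet: wildcard bits set to 0 are checked, the precedence (3 bits), ToS (4 bits) and DSCP (6 bits) subfields all overlap in the same ToS octet, and a rule may not combine dscp with tos or precedence. The helper names, the keyword tables and the sample octet 0x90 are constructed for this example.

```python
"""Added example: evaluating UCL wildcard and QoS match terms (constructed helpers)."""
import ipaddress

# Keyword tables exactly as listed on the page (decimal value -> keyword).
PRECEDENCE_ENUM = {0: "routine", 1: "priority", 2: "immediate", 3: "flash",
                   4: "flash-override", 5: "critical", 6: "internet", 7: "network"}
TOS_ENUM = {0: "normal", 1: "min-monetary-cost", 2: "max-reliability",
            4: "max-throughput", 8: "min-delay"}


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard bit 0 = this address bit is checked, bit 1 = ignored.
    The page's shorthand '0' stands for 0.0.0.0, i.e. every bit checked (one host)."""
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    # Bits that differ between packet and rule address must all be "ignored" bits.
    return (((p ^ r) & ~w) & 0xFFFFFFFF) == 0


def split_tos_byte(tos_byte: int) -> dict:
    """Split the IPv4 ToS octet the way the precedence / tos / dscp parameters read it:
    precedence = top 3 bits, tos = the next 4 bits, dscp = top 6 bits.  DSCP overlaps
    both of the others, which is why the page forbids combining them in one rule."""
    if not 0 <= tos_byte <= 255:
        raise ValueError("ToS octet must be 0..255")
    precedence = tos_byte >> 5          # binary 100 -> 4, as the page notes
    tos = (tos_byte >> 1) & 0xF         # binary 1000 -> 8, as the page notes
    dscp = tos_byte >> 2
    return {"precedence": precedence, "precedence-enum": PRECEDENCE_ENUM[precedence],
            "tos": tos, "tos-enum": TOS_ENUM.get(tos), "dscp": dscp}


def _to_number(value, table):
    """Accept either the numeric form or the keyword form of a match term."""
    if isinstance(value, str):
        return {name: num for num, name in table.items()}[value]
    return value


def matches_qos(tos_byte: int, precedence=None, tos=None, dscp=None) -> bool:
    """Evaluate a rule's QoS match terms against a packet's ToS octet."""
    if dscp is not None and (precedence is not None or tos is not None):
        raise ValueError("dscp cannot be configured together with tos or precedence")
    fields = split_tos_byte(tos_byte)
    if precedence is not None and fields["precedence"] != _to_number(precedence, PRECEDENCE_ENUM):
        return False
    if tos is not None and fields["tos"] != _to_number(tos, TOS_ENUM):
        return False
    if dscp is not None and fields["dscp"] != dscp:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: ToS octet 0x90 = 1001 0000 -> precedence 4, ToS 8, DSCP 36.
    print(split_tos_byte(0x90))
    print(wildcard_match("10.1.1.7", "10.1.1.0", "0.0.0.255"))
```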

time-range time-name

Specifies a time range during which a user ACL rule takes effect. If no time range is configured for the ACL, the ACL rule takes effect immediately.

A time range is configured using the time-range command.

The value is a string of 1 to 32 case-sensitive characters without spaces.

logging

Logs matching packets.

-

fragment-type fragment-enum

Matches packets based on the fragment type of the packets.

The available packet fragmentation types are as follows:

  • fragment: checks fragmented packets.
  • non-fragment: checks non-fragmented packets.
  • fragment-subseq: checks subsequent fragments.
  • fragment-spe-first: checks the first fragment.
  • non-subseq: checks the first fragment or non-fragmented packets.

After an IP packet is fragmented, only the first fragment contains Layer 4 information. If an ACL is configured with rules that match Layer 4 information, the ACL can filter only non-fragmented packets or first fragments; the other fragments, which carry no Layer 4 information, may be mismatched. Therefore, the value non-subseq is recommended if fragmented packets need to be filtered by ACL rules that match only Layer 4 information.

vlan vlan-id

Specifies an outer VLAN ID.

The value is an integer ranging from 1 to 4094.

inner-vlan cvlan-id

Specifies an inner VLAN ID.

The value is an integer ranging from 1 to 4094.

rule

Specifies an ACL rule.

-

6

Protocol number.

The value is 6.

tcp

Transmission Control Protocol (6).

-

source-port

Matches packets based on the source port.

If no source port is specified, packets originating from any port are matched.

-

operator

Specifies an operator that compares source port numbers.

The value of operator can be:

  • eq: matches packets with the specified port number.
  • gt: matches packets with the port number greater than the specified port number.
  • lt: matches packets with the port number less than the specified port number.
port-number

Specifies a TCP or UDP port number.

The value is an integer ranging from 0 to 65535.

tcp-src-bport-enum

Specifies a TCP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

range

Matches packets with a port number within the specified port number range.

-

tcp-src-eport-enum

Specifies a TCP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

destination-port

Matches packets based on the destination port.

This parameter is available only when protocol is set to TCP or UDP. If destination-port is not specified, packets destined for any port are matched.

-

tcp-dst-bport-enum

Specifies a TCP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

tcp-dst-eport-enum

Specifies a TCP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

syn-flag

Matches TCP packets based on the TCP flags field, either as a value with an optional mask or by individual flag bit.

-

syn-flag

Specifies a TCP flag value.

The value is an integer ranging from 0 to 511.

mask mask-value

Specifies a TCP flag mask.

The value is an integer ranging from 0 to 511.

bit-match

Matches the TCP flags field bit by bit, using one of the flag keywords that follow.

-

established

Matches TCP packets in the Established state.

For TCP packets in the Established state, either the ACK or RST value is 1.

Network attackers may send a large number of invalid TCP SYN packets to attack network devices. You can configure established in an advanced ACL rule to allow TCP packets to be transmitted unidirectionally. This means that after a router has set up TCP connections with other devices, the router only sends TCP packets in the established state to the other devices but does not receive TCP packets in the established state from the other devices.

-

fin

Matches TCP packets based on the FIN flag.

-

syn

Matches TCP packets based on the SYN flag.

-

rst

Matches TCP packets based on the RST flag.

-

psh

Matches TCP packets based on the PSH flag.

-

ack

Matches TCP packets based on the ACK flag.

-

urg

Matches TCP packets based on the URG flag.

-

ece

Matches TCP packets based on the ECE flag.

-

cwr

Matches TCP packets based on the CWR flag.

-

ns

Matches TCP packets based on the NS flag.

-
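As an added illustration (not code from the Huawei reference), the following Python evaluates the fragment-type and syn-flag match terms described above against constructed packets: a 9-bit flags value compared under a mask, the bit-match keywords with established meaning ACK or RST set, and the five fragment-type keywords derived from the IP header's MF flag and fragment offset. The bit order of the 9-bit value, the treatment of a missing mask as an exact match, and the reading of "fragment" as covering first and subsequent fragments are assumptions made for this example.

```python
"""Added example: TCP flag and fragment-type matching for UCL rules (constructed helpers)."""

# Assumed layout of the 9-bit flags value (0..511 on the page): FIN is bit 0, NS is bit 8.
TCP_FLAG_BITS = {"fin": 1 << 0, "syn": 1 << 1, "rst": 1 << 2, "psh": 1 << 3,
                 "ack": 1 << 4, "urg": 1 << 5, "ece": 1 << 6, "cwr": 1 << 7, "ns": 1 << 8}


def flags_from_names(*names: str) -> int:
    """Build a flags value from keyword names, e.g. flags_from_names('syn', 'ack')."""
    return sum(TCP_FLAG_BITS[n] for n in names)


def syn_flag_match(pkt_flags: int, syn_flag: int, mask: int = None) -> bool:
    """'syn-flag value [mask mask-value]': only bits selected by the mask are compared.
    Assumption: without a mask all nine bits are compared (exact match)."""
    if mask is None:
        mask = 0x1FF
    for v in (pkt_flags, syn_flag, mask):
        if not 0 <= v <= 0x1FF:
            raise ValueError("TCP flag values range from 0 to 511")
    return (pkt_flags & mask) == (syn_flag & mask)


def bit_match(pkt_flags: int, keyword: str) -> bool:
    """'syn-flag bit-match <keyword>': established matches when ACK or RST is 1
    (as the page defines it); any other keyword matches when that flag is set."""
    if keyword == "established":
        return bool(pkt_flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))
    return bool(pkt_flags & TCP_FLAG_BITS[keyword])


def fragment_kinds(more_fragments: bool, frag_offset: int) -> set:
    """Map an IPv4 header's MF flag and fragment offset (8-byte units) to every
    fragment-type keyword that matches it.  Only non-subseq packets (first fragment
    or unfragmented) still carry the Layer 4 header, as the page explains."""
    if not more_fragments and frag_offset == 0:
        return {"non-fragment", "non-subseq"}
    if more_fragments and frag_offset == 0:
        # Assumption: 'fragment' covers the first fragment as well as later ones.
        return {"fragment", "fragment-spe-first", "non-subseq"}
    return {"fragment", "fragment-subseq"}       # offset > 0: no L4 header present


def fragment_match(keyword: str, more_fragments: bool, frag_offset: int) -> bool:
    """True when a packet with these header fields satisfies 'fragment-type keyword'."""
    return keyword in fragment_kinds(more_fragments, frag_offset)


if __name__ == "__main__":
    # Constructed sample: a bare SYN is not established; SYN+ACK is.
    print(bit_match(flags_from_names("syn"), "established"))
    print(bit_match(flags_from_names("syn", "ack"), "established"))
    # Constructed sample: a subsequent fragment (MF=1, offset 185) is not non-subseq.
    print(fragment_match("non-subseq", True, 185))
```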

udp

User Datagram Protocol (17).

-

17

Protocol number.

The value is 17.

udp-src-bport-enum

Specifies a UDP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

udp-src-eport-enum

Specifies a UDP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

udp-dst-bport-enum

Specifies a UDP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

udp-dst-eport-enum

Specifies a UDP port number.

The available keyword options are as follows: echo, discard, daytime, CHARgen, ftp-data, ftp, telnet, smtp, time, whois, tacacs, domain, gopher, finger, www, hostname, pop2, pop3, sunrpc, nntp, bgp, irc, exec, login, cmd, lpd, talk, uucp, klogin, kshell.

icmp

Internet Control Message Protocol (1).

-

1

Protocol number.

The value is 1.

icmp-type

Matches ICMP packets based on the ICMP type and message code.

This parameter is available only when the protocol is ICMP. If this parameter is not specified, ICMP packets of any type are matched.

-

icmp-type

Specifies an ICMP message type.

The value is an integer ranging from 0 to 255.

icmp-code

Specifies the code of an ICMP message.

The value is an integer ranging from 0 to 255.

icmp-name

Specifies the name of an ICMP message.

The available keyword options are as follows: echo, echo-reply, fragmentneed-DFset, host-redirect, host-tos-redirect, host-unreachable, information-reply, information-request, net-redirect, net-tos-redirect, net-unreachable, parameter-problem, port-unreachable, protocol-unreachable, reassembly-timeout, source-quench, source-route-failed, timestamp-reply, timestamp-request, ttl-exceeded, address-mask-reply, address-mask-request.

undo

Cancels the current setting.

-

Views

UCL view

Default Level

2: Configuration level

Task Name and Operations

Task Name Operations
acl write

Usage Guidelines

Usage Scenario

After a user ACL has been created, run the rule command to add rules to the user ACL.

Prerequisites

A user ACL has been created using the acl command.

A validity period has been configured using the time-range command in the system view if you want the specified user ACL rule to take effect only in a specified period of time.

Configuration Impact

When specifying a user ACL rule ID, note the following:

  • If a rule with the specified rule ID already exists and the new rule conflicts with it, the conflicting part of the new rule overwrites that of the existing rule.
  • If no rule with the specified rule ID exists, a rule with that ID is created.

When a rule is added without a rule ID, the system automatically allocates an ID to it. User ACL rules are arranged in ascending order of rule IDs, and the difference between two adjacent rule IDs is the ACL increment.

The rule numbers automatically generated by the system start from the ACL increment. For example, if the ACL increment is 5, the rule number starts from 5; if the ACL increment is 2, the rule number starts from 2. This leaves room to add rules before the first rule.

Exercise caution when you run the rule deny ip command. This configuration may cause a service interruption.

Precautions

If auto is configured when you run the acl command to create an ACL, you cannot specify a rule ID when creating a rule. The system automatically uses the ACL increment as the start rule ID, and the subsequent rules are numbered by an ACL increment in ascending order.

If rule-id is not specified when you run the rule command to create an ACL rule, the system automatically assigns an ID to the rule. You can run the display acl command to check the rule ID automatically assigned to a rule.

If name rule-name is not specified when you run the rule command to create an ACL rule, the system automatically generates a name for the rule in the format "rule"+"_"+rule ID, where rule ID is the ID of the ACL rule, either specified using the rule-id parameter or automatically assigned by the system. You can check the automatically generated name of an ACL rule through the NMS.

You must specify the rule ID when deleting a rule. To check rule IDs, run the display acl command.

Before deleting an ACL rule, run the display acl command to check whether the ACL rule has been applied to other services. Delete the rule only when it is not applied to other services.

Example

# Create a user ACL numbered 6999 and add a user ACL rule that denies IP packets sent from hosts in any source service group to hosts in any destination user group.
<HUAWEI> system-view
[~HUAWEI] acl number 6999
[*HUAWEI-acl-ucl-6999] rule deny ip source service-group any destination user-group any
Copyright © Huawei Technologies Co., Ltd.