H3C S6550X-HI Series Command Reference Manual page 2150


For command set 2, the contents in the new rule are incrementally added to the existing rule.
To view the existing user-defined ACL rules, use the display acl user-defined all command.
Both the undo rule rule-id command and the undo rule { deny | permit } command can be used to delete an entire rule. When you use the undo rule { deny | permit } command, you must specify all the attributes of the rule. The undo rule { deny | permit } command can be used to delete rules created by using scripts, which have no rule IDs.
For command set 2:
In addition to user-defined strings, a rule can use the source IP address, destination IP address, port number, and protocol type to match packets.
To match INT packets, follow these rules:
To match TCP INT packets, specify tcp for the protocol argument.
To match UDP INT packets, specify udp for the protocol argument.
Specify ifa for the udf-format argument, and specify l5 for offset purposes.
To match TCP packets, specify tcp for the protocol argument, and specify l5 for offset purposes.
To match UDP packets, specify udp for the protocol argument, and specify l5 for offset purposes.
To match IP packets, specify ip for the protocol argument, and specify l4 for offset purposes.
You can use the undo rule rule-id command to delete some attributes of the rule by specifying keywords in the command, or to delete the entire rule without specifying any keywords.
For a rule to take effect, do not configure both IPv4 and IPv6 attributes in the rule.
The precedence and tos parameters cannot be used to match IPv6 packets.
The counting keyword in this command enables match counting specific to rules, and the hardware-count keyword in the packet-filter command enables match counting in hardware for all rules in an ACL. For more information about the packet-filter command, see packet filter commands in Security Command Reference.
Examples
# Create a rule for user-defined ACL 5005 to permit ARP packets, that is, frames whose two bytes at offset 12 from the start of the Layer 2 header (the EtherType field) are 0x0806.
<Sysname> system-view
[Sysname] acl user-defined 5005
[Sysname-acl-user-5005] rule permit l2 0806 ffff 12
# Create a rule for user-defined ACL 5009 to permit TCP packets with the ACK bit set.
<Sysname> system-view
[Sysname] acl user-defined 5009
[Sysname-acl-user-5009] rule permit tcp ack 1
Related commands
acl
display acl
packet-filter (interface view) (Security Command Reference)
packet-filter global (Security Command Reference)
time-range
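A user-defined rule matches bytes at a fixed offset from a header base (l2, l3, l4 or l5) under a mask, so an offset or mask error silently turns a filter into a no-op or into a match on unrelated traffic. The following script is an added example, not code from the H3C manual or from Comware: it builds constructed ARP and IPv4/TCP frames and applies (base, rule-string, rule-mask, offset) tuples of the same form as the manual's `rule permit l2 0806 ffff 12` to them, so the offset and mask of a rule can be checked offline before it is committed to a switch. It assumes untagged Ethernet, IPv4 without options, and that l2, l3, l4 and l5 denote the first byte of the Ethernet, IP, transport and payload headers respectively; the `l4 10 10 13` tuple is the byte-offset form of the "TCP with ACK set" check from the second example, not a Comware command line.

```python
"""Offline checker for user-defined ACL byte-offset rules.

Added example, not H3C/Comware code. A rule is modelled as
(base, rule_string, rule_mask, offset), mirroring `rule permit l2 0806 ffff 12`
from the manual: the bytes at `offset` from header `base` are ANDed with
rule_mask and compared with rule_string. Assumptions: untagged Ethernet
(14-byte L2 header), IPv4 without options, and l2/l3/l4/l5 meaning the first
byte of the Ethernet, IP, transport and payload headers respectively.
"""
import struct

SRC_MAC = bytes.fromhex("001122334455")   # constructed sample addresses
DST_MAC = bytes.fromhex("66778899aabb")


def build_frame(kind, tcp_flags=0x10):
    """Return a constructed frame: kind is "arp" (ARP request) or "tcp"
    (IPv4/TCP to port 80 carrying the given TCP flags; 0x10 = ACK only)."""
    if kind == "arp":
        eth = DST_MAC + SRC_MAC + b"\x08\x06"
        arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
               + SRC_MAC + bytes([10, 0, 0, 1]) + bytes(6) + bytes([10, 0, 0, 2]))
        return eth + arp
    if kind != "tcp":
        raise ValueError("kind must be 'arp' or 'tcp'")
    eth = DST_MAC + SRC_MAC + b"\x08\x00"
    payload = b"GET / HTTP/1.0\r\n"
    # src port, dst port, seq, ack, data offset (5 words << 4), flags, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def header_offsets(frame):
    """Map each available base (l2, l3, l4, l5) to its byte offset in frame.
    Bases that do not exist for this frame (non-IP, unknown transport) are
    omitted, so a rule that uses them cannot match."""
    offs = {"l2": 0, "l3": 14}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return offs
    ihl = (frame[14] & 0x0F) * 4
    offs["l4"] = 14 + ihl
    proto = frame[14 + 9]
    if proto == 6:                      # TCP: data offset field, in 32-bit words
        l4_len = (frame[offs["l4"] + 12] >> 4) * 4
    elif proto == 17:                   # UDP: fixed 8-byte header
        l4_len = 8
    else:
        return offs
    offs["l5"] = offs["l4"] + l4_len
    return offs


def rule_matches(frame, base, rule_string, rule_mask, offset):
    """True if (frame bytes at base+offset) & mask == rule_string & mask.
    rule_string and rule_mask are hex strings of equal length, as on the CLI."""
    value = bytes.fromhex(rule_string)
    mask = bytes.fromhex(rule_mask)
    if len(value) != len(mask):
        raise ValueError("rule-string and rule-mask must have the same length")
    offs = header_offsets(frame)
    if base not in offs:
        return False
    start = offs[base] + offset
    window = frame[start:start + len(value)]
    if len(window) < len(value):        # rule reaches past the end of the frame
        return False
    return all((w & m) == (v & m) for w, v, m in zip(window, value, mask))


if __name__ == "__main__":
    # Manual's first example: EtherType 0x0806 at offset 12 from l2 (ARP).
    print(rule_matches(build_frame("arp"), "l2", "0806", "ffff", 12))     # True
    print(rule_matches(build_frame("tcp"), "l2", "0806", "ffff", 12))     # False
    # Byte-offset form of "TCP with the ACK bit set": the flags byte is at
    # offset 13 from l4 and ACK is bit 0x10 (assumed encoding, not CLI syntax).
    print(rule_matches(build_frame("tcp", 0x10), "l4", "10", "10", 13))   # True
    print(rule_matches(build_frame("tcp", 0x02), "l4", "10", "10", 13))   # False
```

Run it against a captured frame of the traffic you intend to filter before configuring the switch: a rule whose base is absent for that frame type (for example an l4 rule against an ARP frame) returns False here, which is the same outcome the hardware gives when the offset does not exist in the packet.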
