23.2. IPACL management

The IP Access Control List can store up to 256 filters definitions.

This section describes the commands for managing the IP Access Control List.

These are the commands:

Every filter is identified by a priority index which is used to add, modify and delete IPACL entries.

Every time a filter is added or deleted, the priority indexes are automatically renumbered so that they stay in sequential order.

Changes to IPACL are immediately active, so there's no need to restart Abilis CPX.

23.2.1. D IPACL (Display IP Access Control List)

It shows the current content of the IP access list. If the priority is omitted, the command shows all the filters currently in the table.

Type d ipacl ? to display the syntax of the command.

[15:45:59] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

Tot-IPACL-Number:0

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
                      *** NO IP ACCESS LISTS DEFINED ***                       

Meaning of the parameters:

PR

The priority index sets the order in which filters are checked. The check is executed on each datagram: it starts from the filter with priority 0 and continues until a filter matching the datagram is found or the list ends. If the IP datagram doesn't match any filter, it will be routed; if the IP class of service functionality is active, the Router assigns to the datagram the default priority set in the parameter COSDFT of the port IPRTR.

TYPE

This parameter sets whether a datagram matching the filter is to be routed (filter type PERMIT) or discarded (filter type DENY).

IPCOS

Ip Class of Service [DFT, HIGH, NORMAL, LOW or D, H, N, L]

SA

It sets the IP address (or interval of addresses) which the datagram's source address has to match (or be contained in). It may be expressed as:

  • a single value, using the Dotted Decimal Notation (E.g.: 150.200.192.192).

  • an interval, by separating the two IP addresses with : (colon) character (E.g.: 192.168.0.0:192.168.0.100).

  • the name of an Elements List of type IP or IR or RU or MR, written between primes (E.g.: 'My_List').

  • the * (asterisk) string, that stands for “any IP address”.

DA

It sets the IP address (or interval of addresses) which the datagram's destination address has to match (or be contained in). It may be expressed as:

  • a single value, using the Dotted Decimal Notation (E.g.: 150.200.192.192).

  • an interval, by separating the two IP addresses with : (colon) character (E.g.: 192.168.0.0:192.168.0.100).

  • the name of an Elements List of type IP or IR or RU or MR, written between primes (E.g.: 'My_List').

  • the * (asterisk) string, that stands for “any IP address”.

PROT

It sets the Internet protocol to which the filter applies. It may be expressed as:

  • mnemonic or numeric identifier [1 - 254] of an Internet Protocol (E.g.: tcp or 6).

  • the name of an Elements List of type IPT or RU or MR, written between primes (E.g.: 'My_List').

  • the tcpudp string, that stands for “tcp and/or udp protocols”.

  • the * (asterisk) string, that stands for “any Internet protocol”.

SPO

This parameter is used only for the TCP and UDP protocols. It sets the port (or interval of ports) that the datagram's source port has to match (or be contained in). It may be expressed as:

  • mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23).

  • an interval, by separating the two TCP/UDP ports value with : (colon) character (E.g. 23:161 or telnet:snmp).

  • the name of an Elements List of type TUP or RU or MR, written between primes (E.g.: 'My_List').

  • the * (asterisk) string, that stands for “any TCP/UDP port”.

DPO

This parameter is used only for the TCP and UDP protocols. It sets the port (or interval of ports) that the datagram's destination port has to match (or be contained in). It may be expressed as:

  • mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23).

  • an interval, by separating the two TCP/UDP ports value with : (colon) character (E.g. 23:161 or telnet:snmp).

  • the name of an Elements List of type TUP or RU or MR, written between primes (E.g.: 'My_List').

  • the * (asterisk) string, that stands for “any TCP/UDP port”.

PO

This parameter is used only for the TCP and UDP protocols, as an alternative to the parameters SPO and DPO. It sets the port (or interval of ports) which either the datagram's source or destination port has to match (or be contained in). It may be expressed as:

  • mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23).

  • an interval, by separating the two TCP/UDP ports value with : (colon) character (E.g. 23:161 or telnet:snmp).

  • the name of an Elements List of type TUP or RU or MR, written between primes (E.g.: 'My_List').

  • the * (asterisk) string, that stands for “any TCP/UDP port”.

TOS-I

Input Type of Service octet or Differentiated Services Field. It may be expressed as:

  • * or *-* means “don't change”.

  • p-t, PRECEDENCE and TOS values, where p can be [0..7, *] and t can be [combination of N: None; D: Minimize Delay; T: Maximize Throughput; R: Maximize Reliability; C: Minimize Monetary Cost; *].

  • bbbbbb, DS value bit by bit, where b can be [0, 1, x] and x means “don't care”.

TOS-O

Output Type of Service octet or Differentiated Services Field. It may be expressed as:

  • * or *-* means “don't change”.

  • p-t, PRECEDENCE and TOS values, where p can be [0..7, *] and t can be [combination of N: None; D: Minimize Delay; T: Maximize Throughput; R: Maximize Reliability; C: Minimize Monetary Cost; *].

  • bbbbbb, DS value bit by bit, where b can be [0, 1, x] and x means “don't care”.

SRES

Source Ip resource: an Ip resource [Ip-1..Ip-250] or "*" or "INT" or the name of a CR/RU/MR list between single quotes (E.g.: INT or * or Ip-3 or 'list').

DRES

Destination Ip resource: an Ip resource [Ip-1..Ip-250] or "*" or "INT" or the name of a CR/RU/MR list between single quotes (E.g.: INT or * or Ip-3 or 'list').

ICMP-TYPE

ICMP message type <Only for PROT:ICMP>: an ICMP message type mnemonic or decimal value [0..255] or "*" or "#" or the name of an ICMPT/RU/MR list between single quotes (E.g.: Unreachable or 3 or * or # or 'List'). See HELP INTERNET ICMP for the list of ICMP message types.

TI

Time interval; this parameter specifies a time band during which the IPACL filter is in use. The time band must be indicated in the following form:

day,hh1:mm1-hh2:mm2

where

  • day: the day(s) of the week on which the filter applies; it can assume the following values:

    • a single day: [MO, TU, WE, TH, FR, SA, SU].

    • a set of days: (e.g.: MO+TH or TU+TH+SU etc.).

    • an interval: (e.g.: MO-WE or TH-SU etc.).

    • "ALL"

  • hh1:mm1: the beginning of the daily time interval during which the filter applies.

  • hh2:mm2: the end of the daily time interval during which the filter applies.

Use * to have the time interval ignored.

23.2.2. A IPACL (Add IP Access Control List filter)

It adds a new filter to the IP access list, with priority “PR:xxx” and it sets the requested parameters to the specified values.

The syntax of the command is:

a ipacl pr:xxx TYPE:val SA:val DA:val PROT:val [SPO:val DPO:val] [par:val]

[11:56:38] ABILIS_CPX:a ipacl pr:0 type:permit sa:192.168.0.50:192.168.0.60 da:* prot:tcp spo:* dpo:80 sres:ip-2 dres:ip-5

COMMAND EXECUTED

[11:58:02] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  http(80)
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

23.2.3. C IPACL (Clear IP Access Control List filter)

It deletes the specified definition, if present in the IP access list. The priority of the filters whose “PR:xxx” is higher than the deleted one is decremented by one, because the table is kept contiguous.

The syntax of the command is:

c ipacl pr:xx

[11:58:02] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  http(80)
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------
1   PERMIT 192.168.001.070                 udp                
    HIGH   *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

[11:58:04] ABILIS_CPX:c ipacl pr:1

COMMAND EXECUTED

[11:58:57] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  http(80)
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

23.2.4. S IPACL (Set IP Access Control List filter)

It sets the values of the specified filter. The syntax of the command is:

s ipacl pr:xxx par:val [par:val]

[11:58:57] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.000.050:192.168.000.060 *                  *
    DFT    *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

[11:58:58] ABILIS_CPX:s ipacl pr:0 prot:tcp

COMMAND EXECUTED

[12:00:46] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

23.2.5. M IPACL (Move IP Access Control List filter)

It changes the filter priority value from “PR:xxx” to “PR:yyy”.

The syntax of the command is:

m ipacl pr:xxx pr:yyy

[12:01:38] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------
1   PERMIT 192.168.001.070                 udp                
    HIGH   *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

[12:01:39] ABILIS_CPX:m ipacl pr:0 pr:1

COMMAND EXECUTED

[12:01:43] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.001.070                 udp                
    HIGH   *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------
1   PERMIT 192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

23.2.6. F IPACL (Find IP Access Control List filter)

It verifies how the IP datagram, specified in the command, will be managed depending on the current content of the IP access list.

The search is made by checking the source and destination IP address, the Type Of Service, the Internet protocol, the source IP resource, the source and destination ports (required only for the TCP and UDP protocols) and the ICMP message type (required only for the ICMP protocol); optionally it can also check the destination IP resource and the time.

This is the syntax of the command (the help describes it as "Ip forwarding test using IPACL"):

  • F IPACL SrcAddr DstAddr TOS Protocol SrcPort DstPort IcmpType SrcRes [DstRes] [Time]

[12:43:54] ABILIS_CPX:d ipacl

IPRTR resource parameters:  ACL:YES       ACLBYPASS:#
                            COS:ENABLED   COSDFT:NORMAL

- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2

-------------------------------------------------------------------------------
PR: [DESCR:]
    TYPE:  SA:                             PROT:              ICMP-TYPE:
    IPCOS: DA:                             SPO:/PO:           DPO:
    TOS-O: TOS-I:                          SRES:              DRES:
           TI:
-------------------------------------------------------------------------------
0   PERMIT 192.168.001.070                 udp                
    HIGH   *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------
1   DENY   192.168.000.050:192.168.000.060 tcp                
    DFT    *                               *                  *
    *      *                               Ip-2               Ip-5
-------------------------------------------------------------------------------

[12:44:08] ABILIS_CPX:f ipacl 192.168.0.50 8.8.8.8 c tcp 80 8080 ip-2

EXTENDED SEARCH RESULT:

MATCH FOUND WITH IPACL PR:1

IP FORWARDING IS NOT PERMITTED

[12:44:12] ABILIS_CPX:f ipacl 192.168.1.70 8.8.8.8 c udp 3000 3080 ip-2

EXTENDED SEARCH RESULT:

MATCH FOUND WITH IPACL PR:0

IP FORWARDING IS PERMITTED:
- OUTPUT TOS/DS: 0-TR/000011 (00001100 [0C])
- IP CLASS OF SERVICE: HIGH
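The first-match walk that F IPACL reports (start at PR:0, stop at the first matching filter, route with COSDFT when nothing matches) and the contiguous renumbering done by C IPACL and M IPACL can be modelled in a few lines. The following is an added illustration, not code from the Abilis CPX; it assumes numeric ports and dotted-decimal addresses only (mnemonic names, Elements Lists, TOS and TI matching are left out) and reuses the two filters shown before the F IPACL commands above as constructed input.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

def ip_in(spec: str, addr: str) -> bool:
    """SA/DA value: '*' = any, 'lo:hi' = inclusive interval, else a single address."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition(":")
    return IPv4Address(lo) <= IPv4Address(addr) <= IPv4Address(hi or lo)

def port_in(spec: str, port) -> bool:
    """SPO/DPO value: '*' = any, 'lo:hi' = inclusive interval, else a single port."""
    if spec == "*":
        return True
    if port is None:  # a port constraint can never match a datagram without ports
        return False
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

@dataclass
class Filter:
    type: str            # PERMIT (route) or DENY (discard)
    sa: str
    da: str
    prot: str = "*"      # protocol mnemonic, 'tcpudp' or '*'
    spo: str = "*"
    dpo: str = "*"
    ipcos: str = "DFT"   # DFT falls back to the IPRTR COSDFT value
    sres: str = "*"      # source IP resource, e.g. 'Ip-2'

    def matches(self, sa, da, prot, spo, dpo, sres) -> bool:
        prot_ok = self.prot in ("*", prot) or (self.prot == "tcpudp" and prot in ("tcp", "udp"))
        return (ip_in(self.sa, sa) and ip_in(self.da, da) and prot_ok
                and port_in(self.spo, spo) and port_in(self.dpo, dpo)
                and self.sres.lower() in ("*", sres.lower()))

def find_ipacl(acl, sa, da, prot, spo=None, dpo=None, sres="*", cosdft="NORMAL"):
    """Walk the table from PR:0 and stop at the first match, as F IPACL does.
    Returns (matched PR or None, forwarding permitted?, assigned IP class of service)."""
    for pr, flt in enumerate(acl):
        if flt.matches(sa, da, prot, spo, dpo, sres):
            return pr, flt.type == "PERMIT", cosdft if flt.ipcos == "DFT" else flt.ipcos
    return None, True, cosdft   # no filter matched: routed with the default class

def clear_ipacl(acl, pr):        # C IPACL: entries above PR shift down by one
    del acl[pr]

def move_ipacl(acl, src, dst):   # M IPACL: PR:src becomes PR:dst, others renumbered
    acl.insert(dst, acl.pop(src))

# Constructed table mirroring the two filters shown before the F IPACL commands.
ACL = [
    Filter("PERMIT", "192.168.1.70", "*", "udp", ipcos="HIGH", sres="Ip-2"),
    Filter("DENY", "192.168.0.50:192.168.0.60", "*", "tcp", sres="Ip-2"),
]
```

Running the two F IPACL checks from the session above against ACL gives a DENY match on PR:1 for the TCP datagram and a PERMIT match on PR:0 with class HIGH for the UDP one.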