Help Center/ Cloud Firewall/ API Reference/ API/ ACL Rule Management/ Creating an ACL Rule

Updated on 2023-12-06 GMT+08:00

View PDF

Creating an ACL Rule

Function

This API is used to create an ACL rule.

Debugging

You can debug this API through automatic authentication in or use the SDK sample code generated by API Explorer.

URI

POST /v1/{project_id}/acl-rule

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
project_id	Yes	String	Project ID

**Table 2** Query Parameters
Parameter	Mandatory	Type	Description
enterprise_project_id	No	String	Enterprise project id, the id generated by the enterprise project after the user supports the enterprise project.
fw_instance_id	No	String	Firewall instance ID, which is automatically generated after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. For details, see the API Explorer and Help Center FAQ.By default, if fw_instance_Id is not specified, information about the first firewall under the account is returned. If fw_instance_Id is specified, information about the firewall with this fw_instance_Id is returned.If object_Id is specified, information about the firewall with this object_Id is returned by default. If both fw_instance_Id and object_Id are specified, the specified object_Id must belong to the specified firewall.

Request Parameters

**Table 3** Request header parameters
Parameter	Mandatory	Type	Description
X-Auth-Token	Yes	String	User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token.

**Table 4** Request body parameters
Parameter	Mandatory	Type	Description
object_id	Yes	String	Protected object ID, which is used to distinguish Internet border protection from VPC border protection after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. Note that the value 0 indicates the ID of a protected object on the Internet border, and the value 1 indicates the ID of a protected object on the VPC border. For details, see the API Explorer and Help Center FAQ.
type	Yes	Integer	Rule type. The value can be 0 (Internet rule), 1 (VPC rule), or 2 (NAT rule). Enumeration values: 0 1 2
rules	Yes	Array of rules objects	rules

**Table 5** rules
Parameter	Mandatory	Type	Description
name	Yes	String	Rule name
sequence	Yes	OrderRuleAclDto object	Rule sequence
address_type	Yes	Integer	Address type. The value can be 0 (IPv4), 1 (IPv6), or 2 (domain). Enumeration values: 0 1 2
action_type	Yes	Integer	Action. 0: allow; 1: deny
status	Yes	Integer	Rule delivery status. 0: disabled; 1: enabled. Enumeration values: 0 1
long_connect_time	No	Long	Persistent connection duration
long_connect_time_hour	No	Long	Persistent connection duration (hour)
long_connect_time_minute	No	Long	Persistent connection duration (minute)
long_connect_time_second	No	Long	Persistent Connection Duration (second)
long_connect_enable	Yes	Integer	Whether to support persistent connections. 0: not supported; 1: supported. Enumeration values: 0 1
description	No	String	Description
direction	No	Integer	direction:0 outToin,1 inToout Enumeration values: 0 1
source	Yes	RuleAddressDto object	Source address transmission object
destination	Yes	RuleAddressDto object	Destination address transmission object
service	Yes	RuleServiceDto object	Service object

**Table 6** OrderRuleAclDto
Parameter	Mandatory	Type	Description
dest_rule_id	No	String	ID of the rule that the added rule will follow. This parameter cannot be left blank if the rule is not pinned on top, and is empty when the added rule is pinned on top.
top	No	Integer	Whether to pin on top. The options are as follows: 0: no; 1: yes.

**Table 7** RuleAddressDto
Parameter	Mandatory	Type	Description
type	Yes	Integer	Source type. 0: manual input; 1: associated IP address group; 2: domain name
address_type	No	Integer	Source type. 0: IPv4; 1: IPv6
address	No	String	Source IP address. The value cannot be empty for the manual type, and cannot be empty for the automatic or domain type.
address_set_id	No	String	ID of the associated IP address group. The value cannot be empty for the automatic type or for the manual or domain type.
address_set_name	No	String	IP address group name
domain_address_name	No	String	Name of the domain name address. This parameter cannot be left empty for the domain name type, and is empty for the manual or automatic type.

**Table 8** RuleServiceDto
Parameter	Mandatory	Type	Description
type	Yes	Integer	Service input type. The value 0 indicates manual input, and the value 1 indicates automatic input.
protocol	No	Integer	Protocol type. The value 6 indicates TCP, 17 indicates UDP, 1 indicates ICMP, 58 indicates ICMPv6, and -1 indicates any protocol. Regarding the addition type, a null value indicates it is automatically added.
source_port	No	String	Source port
dest_port	No	String	Destination port
service_set_id	No	String	Service group ID. This parameter is left blank for the manual type and cannot be left blank for the automatic type.
service_set_name	No	String	Service group name

Response Parameters

Status code: 200

**Table 9** Response body parameters
Parameter	Type	Description
data	RuleIdList object	Rule ID list

**Table 10** RuleIdList
Parameter	Type	Description
rules	Array of RuleId objects	Rule ID list

**Table 11** RuleId
Parameter	Type	Description
id	String	id

Status code: 400

**Table 12** Response body parameters
Parameter	Type	Description
error_code	String	Error code Minimum: 8 Maximum: 36
error_msg	String	Description Minimum: 2 Maximum: 512

Example Requests

The following example shows how to add an IPv4 inbound rule. The rule name is TestRule, the source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service type is service, the protocol type is TCP, the source port is 0, and the destination port is 0. Persistent connections are not supported. The action is to allow. The status is enabled.

https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/acl-rule

{
  "object_id" : "e12bd2cd-ebfc-4af7-ad6f-ebe6da398029",
  "rules" : [ {
    "name" : "TestRule",
    "status" : 1,
    "action_type" : 0,
    "description" : "",
    "source" : {
      "type" : 0,
      "address" : "1.1.1.1"
    },
    "destination" : {
      "type" : 0,
      "address" : "2.2.2.2"
    },
    "service" : {
      "type" : 0,
      "protocol" : 6,
      "source_port" : "0",
      "dest_port" : "0"
    },
    "address_type" : 0,
    "long_connect_enable" : 0,
    "direction" : 0,
    "sequence" : {
      "top" : 1
    }
  } ],
  "type" : 0
}

Example Responses

Status code: 200

Response to the request for adding an ACL

{
  "data" : {
    "rules" : [ {
      "id" : "ceaa0407-b9c8-4dfd-9eca-b6ead2dfd031"
    } ]
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.00900016",
  "error_msg" : "The import task is in progress. Please operate after the task is completed"
}

Status Codes

Status Code	Description
200	Response to the request for adding an ACL
400	Bad Request
401	Unauthorized
403	Forbidden
404	Not Found
500	Internal Server Error

Error Codes

See Error Codes.

Parent topic: ACL Rule Management

Previous topic: ACL Rule Management

Next topic: Updating an ACL Rule

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel