Creating an ACL Rule
Function
This API is used to create an ACL rule.
Calling Method
For details, see Calling APIs.
URI
POST /v1/{project_id}/acl-rule
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
project_id |
Yes |
String |
Project ID |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
enterprise_project_id |
No |
String |
Enterprise project id, the id generated by the enterprise project after the user supports the enterprise project. |
fw_instance_id |
No |
String |
Firewall instance ID, which is automatically generated after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. For details, see the API Explorer and Help Center FAQ.By default, if fw_instance_Id is not specified, information about the first firewall under the account is returned. If fw_instance_Id is specified, information about the firewall with this fw_instance_Id is returned.If object_Id is specified, information about the firewall with this object_Id is returned by default. If both fw_instance_Id and object_Id are specified, the specified object_Id must belong to the specified firewall. |
Request Parameters
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
X-Auth-Token |
Yes |
String |
User token. It can be obtained by calling the IAM API used to obtain a user token. The value of X-Subject-Token in the response header is a token. |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
object_id |
Yes |
String |
Protected object ID, which is used to distinguish Internet border protection from VPC border protection after a CFW instance is created. You can obtain the ID by calling the API used for querying a firewall instance. Note that the value 0 indicates the ID of a protected object on the Internet border, and the value 1 indicates the ID of a protected object on the VPC border. For details, see the API Explorer and Help Center FAQ. |
type |
Yes |
Integer |
Rule type. The value can be 0 (Internet rule), 1 (VPC rule), or 2 (NAT rule). Enumeration values:
|
rules |
Yes |
Array of rules objects |
rules |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
name |
Yes |
String |
Rule name |
sequence |
Yes |
OrderRuleAclDto object |
Rule sequence |
address_type |
Yes |
Integer |
Address type. The value can be 0 (IPv4), 1 (IPv6), or 2 (domain). Enumeration values:
|
action_type |
Yes |
Integer |
Action. 0: allow; 1: deny |
status |
Yes |
Integer |
Rule delivery status. 0: disabled; 1: enabled. Enumeration values:
|
applications |
No |
Array of strings |
applications |
applicationsJsonString |
No |
String |
applications json string |
long_connect_time |
No |
Long |
Persistent connection duration |
long_connect_time_hour |
No |
Long |
Persistent connection duration (hour) |
long_connect_time_minute |
No |
Long |
Persistent connection duration (minute) |
long_connect_time_second |
No |
Long |
Persistent Connection Duration (second) |
long_connect_enable |
Yes |
Integer |
Whether to support persistent connections. 0: not supported; 1: supported. Enumeration values:
|
description |
No |
String |
Description |
direction |
No |
Integer |
Direction: 0 means outside to inside, 1 means inside to outside, direction value is required when rule type is internet or nat. Enumeration values:
|
profile |
No |
RuleProfileDto object |
domain url info |
source |
Yes |
RuleAddressDtoForRequest object |
Source address transmission object |
destination |
Yes |
RuleAddressDtoForRequest object |
Destination address transmission object |
service |
Yes |
RuleServiceDto object |
Service object |
tag |
No |
TagsVO object |
Tag value |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
dest_rule_id |
No |
String |
ID of the rule that the added rule will follow. This parameter cannot be left blank if the rule is not pinned on top, and is empty when the added rule is pinned on top. |
top |
No |
Integer |
Whether to pin on top. The options are as follows: 0: no; 1: yes. |
bottom |
No |
Integer |
Whether to pin on bottom. The options are as follows: 0: no; 1: yes. |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
type |
Yes |
Integer |
Source type. 0: manual input; 1: associated IP address group; 2: domain name; 3: region; 4: domain set 5: multi object, 6: domain set dns, 7: domain url profile |
address_type |
No |
Integer |
Source type. 0: IPv4; 1: IPv6 |
address |
No |
String |
Source IP address. The value cannot be empty for the manual type, and cannot be empty for the automatic or domain type. |
address_set_id |
No |
String |
ID of the associated IP address group. The value cannot be empty for the automatic type or for the manual or domain type. |
address_set_name |
No |
String |
IP address group name |
domain_address_name |
No |
String |
Name of the domain name address. This parameter cannot be left empty for the domain name type, and is empty for the manual or automatic type. |
region_list_json |
No |
String |
JSON value of the rule region list. |
region_list |
No |
Array of IpRegionDto objects |
Region list of a rule |
domain_set_id |
No |
String |
domain set id |
domain_set_name |
No |
String |
domain set name |
ip_address |
No |
Array of strings |
IP address list |
address_set_type |
No |
Integer |
Address set type, 0 indicates a custom define address set, 1 indicates a WAF return-to-source IP address set, 2 indicates a DDoS return-to-source IP address set, and 3 indicates a NAT64 translation address set. |
predefined_group |
No |
Array of strings |
predefined group |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
region_id |
No |
String |
region id |
description_cn |
No |
String |
cn description |
description_en |
No |
String |
en description |
region_type |
No |
Integer |
Region type, 0 means country, 1 means province, 2 means continent |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
type |
Yes |
Integer |
Service input type. The value 0 indicates manual input, and the value 1 indicates automatic input. |
protocol |
No |
Integer |
Protocol type. The value 6 indicates TCP, 17 indicates UDP, 1 indicates ICMP, 58 indicates ICMPv6, and -1 indicates any protocol. Regarding the addition type, a null value indicates it is automatically added. |
protocols |
No |
Array of integers |
Protocols |
source_port |
No |
String |
Source port |
dest_port |
No |
String |
Destination port |
service_set_id |
No |
String |
Service group ID. This parameter is left blank for the manual type and cannot be left blank for the automatic type. |
service_set_name |
No |
String |
Service group name |
custom_service |
No |
Array of ServiceItem objects |
custom service |
predefined_group |
No |
Array of strings |
predefined group |
service_group |
No |
Array of strings |
Service group list |
service_group_names |
No |
Array of AddressGroupVO objects |
Service group name list |
service_set_type |
No |
Integer |
Service set type, 0 indicates a custom service set, 1 indicates a predefined service set, 2 indicates commonly used remote login and PING, 3 indicates commonly used databases |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
protocol |
No |
Integer |
Protocol type. The value 6 indicates TCP, 17 indicates UDP, 1 indicates ICMP, 58 indicates ICMPv6, and -1 indicates any protocol. Regarding the addition type, a null value indicates it is automatically added. |
source_port |
No |
String |
source port |
dest_port |
No |
String |
destination port |
description |
No |
String |
description |
name |
No |
String |
name |
Parameter |
Mandatory |
Type |
Description |
|---|---|---|---|
set_id |
No |
String |
set id |
name |
No |
String |
name |
protocols |
No |
Array of integers |
Protocols |
service_set_type |
No |
Integer |
Service set type, 0 indicates a custom service set, 1 indicates a predefined service set, 2 indicates commonly used remote login and PING, 3 indicates commonly used databases |
Response Parameters
Status code: 200
Parameter |
Type |
Description |
|---|---|---|
data |
RuleIdList object |
Rule ID list |
Status code: 400
Parameter |
Type |
Description |
|---|---|---|
error_code |
String |
Error code Minimum: 8 Maximum: 36 |
error_msg |
String |
Description Minimum: 2 Maximum: 512 |
Example Requests
The following example shows how to add an IPv4 inbound rule. The rule name is TestRule, the source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service type is service, the protocol type is TCP, the source port is 0, and the destination port is 0. Persistent connections are not supported. The action is to allow. The status is enabled.
https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/acl-rule
{
"object_id" : "ae42418e-f077-41a0-9d3b-5b2f5ad9102b",
"rules" : [ {
"name" : "TestRule",
"status" : 1,
"action_type" : 0,
"description" : "",
"source" : {
"type" : 0,
"address" : "1.1.1.1"
},
"destination" : {
"type" : 0,
"address" : "2.2.2.2"
},
"service" : {
"type" : 0,
"protocol" : 6,
"source_port" : "0",
"dest_port" : "0"
},
"address_type" : 0,
"tag" : {
"tag_key" : "",
"tag_value" : ""
},
"long_connect_enable" : 0,
"direction" : 0,
"sequence" : {
"top" : 1,
"dest_rule_id" : null
}
} ],
"type" : 0
}
Example Responses
Status code: 200
Response to the request for adding an ACL
{
"data" : {
"rules" : [ {
"id" : "0475c516-0e41-4caf-990b-0c504eebd73f"
} ]
}
}
Status code: 400
Bad Request
{
"error_code" : "CFW.00900016",
"error_msg" : "The import task is in progress. Please operate after the task is completed"
}
SDK Sample Code
The SDK sample code is as follows.
Java
The following example shows how to add an IPv4 inbound rule. The rule name is TestRule, the source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service type is service, the protocol type is TCP, the source port is 0, and the destination port is 0. Persistent connections are not supported. The action is to allow. The status is enabled.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 |
package com.huaweicloud.sdk.test; import com.huaweicloud.sdk.core.auth.ICredential; import com.huaweicloud.sdk.core.auth.BasicCredentials; import com.huaweicloud.sdk.core.exception.ConnectionException; import com.huaweicloud.sdk.core.exception.RequestTimeoutException; import com.huaweicloud.sdk.core.exception.ServiceResponseException; import com.huaweicloud.sdk.cfw.v1.region.CfwRegion; import com.huaweicloud.sdk.cfw.v1.*; import com.huaweicloud.sdk.cfw.v1.model.*; import java.util.List; import java.util.ArrayList; public class AddAclRuleSolution { public static void main(String[] args) { // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment String ak = System.getenv("CLOUD_SDK_AK"); String sk = System.getenv("CLOUD_SDK_SK"); ICredential auth = new BasicCredentials() .withAk(ak) .withSk(sk); CfwClient client = CfwClient.newBuilder() .withCredential(auth) .withRegion(CfwRegion.valueOf("<YOUR REGION>")) .build(); AddAclRuleRequest request = new AddAclRuleRequest(); request.withEnterpriseProjectId("<enterprise_project_id>"); request.withFwInstanceId("<fw_instance_id>"); AddRuleAclDto body = new AddRuleAclDto(); TagsVO tagRules = new TagsVO(); tagRules.withTagKey("") .withTagValue(""); RuleServiceDto serviceRules = new RuleServiceDto(); serviceRules.withType(0) .withProtocol(6) .withSourcePort("0") .withDestPort("0"); RuleAddressDto destinationRules = new RuleAddressDto(); destinationRules.withType(0) .withAddress("2.2.2.2"); RuleAddressDto sourceRules = new RuleAddressDto(); sourceRules.withType(0) .withAddress("1.1.1.1"); OrderRuleAclDto sequenceRules = new OrderRuleAclDto(); sequenceRules.withTop(1); List<AddRuleAclDtoRules> listbodyRules = new ArrayList<>(); listbodyRules.add( new AddRuleAclDtoRules() .withName("TestRule") .withSequence(sequenceRules) .withAddressType(AddRuleAclDtoRules.AddressTypeEnum.NUMBER_0) .withActionType(0) .withStatus(AddRuleAclDtoRules.StatusEnum.NUMBER_1) .withLongConnectEnable(AddRuleAclDtoRules.LongConnectEnableEnum.NUMBER_0) .withDescription("") .withDirection(AddRuleAclDtoRules.DirectionEnum.NUMBER_0) .withSource(sourceRules) .withDestination(destinationRules) .withService(serviceRules) .withTag(tagRules) ); body.withRules(listbodyRules); body.withType(AddRuleAclDto.TypeEnum.NUMBER_0); body.withObjectId("ae42418e-f077-41a0-9d3b-5b2f5ad9102b"); request.withBody(body); try { AddAclRuleResponse response = client.addAclRule(request); System.out.println(response.toString()); } catch (ConnectionException e) { e.printStackTrace(); } catch (RequestTimeoutException e) { e.printStackTrace(); } catch (ServiceResponseException e) { e.printStackTrace(); System.out.println(e.getHttpStatusCode()); System.out.println(e.getRequestId()); System.out.println(e.getErrorCode()); System.out.println(e.getErrorMsg()); } } } |
Python
The following example shows how to add an IPv4 inbound rule. The rule name is TestRule, the source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service type is service, the protocol type is TCP, the source port is 0, and the destination port is 0. Persistent connections are not supported. The action is to allow. The status is enabled.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
# coding: utf-8 from huaweicloudsdkcore.auth.credentials import BasicCredentials from huaweicloudsdkcfw.v1.region.cfw_region import CfwRegion from huaweicloudsdkcore.exceptions import exceptions from huaweicloudsdkcfw.v1 import * if __name__ == "__main__": # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment ak = __import__('os').getenv("CLOUD_SDK_AK") sk = __import__('os').getenv("CLOUD_SDK_SK") credentials = BasicCredentials(ak, sk) \ client = CfwClient.new_builder() \ .with_credentials(credentials) \ .with_region(CfwRegion.value_of("<YOUR REGION>")) \ .build() try: request = AddAclRuleRequest() request.enterprise_project_id = "<enterprise_project_id>" request.fw_instance_id = "<fw_instance_id>" tagRules = TagsVO( tag_key="", tag_value="" ) serviceRules = RuleServiceDto( type=0, protocol=6, source_port="0", dest_port="0" ) destinationRules = RuleAddressDto( type=0, address="2.2.2.2" ) sourceRules = RuleAddressDto( type=0, address="1.1.1.1" ) sequenceRules = OrderRuleAclDto( top=1 ) listRulesbody = [ AddRuleAclDtoRules( name="TestRule", sequence=sequenceRules, address_type=0, action_type=0, status=1, long_connect_enable=0, description="", direction=0, source=sourceRules, destination=destinationRules, service=serviceRules, tag=tagRules ) ] request.body = AddRuleAclDto( rules=listRulesbody, type=0, object_id="ae42418e-f077-41a0-9d3b-5b2f5ad9102b" ) response = client.add_acl_rule(request) print(response) except exceptions.ClientRequestException as e: print(e.status_code) print(e.request_id) print(e.error_code) print(e.error_msg) |
Go
The following example shows how to add an IPv4 inbound rule. The rule name is TestRule, the source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service type is service, the protocol type is TCP, the source port is 0, and the destination port is 0. Persistent connections are not supported. The action is to allow. The status is enabled.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 |
package main import ( "fmt" "github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic" cfw "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1" "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/model" region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/region" ) func main() { // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security. // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment ak := os.Getenv("CLOUD_SDK_AK") sk := os.Getenv("CLOUD_SDK_SK") auth := basic.NewCredentialsBuilder(). WithAk(ak). WithSk(sk). Build() client := cfw.NewCfwClient( cfw.CfwClientBuilder(). WithRegion(region.ValueOf("<YOUR REGION>")). WithCredential(auth). Build()) request := &model.AddAclRuleRequest{} enterpriseProjectIdRequest:= "<enterprise_project_id>" request.EnterpriseProjectId = &enterpriseProjectIdRequest fwInstanceIdRequest:= "<fw_instance_id>" request.FwInstanceId = &fwInstanceIdRequest tagKeyTag:= "" tagValueTag:= "" tagRules := &model.TagsVo{ TagKey: &tagKeyTag, TagValue: &tagValueTag, } protocolService:= int32(6) sourcePortService:= "0" destPortService:= "0" serviceRules := &model.RuleServiceDto{ Type: int32(0), Protocol: &protocolService, SourcePort: &sourcePortService, DestPort: &destPortService, } addressDestination:= "2.2.2.2" destinationRules := &model.RuleAddressDto{ Type: int32(0), Address: &addressDestination, } addressSource:= "1.1.1.1" sourceRules := &model.RuleAddressDto{ Type: int32(0), Address: &addressSource, } topSequence:= int32(1) sequenceRules := &model.OrderRuleAclDto{ Top: &topSequence, } descriptionRules:= "" directionRules:= model.GetAddRuleAclDtoRulesDirectionEnum().E_0 var listRulesbody = []model.AddRuleAclDtoRules{ { Name: "TestRule", Sequence: sequenceRules, AddressType: model.GetAddRuleAclDtoRulesAddressTypeEnum().E_0, ActionType: int32(0), Status: model.GetAddRuleAclDtoRulesStatusEnum().E_1, LongConnectEnable: model.GetAddRuleAclDtoRulesLongConnectEnableEnum().E_0, Description: &descriptionRules, Direction: &directionRules, Source: sourceRules, Destination: destinationRules, Service: serviceRules, Tag: tagRules, }, } request.Body = &model.AddRuleAclDto{ Rules: listRulesbody, Type: model.GetAddRuleAclDtoTypeEnum().E_0, ObjectId: "ae42418e-f077-41a0-9d3b-5b2f5ad9102b", } response, err := client.AddAclRule(request) if err == nil { fmt.Printf("%+v\n", response) } else { fmt.Println(err) } } |
More
For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.
Status Codes
Status Code |
Description |
|---|---|
200 |
Response to the request for adding an ACL |
400 |
Bad Request |
401 |
Unauthorized |
403 |
Forbidden |
404 |
Not Found |
500 |
Internal Server Error |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
