Updated on 2024-10-31 GMT+08:00

Updating an ACL Rule

Function

This API is used to update an ACL rule.

Calling Method

For details, see Calling APIs.

URI

PUT /v1/{project_id}/acl-rule/{acl_rule_id}

Table 1 Path Parameters

Parameter | Mandatory | Type | Description
project_id | Yes | String | Project ID, which can be obtained by calling an API or from the console. For details, see Obtaining a Project ID.
acl_rule_id | Yes | String | Rule ID, which can be obtained by calling the API for querying protection rules. Find the value in data.records.rule_id (the period [.] separates object levels; the same notation is used for every path below).

Table 2 Query Parameters

Parameter | Mandatory | Type | Description
enterprise_project_id | No | String | Enterprise project ID, which is the ID of a project planned based on organizations. You can obtain it by referring to Obtaining an Enterprise Project ID. If the enterprise project function is not enabled, the value is 0.
fw_instance_id | No | String | Firewall ID, which can be obtained by referring to Obtaining a Firewall ID.

Request Parameters

Table 3 Request header parameters

Parameter | Mandatory | Type | Description
X-Auth-Token | Yes | String | User token. You can obtain the token by referring to Obtaining a User Token.

Table 4 Request body parameters

Parameter | Mandatory | Type | Description
address_type | No | Integer | Address type: 0 (IPv4), 1 (IPv6).
name | No | String | Rule name.
direction | No | Integer | Direction: 0 (inbound), 1 (outbound). Mandatory when type is 0 (Internet rule) or 2 (NAT rule).
action_type | No | Integer | Rule action: 0 (permit), 1 (deny).
status | No | Integer | Rule status: 0 (disabled), 1 (enabled).
applications | No | Array of strings | Rule application list. Supported values: HTTP, HTTPS, TLS1, DNS, SSH, MYSQL, SMTP, RDP, RDPS, VNC, POP3, IMAP4, SMTPS, POP3S, FTPS, ANY, or BGP.
description | No | String | Rule description.
long_connect_time_hour | No | Long | Persistent connection duration (hours).
long_connect_time_minute | No | Long | Persistent connection duration (minutes).
long_connect_time_second | No | Long | Persistent connection duration (seconds).
long_connect_time | No | Long | Persistent connection duration.
long_connect_enable | No | Integer | Whether persistent connections are supported: 0 (no), 1 (yes).
source | No | RuleAddressDto object | Source address DTO. See Table 5.
destination | No | RuleAddressDto object | Destination address DTO. See Table 5.
service | No | RuleServiceDto object | Service object. See Table 8.
type | No | Integer | Rule type: 0 (Internet rule), 1 (VPC rule), or 2 (NAT rule).
tag | No | TagsVO object | Tag object attached to the rule. See Table 11.

Table 5 RuleAddressDto

Parameter | Mandatory | Type | Description
type | Yes | Integer | Address type: 0 (manual input), 1 (associated IP address group), 2 (domain name), 3 (geographical location), 4 (domain name group), 5 (multiple objects), 6 (domain name group - DNS resolution), or 7 (domain name group - website filtering).
address_type | No | Integer | IP version of the address: 0 (IPv4), 1 (IPv6). Cannot be left blank when type is 0 (manual input).
address | No | String | IP address information. Cannot be left blank when type is 0 (manual input).
address_set_id | No | String | ID of the associated IP address group. Cannot be left blank when type is 1. Obtain it from data.records.set_id of the API for querying the address group list.
address_set_name | No | String | Name of the associated IP address group. Cannot be left blank when type is 1. Obtain it from data.records.name of the API for querying the address group list.
domain_address_name | No | String | Domain name address. Valid when type is 2 (domain name) or 7 (domain name group - website filtering).
region_list_json | No | String | JSON value of the rule region list.
region_list | No | Array of IpRegionDto objects | Rule region list. See Table 6.
domain_set_id | No | String | Domain name group ID. Cannot be left blank when type is 4 (domain name group) or 7 (domain name group - website filtering). Obtain it from data.records.set_id of the API for querying the domain name group list.
domain_set_name | No | String | Domain name group name. Cannot be left blank when type is 4 (domain name group) or 7 (domain name group - website filtering). Obtain it from data.records.name of the API for querying the domain name group list.
ip_address | No | Array of strings | IP address list. Cannot be left blank when type is 5 (multiple objects).
address_group | No | Array of strings | Address group ID list. Cannot be left blank when type is 5 (multiple objects). Obtain the IDs from data.records.set_id of the API for querying the address group list, with query_address_set_type set to 0 (user-defined address group) in the search criteria.
address_group_names | No | Array of AddressGroupVO objects | Address group name list. See Table 7.
address_set_type | No | Integer | Address group type. Cannot be left blank when type is 1 (associated IP address group). Values: 0 (user-defined address group), 1 (WAF back-to-source IP address group), 2 (DDoS back-to-source IP address group), or 3 (NAT64 address group).
predefined_group | No | Array of strings | Predefined address group ID list. Cannot be left blank when type is 5 (multiple objects). Obtain the IDs from data.records.set_id of the API for querying the address group list, with query_address_set_type set to 1 (predefined address group) in the search criteria.

Table 6 IpRegionDto

Parameter | Mandatory | Type | Description
region_id | No | String | Region ID.
description_cn | No | String | Region description in Chinese, used only for China regions.
description_en | No | String | Region description in English, used only for non-China regions.
region_type | No | Integer | Region type: 0 (country), 1 (province), or 2 (continent).

Table 7 AddressGroupVO

Parameter | Mandatory | Type | Description
address_set_type | No | Integer | Address group type: 0 (user-defined address group), 1 (WAF back-to-source IP address group), 2 (DDoS back-to-source IP address group), or 3 (NAT64 address group).
name | No | String | Name of the associated IP address group, from data.records.name of the API for querying the address group list.
set_id | No | String | ID of the associated IP address group, from data.records.set_id of the API for querying the address group list.

Table 8 RuleServiceDto

Parameter | Mandatory | Type | Description
type | Yes | Integer | Service input type: 0 (manual), 1 (automatic).
protocol | No | Integer | Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). Cannot be left blank when type is 0 (manual).
protocols | No | Array of integers | Protocol list, using the same values as protocol. Cannot be left blank when type is 0 (manual).
source_port | No | String | Source port.
dest_port | No | String | Destination port.
service_set_id | No | String | Service group ID. Cannot be left blank when type is 1 (automatic). Obtain it from data.records.set_id of the API for querying the service group list.
service_set_name | No | String | Service group name. Cannot be left blank when type is 1 (automatic). Obtain it from data.records.name of the API for querying the service group list.
custom_service | No | Array of ServiceItem objects | Custom service. See Table 9.
predefined_group | No | Array of strings | Predefined service group ID list. Obtain the IDs from data.records.set_id of the API for querying the service group list, with query_service_set_type set to 1 (predefined service group) in the search criteria.
service_group | No | Array of strings | Service group ID list. Obtain the IDs from data.records.set_id of the API for querying the service group list, with query_service_set_type set to 0 (user-defined service group) in the search criteria.
service_group_names | No | Array of ServiceGroupVO objects | Service group name list. See Table 10.
service_set_type | No | Integer | Service group type: 0 (user-defined service group), 1 (common web service), 2 (common remote login and ping), or 3 (common database).

Table 9 ServiceItem

Parameter | Mandatory | Type | Description
protocol | No | Integer | Protocol type: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any). Cannot be left blank when RuleServiceDto.type is 0 (manual).
source_port | No | String | Source port.
dest_port | No | String | Destination port.
description | No | String | Service member description.
name | No | String | Service member name.

Table 10 ServiceGroupVO

Parameter | Mandatory | Type | Description
name | No | String | Service group name.
protocols | No | Array of integers | Protocol list: 6 (TCP), 17 (UDP), 1 (ICMP), 58 (ICMPv6), or -1 (any).
service_set_type | No | Integer | Service group type: 0 (user-defined service group), 1 (predefined service group).
set_id | No | String | Service group ID, from data.records.set_id of the API for querying the service group list.

Table 11 TagsVO

Parameter | Mandatory | Type | Description
tag_id | No | String | Tag ID.
tag_key | No | String | Rule tag key.
tag_value | No | String | Rule tag value.

Response Parameters

Status code: 200

Table 12 Response body parameters

Parameter | Type | Description
data | RuleId object | Rule data. See Table 13.

Table 13 RuleId

Parameter | Type | Description
id | String | Rule ID.
name | String | Rule name.

Status code: 400

Table 14 Response body parameters

Parameter | Type | Description
error_code | String | Error code.
error_msg | String | Error description.

Example Requests

The following example updates an IPv4 inbound Internet rule named Test rule. The source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service is entered manually as TCP with source port 0 and destination port 0, persistent connections are disabled, the action is permit, and the rule is enabled.

PUT https://{Endpoint}/v1/9d80d070b6d44942af73c9c3d38e0429/acl-rule/ceaa0407-b9c8-4dfd-9eca-b6ead2dfd031

{
  "name" : "Test rule.",
  "status" : 1,
  "action_type" : 0,
  "description" : "",
  "source" : {
    "type" : 0,
    "address" : "1.1.1.1"
  },
  "destination" : {
    "type" : 0,
    "address" : "2.2.2.2"
  },
  "service" : {
    "type" : 0,
    "protocol" : 6,
    "source_port" : "0",
    "dest_port" : "0"
  },
  "type" : 0,
  "address_type" : 0,
  "tag" : {
    "tag_key" : "",
    "tag_value" : ""
  },
  "long_connect_enable" : 0,
  "direction" : 0
}

Example Responses

Status code: 200

OK

{
  "data" : {
    "id" : "ceaa0407-b9c8-4dfd-9eca-b6ead2dfd031"
  }
}

Status code: 400

Bad Request

{
  "error_code" : "CFW.00200005",
  "error_msg" : "Object not found."
}
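The tables above state several constraints that the API enforces only at request time (direction is mandatory for Internet and NAT rules, a manual address needs address, an associated address group needs its ID, name and type, a manual service needs a protocol, an automatic service needs its service group). As an added example, not Huawei Cloud's own SDK code, the following Python applies those checks locally, assembles the PUT request with the X-Auth-Token header and optional query parameters, and maps the documented 200 and 400 responses. The endpoint, IDs and the CLOUD_SDK_TOKEN environment variable are placeholders and assumptions; the sample body is the rule from the request above.

```python
"""Pre-flight checks and request assembly for PUT /v1/{project_id}/acl-rule/{acl_rule_id}.

Added example, not Huawei Cloud SDK code. The checks encode the conditional
constraints stated in Tables 4, 5 and 8 of this page; endpoint, project ID,
rule ID and token are placeholders (assumptions). Nothing here sends traffic.
"""
import json
import os
from urllib.parse import urlencode

DIRECTION_REQUIRED_RULE_TYPES = {0, 2}       # Table 4: Internet (0) and NAT (2) rules
VALID_PROTOCOLS = {6, 17, 1, 58, -1}         # Table 8: TCP, UDP, ICMP, ICMPv6, any


def _check_address(addr):
    """Constraints from Table 5 (RuleAddressDto)."""
    t = addr.get("type")
    if t is None:
        return ["type is mandatory"]
    problems = []
    if t == 0 and not addr.get("address"):
        problems.append("address is required when type is 0 (manual input)")
    if t == 1:
        for key in ("address_set_id", "address_set_name", "address_set_type"):
            if addr.get(key) in (None, ""):
                problems.append(f"{key} is required when type is 1 (associated IP address group)")
    if t in (4, 7):
        for key in ("domain_set_id", "domain_set_name"):
            if not addr.get(key):
                problems.append(f"{key} is required when type is {t} (domain name group)")
    return problems


def _check_service(svc):
    """Constraints from Table 8 (RuleServiceDto)."""
    t = svc.get("type")
    if t is None:
        return ["type is mandatory"]
    problems = []
    if t == 0:
        protos = svc.get("protocols") or ([svc["protocol"]] if "protocol" in svc else [])
        if not protos:
            problems.append("protocol or protocols is required when type is 0 (manual)")
        elif not set(protos) <= VALID_PROTOCOLS:
            problems.append(f"unknown protocol number(s): {sorted(set(protos) - VALID_PROTOCOLS)}")
    if t == 1:
        for key in ("service_set_id", "service_set_name"):
            if not svc.get(key):
                problems.append(f"{key} is required when type is 1 (automatic)")
    return problems


def validate_rule_body(body):
    """Return the documented constraints the body violates (empty list = OK).
    The API stays the authority: anything not checked here still yields a 400."""
    problems = []
    if body.get("type") in DIRECTION_REQUIRED_RULE_TYPES and body.get("direction") not in (0, 1):
        problems.append("direction is mandatory when type is 0 (Internet rule) or 2 (NAT rule)")
    for key in ("source", "destination"):
        if key in body:
            problems += [f"{key}.{p}" for p in _check_address(body[key])]
    if "service" in body:
        problems += [f"service.{p}" for p in _check_service(body["service"])]
    return problems


def build_update_request(endpoint, project_id, acl_rule_id, token, body,
                         fw_instance_id=None, enterprise_project_id=None):
    """Return (method, url, headers, json_body); raise ValueError on a bad body.
    Validation runs first so a malformed body never leaves with a live token attached."""
    problems = validate_rule_body(body)
    if problems:
        raise ValueError("invalid rule body: " + "; ".join(problems))
    url = f"https://{endpoint}/v1/{project_id}/acl-rule/{acl_rule_id}"
    query = {k: v for k, v in (("fw_instance_id", fw_instance_id),
                               ("enterprise_project_id", enterprise_project_id)) if v}
    if query:
        url += "?" + urlencode(query)
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    return "PUT", url, headers, json.dumps(body)


def parse_update_response(status_code, text):
    """(rule_id, None) on 200; (None, (error_code, error_msg)) otherwise (Tables 12-14)."""
    data = json.loads(text)
    if status_code == 200:
        return data["data"]["id"], None
    return None, (data.get("error_code"), data.get("error_msg"))


# Constructed sample: the page's own IPv4 inbound permit rule.
SAMPLE_BODY = {
    "name": "Test rule.", "status": 1, "action_type": 0, "description": "",
    "source": {"type": 0, "address": "1.1.1.1"},
    "destination": {"type": 0, "address": "2.2.2.2"},
    "service": {"type": 0, "protocol": 6, "source_port": "0", "dest_port": "0"},
    "type": 0, "address_type": 0, "tag": {"tag_key": "", "tag_value": ""},
    "long_connect_enable": 0, "direction": 0,
}

if __name__ == "__main__":
    token = os.environ.get("CLOUD_SDK_TOKEN", "<token>")   # assumption; never hard-code or log it
    method, url, headers, payload = build_update_request(
        "cfw.example.com", "9d80d070b6d44942af73c9c3d38e0429",
        "ceaa0407-b9c8-4dfd-9eca-b6ead2dfd031", token, SAMPLE_BODY, fw_instance_id="<fw_instance_id>")
    print(method, url)
    print({k: v for k, v in headers.items() if k != "X-Auth-Token"}, payload)
    print(validate_rule_body({"type": 2, "source": {"type": 1}, "service": {"type": 0}}))
```

The returned tuple can be handed to any HTTP client; the token is read from the environment and deliberately kept out of the printed output, since a leaked X-Auth-Token grants the full rights of the user that issued it, including rewriting firewall rules.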

SDK Sample Code

The SDK sample code is as follows.

Java

The following example updates an IPv4 inbound Internet rule named Test rule. The source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service is entered manually as TCP with source port 0 and destination port 0, persistent connections are disabled, the action is permit, and the rule is enabled.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.cfw.v1.*;
import com.huaweicloud.sdk.cfw.v1.model.*;


public class UpdateAclRuleSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateAclRuleRequest request = new UpdateAclRuleRequest();
        request.withAclRuleId("{acl_rule_id}");
        UpdateRuleAclDto body = new UpdateRuleAclDto();
        TagsVO tagbody = new TagsVO();
        tagbody.withTagKey("")
            .withTagValue("");
        RuleServiceDto servicebody = new RuleServiceDto();
        servicebody.withType(0)
            .withProtocol(6)
            .withSourcePort("0")
            .withDestPort("0");
        RuleAddressDto destinationbody = new RuleAddressDto();
        destinationbody.withType(0)
            .withAddress("2.2.2.2");
        RuleAddressDto sourcebody = new RuleAddressDto();
        sourcebody.withType(0)
            .withAddress("1.1.1.1");
        body.withTag(tagbody);
        body.withType(UpdateRuleAclDto.TypeEnum.NUMBER_0);
        body.withService(servicebody);
        body.withDestination(destinationbody);
        body.withSource(sourcebody);
        body.withLongConnectEnable(UpdateRuleAclDto.LongConnectEnableEnum.NUMBER_0);
        body.withDescription("");
        body.withStatus(1);
        body.withActionType(UpdateRuleAclDto.ActionTypeEnum.NUMBER_0);
        body.withDirection(UpdateRuleAclDto.DirectionEnum.NUMBER_0);
        body.withName("Test rule.");
        body.withAddressType(UpdateRuleAclDto.AddressTypeEnum.NUMBER_0);
        request.withBody(body);
        try {
            UpdateAclRuleResponse response = client.updateAclRule(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python

The following example updates an IPv4 inbound Internet rule named Test rule. The source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service is entered manually as TCP with source port 0 and destination port 0, persistent connections are disabled, the action is permit, and the rule is enabled.

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcfw.v1.region.cfw_region import CfwRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcfw.v1 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CfwClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CfwRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateAclRuleRequest()
        request.acl_rule_id = "{acl_rule_id}"
        tagbody = TagsVO(
            tag_key="",
            tag_value=""
        )
        servicebody = RuleServiceDto(
            type=0,
            protocol=6,
            source_port="0",
            dest_port="0"
        )
        destinationbody = RuleAddressDto(
            type=0,
            address="2.2.2.2"
        )
        sourcebody = RuleAddressDto(
            type=0,
            address="1.1.1.1"
        )
        request.body = UpdateRuleAclDto(
            tag=tagbody,
            type=0,
            service=servicebody,
            destination=destinationbody,
            source=sourcebody,
            long_connect_enable=0,
            description="",
            status=1,
            action_type=0,
            direction=0,
            name="Test rule.",
            address_type=0
        )
        response = client.update_acl_rule(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go

The following example updates an IPv4 inbound Internet rule named Test rule. The source is the IP address 1.1.1.1, the destination is the IP address 2.2.2.2, the service is entered manually as TCP with source port 0 and destination port 0, persistent connections are disabled, the action is permit, and the rule is enabled.

package main

import (
	"fmt"
	"os" // needed for os.Getenv below; missing from the original sample

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	cfw "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cfw/v1/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := cfw.NewCfwClient(
        cfw.CfwClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateAclRuleRequest{}
	request.AclRuleId = "{acl_rule_id}"
	tagKeyTag:= ""
	tagValueTag:= ""
	tagbody := &model.TagsVo{
		TagKey: &tagKeyTag,
		TagValue: &tagValueTag,
	}
	protocolService:= int32(6)
	sourcePortService:= "0"
	destPortService:= "0"
	servicebody := &model.RuleServiceDto{
		Type: int32(0),
		Protocol: &protocolService,
		SourcePort: &sourcePortService,
		DestPort: &destPortService,
	}
	addressDestination:= "2.2.2.2"
	destinationbody := &model.RuleAddressDto{
		Type: int32(0),
		Address: &addressDestination,
	}
	addressSource:= "1.1.1.1"
	sourcebody := &model.RuleAddressDto{
		Type: int32(0),
		Address: &addressSource,
	}
	typeUpdateRuleAclDto:= model.GetUpdateRuleAclDtoTypeEnum().E_0
	longConnectEnableUpdateRuleAclDto:= model.GetUpdateRuleAclDtoLongConnectEnableEnum().E_0
	descriptionUpdateRuleAclDto:= ""
	statusUpdateRuleAclDto:= int32(1)
	actionTypeUpdateRuleAclDto:= model.GetUpdateRuleAclDtoActionTypeEnum().E_0
	directionUpdateRuleAclDto:= model.GetUpdateRuleAclDtoDirectionEnum().E_0
	nameUpdateRuleAclDto:= "Test rule."
	addressTypeUpdateRuleAclDto:= model.GetUpdateRuleAclDtoAddressTypeEnum().E_0
	request.Body = &model.UpdateRuleAclDto{
		Tag: tagbody,
		Type: &typeUpdateRuleAclDto,
		Service: servicebody,
		Destination: destinationbody,
		Source: sourcebody,
		LongConnectEnable: &longConnectEnableUpdateRuleAclDto,
		Description: &descriptionUpdateRuleAclDto,
		Status: &statusUpdateRuleAclDto,
		ActionType: &actionTypeUpdateRuleAclDto,
		Direction: &directionUpdateRuleAclDto,
		Name: &nameUpdateRuleAclDto,
		AddressType: &addressTypeUpdateRuleAclDto,
	}
	response, err := client.UpdateAclRule(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

More

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

Status Code | Description
200 | OK
400 | Bad Request
401 | Unauthorized
403 | Forbidden
404 | Not Found
500 | Internal Server Error

Error Codes

See Error Codes.