ACL

All acl value types are described here.

Basic Type

acl action

yaml value: str

There are 4 types of acl actions:

forbid_log

Forbid if match the rule and log. Alternatives: deny_log, reject_log.
forbid

Forbid if match the rule. Alternatives: deny, reject.
permit_log

Permit if match the rule and log. Alternatives: allow_log, accept_log.
permit

Permit if match the rule. Alternatives: allow, accept.

The match order is the same as the list order above.

acl rule

yaml value: mix

All the rules share the same config format described in this section.

An acl rule is consisted of many records, each of them has an associated acl action. A default missed action can be set in the rule, it set the default action if no record matches.

The value in map format is consisted of the following fields:

default

Set the default acl action if no rule match.

Default action if rule is set but with default omitted: forbid if not specified in the rule’s doc.
any of the acl actions as the key str

The value should be a valid record or a list of them, with the key string as the acl action. See detail types for the format of each record type.

The value could also be a single record or a list of them, which means only them are permitted with no log.

The default missed action is forbid and the default found action is permit, if they are not specified in the detail types.

acl rule set

yaml value: seq

Acl rule set is a group of at least 2 acl rules. The rules are matched in order, see detail types for the real order.

If any record in any rules is matched, that acl action will be used. If missed in all rules, all default missed actions will be compared and the most strict one will be used, so there is no default missed action at rule set level.

Detail Type

network acl rule

yaml value: acl rule

The record type should be ip network str.

egress network acl rule

yaml value: network acl rule

The same type as network acl rule. Default added: forbid unspecified, loopback, link-local and discard-only addresses.

ingress network acl rule

yaml value: network acl rule

The same type as network acl rule. Default added: permit 127.0.0.1 and ::1.

dst subnet acl rule

yaml value: network acl rule

The same type as network acl rule. Default added: forbid unspecified, loopback and link-local addresses.

exact host acl rule

yaml value: acl rule

The record type should be host.

exact port acl rule

yaml value: acl rule

The record type should be ports.

child domain acl rule

yaml value: acl rule

Specify the parent domain to match, all children domain in this domain will be matched.

The record type should be domain.

regex domain acl rule

yaml value: acl rule

The record type should be a map or regex str.

The following keys are required for the map format:

parent

required, type: domain

Set the parent domain to match.

regex

required, type: regex str

Set the regex to match the sub part of the domain.

For str format, the regex will match against the full domain.

Added in version 1.11.5.

regex set acl rule

yaml value: acl rule

The record type should be regex str.

dst host acl rule set

yaml value: acl rule set

This rule set is used to match dst host for each request.

Consisted of the following rules:

exact_match

optional, type: exact host acl rule
child_match

optional, type: child domain acl rule

Match only if the host is a domain.
regex_match

optional, type: regex domain acl rule

Match only if the host is a domain.
subnet_match

optional, type: dst subnet acl rule

Match only if the host is an IP Address.

The match order is the same as the list order above.

user agent acl rule

yaml value: acl rule

The record type should be a valid product string as specified in rfc7231 User-Agent.

The default missed action is permit and the default found action is forbid.

proxy request acl rule

yaml value: acl rule

The record type should be a valid proxy request type.