ACL

All acl value types are described here.

Basic Type

acl action

yaml value: str

There are 4 types of acl actions:

  • permit

    Permit if match the rule. Alternatives: allow, accept.

  • permit_log

    Permit if match the rule and log. Alternatives: allow_log, accept_log.

  • forbid

    Forbid if match the rule. Alternatives: deny, reject.

  • forbid_log

    Forbid if match the rule and log. Alternatives: deny_log, reject_log.

acl rule

yaml value: mix

All the rules share the same config format described in this section.

An acl rule is consisted of many records, each of them has an associated acl action. A default missed action can be set in the rule, it set the default action if no record matches.

The value in map format is consisted of the following fields:

  • default

    Set the default acl action if no rule match.

    Default action if rule is set but with default omitted: forbid if not specified in the rule’s doc.

  • any of the acl actions as the key str

    The value should be a valid record or a list of them, with the key string as the acl action. See detail types for the format of each record type.

The value could also be a single record or a list of them, which means only them are permitted with no log.

The default missed action is forbid and the default found action is permit, if they are not specified in the detail types.

acl rule set

yaml value: seq

Acl rule set is a group of at least 2 acl rules. The rules are matched in order, see detail types for the real order.

If any record in any rules is matched, that acl action will be used. If missed in all rules, all default missed actions will be compared and the most strict one will be used, so there is no default missed action at rule set level.

Detail Type

network acl rule

yaml value: acl rule

The record type should be ip network str.

ingress network acl rule

yaml value: network acl rule

The same type as network acl rule. Default added: permit 127.0.0.1 and ::1.

user agent acl rule

yaml value: acl rule

The record type should be a valid product string as specified in rfc7231 User-Agent.

The default missed action is permit and the default found action is forbid.