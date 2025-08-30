NVIDIA NVOS User Manual for NVLink Switches v25.02.1884

Access Control List Commands

nv show acl

nv show acl

Display all available ACLs on the system.

Syntax Description

N/A

History

25.02.1884

Example
admin@nvos:~$ nv show acl
ACL                         type   Summary
--------------------------  ----   -------------------
ACL1                        ipv4   rule: 1
Test                        ipv4   rule: 2
                                   rule: 3
                                   rule: 4
                                   ...
ACL_MGMT_INBOUND_DEFAULT    ipv6   rule: 10
                                   rule: 20
                                   rule: 30
                                   rule: 40
...
 
custom                      ipv6   rule: 5

REST API

GET https://<ip>/nvue_v1/acl

Related Commands

nv set acl

Notes

  • By default, there are ACLs configured on the system as part of the default rules. The corresponding ACL names are as follows:

    • ACL_LOOPBACK_INBOUND_CP_DEFAULT—IPv4 default rules bound to the loopback interface in the inbound control-plane direction

    • ACL_LOOPBACK_INBOUND_CP_DEFAULT_IPV6—IPv6 default rules bound to the loopback interface in the inbound control-plane direction

    • ACL_MGMT_INBOUND_CP_DEFAULT—IPv4 default rules bound to the mgmt interface in the inbound control-plane direction

    • ACL_MGMT_INBOUND_CP_DEFAULT_IPV6—IPv6 default rules bound to the mgmt interface in the inbound control-plane direction

    • ACL_MGMT_INBOUND_DEFAULT—IPv4 default rules bound to the mgmt interface in the inbound direction

    • ACL_MGMT_INBOUND_DEFAULT_IPV6—IPv6 default rules bound to the mgmt interface in the inbound direction

    • ACL_MGMT_OUTBOUND_CP_DEFAULT—IPv4 default rules bound to the mgmt interface in the outbound control-plane direction

    • ACL_MGMT_OUTBOUND_CP_DEFAULT_IPV6—IPv6 default rules bound to the mgmt interface in the outbound control-plane direction

  • Each ACL is either an IPv4 ACL or an IPv6 ACL.

nv unset acl

nv unset acl

Clear all newly configured ACLs and restore the original default ACLs.

Syntax Description

N/A

History

25.02.1884

Example
admin@nvos:~$ nv unset acl

REST API

DELETE https://<ip>/nvue_v1/acl

Related Commands

nv show acl

Notes

This command removes the modified and additional ACLs configured on the system and restores the original default ACLs.

nv show acl id

nv show acl <acl-id>

Get ACL <acl-id> information (i.e., rule-ids and the ACL type: ipv4 or ipv6).

Syntax Description

acl-id

ACL name

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_DEFAULT
      operational  applied
----  -----------  -------
type  ipv4         ipv4
 
 
 
rule
=======
    Number  Summary
    ------  --------------------------------------
    10      action:                           deny
            match.ip.protocol:                 tcp
            match.ip.tcp.all-mss-except: 536-65535

REST API

GET https://<ip>/nvue_v1/acl/<acl-id>

Related Commands

nv show acl

Notes

nv set/unset acl id

nv set acl <acl-id>

nv unset acl <acl-id>

Create a new custom ACL

Delete an existing ACL.

Syntax Description

acl-id

New, custom ACL name

History

25.02.1884

Example
admin@nvos:~$ nv set acl EXAMPLE_ACL

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/<acl-id>

Related Commands

nv show acl

Notes

  • The ACL name can be any name, but it matters later when binding multiple ACLs to the same interface in the same direction, because the ACLs' lists of rules are ordered lexicographically by ACL name.

    • For example, if ACL 'A' with 10 rules and ACL 'B' with 5 rules are bound to the same direction on the same interface, the 10 rules of ACL 'A' come before the 5 rules of ACL 'B'.

  • This command alone is not enough to apply the custom ACL. The ACL needs at least one rule and must have an IP type, either ipv4 or ipv6.

  • The unset command will not remove the specified ACL if it is bound to an interface. The user must unbind it and then use this command to delete the ACL.

  • Unsetting a default ACL restores the original list of rules of that ACL.

nv set/unset acl type

nv set acl <acl-id> type <acl-type>

nv unset acl <acl-id> type <acl-type>

Set or remove the ACL type, which marks the ACL as IPv4 or IPv6.

Syntax Description

acl-id

New, custom ACL name

acl-type

Enum: ipv4 | ipv6

History

25.02.1884

Example

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/<acl-id>/type/

Related Commands

nv show acl

Notes

Each ACL must have a type

nv show acl rule

nv show acl <acl-id> rule

Display all the rules configured on the specified ACL.

Syntax Description

acl-id

ACL name

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule
Number  Summary
------  ----------------------------------------
1       action:                              log
10      action:                             deny
        match.ip.dest-ip:            127.0.0.0/8
20      action:                           permit
30      action:                             deny
        match.ip.protocol:                   tcp
40      action:                             deny
        match.ip.protocol:                   tcp
50      action:                             deny
        match.ip.protocol:                   tcp
60      action:                             deny
        match.ip.protocol:                   tcp
70      action:                             deny
80      action:                             deny
        match.ip.protocol:                   tcp
90      action:                             deny
        match.ip.protocol:                   tcp
100     action:                             deny
110     match.ip.protocol:                   tcp

REST API

GET https://<ip>/nvue_v1/acl/<acl-id>/rule

Related Commands

nv show acl <acl-id>

Notes

nv show acl rule id

nv show acl <acl-id> rule <rule-id>

Show ACL rule <rule-id> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 10
             operational  applied
-----------  -----------  -----------
match
  ip
    dest-ip  127.0.0.0/8  127.0.0.0/8
action       deny         deny

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule

nv set acl <acl-id> rule <rule-id>

nv unset acl <acl-id> rule <rule-id>

Set/remove ACL rule <rule-id> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl user_custom_acl rule 10

REST API

PATCH https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • This command declares the specified rule in the specified ACL.

  • Declaring the rule alone is not sufficient. Packet match criteria or an action must be specified for the rule to take effect.

nv set/unset acl rule remark

nv set acl <acl-id> rule <rule-id> remark <string>

nv unset acl <acl-id> rule <rule-id> remark <string>

Set/remove ACL rule <rule-id> remark configurations (remark is the same as description).

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl user_custom_acl rule 20 remark "MY-PROTECTIVE-RULE"

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/action/deny

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

The remark acts the same as a description of a rule.

nv show acl rule action

nv show acl <acl-id> rule <rule-id> action

Show ACL rule <rule-id> action configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 10 action
operational  applied
-----------  -------
deny         deny

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/action

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule action permit

nv set acl <acl-id> rule <rule-id> action permit

nv unset acl <acl-id> rule <rule-id> action permit

Set/remove ACL rule <rule-id> action permit.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl user_custom_acl rule 10 action permit

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/action/permit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Only one action per rule can be specified.

  • Any packet matching the specified rule will be accepted by the system.

  • Leaving a rule with no action will leave any packet matching the specified rule unaffected.

nv set/unset acl rule action deny

nv set acl <acl-id> rule <rule-id> action deny

nv unset acl <acl-id> rule <rule-id> action deny

Set/remove ACL rule <rule-id> action deny.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl user_custom_acl rule 20 action deny

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/action/deny

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Only one action per rule can be specified.

  • Any packet matching the specified rule will be rejected by the system and will not be processed any further.

  • Leaving a rule with no action will leave any packet matching the specified rule unaffected.

nv set/unset acl rule action log log-prefix

nv set acl <acl-id> rule <rule-id> action log log-prefix <str>

nv unset acl <acl-id> rule <rule-id> action log log-prefix <str>

Set/remove ACL rule <rule-id> action log log-prefix <str>.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

log-prefix-str

String

History

25.02.1884

Example
admin@nvos:~$ nv set acl user_custom_acl rule 20 action log
admin@nvos:~$ nv set acl user_custom_acl rule 30 action log log-prefix "Dropped-by-custom-acl"

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/action/log

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/action/log/log-prefix/<log-prefix-str>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Only one action per rule can be specified.

  • The log-prefix can be set to an empty string.

  • Any packet matching a rule with the log action is logged to the netfilter log.

  • Leaving a rule with no action will leave any packet matching the specified rule unaffected.

nv show acl rule match

nv show acl <acl-id> rule <rule-id> match

Show ACL rule <rule-id> match configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 10 match
           operational  applied    
---------  -----------  -----------
ip
  dest-ip  127.0.0.0/8  127.0.0.0/8

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

Currently, displaying the matching criteria for the rule only contains layer 3 and 4 filtering criteria in the OSI model.

nv set/unset acl rule match

nv set acl <acl-id> rule <rule-id> match

nv unset acl <acl-id> rule <rule-id> match

Set/remove ACL rule <rule-id> match.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl user_custom_acl rule 20 match

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Leaving a rule with empty matching criteria will cause the rule to match any packet.

  • The unset form of the command will remove the match criteria of the rule.

nv show acl rule match ip

nv show acl <acl-id> rule <rule-id> match ip

Show ACL rule <rule-id> match IP configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 10 match ip
           operational  applied    
---------  -----------  -----------
dest-ip    127.0.0.0/8  127.0.0.0/8

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

Displays the matching IP criteria for the rule.

nv set/unset acl rule match ip

nv set acl <acl-id> rule <rule-id> match ip

nv unset acl <acl-id> rule <rule-id> match ip

Set/remove ACL rule <rule-id> match ip configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv unset acl user_custom_acl rule 20 match ip

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Leaving a rule with empty IP matching criteria will cause the rule to match any packet.

  • The unset command will remove the IP match criteria of the rule.

nv show acl rule match ip udp

nv show acl <acl-id> rule <rule-id> match ip udp

Show ACL rule <rule-id> match IP UDP configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 650 match ip udp
             operational  applied
-----------  -----------  -------
[dest-port]  53           53

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/udp

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Display the matching UDP IP criteria for the rule.

  • The output primarily contains either the source port or destination port.

nv show acl rule match ip udp dest-port

nv show acl <acl-id> rule <rule-id> match ip udp dest-port

Show ACL rule <rule-id> match IP UDP dest-port configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl custom-acl rule 650 match ip udp dest-port
Ports
-----
53
22

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/udp/dest-port

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The command displays the matching dest-port of UDP IP criteria for the rule.

  • The rule can have more than one dest-port configured.

nv set/unset acl rule match ip udp dest-port

nv set acl <acl-id> rule <rule-id> match ip udp dest-port <port-num>

nv unset acl <acl-id> rule <rule-id> match ip udp dest-port <port-num>

Configure/remove ACL rule <rule-id> match IP UDP dest-port <port-num> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

port-num

IP port ID (integer: 0–65535 | enum: ANY, bootpc, bootps, clag, dhcp-client, dhcp-server, domain, ftp, http, https, imap2, ldap, ldaps, ntp, msdp, pop3, smtp, snmp, snmp-trap, ssh, telnet, tftp | ip-port-range)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip udp dest-port 22
admin@nvos:~$ nv set acl custom-acl rule 650 match ip udp dest-port 53

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/udp/dest-port/<port-num>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The rule can have more than one dest-port configured.

  • A rule cannot be configured with more than one source port and more than one dest-port at the same time. For example, the user cannot configure ports 22, 53 on the dest-port and 1813 on the source-port, but can configure 22 on dest-port and 1813 on source-port.

  • The user can configure more than one port on dest-port or source-port.

nv show acl rule match ip udp source-port

nv show acl <acl-id> rule <rule-id> match ip udp source-port

Show ACL rule <rule-id> match IP UDP source-port configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl custom-acl rule 650 match ip udp source-port
Ports
-----
53
22

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/udp/source-port

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Display the matching source-port of UDP IP criteria for the rule.

  • The rule can have more than one source-port configured.

nv set/unset acl rule match ip udp source-port

nv set acl <acl-id> rule <rule-id> match ip udp source-port <port-num>

nv unset acl <acl-id> rule <rule-id> match ip udp source-port <port-num>

Configure/remove ACL rule <rule-id> match IP UDP source-port <port-num> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

port-num

IP port ID (integer: 0–65535 | enum: ANY, bootpc, bootps, clag, dhcp-client, dhcp-server, domain, ftp, http, https, imap2, ldap, ldaps, ntp, msdp, pop3, smtp, snmp, snmp-trap, ssh, telnet, tftp | ip-port-range)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip udp source-port 22
admin@nvos:~$ nv set acl custom-acl rule 650 match ip udp source-port 53

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/udp/source-port/<port-num>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The rule can have more than one source-port configured.

  • A rule cannot be configured with more than one source port and more than one dest-port at the same time. For example, the user cannot configure ports 22, 53 on the dest-port and 1813 on the source-port, but can configure 22 on dest-port and 1813 on source-port.

  • The user can configure more than one port on dest-port or source-port.

nv show acl rule match ip tcp

nv show acl <acl-id> rule <rule-id> match ip tcp

Show ACL rule <rule-id> match ip tcp configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 650 match ip tcp
             operational  applied
-----------  -----------  -------
[dest-port]  53           53
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_DEFAULT rule 10 match ip tcp
                operational  applied   
--------------  -----------  --------- 
all-mss-except  536-65535    536-65535 

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Display the matching TCP IP criteria for the rule.

  • The output primarily contains any of the source-port, dest-port, flags, mask, mss, all-mss-except.

nv show acl rule match ip tcp dest-port

nv show acl <acl-id> rule <rule-id> match ip tcp dest-port

Show ACL rule <rule-id> match IP TCP dest-port configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl custom-acl rule 650 match ip tcp dest-port
Ports
-----
53
22

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/dest-port

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Display the matching dest-port of TCP IP criteria for the rule.

  • The rule can have more than one dest-port configured.

nv set/unset acl rule match ip tcp dest-port

nv set acl <acl-id> rule <rule-id> match ip tcp dest-port <port-num>

nv unset acl <acl-id> rule <rule-id> match ip tcp dest-port <port-num>

Configure/remove ACL rule <rule-id> match ip tcp dest-port <port-num> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

port-num

IP port ID (integer: 0–65535 | enum: ANY, bootpc, bootps, clag, dhcp-client, dhcp-server, domain, ftp, http, https, imap2, ldap, ldaps, ntp, msdp, pop3, smtp, snmp, snmp-trap, ssh, telnet, tftp | ip-port-range)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp dest-port 22
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp dest-port 53

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/dest-port/<port-num>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The rule can have more than one dest-port configured.

  • A rule cannot be configured with more than one source port and more than one dest-port at the same time. For example, the user cannot configure ports 22, 53 on the dest-port and 1813 on the source-port, but can configure 22 on dest-port and 1813 on source-port.

  • The user can configure more than one port on dest-port or source-port.

nv show acl rule match ip tcp source-port

nv show acl <acl-id> rule <rule-id> match ip tcp source-port

Show ACL rule <rule-id> match IP TCP source-port configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl custom-acl rule 650 match ip tcp source-port
Ports
-----
53
22

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/source-port

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Display the matching source-port of TCP IP criteria for the rule.

  • The rule can have more than one source-port configured.

nv set/unset acl rule match ip tcp source-port

nv set acl <acl-id> rule <rule-id> match ip tcp source-port <port-num>

nv unset acl <acl-id> rule <rule-id> match ip tcp source-port <port-num>

Configure/remove ACL rule <rule-id> match ip tcp source-port <port-num> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

port-num

IP port ID (integer: 0–65535 | enum: ANY, bootpc, bootps, clag, dhcp-client, dhcp-server, domain, ftp, http, https, imap2, ldap, ldaps, ntp, msdp, pop3, smtp, snmp, snmp-trap, ssh, telnet, tftp | ip-port-range)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp source-port 22
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp source-port 53

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/source-port/<port-num>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The rule can have more than one source-port configured.

  • A rule cannot be configured with more than one source port and more than one dest-port at the same time. For example, the user cannot configure ports 22, 53 on the dest-port and 1813 on the source-port, but can configure 22 on dest-port and 1813 on source-port.

  • The user can configure more than one port on dest-port or source-port.

nv show acl rule match ip tcp flags

nv show acl <acl-id> rule <rule-id> match ip tcp flags

Show ACL rule <rule-id> match ip tcp flags configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 60 match ip tcp flags  -o json
{
  "none": {}
}

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/flags

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip tcp flags

nv set acl <acl-id> rule <rule-id> match ip tcp flags (syn | ack | fin | rst | urg | psh | all | none)

nv unset acl <acl-id> rule <rule-id> match ip tcp flags (syn | ack | fin | rst | urg | psh | all | none)

Configure/remove ACL rule <rule-id> match ip tcp flags <flag-id> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

flag-id

enum: (syn | ack | fin | rst | urg | psh | all | none)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp flags all
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp flags urg
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp flags psh
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp flags syn

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/flags/<flag-id>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The user can configure multiple flags that are not 'none' or 'all'.

  • The flag configurations must come with TCP mask configurations.

nv show acl rule match ip tcp mask

nv show acl <acl-id> rule <rule-id> match ip tcp mask

Show ACL rule <rule-id> match IP TCP mask configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT rule 60 match ip tcp mask  -o json
{
  "ack": {},
  "fin": {},
  "rst": {},
  "syn": {}
}

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/mask

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip tcp mask

nv set acl <acl-id> rule <rule-id> match ip tcp mask (syn | ack | fin | rst | urg | psh | all | none)

nv unset acl <acl-id> rule <rule-id> match ip tcp mask (syn | ack | fin | rst | urg | psh | all | none)

Configure/remove ACL rule <rule-id> match ip tcp mask <flag-id> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

flag-id

enum: (syn | ack | fin | rst | urg | psh | all | none)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp mask all
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp mask urg
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp mask psh
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp mask syn

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/flags/<flag-id>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The user can configure multiple flags that are not 'none' or 'all'.

  • The flag configurations must come with TCP mask configurations.
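
The notes in the sections above put several constraints on an ACL: it needs a type and at least one rule, a rule takes one action, TCP flags need a mask, and source-port/dest-port lists are limited. The Python check below is an added example, not part of the NVOS manual or any NVIDIA tooling; it lints a batch of `nv set acl` commands against those notes before the batch is applied. The batch and its ACL names are constructed, the finding names are made up for this example, and the port check follows the page's worked example (22 and 53 on dest-port together with 1813 on source-port is rejected).

```python
import shlex

# Constructed batch in the page's `nv set acl` syntax; the ACL names are made up.
SAMPLE_BATCH = """\
nv set acl demo_acl type ipv4
nv set acl demo_acl rule 10 match ip tcp dest-port 22
nv set acl demo_acl rule 10 match ip tcp dest-port 53
nv set acl demo_acl rule 10 match ip tcp source-port 1813
nv set acl demo_acl rule 10 action deny
nv set acl demo_acl rule 20 match ip tcp flags syn
nv set acl demo_acl rule 20 action permit
nv set acl demo_acl rule 20 action deny
nv set acl demo_acl rule 30 remark "MY-PROTECTIVE-RULE"
nv set acl untyped_acl rule 10 action deny
nv set acl empty_acl type ipv6
"""


def new_rule():
    return {"actions": set(), "criteria": 0, "ports": {},
            "flags": set(), "mask": set()}


def parse_batch(text):
    """Collect per-ACL and per-rule state from `nv set acl ...` lines."""
    acls = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[:3] != ["nv", "set", "acl"]:
            continue  # not an ACL configuration command
        acl = acls.setdefault(tok[3], {"type": None, "rules": {}})
        rest = tok[4:]
        if len(rest) == 2 and rest[0] == "type":
            acl["type"] = rest[1]
        elif len(rest) >= 2 and rest[0] == "rule":
            rule = acl["rules"].setdefault(int(rest[1]), new_rule())
            args = rest[2:]
            if len(args) >= 2 and args[0] == "action":
                rule["actions"].add(args[1])
            elif len(args) >= 3 and args[:2] == ["match", "ip"]:
                rule["criteria"] += 1
                crit = args[2:]
                if len(crit) == 3 and crit[1] in ("dest-port", "source-port"):
                    rule["ports"].setdefault((crit[0], crit[1]), set()).add(crit[2])
                elif len(crit) == 3 and crit[:2] == ["tcp", "flags"]:
                    rule["flags"].add(crit[2])
                elif len(crit) == 3 and crit[:2] == ["tcp", "mask"]:
                    rule["mask"].add(crit[2])
    return acls


def lint(acls):
    """Return (acl, rule_id_or_None, finding) tuples for the page's constraints."""
    findings = []
    for name, acl in acls.items():
        if acl["type"] is None:
            findings.append((name, None, "no-type"))       # each ACL must have a type
        if not acl["rules"]:
            findings.append((name, None, "no-rules"))      # needs at least one rule
        for rid, rule in sorted(acl["rules"].items()):
            if len(rule["actions"]) > 1:
                findings.append((name, rid, "multiple-actions"))
            if not rule["actions"]:
                findings.append((name, rid, "no-action"))  # packets left unaffected
            elif rule["criteria"] == 0:
                findings.append((name, rid, "matches-any-packet"))
            if rule["flags"] and not rule["mask"]:
                findings.append((name, rid, "flags-without-mask"))
            for proto in ("tcp", "udp"):
                dst = rule["ports"].get((proto, "dest-port"), set())
                src = rule["ports"].get((proto, "source-port"), set())
                # Both sides set: each side may then hold only one port.
                if dst and src and (len(dst) > 1 or len(src) > 1):
                    findings.append((name, rid, "multi-port-on-both-sides"))
    return findings


if __name__ == "__main__":
    for acl_name, rule_id, finding in lint(parse_batch(SAMPLE_BATCH)):
        where = acl_name if rule_id is None else f"{acl_name} rule {rule_id}"
        print(f"{where}: {finding}")
```
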

nv set/unset acl rule match ip tcp mss

nv set acl <acl-id> rule <rule-id> match ip tcp mss <mss-format>

nv unset acl <acl-id> rule <rule-id> match ip tcp mss <mss-format>

Configure/remove ACL rule <rule-id> match ip tcp mss configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

mss-format

tcpmss value could be an integer or a range.

Examples: "0-1", "536-65535", "65000", "128"

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp mss 536
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp mss 536-65535

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/mss/<mss-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

The command will match TCP packets with the specified MSS values.

nv set/unset acl rule match ip tcp all-mss-except

nv set acl <acl-id> rule <rule-id> match ip tcp all-mss-except <mss-format>

nv unset acl <acl-id> rule <rule-id> match ip tcp all-mss-except <mss-format>

Configure/remove ACL rule <rule-id> match ip tcp all-mss-except configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

mss-format

tcpmss value could be an integer or a range.

Examples: "0-1", "536-65535", "65000", "128"

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip tcp all-mss-except 536
admin@nvos:~$ nv set acl custom-acl rule 660 match ip tcp all-mss-except 536-65535

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/tcp/all-mss-except/<mss-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

The command will match all TCP packets with MSS value different than the specified MSS values.
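
The flags/mask pair and the mss/all-mss-except pair above are easier to reason about when evaluated against concrete packets. The following Python model is an added example, not NVOS code: it applies the criteria shown in the page's output for ACL_MGMT_INBOUND_CP_DEFAULT rule 60 (mask ack, fin, rst, syn; flags none) and ACL_MGMT_INBOUND_DEFAULT rule 10 (all-mss-except 536-65535) to constructed packets. It assumes the mask selects which TCP flag bits are examined and flags lists which of those must be set, which the page does not spell out, and it only models packets that carry an MSS value.

```python
# Bit positions of the six flags in the TCP header's flags byte.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}
ALL_FLAGS = 0x3F


def flag_set_to_bits(names):
    """Convert flag-id values (syn, ack, ..., all, none) to a bit mask."""
    bits = 0
    for name in names:
        if name == "all":
            bits |= ALL_FLAGS
        elif name != "none":
            bits |= TCP_FLAG_BITS[name]
    return bits


def tcp_flags_match(packet_flags, mask, flags):
    """Assumed semantics: look only at the bits named in `mask`; of those,
    exactly the bits named in `flags` must be set."""
    return (packet_flags & flag_set_to_bits(mask)) == flag_set_to_bits(flags)


def parse_mss_format(text):
    """Parse an mss-format such as '536' or '536-65535' into (low, high)."""
    low, sep, high = text.partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid mss-format: {text!r}")
    return lo, hi


def mss_match(packet_mss, mss_format):
    """`match ip tcp mss`: the packet's MSS is inside the value or range."""
    lo, hi = parse_mss_format(mss_format)
    return lo <= packet_mss <= hi


def all_mss_except_match(packet_mss, mss_format):
    """`match ip tcp all-mss-except`: the packet's MSS is outside it."""
    return not mss_match(packet_mss, mss_format)


# Criteria taken from the example output on this page.
RULE_60_TCP = {"mask": {"ack", "fin", "rst", "syn"}, "flags": {"none"}}
RULE_10_ALL_MSS_EXCEPT = "536-65535"

# Constructed sample packets: (label, TCP flags byte, MSS value).
SAMPLE_PACKETS = [
    ("plain SYN, MSS 1460", 0x02, 1460),
    ("SYN with tiny MSS 48", 0x02, 48),
    ("PSH+URG only, MSS 1460", 0x28, 1460),
    ("SYN+ACK, MSS 536", 0x12, 536),
]


def evaluate(packets):
    """Return {label: (matches rule 60 criteria, matches rule 10 criteria)}."""
    results = {}
    for label, flags_byte, mss in packets:
        results[label] = (
            tcp_flags_match(flags_byte, RULE_60_TCP["mask"], RULE_60_TCP["flags"]),
            all_mss_except_match(mss, RULE_10_ALL_MSS_EXCEPT),
        )
    return results


if __name__ == "__main__":
    for label, (rule_60, rule_10) in evaluate(SAMPLE_PACKETS).items():
        print(f"{label}: flags/mask match={rule_60}, all-mss-except match={rule_10}")
```
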

nv set/unset acl rule match ip fragment

nv set acl <acl-id> rule <rule-id> match ip fragment

nv unset acl <acl-id> rule <rule-id> match ip fragment

Configure/remove ACL rule <rule-id> match IP fragment configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip fragment

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/fragment

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

Match fragmented packets.

nv show acl rule match ip ecn

nv show acl <acl-id> rule <rule-id> match ip ecn

Show ACL rule <rule-id> match IP ECN configuration.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl b rule 1 match ip ecn
        operational  applied
------  -----------  -------
ip-ect  3            3

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/ecn

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip ecn

nv set acl <acl-id> rule <rule-id> match ip ecn

nv unset acl <acl-id> rule <rule-id> match ip ecn

Configure/remove ACL rule <rule-id> match IP ECN configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv unset acl custom-acl rule 650 match ip ecn

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/ecn

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip ecn ip-ect

nv set acl <acl-id> rule <rule-id> match ip ecn ip-ect <ip-ect-num>

nv unset acl <acl-id> rule <rule-id> match ip ecn ip-ect <ip-ect-num>

Configure/remove ACL rule <rule-id> match IP ECN ip-ect configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

ip-ect

ip-ect (integer: 0-3)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip ecn ip-ect 0

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/ecn/ip-ect

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip ecn flags

nv set acl <acl-id> rule <rule-id> match ip ecn flags <ecn-flag>

nv unset acl <acl-id> rule <rule-id> match ip ecn flags <ecn-flag>

Configure/remove ACL rule <rule-id> match IP ECN flags <ecn-flag> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

ecn-flag

enum: tcp-cwr | tcp-ece

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 650 match ip ecn flags tcp-cwr

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/ecn/flags/<flag-id>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv show acl rule match ip connection-state

nv show acl <acl-id> rule <rule-id> match ip connection-state

Show ACL rule <rule-id> match IP connection-state configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_OUTBOUND_CP_DEFAULT_IPV6 rule 10 match ip connection-state -o json
{
  "related": {},
  "new": {}
}

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/connection-state

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip connection-state

nv set acl <acl-id> rule <rule-id> match ip connection-state <state-id>

nv unset acl <acl-id> rule <rule-id> match ip connection-state <state-id>

Configure/remove ACL rule <rule-id> match IP connection-state <state-id> configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

state-id

state-id can be: established, invalid, new, related

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip connection-state new

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/connection-state

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

Multiple connection-states can be configured.

nv show acl rule match ip extension-header

nv show acl <acl-id> rule <rule-id> match ip extension-header

Show ACL rule <rule-id> match IP extension-header configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL1 rule 1 match ip extension-header
                        operational                applied
---------------------   -------------------------  ------------------------
type                    hop-by-hop                 hop-by-hop

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/extension-header

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip extension-header type

nv set acl <acl-id> rule <rule-id> match ip extension-header type <hop-by-hop>

nv unset acl <acl-id> rule <rule-id> match ip extension-header type <hop-by-hop>

Configure/remove ACL rule <rule-id> match IP extension-header configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip extension-header type hop-by-hop

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/extension-header/type/<type>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • This configuration is relevant to IPv6 ACLs only.

  • Matches '-m hbh' in ip6tables tool

nv show acl rule match ip routing-header

nv show acl <acl-id> rule <rule-id> match ip routing-header

Show ACL rule <rule-id> match ip routing-header configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT_IPV6 rule 850 match ip routing-header
      operational  applied
----  -----------  -------
type  0            0

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/routing-header

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl ACL rule match ip routing-header type

nv set acl <acl-id> rule <rule-id> match ip routing-header type <type>

nv unset acl <acl-id> rule <rule-id> match ip routing-header type <type>

Configure/remove ACL rule <rule-id> match ip routing-header configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip routing-header type 0

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/routing-header/type/<type>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • This configuration is relevant to IPv6 ACLs only.

  • Matches '-m rt' in ip6tables tool

nv set/unset acl ACL rule match ip source-ip

nv set acl <acl-id> rule <rule-id> match ip source-ip <ip-format>

nv unset acl <acl-id> rule <rule-id> match ip source-ip <ip-format>

Configure/remove ACL rule <rule-id> match ip source-ip configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

source-ip

(ANY | <ipv4> | <ipv6> | <ipv4-prefix> | <ipv6-prefix> | <ipv4-netmask> | <ipv6-netmask>)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip source-ip 127.0.0.1/8

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/source-ip/<ip-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

An IPv4 address cannot be configured on an IPv6 ACL, and vice versa.

nv set/unset acl ACL rule match ip dest-ip

nv set acl <acl-id> rule <rule-id> match ip dest-ip <ip-format>

nv unset acl <acl-id> rule <rule-id> match ip dest-ip <ip-format>

Configure/remove ACL rule <rule-id> match ip dest-ip configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

dest-ip

(ANY | <ipv4> | <ipv6> | <ipv4-prefix> | <ipv6-prefix> | <ipv4-netmask> | <ipv6-netmask>)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip dest-ip 127.0.0.1/8

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/dest-ip/<ip-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

An IPv4 address cannot be configured on an IPv6 ACL, and vice versa.

nv set/unset acl rule match ip protocol

nv set acl <acl-id> rule <rule-id> match ip protocol <protocol-format>

nv unset acl <acl-id> rule <rule-id> match ip protocol <protocol-format>

Configure/remove ACL rule <rule-id> match IP protocol configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

protocol-format

(0-255 | tcp | udp | icmp | icmpv6)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip protocol tcp

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/protocol/<protocol-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv set/unset acl rule match ip icmp-type

nv set acl <acl-id> rule <rule-id> match ip icmp-type <icmp-format>

nv unset acl <acl-id> rule <rule-id> match ip icmp-type <icmp-format>

Configure/remove ACL rule <rule-id> match IP ICMP-type configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

icmp-format

(0-255 | echo-reply | echo-request | time-exceeded | dest-unreachable | port-unreachable)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip icmp-type echo-reply
admin@nvos:~$ nv set acl custom-acl rule 10 match ip icmp-type 9

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/icmp-type/<icmp-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The protocol must be specified to be ICMP

    $ nv set acl custom-acl rule 10 match ip protocol icmp

  • IPv4 type must be specified for the configured ACL.

nv set/unset acl rule match ip icmpv6-type

nv set acl <acl-id> rule <rule-id> match ip icmpv6-type <icmpv6-format>

nv unset acl <acl-id> rule <rule-id> match ip icmpv6-type <icmpv6-format>

Configure/remove ACL rule <rule-id> match IP ICMPv6-type configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

icmpv6-format

(0-255 | router-solicitation | router-advertisement | neighbor-solicitation | neighbor-advertisement)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip icmpv6-type router-solicitation
admin@nvos:~$ nv set acl custom-acl rule 10 match ip icmpv6-type 9

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/icmpv6-type/<icmpv6-format>

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • The protocol must be specified to be ICMPv6.

    $ nv set acl custom-acl rule 10 match ip protocol icmpv6

  • IPv6 type must be specified for the configured ACL.

nv show acl rule match ip recent-list

nv show acl <acl-id> rule <rule-id> match ip recent-list

Show ACL rule <rule-id> match ip recent-list configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT_IPV6 rule 600 match ip recent-list
                 operational  applied
---------------  -----------  -------
name             UDP          UDP
update-interval  60           60
hit-count        100          100
action           update       update

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/recent-list

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'recent' iptables module.

  • Used to filter IP addresses that exceed a specific rate.

    In the above example, the rate is 100 packets per 60 seconds; if a source IP sends more than this rate, the IP address will be blocked.

nv set/unset acl rule match ip recent-list name

nv set acl <acl-id> rule <rule-id> match ip recent-list name <generic-name>

nv unset acl <acl-id> rule <rule-id> match ip recent-list name <generic-name>

Configure/remove ACL rule <rule-id> match IP recent-list name configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip recent-list name "EXAMPLE"

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/recent-list

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • In order to configure recent-list, the user needs to configure action and name for the recent-list

    • For action set: configure name and action=set

    • For action update: configure name and action=update, hit-count and update-interval

  • There can be multiple recent-lists in the system and each is distinguished by a name.

  • Refer to the documentation of 'recent' in 'iptables' for further information.

nv set/unset acl rule match ip recent-list action

nv set acl <acl-id> rule <rule-id> match ip recent-list action (set | update)

nv unset acl <acl-id> rule <rule-id> match ip recent-list action (set | update)

Configure/remove ACL rule <rule-id> match IP recent-list action configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip recent-list action update

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/recent-list

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • In order to configure recent-list, the user needs to configure action and name for the recent-list

    • For action set: configure name and action=set

    • For action update: configure name and action=update, hit-count and update-interval

  • There can be multiple recent-lists in the system and each is distinguished by a name.

  • Refer to the documentation of 'recent' in 'iptables' for further information.

nv set/unset acl rule match ip recent-list hit-count

nv set acl <acl-id> rule <rule-id> match ip recent-list hit-count (1-4294967295)

nv unset acl <acl-id> rule <rule-id> match ip recent-list hit-count (1-4294967295)

Configure/remove ACL rule <rule-id> match ip recent-list hit-count configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip recent-list hit-count 100

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/recent-list

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • In order to configure recent-list, the user needs to configure action and name for the recent-list

    • For action set: configure name and action=set

    • For action update: configure name and action=update, hit-count and update-interval

  • There can be multiple recent-lists in the system and each is distinguished by a name.

  • Refer to the documentation of 'recent' in 'iptables' for further information.

nv set/unset acl rule match ip recent-list update-interval

nv set acl <acl-id> rule <rule-id> match ip recent-list update-interval (1-4294967295)

nv unset acl <acl-id> rule <rule-id> match ip recent-list update-interval (1-4294967295)

Configure/remove ACL rule <rule-id> match ip recent-list update-interval configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip recent-list update-interval 60

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/recent-list

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • In order to configure recent-list, the user needs to configure action and name for the recent-list

    • For action set: configure name and action=set

    • For action update: configure name and action=update, hit-count and update-interval

  • There can be multiple recent-lists in the system and each is distinguished by a name.

  • Refer to the documentation of 'recent' in 'iptables' for further information.

nv show acl rule match ip hashlimit

nv show acl <acl-id> rule <rule-id> match ip hashlimit

Show ACL rule <rule-id> match ip hashlimit configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv show acl ACL_MGMT_INBOUND_CP_DEFAULT_IPV6 rule 870 match ip hashlimit
             operational  applied
-----------  -----------  ----------
name         LOGGING      LOGGING
rate-above   1/min        1/min
burst        5            5
source-mask  128          128
expire       4294967295   4294967295
mode         src-ip       src-ip

REST API

GET https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • This is another way to filter IP addresses.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit name

nv set acl <acl-id> rule <rule-id> match ip hashlimit name <generic-name>

nv unset acl <acl-id> rule <rule-id> match ip hashlimit name <generic-name>

Configure/remove ACL rule <rule-id> match IP hashlimit name configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit name "Limiter"

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit rate-above

nv [un]set acl <acl-id> rule <rule-id> match ip hashlimit rate-above <rate-format>

Configure/remove ACL rule <rule-id> match IP hashlimit rate-above configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

rate-format

Rate limit, in the format integer/time-unit, where time-unit is one of [second | min | hour]. The max supported rate is 1000000/second.

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit rate-above 2/min

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit burst

nv [un]set acl <acl-id> rule <rule-id> match ip hashlimit burst <burst-int>

Configure/remove ACL rule <rule-id> match IP hashlimit burst configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

burst-int

integer:1–4294967295

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit burst 5

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit expire

nv [un]set acl <acl-id> rule <rule-id> match ip hashlimit expire <expire-int>

Configure/remove ACL rule <rule-id> match IP hashlimit expire configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

expire-int

integer:1–4294967295

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit expire 3

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit mode

nv set acl <acl-id> rule <rule-id> match ip hashlimit mode <mode>

nv unset acl <acl-id> rule <rule-id> match ip hashlimit mode <mode>

Configure/remove ACL rule <rule-id> match IP hashlimit mode configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

mode

(enum:src-ip, dst-ip | string)

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit mode src-ip

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit destination-mask

nv set acl <acl-id> rule <rule-id> match ip hashlimit destination-mask <mask>

nv unset acl <acl-id> rule <rule-id> match ip hashlimit destination-mask <mask>

Configure/remove ACL rule <rule-id> match IP hashlimit destination-mask configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

mask

integer: for ipv4 the range is 0-32 and for ipv6 the range is 0-128

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit destination-mask 32

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.

nv set/unset acl rule match ip hashlimit source-mask

nv set acl <acl-id> rule <rule-id> match ip hashlimit source-mask <mask>

nv unset acl <acl-id> rule <rule-id> match ip hashlimit source-mask <mask>

Configure/remove ACL rule <rule-id> match ip hashlimit source-mask configurations.

Syntax Description

acl-id

ACL name

rule-id

Rule number (integer: 1–65535)

mask

Integer:

IPv4 range: 0–32

IPv6 range: 0–128

History

25.02.1884

Example
admin@nvos:~$ nv set acl custom-acl rule 10 match ip hashlimit source-mask 32

REST API

PATCH/DELETE https://<ip>/nvue_v1/acl/{acl-id}/rule/{rule-id}/match/ip/hashlimit

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

  • Matches the 'hashlimit' iptables module.

  • The following properties are required for configuration: name, rate-above, burst, expire, mode.
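
The constraints stated in the recent-list and hashlimit entries above (required properties, value ranges, the rate format) can be checked before a rule is pushed through the CLI or REST API. The following is an added example, not NVOS code: the function names are hypothetical, and it assumes the properties are held in a Python dict keyed by the names shown in the `nv show` output, that the ACL type is the `ipv4`/`ipv6` string shown by `nv show acl`, and that the 1000000/second cap applies after converting `min` and `hour` rates to per-second.

```python
import re

U32_MAX = 4294967295             # upper bound given for burst, expire, hit-count, update-interval
MAX_RATE_PER_SECOND = 1_000_000  # "The max supported rate is 1000000/second"
SECONDS_PER_UNIT = {"second": 1, "min": 60, "hour": 3600}
RATE_RE = re.compile(r"(\d+)/(second|min|hour)")
HASHLIMIT_REQUIRED = ("name", "rate-above", "burst", "expire", "mode")
MASK_MAX = {"ipv4": 32, "ipv6": 128}  # mask range depends on the ACL type


def _int_in_range(value, low, high):
    # bool is a subclass of int in Python, so reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def validate_hashlimit(props, acl_type):
    """Return a list of problems in a hashlimit property dict (empty list = OK)."""
    errors = [f"missing required property: {key}"
              for key in HASHLIMIT_REQUIRED if key not in props]

    if "rate-above" in props:
        match = RATE_RE.fullmatch(str(props["rate-above"]))
        if match is None:
            errors.append("rate-above: expected integer/time-unit "
                          "with time-unit second, min or hour")
        else:
            count, unit = int(match.group(1)), match.group(2)
            # Assumption: the cap is compared after normalising to per-second.
            if count > MAX_RATE_PER_SECOND * SECONDS_PER_UNIT[unit]:
                errors.append("rate-above: exceeds the maximum of 1000000/second")

    for key in ("burst", "expire"):
        if key in props and not _int_in_range(props[key], 1, U32_MAX):
            errors.append(f"{key}: expected integer 1-{U32_MAX}")

    for key in ("source-mask", "destination-mask"):
        if key in props and not _int_in_range(props[key], 0, MASK_MAX[acl_type]):
            errors.append(f"{key}: expected integer 0-{MASK_MAX[acl_type]} "
                          f"for an {acl_type} ACL")
    return errors


def validate_recent_list(props):
    """Return a list of problems in a recent-list property dict (empty list = OK)."""
    errors = []
    if "name" not in props:
        errors.append("missing required property: name")
    action = props.get("action")
    if action not in ("set", "update"):
        errors.append("action: expected set or update")
    if action == "update":
        # Action update additionally needs hit-count and update-interval.
        for key in ("hit-count", "update-interval"):
            if key not in props:
                errors.append(f"missing required property for action update: {key}")
            elif not _int_in_range(props[key], 1, U32_MAX):
                errors.append(f"{key}: expected integer 1-{U32_MAX}")
    return errors


if __name__ == "__main__":
    # Values taken from the rule 870 example output shown earlier on this page.
    rule_870 = {"name": "LOGGING", "rate-above": "1/min", "burst": 5,
                "source-mask": 128, "expire": 4294967295, "mode": "src-ip"}
    print(validate_hashlimit(rule_870, "ipv6"))
    print(validate_hashlimit({"name": "Limiter", "rate-above": "2/minute"}, "ipv4"))
    print(validate_recent_list({"name": "EXAMPLE", "action": "update"}))
```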

nv show interface acl

nv show interface <iface-id> acl

Display the ACLs bound to the interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl
ACL Name                           Rule ID  In Packets  In Bytes  Out Packets  Out Bytes
---------------------------------  -------  ----------  --------  -----------  ---------
ACL_MGMT_INBOUND_CP_DEFAULT        1        15620       2481722
                                   10       0           0
                                   20       14437       1118906
                                   30       0           0
...
                                   740      0           0
                                   750      0           0
                                   760      28          2352
                                   770      0           0
                                   780      0           0
ACL_MGMT_INBOUND_CP_DEFAULT_IPV6   10       0           0
                                   20       0           0
                                   30       0           0
...
                                   800      0           0
                                   810      0           0
                                   820      0           0
                                   830      0           0
                                   840      0           0
                                   850      0           0
                                   860      0           0
                                   870      0           0
                                   880      0           0
ACL_MGMT_INBOUND_DEFAULT           10       5           296
ACL_MGMT_INBOUND_DEFAULT_IPV6      10       0           0
ACL_MGMT_OUTBOUND_CP_DEFAULT       10                             0            0
                                   20                             9750         1885408
ACL_MGMT_OUTBOUND_CP_DEFAULT_IPV6  10                             45           4680
                                   20                             160          13308

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes
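
To pick out the rules that are actually seeing traffic, the fixed-width table printed by this command can be parsed by column offset. This is an added example, not NVIDIA tooling: the function names are hypothetical, and the sample text is a subset of the example output above, embedded inline.

```python
import re

# Constructed sample: selected rows of the example output for
# `nv show interface eth0 acl` shown on this page.
SAMPLE = """\
ACL Name                           Rule ID  In Packets  In Bytes  Out Packets  Out Bytes
---------------------------------  -------  ----------  --------  -----------  ---------
ACL_MGMT_INBOUND_CP_DEFAULT        1        15620       2481722
                                   10       0           0
...
                                   760      28          2352
ACL_MGMT_INBOUND_DEFAULT           10       5           296
ACL_MGMT_OUTBOUND_CP_DEFAULT       10                             0            0
                                   20                             9750         1885408
"""

FIELDS = ("acl", "rule", "in_packets", "in_bytes", "out_packets", "out_bytes")


def parse_acl_counters(text):
    """Parse the table into one dict per rule; empty cells become None."""
    lines = text.splitlines()
    # The dashed ruler under the header gives the start offset of every column.
    ruler = next(i for i, line in enumerate(lines)
                 if line.startswith("-") and set(line) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    if len(starts) != len(FIELDS):
        raise ValueError("unexpected column layout")

    rows, current_acl = [], None
    for line in lines[ruler + 1:]:
        if not line.strip() or line.strip() == "...":
            continue  # skip blank lines and the elision marker
        row = dict.fromkeys(FIELDS)
        # Cells are left-aligned under their header, so each token belongs
        # to the column whose start offset is closest to the token's offset.
        for tok in re.finditer(r"\S+", line):
            col = min(range(len(starts)), key=lambda i: abs(starts[i] - tok.start()))
            row[FIELDS[col]] = tok.group()
        # Continuation rows leave the ACL name blank: carry the last one forward.
        current_acl = row["acl"] or current_acl
        row["acl"] = current_acl
        for key in FIELDS[1:]:
            row[key] = int(row[key]) if row[key] is not None else None
        rows.append(row)
    return rows


def rules_with_hits(rows):
    """Return (acl, rule) pairs whose inbound or outbound packet counter is non-zero."""
    return [(r["acl"], r["rule"]) for r in rows
            if (r["in_packets"] or 0) + (r["out_packets"] or 0) > 0]


if __name__ == "__main__":
    for acl, rule in rules_with_hits(parse_acl_counters(SAMPLE)):
        print(acl, rule)
```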

nv show interface acl id

nv show interface <iface-id> acl <acl-id>

Display the given acl-id bound to the interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl ACL_MGMT_OUTBOUND_CP_DEFAULT
Statistics
=============
    Rule  In Packet  In Byte  Out Packet  Out Byte  Layer  Remark  Action  Summary
    ----  ---------  -------  ----------  --------  -----  ------  ------  -------
    10                        0           0         ip             deny
    20                        9767        1902332                  permit

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv show interface acl statistics

nv show interface <iface-id> acl <acl-id> statistics

Display the given acl-id statistics bound to the interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl ACL_MGMT_OUTBOUND_CP_DEFAULT statistics  
 
Rule  In Packet  In Byte  Out Packet  Out Byte  Layer  Remark  Action  Summary
----  ---------  -------  ----------  --------  -----  ------  ------  -------
10                        0           0         ip             deny
20                        9767        1902332                  permit

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/statistics

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv show interface acl statistics

nv show interface <iface-id> acl <acl-id> statistics <rule-id>

Display the given acl-id statistics bound to the interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl ACL_MGMT_INBOUND_DEFAULT statistics 10
                      operational  applied
--------------------  -----------  -------
match
  ip
    protocol          tcp
    tcp
      all-mss-except  536-65535
action                deny
inbound
  packet              5
  byte                296

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/statistics/{rule-id}

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

nv show interface acl outbound

nv show interface <iface-id> acl <acl-id> outbound

Display the given acl-id bound to the interface in the outbound direction.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl ACL_MGMT_OUTBOUND_CP_DEFAULT outbound
Statistics
=============
No Data

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/outbound

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

If an ACL is configured in one direction and not the other, it is shown in the parent show command (nv show interface <iface> acl <acl-id>) but not in the show command for the direction in which it is not configured.

nv show interface acl outbound control-plane

nv show interface <iface-id> acl <acl-id> outbound control-plane

Display the given acl-id bound to the interface in the outbound control-plane direction.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl ACL_MGMT_OUTBOUND_CP_DEFAULT outbound control-plane
Statistics
=============
    Rule  In Packet  In Byte  Out Packet  Out Byte  Layer  Remark  Action  Summary
    ----  ---------  -------  ----------  --------  -----  ------  ------  -------
    10                        0           0         ip             deny
    20                        9823        1908964                  permit

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/outbound/control-plane

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

If an ACL is configured in one direction and not the other, it is shown in the parent show command (nv show interface <iface> acl <acl-id>) but not in the show command for the direction in which it is not configured.

nv show interface acl inbound

nv show interface <iface-id> acl <acl-id> inbound

Display the given acl-id bound to the interface in the inbound direction.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl ACL_MGMT_OUTBOUND_CP_DEFAULT inbound
Statistics
=============
    Rule  In Packet  In Byte  Out Packet  Out Byte  Layer  Remark  Action  Summary
    ----  ---------  -------  ----------  --------  -----  ------  ------  --------------------------------------
    10    5          296                            ip             deny    match.ip.protocol:                 tcp
                                                                           match.ip.tcp.all-mss-except: 536-65535

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/inbound

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

If an ACL is configured in one direction and not the other, it is shown in the parent show command (nv show interface <iface> acl <acl-id>) but not in the show command for the direction in which it is not configured.

nv show interface acl inbound control-plane

nv show interface <iface-id> acl <acl-id> inbound control-plane

Display the given acl-id bound to the interface in the inbound control-plane direction.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

History

25.02.1884

Example
admin@nvos:~$ nv show interface eth0 acl AAA inbound control-plane
Statistics
=============
    Rule  In Packet  In Byte  Out Packet  Out Byte  Layer  Remark  Action  Summary
    ----  ---------  -------  ----------  --------  -----  ------  ------  --------------------------------------
    10    5          296                            ip             deny    match.ip.protocol:                 tcp
                                                                           match.ip.tcp.all-mss-except: 536-65535

REST API

GET https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/inbound/control-plane

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

If an ACL is configured in one direction and not the other, it is shown in the parent show command (nv show interface <iface> acl <acl-id>) but not in the show command for the direction in which it is not configured.

nv set/unset interface acl inbound

nv set interface <iface-id> acl <acl-id> inbound

nv unset interface <iface-id> acl <acl-id> inbound

Configure/remove the binding of the given ACL on the specified interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

acl-id

ACL name

History

25.02.1884

Example
admin@nvos:~$ nv set interface eth0 acl ACL1 inbound

REST API

PATCH/DELETE https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/inbound

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

An ACL cannot be bound to both inbound and inbound control-plane, or to both outbound and outbound control-plane, on the same interface.

nv set/unset interface acl inbound control-plane

nv set interface <iface-id> acl <acl-id> inbound control-plane

nv unset interface <iface-id> acl <acl-id> inbound control-plane

Configure/remove the binding of the given ACL on the specified interface.

Syntax Description

iface-id

interface could be one of 'eth0' or 'loopback'

acl-id

ACL name

History

25.02.1884

Example
admin@nvos:~$ nv set interface eth0 acl ACL1 inbound control-plane

REST API

PATCH/DELETE https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/inbound/control-plane

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

An ACL cannot be bound to both inbound and inbound control-plane, or to both outbound and outbound control-plane, on the same interface.

nv set/unset interface acl outbound control-plane

nv set interface <iface-id> acl <acl-id> outbound control-plane

nv unset interface <iface-id> acl <acl-id> outbound control-plane

Configure/remove the binding of the given ACL on the specified interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

acl-id

ACL name

History

25.02.1884

Example
admin@nvos:~$ nv set interface eth0 acl ACL1 outbound control-plane

REST API

PATCH/DELETE https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/outbound/control-plane

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

An ACL cannot be bound to both inbound and inbound control-plane, or to both outbound and outbound control-plane, on the same interface.

nv set/unset interface acl outbound

nv set interface <iface-id> acl <acl-id> outbound

nv unset interface <iface-id> acl <acl-id> outbound

Configure/remove the binding of the given ACL on the specified interface.

Syntax Description

iface-id

Interface could be one of 'eth0' or 'loopback'

acl-id

ACL name

History

25.02.1884

Example
admin@nvos:~$ nv set interface eth0 acl ACL1 outbound

REST API

PATCH/DELETE https://<ip>/nvue_v1/interface/{interface-id}/acl/{acl-id}/outbound

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes

An ACL cannot be bound to both inbound and inbound control-plane, or to both outbound and outbound control-plane, on the same interface.

nv action clear acl counters

nv action clear acl counters

Clear the ACL counters in the show command.

Syntax Description

N/A

History

25.02.1884

Example
admin@nvos:~$ nv action clear acl counters

REST API

POST https://<ip>/nvue_v1/acl

Related Commands

nv set acl <acl-id> rule <rule-id>

Notes
© Copyright 2025, NVIDIA. Last updated on Aug 30, 2025.