Add a new rule to an existing ACL¶
Insert a new ACL rule entry with the following parameters:
Item | Value
---|---
Request Type | PUT
Content Type | application/yang-data+json
ACL Name | blockbadhosts
ACL Rule Sequence | 10
ACL Rule Action | deny
ACL Rule Source Address | 10.222.111.222/32
The new rule passed in the -d parameter is JSON with all whitespace removed so that it fits on a single command line.
Warning
The Content-Type header must be set when performing a write operation such as PUT or PATCH, and its value must reflect the type of data being sent. These examples use JSON, so the header is set to application/yang-data+json. When submitting XML, it would be application/yang-data+xml.
The URL is the same one used to retrieve the rule in question.
Warning
Note the presence of the sequence number both in the supplied JSON data and in the URL. The two must match: the list key in the URL identifies the entry being written, and a RESTCONF server rejects a PUT whose body carries a different key value (RFC 8040, section 4.5).
Command:
$ curl -f --cert ~/tnsr/tnsr-restconf-client.crt \
--key ~/tnsr/tnsr-restconf-client.key \
--cacert ~/tnsr/tnsr-restconf-CA.crt \
-H "Content-Type: application/yang-data+json" \
-X PUT \
-d '{"netgate-acl:acl-rule":[{"sequence": 10,"action":"deny","ip-version":"ipv4","src-ip-prefix":"10.222.111.222/32"}]}' \
https://tnsr.example.com/restconf/data/netgate-acl:acl-config/acl-table/acl-list=blockbadhosts/acl-rules/acl-rule=10
Output: This command produces no output when it succeeds. Because -f is given, curl exits non-zero on an HTTP error response instead of printing the error body; drop -f to see the RESTCONF error document if the PUT is rejected.
Retrieve the contents of the ACL again to see that the new rule is now present:
Command:
$ curl -f --cert ~/tnsr/tnsr-restconf-client.crt \
--key ~/tnsr/tnsr-restconf-client.key \
--cacert ~/tnsr/tnsr-restconf-CA.crt \
-X GET \
https://tnsr.example.com/restconf/data/netgate-acl:acl-config/acl-table/acl-list=blockbadhosts
Output:
{
"netgate-acl:acl-list": [
{
"acl-name": "blockbadhosts",
"acl-description": "Block bad hosts",
"acl-rules": {
"acl-rule": [
{
"sequence": 1,
"action": "deny",
"ip-version": "ipv4",
"src-ip-prefix": "203.0.113.14/32"
},
{
"sequence": 2,
"action": "deny",
"ip-version": "ipv4",
"src-ip-prefix": "203.0.113.15/32"
},
{
"sequence": 10,
"action": "deny",
"ip-version": "ipv4",
"src-ip-prefix": "10.222.111.222/32"
},
{
"sequence": 555,
"action": "deny",
"ip-version": "ipv4",
"src-ip-prefix": "5.5.5.5/32"
},
{
"sequence": 5000,
"acl-rule-description": "Default Permit",
"action": "permit",
"ip-version": "ipv4"
}
]
}
}
]
}
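The following is an added example and is not code from the TNSR documentation or the TNSR project. It scripts the two steps above: it builds the PUT URL and the whitespace-free JSON body for a rule, checks that the sequence number in the URL and in the body agree before anything is sent, optionally sends the request with the same client certificate, key and CA file the curl commands use, and then locates the new rule in the JSON returned by the follow-up GET. The host name, certificate paths and the function names are assumptions; the sample GET response is a constructed copy of the output shown above.

```python
"""Build, check and send a TNSR RESTCONF PUT for one ACL rule, then verify it.

Added example (not TNSR's own code). The RESTCONF paths and JSON shape are
the ones shown on this page; host, certificate locations and helper names
are assumptions.
"""
import http.client
import json
import ssl
from urllib.parse import quote, urlparse

RESTCONF_BASE = "https://tnsr.example.com/restconf/data"   # host from the page (assumed reachable)
YANG_JSON = "application/yang-data+json"


def build_acl_rule_put(acl_name, sequence, action, src_ip_prefix, ip_version="ipv4"):
    """Return (url, body) for a PUT of a single acl-rule.

    The body is serialised without whitespace, exactly as the -d argument above.
    The list key (sequence) is embedded in the URL as acl-rule=<sequence>.
    """
    rule = {"sequence": sequence, "action": action,
            "ip-version": ip_version, "src-ip-prefix": src_ip_prefix}
    body = json.dumps({"netgate-acl:acl-rule": [rule]}, separators=(",", ":"))
    url = (f"{RESTCONF_BASE}/netgate-acl:acl-config/acl-table/"
           f"acl-list={quote(acl_name, safe='')}/acl-rules/acl-rule={sequence}")
    return url, body


def check_sequence_matches(url, body):
    """Raise ValueError unless the acl-rule key in the URL equals 'sequence' in the body.

    RFC 8040 section 4.5: a PUT whose body key differs from the URI key is a
    400 Bad Request, so catch the mismatch locally before sending.
    """
    last = urlparse(url).path.rsplit("/", 1)[-1]       # e.g. "acl-rule=10"
    name, _, key = last.partition("=")
    if name != "acl-rule" or not key:
        raise ValueError(f"URL does not target an acl-rule entry: {last!r}")
    rules = json.loads(body)["netgate-acl:acl-rule"]
    if len(rules) != 1:
        raise ValueError("PUT body must contain exactly one acl-rule entry")
    seq = rules[0]["sequence"]
    if str(seq) != key:
        raise ValueError(f"sequence mismatch: URL key {key!r} vs body {seq!r}")
    return int(key)


def send_put(url, body, client_cert, client_key, ca_cert):
    """Send the PUT over mutual TLS, mirroring curl --cert/--key/--cacert. Not run by the tests."""
    check_sequence_matches(url, body)
    ctx = ssl.create_default_context(cafile=ca_cert)   # trust only the TNSR RESTCONF CA
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    u = urlparse(url)
    conn = http.client.HTTPSConnection(u.netloc, context=ctx)
    conn.request("PUT", u.path, body=body,
                 headers={"Content-Type": YANG_JSON, "Accept": YANG_JSON})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    if resp.status >= 400:       # unlike curl -f, keep the RESTCONF error document
        raise RuntimeError(f"RESTCONF PUT failed: {resp.status} {resp.reason}: {data!r}")
    return resp.status


def find_rule(acl_list_json, acl_name, sequence):
    """Return the rule with the given sequence from a GET of acl-list=<name>, or None."""
    for acl in json.loads(acl_list_json)["netgate-acl:acl-list"]:
        if acl.get("acl-name") != acl_name:
            continue
        for rule in acl.get("acl-rules", {}).get("acl-rule", []):
            if rule.get("sequence") == sequence:
                return rule
    return None


# Constructed sample: a trimmed copy of the GET output shown on this page.
SAMPLE_GET = json.dumps({"netgate-acl:acl-list": [{
    "acl-name": "blockbadhosts", "acl-description": "Block bad hosts",
    "acl-rules": {"acl-rule": [
        {"sequence": 1, "action": "deny", "ip-version": "ipv4", "src-ip-prefix": "203.0.113.14/32"},
        {"sequence": 10, "action": "deny", "ip-version": "ipv4", "src-ip-prefix": "10.222.111.222/32"},
        {"sequence": 5000, "acl-rule-description": "Default Permit", "action": "permit", "ip-version": "ipv4"},
    ]}}]})


if __name__ == "__main__":
    url, body = build_acl_rule_put("blockbadhosts", 10, "deny", "10.222.111.222/32")
    print(check_sequence_matches(url, body), url, body)
    # send_put(url, body, "~/tnsr/tnsr-restconf-client.crt",
    #          "~/tnsr/tnsr-restconf-client.key", "~/tnsr/tnsr-restconf-CA.crt")
    print(find_rule(SAMPLE_GET, "blockbadhosts", 10))
```

Because PUT replaces the whole acl-rule entry, any field not present in the body (for example an acl-rule-description) is dropped from the entry on the server; use PATCH when only one field of an existing rule should change.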