Configuring ACS Ruledef for L7 Protocols for DPI

A ruledef represents a set of matching conditions across multiple L3 to L7 protocols, based on protocol fields and state information. Each ruledef can be used across multiple rulebases within the active charging service.

Note

In UPF, if a rule line is added to or deleted from a ruledef while calls and data flows are active, the change is not applied to flows already in progress. It applies to new calls and to new flows on the same calls.

The following is a sample configuration that describes how to create, configure, or delete ACS rule definitions.


configure 
   active-charging service service_name 
      ruledef ruledef_name 
         dns { any-match value | query-type query_type | query-name query_name } 
         ip any-match [ = | != ] [ TRUE | FALSE ] 
         ip dst-address { operator { { ipv4_address | ipv6_address } | { ipv4_address/mask | ipv6_address/mask} | address-group ipv6_address } | { !range | range } host-pool host_pool_name } 
         ip server-ip-address { operator { { ipv4_address | ipv6_address } | { ipv4_address/mask | ipv6_address/mask} | address-group ipv6_address } | { !range | range } host-pool host_pool_name } 
         multi-line-or all-lines 
         rule-application { charging | post-processing | routing }
         { tcp | udp } { either-port port_number } 
         end 

NOTES:

  • ruledef ruledef_name : Specifies the ruledef to add, configure, or delete. ruledef_name must be the name of an ACS ruledef, and must be an alphanumeric string of 1 to 63 characters, and can contain punctuation characters. Each ruledef must have a unique name. Host pool, port map, IMSI pool, and firewall, routing, and charging ruledefs must have unique names.

  • If the named ruledef does not exist, it is created, and the CLI mode changes to the ACS Ruledef Configuration Mode wherein the ruledef can be configured.

  • If the named ruledef already exists, the CLI mode changes to the ACS Ruledef Configuration Mode for that ruledef. The ACS Ruledef Configuration Mode is used to create and manage rule expressions in individual rule definitions (ruledefs).

  • ip any-match [= | !=] [TRUE | FALSE]: This command defines the rule expressions to match IPv4/IPv6 packets. The operator and condition in the command specify the following:

    • operator

      • !=: Does not equal

      • =: Equals

    • condition

      • FALSE

      • TRUE

  • ip dst-address { operator { { ipv4_address | ipv6_address } | { ipv4_address/mask |ipv6_address/mask } | address-group ipv6_address } | { !range | range } host-pool host_pool_name } : This command allows defining rule expressions to match IP destination address field within IP headers.

    • ipv4_address | ipv6_address : Specifies the IP address of the destination node for outgoing traffic. ipv4_address | ipv6_address must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation.

    • ipv4_address/mask | ipv6_address/mask : Specifies the IP address of the destination node for outgoing traffic. ipv4_address/mask | ipv6_address/mask must be an IP address in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal notation followed by the subnet mask length. The mask length is a numeric value equal to the number of bits in the subnet mask.

    • address-group ipv6_address : Specifies a group of IPv6 addresses configured with wildcard input and/or specialized range input. Multiple wildcard characters can be accepted as input and only one 2 byte range input will be accepted. Both wildcard character input and 2-byte range input can be configured together within a given IPv6 address.

    • host-pool host_pool_name : Specifies the name of the host pool. host_pool_name must be an alphanumeric string of 1 to 63 characters.

    • The operator in the command specifies the following:

      • !=: Does not equal

      • <=: Less than or equals

      • =: Equals

      • >=: Greater than or equals

  • multi-line-or all-lines : This command allows a single ruledef to specify multiple rule expressions that are combined with OR. When a ruledef is evaluated, if the multi-line-or all-lines command is configured, the logical OR operator is applied to all the rule expressions in the ruledef to decide whether the ruledef matches. If the multi-line-or all-lines command is not configured, the logical AND operator is applied to all the rule expressions, so every line must match.

  • rule-application { charging | post-processing | routing } : This command specifies the rule application for a rule definition.

    • charging : Specifies that the current ruledef is for charging purposes.

    • post-processing : Specifies that the current ruledef is for post-processing purposes. This enables processing of packets even if the rule matching for them has been disabled.

    • routing : Specifies that the current ruledef is for routing purposes. Up to 256 rule definitions can be defined for routing in an Active Charging Service. Default: Disabled.

  • dns { any-match value | query-type query_type | query-name query_name } : This command allows you to define rule expressions to match all DNS packets, or packets based on the query type or query name.

  • ip server-ip-address { operator { { ipv4_address | ipv6_address } | { ipv4_address/mask | ipv6_address/mask } | address-group ipv6_address } | { !range | range } host-pool host_pool_name } : This command allows you to define rule expressions to match the IP address of the server (destination) end of the connection. It accepts the same operators and address forms as ip dst-address.

  • { tcp | udp } { either-port port_number } : This command allows you to define rule expressions to match either a destination or source port number in UDP/TCP headers.
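The notes above describe how the rule lines of a ruledef are combined (logical AND by default, logical OR when multi-line-or all-lines is configured) but do not show the effect on concrete traffic. The following is an added example, not StarOS code or part of the original page: a small Python model that parses ruledef blocks written in the CLI shape shown above (a supported subset: dns any-match, ip any-match, ip dst-address with = or != and a host or prefix, tcp/udp either-port, multi-line-or all-lines, rule-application) and evaluates them against constructed sample flows. The ruledef names, the "= TRUE" form of any-match, the sample addresses and the rule that an empty ruledef matches nothing are assumptions made for the example.

```python
"""Model of ACS ruledef evaluation for a subset of the rule lines on this page.

Illustrative only (not StarOS code). It mimics how rule lines combine:
logical AND by default, logical OR when "multi-line-or all-lines" is set.
The CLI text and the flows below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Flow:
    """One packet/flow as seen by the classifier (constructed sample input)."""
    proto: str                       # "tcp" or "udp"
    src_port: int
    dst_port: int
    dst_ip: str
    dns_qname: Optional[str] = None  # set only when the payload is a DNS query


@dataclass
class Ruledef:
    name: str
    lines: List[Callable[[Flow], bool]] = field(default_factory=list)
    multi_line_or: bool = False      # "multi-line-or all-lines" configured
    application: str = "charging"    # rule-application value (assumed default)


def _truth(op: str, cond: str) -> bool:
    """'= TRUE' and '!= FALSE' mean match; '= FALSE' and '!= TRUE' mean no match."""
    want = cond.upper() == "TRUE"
    return want if op == "=" else not want


def _compile(tokens: List[str]) -> Callable[[Flow], bool]:
    """Turn one rule line into a predicate on a Flow."""
    kw = tokens[0]
    if kw == "dns" and tokens[1] == "any-match":
        want_dns = _truth(tokens[2], tokens[3])
        return lambda f: (f.dns_qname is not None) == want_dns
    if kw == "ip" and tokens[1] == "any-match":
        want_ip = _truth(tokens[2], tokens[3])   # every flow here is an IP flow
        return lambda f: want_ip
    if kw == "ip" and tokens[1] == "dst-address" and tokens[2] in ("=", "!="):
        net = ipaddress.ip_network(tokens[3], strict=False)  # host or prefix/mask
        negate = tokens[2] == "!="
        return lambda f: (ipaddress.ip_address(f.dst_ip) in net) != negate
    if kw in ("tcp", "udp") and tokens[1] == "either-port":
        port = int(tokens[2])
        return lambda f: f.proto == kw and port in (f.src_port, f.dst_port)
    raise ValueError(f"unsupported rule line: {' '.join(tokens)}")


def parse_ruledefs(cli: str) -> Dict[str, Ruledef]:
    """Parse ruledef blocks; 'exit'/'end' close the current ruledef."""
    ruledefs: Dict[str, Ruledef] = {}
    current: Optional[Ruledef] = None
    for raw in cli.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("configure", "active-charging"):
            continue
        if tokens[0] == "ruledef":
            current = Ruledef(name=tokens[1])
            ruledefs[current.name] = current
        elif tokens[0] in ("exit", "end"):
            current = None
        elif current is None:
            raise ValueError(f"rule line outside a ruledef: {raw.strip()}")
        elif tokens[0] == "multi-line-or":
            current.multi_line_or = True
        elif tokens[0] == "rule-application":
            current.application = tokens[1]
        else:
            current.lines.append(_compile(tokens))
    return ruledefs


def matches(rd: Ruledef, flow: Flow) -> bool:
    """AND across lines by default; OR when multi-line-or all-lines is set."""
    if not rd.lines:
        return False          # assumption for the model: no lines, nothing matches
    results = [line(flow) for line in rd.lines]
    return any(results) if rd.multi_line_or else all(results)


def classify(cli: str, flows: Dict[str, Flow]) -> Dict[str, List[str]]:
    """Map each flow label to the names of the ruledefs that match it."""
    ruledefs = parse_ruledefs(cli)
    return {label: [rd.name for rd in ruledefs.values() if matches(rd, f)]
            for label, f in flows.items()}


# Constructed CLI: the first two ruledefs have the same lines and differ only
# in multi-line-or, so they show the AND-versus-OR behaviour side by side.
SAMPLE_CLI = """
configure
   active-charging service acs1
      ruledef dns-udp53
         udp either-port 53
         dns any-match = TRUE
         rule-application charging
         exit
      ruledef dns-udp53-or
         udp either-port 53
         dns any-match = TRUE
         multi-line-or all-lines
         exit
      ruledef to-internal
         ip dst-address = 10.0.0.0/8
         tcp either-port 443
         exit
      end
"""

# Constructed sample flows (addresses and ports are illustrative).
SAMPLE_FLOWS = {
    "dns_query":      Flow("udp", 51234, 53, "8.8.8.8", dns_qname="example.com"),
    "udp53_not_dns":  Flow("udp", 51235, 53, "8.8.8.8"),
    "dns_over_tcp":   Flow("tcp", 51236, 53, "8.8.8.8", dns_qname="example.com"),
    "https_internal": Flow("tcp", 51237, 443, "10.1.2.3"),
    "https_external": Flow("tcp", 51238, 443, "93.184.216.34"),
}
```

Running `classify(SAMPLE_CLI, SAMPLE_FLOWS)` shows the practical difference: with AND semantics, dns-udp53 matches only a real DNS query on UDP port 53, while dns-udp53-or also matches non-DNS traffic on port 53 and DNS carried over TCP, because any single line satisfies the ruledef. That is the check to make before adding multi-line-or to a ruledef that was written as a conjunction of conditions.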