ACLs
ACLs are executable policy in netverdict. They are used for interface filters, flow search, firewall inputs, and route/policy analysis where packet-like matching is required.
Support level
| Area | Level | Notes |
|---|---|---|
| IPv4 standard ACLs | Supported | Source-only matching. |
| IPv4 extended ACLs | Supported | Protocol, source/destination, ports, ranges, established-style flags where implemented. |
| IPv6 ACLs | Supported | Named IPv6 ACLs and interface traffic filters. |
| Object groups | Supported | Network and service object groups in ACL evaluation. |
| Time ranges | Supported | ACL entries can be active only during configured simulation time. |
| Flow search | Supported | ACL evaluator is used by reachability search. |
Standards coverage
| Standard | Coverage | Notes |
|---|---|---|
| Cisco IOS ACL semantics | Behaviour model | Ordered first-match permit/deny with implicit deny. |
| IPv6 ACL semantics | Behaviour model | IPv6 prefix/protocol/port matching. |
Feature matrix
| Feature | Status | Notes |
|---|---|---|
| Numbered ACL | Supported | Standard and extended ranges. |
| Numbered standard wildcard form | Supported | `access-list 10 permit 10.10.0.0 0.0.255.255` |
| Named ACL | Supported | IPv4 and IPv6. |
| `permit` / `deny` | Supported | Ordered rule evaluation. |
| Protocol match | Supported | IP, TCP, UDP, ICMP, and common aliases. |
| Port operators | Supported | eq, neq, lt, gt, range where parsed. |
| Object-group references | Supported | Network and service groups. |
| Time-range references | Supported | Active/inactive rule gating. |
| Interface binding | Supported | Inbound/outbound direction. |
| Logging | Config model | Parsed/stored; syslog side effects are limited. |
Vendor command matrix
| Command | IOS-style | Junos-style | VyOS-style | Notes |
|---|---|---|---|---|
| `access-list 10 permit 10.0.0.0 0.0.0.255` | Supported | n/a | Partial | Standard IPv4 ACL. |
| `access-list 10 permit 10.10.0.0 0.0.255.255` | Supported | n/a | n/a | IOS/IOS-XE wildcard form is command-tree backed. |
| `ip access-list extended WEB` | Supported | n/a | Partial | Named extended ACL. |
| `ipv6 access-list V6-IN` | Supported | n/a | Partial | IPv6 ACL. |
| `object-group network SERVERS` | Supported | n/a | Partial | Object group. |
| `time-range WORKHOURS` | Supported | n/a | n/a | Time-gated entries. |
| `ip access-group WEB in` | Supported | n/a | Partial | Interface binding. |
| `show access-lists` | Supported | Partial | Partial | ACL view. |
Behaviour notes
Evaluation is strictly ordered. The first matching ACE decides the result, and an implicit deny remains at the end of every ACL. Flow search results report that implicit deny explicitly rather than hiding it, because a policy failure with no visible cause is painful to debug.
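The following is an added example, not netverdict's own code, that models the behaviour described above in plain Python: ordered first-match evaluation with an implicit trailing deny, IOS wildcard masks (including the `10.10.0.0 0.0.255.255` form from the feature matrix), the `eq`/`neq`/`lt`/`gt`/`range` port operators, and time-range gating. The ACE parser handles only the extended-ACE subset used on this page; the `WEB_IN` rules and the packet dictionaries are constructed sample input, and `evaluate` returns the index of the deciding ACE (or `None` for the implicit deny) so that the result of a lookup is never ambiguous.

```python
# Added example (not netverdict's code): ordered first-match ACL evaluation
# with implicit deny, IOS wildcard masks, port operators and time-range gating.
# ACE strings and packets below are constructed sample input.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}  # operator -> arity
_PORT_TESTS = {
    "eq": lambda p, a: p == a[0],
    "neq": lambda p, a: p != a[0],
    "lt": lambda p, a: p < a[0],
    "gt": lambda p, a: p > a[0],
    "range": lambda p, a: a[0] <= p <= a[1],
}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard))  # bits that must be equal
    return (a & care) == (b & care)


def port_match(op: Optional[str], args: Tuple[int, ...], port: int) -> bool:
    """Apply an ACE port operator; no operator means any port matches."""
    return True if op is None else _PORT_TESTS[op](port, args)


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: Tuple[str, str]             # (base address, wildcard mask)
    src_port: Tuple[Optional[str], Tuple[int, ...]]
    dst: Tuple[str, str]
    dst_port: Tuple[Optional[str], Tuple[int, ...]]
    time_range: Optional[str] = None


def _take_addr(tokens):
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))  # "A.B.C.D W.W.W.W" wildcard form


def _take_port(tokens):
    if tokens and tokens[0] in PORT_OPS:
        op = tokens.pop(0)
        args = tuple(int(tokens.pop(0)) for _ in range(PORT_OPS[op]))
        return (op, args)
    return (None, ())


def parse_ace(line: str) -> Ace:
    """Parse the IOS extended-ACE subset used on this page."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1].lower(), tokens[2:]
    src, src_port = _take_addr(rest), _take_port(rest)
    dst, dst_port = _take_addr(rest), _take_port(rest)
    time_range = rest[1] if rest[:1] == ["time-range"] else None
    return Ace(action, proto, src, src_port, dst, dst_port, time_range)


def evaluate(aces, pkt, active_time_ranges=frozenset()):
    """First matching ACE decides; returns (action, ace_index).
    ace_index is None when the implicit trailing deny fired."""
    for i, ace in enumerate(aces):
        if ace.time_range and ace.time_range not in active_time_ranges:
            continue  # entry is gated off; it neither permits nor denies
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], *ace.src):
            continue
        if not wildcard_match(pkt["dst"], *ace.dst):
            continue
        if not port_match(*ace.src_port, pkt.get("sport", 0)):
            continue
        if not port_match(*ace.dst_port, pkt.get("dport", 0)):
            continue
        return ace.action, i
    return "deny", None  # implicit deny at the end of every ACL


# Constructed ACL: the page's WEB-IN entries plus a time-gated entry.
WEB_IN = [parse_ace(l) for l in (
    "permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443",
    "permit tcp 10.10.0.0 0.0.255.255 any range 8080 8081 time-range WORKHOURS",
    "deny ip any any",
)]
# Constructed packets.
HTTPS = {"proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.10", "sport": 40000, "dport": 443}
HTTP = dict(HTTPS, dport=80)
PROXY = {"proto": "tcp", "src": "10.10.200.9", "dst": "203.0.113.5", "sport": 41000, "dport": 8080}

if __name__ == "__main__":
    print(evaluate(WEB_IN, HTTPS))                  # ('permit', 0)
    print(evaluate(WEB_IN, PROXY, {"WORKHOURS"}))   # ('permit', 1) only while the time range is active
    print(evaluate(WEB_IN[:2], HTTP))               # ('deny', None): the implicit deny decided
```

Reordering the same entries changes the outcome (`deny ip any any` placed first denies everything at index 0), which is exactly why the evaluator reports the deciding index: a flow-search result that says "denied by ACE 2" versus "denied by the implicit deny" points at two very different fixes.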
Examples
Canonical example

```
configure terminal
ip access-list extended WEB-IN
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
 deny ip any any
interface GigabitEthernet0/0
 ip access-group WEB-IN in
end
show access-lists
```

Vendor styles

IOS-style

```
ip access-list extended WEB-IN
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 443
interface GigabitEthernet0/0
 ip access-group WEB-IN in
```

Junos-style

```
set firewall family inet filter WEB-IN term allow-web from source-address 10.0.0.0/24
set firewall family inet filter WEB-IN term allow-web from destination-address 192.0.2.10/32
set firewall family inet filter WEB-IN term allow-web from destination-port 443
set firewall family inet filter WEB-IN term allow-web then accept
```

VyOS-style

```
set firewall ipv4 name WEB-IN rule 10 action accept
set firewall ipv4 name WEB-IN rule 10 protocol tcp
set firewall ipv4 name WEB-IN rule 10 destination port 443
set interfaces ethernet eth0 firewall in name WEB-IN
```

Known limits
Reflexive ACLs, dynamic ACL lock-and-key, full logging side effects, and every vendor parser variant are not implemented.