summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarek Gradzki <mgradzki@cisco.com>2016-08-15 15:03:10 +0200
committerMaros Marsalek <mmarsale@cisco.com>2016-08-15 13:15:45 +0000
commita5c5d37dd656f6db71f24fc979b783d5e3c38390 (patch)
tree34e0c2fe40f2afaf99c18f1664a7b9c07344e85e
parentdfc64f9c32b10fd9f0e4dece9828e6dd90ce53c4 (diff)
HONEYCOMB-139: yang model for ietf-acl draft revision 8
Change-Id: I9250e07f3811036f483959aa841897380bcb7669 Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
-rw-r--r--v3po/api/src/main/yang/ietf-access-control-list.yang208
-rw-r--r--v3po/api/src/main/yang/ietf-packet-fields.yang180
-rw-r--r--v3po/api/src/main/yang/v3po.yang36
-rw-r--r--v3po/api/src/main/yang/vpp-vlan.yang4
4 files changed, 428 insertions, 0 deletions
diff --git a/v3po/api/src/main/yang/ietf-access-control-list.yang b/v3po/api/src/main/yang/ietf-access-control-list.yang
new file mode 100644
index 000000000..3083ee2a0
--- /dev/null
+++ b/v3po/api/src/main/yang/ietf-access-control-list.yang
@@ -0,0 +1,208 @@
+module ietf-access-control-list {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
+ prefix acl;
+ import ietf-yang-types {
+ prefix yang;
+ }
+ import ietf-packet-fields {
+ prefix packet-fields;
+ }
+ organization "IETF NETMOD (NETCONF Data Modeling Language)
+ Working Group";
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+ WG Chair: Juergen Schoenwaelder
+ j.schoenwaelder@jacobs-university.de
+ WG Chair: Tom Nadeau
+ tnadeau@lucidvision.com
+ Editor: Dean Bogdanovic
+ ivandean@gmail.com
+ Editor: Kiran Agrahara Sreenivasa
+ kkoushik@cisco.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+ description
+ "This YANG module defines a component that describing the
+ configuration of Access Control Lists (ACLs).
+ Copyright (c) 2015 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+ revision 2016-07-08 {
+ description
+ "Base model for Network Access Control List (ACL).";
+ reference
+ "RFC XXXX: Network Access Control List (ACL)
+ YANG Data Model";
+ }
+ identity acl-base {
+ description
+ "Base Access Control List type for all Access Control List type
+ identifiers.";
+ }
+ identity ipv4-acl {
+ base acl:acl-base;
+ description
+ "ACL that primarily matches on fields from the IPv4 header
+ (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv4-acl does not contain
+ matches on fields in the ethernet header or the IPv6 header.";
+ }
+ identity ipv6-acl {
+ base acl:acl-base;
+ description
+ "ACL that primarily matches on fields from the IPv6 header
+ (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv6-acl does not contain
+ matches on fields in the ethernet header or the IPv4 header.";
+ }
+ identity eth-acl {
+ base acl:acl-base;
+ description
+ "ACL that primarily matches on fields in the ethernet header,
+ like 10/100/1000baseT or WiFi Access Control List. An acl of
+ type eth-acl does not contain matches on fields in the IPv4
+ header, IPv6 header or layer 4 headers.";
+ }
+ typedef acl-type {
+ type identityref {
+ base acl:acl-base;
+ }
+ description
+ "This type is used to refer to an Access Control List
+ (ACL) type";
+ }
+ typedef access-control-list-ref {
+ type leafref {
+ path "/access-lists/acl/acl-name";
+ }
+ description
+ "This type is used by data models that need to reference an
+ Access Control List";
+ }
+ container access-lists {
+ description
+ "This is a top level container for Access Control Lists.
+ It can have one or more Access Control Lists.";
+ list acl {
+ key "acl-type acl-name";
+ description
+ "An Access Control List(ACL) is an ordered list of
+ Access List Entries (ACE). Each Access Control Entry has a
+ list of match criteria and a list of actions.
+ Since there are several kinds of Access Control Lists
+ implemented with different attributes for
+ different vendors, this
+ model accommodates customizing Access Control Lists for
+ each kind and for each vendor.";
+ leaf acl-name {
+ type string;
+ description
+ "The name of access-list. A device MAY restrict the length
+ and value of this name, possibly space and special
+ characters are not allowed.";
+ }
+ leaf acl-type {
+ type acl-type;
+ description
+ "Type of access control list. Indicates the primary intended
+ type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
+ used in the list instance.";
+ }
+ container acl-oper-data {
+ config false;
+ description
+ "Overall Access Control List operational data";
+ }
+ container access-list-entries {
+ description
+ "The access-list-entries container contains
+ a list of access-list-entries(ACE).";
+ list ace {
+ key "rule-name";
+ ordered-by user;
+ description
+ "List of access list entries(ACE)";
+ leaf rule-name {
+ type string;
+ description
+ "A unique name identifying this Access List
+ Entry(ACE).";
+ }
+ container matches {
+ description
+ "Definitions for match criteria for this Access List
+ Entry.";
+ choice ace-type {
+ description
+ "Type of access list entry.";
+ case ace-ip {
+ description "IP Access List Entry.";
+ choice ace-ip-version {
+ description
+ "IP version used in this Access List Entry.";
+ case ace-ipv4 {
+ uses packet-fields:acl-ipv4-header-fields;
+ }
+ case ace-ipv6 {
+ uses packet-fields:acl-ipv6-header-fields;
+ }
+ }
+ uses packet-fields:acl-ip-header-fields;
+ }
+ case ace-eth {
+ description
+ "Ethernet Access List entry.";
+ uses packet-fields:acl-eth-header-fields;
+ }
+ }
+ }
+ container actions {
+ description
+ "Definitions of action criteria for this Access List
+ Entry.";
+ choice packet-handling {
+ default "deny";
+ description
+ "Packet handling action.";
+ case deny {
+ leaf deny {
+ type empty;
+ description
+ "Deny action.";
+ }
+ }
+ case permit {
+ leaf permit {
+ type empty;
+ description
+ "Permit action.";
+ }
+ }
+ }
+ }
+ container ace-oper-data {
+ config false;
+ description
+ "Operational data for this Access List Entry.";
+ leaf match-counter {
+ type yang:counter64;
+ description
+ "Number of matches for this Access List Entry";
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/v3po/api/src/main/yang/ietf-packet-fields.yang b/v3po/api/src/main/yang/ietf-packet-fields.yang
new file mode 100644
index 000000000..0b1ce5cdd
--- /dev/null
+++ b/v3po/api/src/main/yang/ietf-packet-fields.yang
@@ -0,0 +1,180 @@
+module ietf-packet-fields {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
+ prefix packet-fields;
+ import ietf-inet-types {
+ prefix inet;
+ }
+ import ietf-yang-types {
+ prefix yang;
+ }
+ organization "IETF NETMOD (NETCONF Data Modeling Language) Working
+ Group";
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+ WG Chair: Juergen Schoenwaelder
+ j.schoenwaelder@jacobs-university.de
+ WG Chair: Tom Nadeau
+ tnadeau@lucidvision.com
+ Editor: Dean Bogdanovic
+ deanb@juniper.net
+ Editor: Kiran Agrahara Sreenivasa
+ kkoushik@cisco.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+ description
+ "This YANG module defines groupings that are used by
+ ietf-access-control-list YANG module. Their usage is not
+ limited to ietf-access-control-list and can be
+ used anywhere as applicable.
+ Copyright (c) 2015 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+ revision 2016-07-08 {
+ description
+ "Initial version of packet fields used by
+ ietf-access-control-list";
+ reference
+ "RFC XXXX: Network Access Control List (ACL)
+ YANG Data Model";
+ }
+ grouping acl-transport-header-fields {
+ description
+ "Transport header fields";
+ container source-port-range {
+ presence "Enables setting source port range";
+ description
+ "Inclusive range representing source ports to be used.
+ When only lower-port is present, it represents a single port.";
+ leaf lower-port {
+ type inet:port-number;
+ mandatory true;
+ description
+ "Lower boundary for port.";
+ }
+ leaf upper-port {
+ type inet:port-number;
+ must ". >= ../lower-port" {
+ error-message
+ "The upper-port must be greater than or equal to lower-port";
+ }
+ description
+ "Upper boundary for port . If existing, the upper port
+ must be greater or equal to lower-port.";
+ }
+ }
+ container destination-port-range {
+ presence "Enables setting destination port range";
+ description
+ "Inclusive range representing destination ports to be used. When
+ only lower-port is present, it represents a single port.";
+ leaf lower-port {
+ type inet:port-number;
+ mandatory true;
+ description
+ "Lower boundary for port.";
+ }
+ leaf upper-port {
+ type inet:port-number;
+ must ". >= ../lower-port" {
+ error-message
+ "The upper-port must be greater than or equal to lower-port";
+ }
+
+ description
+ "Upper boundary for port. If existing, the upper port must
+ be greater or equal to lower-port";
+ }
+ }
+ }
+ grouping acl-ip-header-fields {
+ description
+ "IP header fields common to ipv4 and ipv6";
+ leaf dscp {
+ type inet:dscp;
+ description
+ "Value of dscp.";
+ }
+ leaf protocol {
+ type uint8;
+ description
+ "Internet Protocol number.";
+ }
+ uses acl-transport-header-fields;
+ }
+ grouping acl-ipv4-header-fields {
+ description
+ "Fields in IPv4 header.";
+ leaf destination-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Destination IPv4 address prefix.";
+ }
+ leaf source-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Source IPv4 address prefix.";
+ }
+ }
+ grouping acl-ipv6-header-fields {
+ description
+ "Fields in IPv6 header";
+ leaf destination-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Destination IPv6 address prefix.";
+ }
+ leaf source-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Source IPv6 address prefix.";
+ }
+ leaf flow-label {
+ type inet:ipv6-flow-label;
+ description
+ "IPv6 Flow label.";
+ }
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text Representation";
+ }
+ grouping acl-eth-header-fields {
+ description
+ "Fields in Ethernet header.";
+ leaf destination-mac-address {
+ type yang:mac-address;
+ description
+ "Destination IEEE 802 MAC address.";
+ }
+ leaf destination-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Destination IEEE 802 MAC address mask.";
+ }
+ leaf source-mac-address {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address.";
+ }
+ leaf source-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address mask.";
+ }
+ reference
+ "IEEE 802: IEEE Standard for Local and Metropolitan Area
+ Networks: Overview and Architecture.";
+ }
+
+} \ No newline at end of file
diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang
index 9ef133979..e99da965c 100644
--- a/v3po/api/src/main/yang/v3po.yang
+++ b/v3po/api/src/main/yang/v3po.yang
@@ -28,6 +28,9 @@ module v3po {
import vpp-classifier {
prefix "vpp-classifier";
}
+ import ietf-access-control-list {
+ prefix "acl";
+ }
typedef bridge-domain-ref {
type leafref {
@@ -424,6 +427,31 @@ module v3po {
}
}
+ grouping ietf-acl-base-attributes {
+ description
+ "Provides limited support for ietf-acl model.";
+
+ container access-lists {
+ description
+ "Defines references to ietf-acl lists. Before assignment to interface,
+ ACL lists are merged into 3 type of acls (eth0, ip4 and ip6) that are supported by vpp.
+ Then corresponding tables and sessions are created and assigned to the interface.
+
+ Assignment update/delete removes all created tables and sessions and repeats process described above.
+ Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
+
+ Read is supported only for acls that were created and assigned by Honeycomb agent
+ (corresponding metadata are present).";
+ list acl {
+ key "reference";
+
+ leaf reference {
+ type acl:access-control-list-ref;
+ }
+ }
+ }
+ }
+
augment /if:interfaces/if:interface {
ext:augment-identifier "vpp-interface-augmentation";
@@ -481,6 +509,10 @@ module v3po {
container acl {
uses acl-base-attributes;
}
+
+ container ietf-acl {
+ uses ietf-acl-base-attributes;
+ }
}
container vpp {
@@ -553,6 +585,10 @@ module v3po {
container acl {
uses acl-base-attributes;
}
+
+ container ietf-acl {
+ uses ietf-acl-base-attributes;
+ }
}
augment /if:interfaces-state/if:interface/if:statistics {
diff --git a/v3po/api/src/main/yang/vpp-vlan.yang b/v3po/api/src/main/yang/vpp-vlan.yang
index bd3f265ec..15c2af29a 100644
--- a/v3po/api/src/main/yang/vpp-vlan.yang
+++ b/v3po/api/src/main/yang/vpp-vlan.yang
@@ -162,6 +162,10 @@ module vpp-vlan {
container acl {
uses v3po:acl-base-attributes;
}
+
+ container ietf-acl {
+ uses v3po:ietf-acl-base-attributes;
+ }
}
grouping sub-interface-config-attributes {