diff options
author | Jan Srnicek <jsrnicek@cisco.com> | 2016-12-12 17:25:34 +0100 |
---|---|---|
committer | Marek Gradzki <mgradzki@cisco.com> | 2016-12-14 12:49:10 +0000 |
commit | c5e153510d4ca0c36bce6e97a72631e41fdcc60a (patch) | |
tree | 5fe05009945ccc52d9713a7c831b5167906d4a78 | |
parent | 74b0f3f992cbaf87977c383c204c1c9b9bf0f484 (diff) |
Acl model improvements
Adds case to cover other protocol numbers
Adds constraint to not allow stateless mac-ip acl's
Change-Id: I9feeba5ac6b6480282cac62e5479c433c92c8d99
Signed-off-by: Jan Srnicek <jsrnicek@cisco.com>
-rw-r--r-- | acl/acl-api/src/main/yang/vpp-acl.yang | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/acl/acl-api/src/main/yang/vpp-acl.yang b/acl/acl-api/src/main/yang/vpp-acl.yang index ff30d5ec5..a81516a90 100644 --- a/acl/acl-api/src/main/yang/vpp-acl.yang +++ b/acl/acl-api/src/main/yang/vpp-acl.yang @@ -30,6 +30,7 @@ module vpp-acl { augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling { ext:augment-identifier "stateful-acl-action-augmentation"; + when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'"; case stateful { leaf permit { type empty; @@ -105,6 +106,15 @@ module vpp-acl { } } + grouping acl-other-protocol-fields { + description "Used for any other protocol than TCP/UDP/ICMP/ICMPv6"; + leaf protocol { + must "protocol != 1 and protocol != 6 and protocol != 17 and protocol != 58"; + type uint8; + description "Internet Protocol number."; + } + } + grouping acl-ip-protocol-header-fields { description "Defines header fields for TCP/UDP or ICMP protocols"; @@ -112,6 +122,9 @@ module vpp-acl { case icmp { uses acl-icmp-header-fields; } + case icmp-v6 { + uses acl-icmp-header-fields; + } case udp { uses packet-fields:acl-transport-header-fields; } @@ -119,6 +132,9 @@ module vpp-acl { uses packet-fields:acl-transport-header-fields; uses acl-tcp-header-fields; } + case other { + uses acl-other-protocol-fields; + } } } @@ -144,11 +160,6 @@ module vpp-acl { uses packet-fields:acl-ipv6-header-fields; } } - leaf protocol { - type uint8; - description - "Internet Protocol number."; - } uses acl-ip-protocol-header-fields; } } |