author | Michal Cmarada <mcmarada@cisco.com> | 2018-11-19 14:59:14 +0100 |
---|---|---|
committer | Michal Cmarada <mcmarada@cisco.com> | 2018-11-19 14:59:14 +0100 |
commit | 718e9a3c7cac01860f3e3fe6174fcc1bd33fb4eb (patch) | |
tree | 34fae7680450e166e845f0c2db84ed8c3215930f /acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang | |
parent | f9acfac8b701f9903a28edc98db127c36d73384f (diff) |
HC2VPP-291: ACL model bump
- bump ACL yang models
- fix ACL module implementation and validation
- fix ACL Unit tests
- update postman collection
Change-Id: Iaab64e6d92d17babc3ccef7921b41070c3716516
Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
Diffstat (limited to 'acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang')
-rwxr-xr-x | acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang | 667 |
1 files changed, 667 insertions, 0 deletions
diff --git a/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang
new file mode 100755
index 000000000..cc1dcb59f
--- /dev/null
+++ b/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang
@@ -0,0 +1,667 @@
+module ietf-access-control-list {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
+ prefix acl;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991 - Common YANG Data Types.";
+ }
+
+ import ietf-packet-fields {
+ prefix pf;
+ reference
+ "RFC XXXX - Network ACL YANG Model.";
+ }
+
+ import ietf-interfaces {
+ prefix if;
+ reference
+ "RFC 8343 - A YANG Data Model for Interface Management.";
+ }
+
+ organization
+ "IETF NETMOD (Network Modeling Language)
+ Working Group";
+
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+
+ Editor: Mahesh Jethanandani
+ mjethanandani@gmail.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Sonal Agarwal
+ sagarwal12@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+
+ description
+ "This YANG module defines a component that describe the
+ configuration of Access Control Lists (ACLs).
+
+ Copyright (c) 2018 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+
+ revision 2018-10-01 {
+ description
+ "Initial version.";
+ reference
+ "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
+ }
+
+ /*
+ * Identities
+ */
+ /*
+ * Forwarding actions for a packet
+ */
+ identity forwarding-action {
+ description
+ "Base identity for actions in the forwarding category";
+ }
+
+ identity accept {
+ base forwarding-action;
+ description
+ "Accept the packet";
+ }
+
+ identity drop {
+ base forwarding-action;
+ description
+ "Drop packet without sending any ICMP error message";
+ }
+
+ identity reject {
+ base forwarding-action;
+ description
+ "Drop the packet and send an ICMP error message to the source";
+ }
+
+ /*
+ * Logging actions for a packet
+ */
+ identity log-action {
+ description
+ "Base identity for defining the destination for logging actions";
+ }
+
+ identity log-syslog {
+ base log-action;
+ description
+ "System log (syslog) the information for the packet";
+ }
+
+ identity log-none {
+ base log-action;
+ description
+ "No logging for the packet";
+ }
+
+ /*
+ * ACL type identities
+ */
+ identity acl-base {
+ description
+ "Base Access Control List type for all Access Control List type
+ identifiers.";
+ }
+
+ identity ipv4-acl-type {
+ base acl:acl-base;
+ if-feature "ipv4";
+ description
+ "An ACL that matches on fields from the IPv4 header
+ (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv4 does not contain
+ matches on fields in the ethernet header or the IPv6 header.";
+ }
+
+ identity ipv6-acl-type {
+ base acl:acl-base;
+ if-feature "ipv6";
+ description
+ "An ACL that matches on fields from the IPv6 header
+ (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
+ destination port).
An acl of type ipv6 does not contain
+ matches on fields in the ethernet header or the IPv4 header.";
+ }
+
+ identity eth-acl-type {
+ base acl:acl-base;
+ if-feature "eth";
+ description
+ "An ACL that matches on fields in the ethernet header,
+ like 10/100/1000baseT or WiFi Access Control List. An acl of
+ type ethernet does not contain matches on fields in the IPv4
+ header, IPv6 header or layer 4 headers.";
+ }
+
+ identity mixed-eth-ipv4-acl-type {
+ base "acl:eth-acl-type";
+ base "acl:ipv4-acl-type";
+ if-feature "mixed-eth-ipv4";
+ description
+ "An ACL that contains a mix of entries that
+ match on fields in ethernet headers,
+ entries that match on IPv4 headers.
+ Matching on layer 4 header fields may also exist in the
+ list.";
+ }
+ identity mixed-eth-ipv6-acl-type {
+ base "acl:eth-acl-type";
+ base "acl:ipv6-acl-type";
+ if-feature "mixed-eth-ipv6";
+ description
+ "ACL that contains a mix of entries that
+ match on fields in ethernet headers, entries
+ that match on fields in IPv6 headers. Matching on
+ layer 4 header fields may also exist in the list.";
+ }
+
+ identity mixed-eth-ipv4-ipv6-acl-type {
+ base "acl:eth-acl-type";
+ base "acl:ipv4-acl-type";
+ base "acl:ipv6-acl-type";
+ if-feature "mixed-eth-ipv4-ipv6";
+ description
+ "ACL that contains a mix of entries that
+ match on fields in ethernet headers, entries
+ that match on fields in IPv4 headers, and entries
+ that match on fields in IPv6 headers.
Matching on
+ layer 4 header fields may also exist in the list.";
+ }
+
+ /*
+ * Features
+ */
+
+ /*
+ * Features supported by device
+ */
+ feature match-on-eth {
+ description
+ "The device can support matching on ethernet headers.";
+ }
+
+ feature match-on-ipv4 {
+ description
+ "The device can support matching on IPv4 headers.";
+ }
+
+ feature match-on-ipv6 {
+ description
+ "The device can support matching on IPv6 headers.";
+ }
+
+ feature match-on-tcp {
+ description
+ "The device can support matching on TCP headers.";
+ }
+
+ feature match-on-udp {
+ description
+ "The device can support matching on UDP headers.";
+ }
+
+ feature match-on-icmp {
+ description
+ "The device can support matching on ICMP (v4 and v6) headers.";
+ }
+
+ /*
+ * Header classifications combinations supported by
+ * device
+ */
+ feature eth {
+ if-feature "match-on-eth";
+ description
+ "Plain Ethernet ACL supported";
+ }
+
+ feature ipv4 {
+ if-feature "match-on-ipv4";
+ description
+ "Plain IPv4 ACL supported";
+ }
+
+ feature ipv6 {
+ if-feature "match-on-ipv6";
+ description
+ "Plain IPv6 ACL supported";
+ }
+
+ feature mixed-eth-ipv4 {
+ if-feature "match-on-eth and match-on-ipv4";
+ description
+ "Ethernet and IPv4 ACL combinations supported";
+ }
+
+ feature mixed-eth-ipv6 {
+ if-feature "match-on-eth and match-on-ipv6";
+ description
+ "Ethernet and IPv6 ACL combinations supported";
+ }
+
+ feature mixed-eth-ipv4-ipv6 {
+ if-feature "match-on-eth and match-on-ipv4
+ and match-on-ipv6";
+ description
+ "Ethernet, IPv4 and IPv6 ACL combinations supported.";
+ }
+
+ /*
+ * Stats Features
+ */
+ feature interface-stats {
+ description
+ "ACL counters are available and reported only per interface";
+ }
+
+ feature acl-aggregate-stats {
+ description
+ "ACL counters are aggregated over all interfaces, and reported
+ only per ACL entry";
+ }
+
+ /*
+ * Attachment point features
+ */
+ feature interface-attachment {
+ description
+ "ACLs are set on interfaces.";
+ }
+
+ /*
+ *
Typedefs
+ */
+ typedef acl-type {
+ type identityref {
+ base acl-base;
+ }
+ description
+ "This type is used to refer to an Access Control List
+ (ACL) type";
+ }
+
+ /*
+ * Groupings
+ */
+ grouping acl-counters {
+ description
+ "Common grouping for ACL counters";
+
+ leaf matched-packets {
+ type yang:counter64;
+ config false;
+ description
+ "Count of the number of packets matching the current ACL
+ entry.
+
+ An implementation should provide this counter on a
+ per-interface per-ACL-entry basis if possible.
+
+ If an implementation only supports ACL counters on a per
+ entry basis (i.e., not broken out per interface), then the
+ value should be equal to the aggregate count across all
+ interfaces.
+
+ An implementation that provides counters on a per entry per
+ interface basis is not required to also provide an aggregate
+ count, e.g., per entry -- the user is expected to be able
+ implement the required aggregation if such a count is
+ needed.";
+ }
+
+ leaf matched-octets {
+ type yang:counter64;
+ config false;
+ description
+ "Count of the number of octets (bytes) matching the current
+ ACL entry.
+
+ An implementation should provide this counter on a
+ per-interface per-ACL-entry if possible.
+
+ If an implementation only supports ACL counters per entry
+ (i.e., not broken out per interface), then the value
+ should be equal to the aggregate count across all interfaces.
+
+ An implementation that provides counters per entry per
+ interface is not required to also provide an aggregate count,
+ e.g., per entry -- the user is expected to be able implement
+ the required aggregation if such a count is needed.";
+ }
+ }
+
+ /*
+ * Configuration data nodes
+ */
+ container acls {
+ description
+ "This is a top level container for Access Control Lists.
+ It can have one or more acl nodes.";
+ list acl {
+ key "name";
+ description
+ "An Access Control List (ACL) is an ordered list of
+ Access Control Entries (ACE).
Each ACE has a
+ list of match criteria and a list of actions.
+ Since there are several kinds of Access Control Lists
+ implemented with different attributes for
+ different vendors, this model accommodates customizing
+ Access Control Lists for each kind and, for each vendor.";
+ leaf name {
+ type string {
+ length "1..64";
+ }
+ description
+ "The name of access list. A device MAY restrict the length
+ and value of this name, possibly space and special
+ characters are not allowed.";
+ }
+ leaf type {
+ type acl-type;
+ description
+ "Type of access control list. Indicates the primary intended
+ type of match criteria (e.g. ethernet, IPv4, IPv6, mixed,
+ etc) used in the list instance.";
+ }
+ container aces {
+ description
+ "The aces container contains one or more ace nodes.";
+ list ace {
+ key "name";
+ ordered-by user;
+ description
+ "List of Access Control Entries (ACEs)";
+ leaf name {
+ type string {
+ length "1..64";
+ }
+ description
+ "A unique name identifying this Access Control
+ Entry (ACE).";
+ }
+
+ container matches {
+ description
+ "The rules in this set determine what fields will be
+ matched upon before any action is taken on them.
+ The rules are selected based on the feature set
+ defined by the server and the acl-type defined.
+ If no matches are defined in a particular container,
+ then any packet will match that container.
If no + matches are specified at all in an ACE, then any + packet will match the ACE."; + + choice l2 { + container eth { + when "derived-from-or-self(/acls/acl/type, " + + "'acl:eth-acl-type')"; + if-feature match-on-eth; + uses pf:acl-eth-header-fields; + description + "Rule set that matches ethernet headers."; + } + description + "Match layer 2 headers, for example ethernet + header fields."; + } + + choice l3 { + container ipv4 { + when "derived-from-or-self(/acls/acl/type, " + + "'acl:ipv4-acl-type')"; + if-feature match-on-ipv4; + uses pf:acl-ip-header-fields; + uses pf:acl-ipv4-header-fields; + description + "Rule set that matches IPv4 headers."; + } + + container ipv6 { + when "derived-from-or-self(/acls/acl/type, " + + "'acl:ipv6-acl-type')"; + if-feature match-on-ipv6; + uses pf:acl-ip-header-fields; + uses pf:acl-ipv6-header-fields; + description + "Rule set that matches IPv6 headers."; + } + description + "Choice of either ipv4 or ipv6 headers"; + } + + choice l4 { + container tcp { + if-feature match-on-tcp; + uses pf:acl-tcp-header-fields; + container source-port { + choice source-port { + case range-or-operator { + uses pf:port-range-or-operator; + description + "Source port definition from range or + operator."; + } + description + "Choice of source port definition using + range/operator or a choice to support future + 'case' statements, such as one enabling a + group of source ports to be referenced."; + } + description + "Source port definition."; + } + container destination-port { + choice destination-port { + case range-or-operator { + uses pf:port-range-or-operator; + description + "Destination port definition from range or + operator."; + } + description + "Choice of destination port definition using + range/operator or a choice to support future + 'case' statements, such as one enabling a + group of destination ports to be referenced."; + } + description + "Destination port definition."; + } + description + "Rule set that matches TCP 
headers.";
+ }
+
+ container udp {
+ if-feature match-on-udp;
+ uses pf:acl-udp-header-fields;
+ container source-port {
+ choice source-port {
+ case range-or-operator {
+ uses pf:port-range-or-operator;
+ description
+ "Source port definition from range or
+ operator.";
+ }
+ description
+ "Choice of source port definition using
+ range/operator or a choice to support future
+ 'case' statements, such as one enabling a
+ group of source ports to be referenced.";
+ }
+ description
+ "Source port definition.";
+ }
+ container destination-port {
+ choice destination-port {
+ case range-or-operator {
+ uses pf:port-range-or-operator;
+ description
+ "Destination port definition from range or
+ operator.";
+ }
+ description
+ "Choice of destination port definition using
+ range/operator or a choice to support future
+ 'case' statements, such as one enabling a
+ group of destination ports to be referenced.";
+ }
+ description
+ "Destination port definition.";
+ }
+ description
+ "Rule set that matches UDP headers.";
+ }
+
+ container icmp {
+ if-feature match-on-icmp;
+ uses pf:acl-icmp-header-fields;
+ description
+ "Rule set that matches ICMP headers.";
+ }
+ description
+ "Choice of TCP, UDP or ICMP headers.";
+ }
+
+ leaf egress-interface {
+ type if:interface-ref;
+ description
+ "Egress interface. This should not be used if this ACL
+ is attached as an egress ACL (or the value should
+ equal the interface to which the ACL is attached).";
+ }
+
+ leaf ingress-interface {
+ type if:interface-ref;
+ description
+ "Ingress interface.
This should not be used if this ACL
+ is attached as an ingress ACL (or the value should
+ equal the interface to which the ACL is attached)";
+ }
+ }
+
+ container actions {
+ description
+ "Definitions of action for this ace entry";
+ leaf forwarding {
+ type identityref {
+ base forwarding-action;
+ }
+ mandatory true;
+ description
+ "Specifies the forwarding action per ace entry";
+ }
+
+ leaf logging {
+ type identityref {
+ base log-action;
+ }
+ default log-none;
+ description
+ "Specifies the log action and destination for
+ matched packets. Default value is not to log the
+ packet.";
+ }
+ }
+ container statistics {
+ if-feature "acl-aggregate-stats";
+ config false;
+ description
+ "Statistics gathered across all attachment points for the
+ given ACL.";
+ uses acl-counters;
+ }
+ }
+ }
+ }
+ container attachment-points {
+ description
+ "Enclosing container for the list of
+ attachment-points on which ACLs are set";
+
+ /*
+ * Groupings
+ */
+ grouping interface-acl {
+ description
+ "Grouping for per-interface ingress ACL data";
+
+ container acl-sets {
+ description
+ "Enclosing container the list of ingress ACLs on the
+ interface";
+
+ list acl-set {
+ key "name";
+ ordered-by user;
+ description
+ "List of ingress ACLs on the interface";
+
+ leaf name {
+ type leafref {
+ path "/acls/acl/name";
+ }
+ description
+ "Reference to the ACL name applied on ingress";
+ }
+
+ list ace-statistics {
+ if-feature "interface-stats";
+ key "name";
+ config false;
+ description
+ "List of Access Control Entries (ACEs)";
+ leaf name {
+ type leafref {
+ path "/acls/acl/aces/ace/name";
+ }
+ description
+ "The ace name";
+ }
+ uses acl-counters;
+ }
+ }
+ }
+ }
+
+ list interface {
+ if-feature interface-attachment;
+ key "interface-id";
+ description
+ "List of interfaces on which ACLs are set";
+
+ leaf interface-id {
+ type if:interface-ref;
+ description
+ "Reference to the interface id list key";
+ }
+
+ container ingress {
+ uses interface-acl;
+ description
+ "The ACLs applied to ingress interface";
+ }
+ container egress {
+ uses interface-acl;
+ description
+ "The ACLs applied to egress interface";
+ }
+ }
+ }
+ }
+} |
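Review bot: The `when` guards on the `eth`, `ipv4` and `ipv6` match containers inside `container matches` test the absolute path `/acls/acl/type`, so once more than one ACL exists the condition is satisfied when any ACL in the list has that type, not necessarily the enclosing one (YANG 1.1 `derived-from-or-self()` is true if any node of the node-set matches); the `ace-statistics` leafref `/acls/acl/aces/ace/name` in `interface-acl` is similarly unscoped and can name an ACE belonging to a different ACL than the enclosing `acl-set`. This looks inherited from the IETF draft (the header still carries `RFC XXXX` placeholders), so the file itself is probably best left as published, but the implementation and validation work this commit describes should not rely on these model constraints to keep an ACL's declared `type` consistent with the match containers its ACEs carry, and should check the enclosing ACL's `type` explicitly. A comment next to where the module is registered or validated would make that explicit, e.g. `// NOTE: the model's 'when' on /acls/acl/type is not scoped to the enclosing ACL; per-ACL type/match consistency is validated here.`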