summaryrefslogtreecommitdiffstats
path: root/acl/acl-api
diff options
context:
space:
mode:
authorMichal Cmarada <mcmarada@cisco.com>2018-11-19 14:59:14 +0100
committerMichal Cmarada <mcmarada@cisco.com>2018-11-19 14:59:14 +0100
commit718e9a3c7cac01860f3e3fe6174fcc1bd33fb4eb (patch)
tree34fae7680450e166e845f0c2db84ed8c3215930f /acl/acl-api
parentf9acfac8b701f9903a28edc98db127c36d73384f (diff)
HC2VPP-291: ACL model bump
- bump ACL yang models - fix ACL module implementation and validation - fix ACL Unit tests - update postman collection Change-Id: Iaab64e6d92d17babc3ccef7921b41070c3716516 Signed-off-by: Michal Cmarada <mcmarada@cisco.com>
Diffstat (limited to 'acl/acl-api')
-rw-r--r--acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang212
-rwxr-xr-xacl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang667
-rwxr-xr-xacl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang362
-rw-r--r--acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang180
-rwxr-xr-xacl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang588
-rw-r--r--acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang103
-rw-r--r--acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang2
-rw-r--r--acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang284
-rw-r--r--acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang230
9 files changed, 1848 insertions, 780 deletions
diff --git a/acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang b/acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang
deleted file mode 100644
index bdd0d0ee3..000000000
--- a/acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang
+++ /dev/null
@@ -1,212 +0,0 @@
-module ietf-access-control-list {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
- prefix acl;
- import ietf-yang-types {
- prefix yang;
- }
- import ietf-packet-fields {
- prefix packet-fields;
- }
- organization "IETF NETMOD (NETCONF Data Modeling Language)
- Working Group";
- contact
- "WG Web: http://tools.ietf.org/wg/netmod/
- WG List: netmod@ietf.org
- WG Chair: Juergen Schoenwaelder
- j.schoenwaelder@jacobs-university.de
- WG Chair: Tom Nadeau
- tnadeau@lucidvision.com
- Editor: Dean Bogdanovic
- ivandean@gmail.com
- Editor: Kiran Agrahara Sreenivasa
- kkoushik@cisco.com
- Editor: Lisa Huang
- lyihuang16@gmail.com
- Editor: Dana Blair
- dblair@cisco.com";
- description
- "This YANG module defines a component that describing the
- configuration of Access Control Lists (ACLs).
- Copyright (c) 2015 IETF Trust and the persons identified as
- the document authors. All rights reserved.
- Redistribution and use in source and binary forms, with or
- without modification, is permitted pursuant to, and subject
- to the license terms contained in, the Simplified BSD
- License set forth in Section 4.c of the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info).
- This version of this YANG module is part of RFC XXXX; see
- the RFC itself for full legal notices.";
- revision 2016-07-08 {
- description
- "Base model for Network Access Control List (ACL).";
- reference
- "RFC XXXX: Network Access Control List (ACL)
- YANG Data Model";
- }
- identity acl-base {
- description
- "Base Access Control List type for all Access Control List type
- identifiers.";
- }
- identity ipv4-acl {
- base acl:acl-base;
- description
- "ACL that primarily matches on fields from the IPv4 header
- (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
- destination port). An acl of type ipv4-acl does not contain
- matches on fields in the ethernet header or the IPv6 header.";
- }
- identity ipv6-acl {
- base acl:acl-base;
- description
- "ACL that primarily matches on fields from the IPv6 header
- (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
- destination port). An acl of type ipv6-acl does not contain
- matches on fields in the ethernet header or the IPv4 header.";
- }
- identity eth-acl {
- base acl:acl-base;
- description
- "ACL that primarily matches on fields in the ethernet header,
- like 10/100/1000baseT or WiFi Access Control List. An acl of
- type eth-acl does not contain matches on fields in the IPv4
- header, IPv6 header or layer 4 headers.";
- }
- typedef acl-type {
- type identityref {
- base acl:acl-base;
- }
- description
- "This type is used to refer to an Access Control List
- (ACL) type";
- }
- /*
- HC2VPP-290: access-control-list-ref was modified to fix pyang errors
- TODO(HC2VPP-291): bump ietf-access-control-list version to resolve the issue
- */
- typedef access-control-list-ref {
- type leafref {
- path "/acl:access-lists/acl:acl/acl:acl-name";
- }
- description
- "This type is used by data models that need to reference an
- Access Control List";
- }
- container access-lists {
- description
- "This is a top level container for Access Control Lists.
- It can have one or more Access Control Lists.";
- list acl {
- key "acl-type acl-name";
- description
- "An Access Control List(ACL) is an ordered list of
- Access List Entries (ACE). Each Access Control Entry has a
- list of match criteria and a list of actions.
- Since there are several kinds of Access Control Lists
- implemented with different attributes for
- different vendors, this
- model accommodates customizing Access Control Lists for
- each kind and for each vendor.";
- leaf acl-name {
- type string;
- description
- "The name of access-list. A device MAY restrict the length
- and value of this name, possibly space and special
- characters are not allowed.";
- }
- leaf acl-type {
- type acl-type;
- description
- "Type of access control list. Indicates the primary intended
- type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
- used in the list instance.";
- }
- container acl-oper-data {
- config false;
- description
- "Overall Access Control List operational data";
- }
- container access-list-entries {
- description
- "The access-list-entries container contains
- a list of access-list-entries(ACE).";
- list ace {
- key "rule-name";
- ordered-by user;
- description
- "List of access list entries(ACE)";
- leaf rule-name {
- type string;
- description
- "A unique name identifying this Access List
- Entry(ACE).";
- }
- container matches {
- description
- "Definitions for match criteria for this Access List
- Entry.";
- choice ace-type {
- description
- "Type of access list entry.";
- case ace-ip {
- description "IP Access List Entry.";
- choice ace-ip-version {
- description
- "IP version used in this Access List Entry.";
- case ace-ipv4 {
- uses packet-fields:acl-ipv4-header-fields;
- }
- case ace-ipv6 {
- uses packet-fields:acl-ipv6-header-fields;
- }
- }
- uses packet-fields:acl-ip-header-fields;
- }
- case ace-eth {
- description
- "Ethernet Access List entry.";
- uses packet-fields:acl-eth-header-fields;
- }
- }
- }
- container actions {
- description
- "Definitions of action criteria for this Access List
- Entry.";
- choice packet-handling {
- default "deny";
- description
- "Packet handling action.";
- case deny {
- leaf deny {
- type empty;
- description
- "Deny action.";
- }
- }
- case permit {
- leaf permit {
- type empty;
- description
- "Permit action.";
- }
- }
- }
- }
- container ace-oper-data {
- config false;
- description
- "Operational data for this Access List Entry.";
- leaf match-counter {
- type yang:counter64;
- description
- "Number of matches for this Access List Entry";
- }
- }
- }
- }
- }
- }
-}
diff --git a/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang
new file mode 100755
index 000000000..cc1dcb59f
--- /dev/null
+++ b/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang
@@ -0,0 +1,667 @@
+module ietf-access-control-list {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
+ prefix acl;
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991 - Common YANG Data Types.";
+ }
+
+ import ietf-packet-fields {
+ prefix pf;
+ reference
+ "RFC XXXX - Network ACL YANG Model.";
+ }
+
+ import ietf-interfaces {
+ prefix if;
+ reference
+ "RFC 8343 - A YANG Data Model for Interface Management.";
+ }
+
+ organization
+ "IETF NETMOD (Network Modeling Language)
+ Working Group";
+
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+
+ Editor: Mahesh Jethanandani
+ mjethanandani@gmail.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Sonal Agarwal
+ sagarwal12@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+
+ description
+ "This YANG module defines a component that describe the
+ configuration of Access Control Lists (ACLs).
+
+ Copyright (c) 2018 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+
+ revision 2018-10-01 {
+ description
+ "Initial version.";
+ reference
+ "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
+ }
+
+ /*
+ * Identities
+ */
+ /*
+ * Forwarding actions for a packet
+ */
+ identity forwarding-action {
+ description
+ "Base identity for actions in the forwarding category";
+ }
+
+ identity accept {
+ base forwarding-action;
+ description
+ "Accept the packet";
+ }
+
+ identity drop {
+ base forwarding-action;
+ description
+ "Drop packet without sending any ICMP error message";
+ }
+
+ identity reject {
+ base forwarding-action;
+ description
+ "Drop the packet and send an ICMP error message to the source";
+ }
+
+ /*
+ * Logging actions for a packet
+ */
+ identity log-action {
+ description
+ "Base identity for defining the destination for logging actions";
+ }
+
+ identity log-syslog {
+ base log-action;
+ description
+ "System log (syslog) the information for the packet";
+ }
+
+ identity log-none {
+ base log-action;
+ description
+ "No logging for the packet";
+ }
+
+ /*
+ * ACL type identities
+ */
+ identity acl-base {
+ description
+ "Base Access Control List type for all Access Control List type
+ identifiers.";
+ }
+
+ identity ipv4-acl-type {
+ base acl:acl-base;
+ if-feature "ipv4";
+ description
+ "An ACL that matches on fields from the IPv4 header
+ (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv4 does not contain
+ matches on fields in the ethernet header or the IPv6 header.";
+ }
+
+ identity ipv6-acl-type {
+ base acl:acl-base;
+ if-feature "ipv6";
+ description
+ "An ACL that matches on fields from the IPv6 header
+ (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv6 does not contain
+ matches on fields in the ethernet header or the IPv4 header.";
+ }
+
+ identity eth-acl-type {
+ base acl:acl-base;
+ if-feature "eth";
+ description
+ "An ACL that matches on fields in the ethernet header,
+ like 10/100/1000baseT or WiFi Access Control List. An acl of
+ type ethernet does not contain matches on fields in the IPv4
+ header, IPv6 header or layer 4 headers.";
+ }
+
+ identity mixed-eth-ipv4-acl-type {
+ base "acl:eth-acl-type";
+ base "acl:ipv4-acl-type";
+ if-feature "mixed-eth-ipv4";
+ description
+ "An ACL that contains a mix of entries that
+ match on fields in ethernet headers,
+ entries that match on IPv4 headers.
+ Matching on layer 4 header fields may also exist in the
+ list.";
+ }
+ identity mixed-eth-ipv6-acl-type {
+ base "acl:eth-acl-type";
+ base "acl:ipv6-acl-type";
+ if-feature "mixed-eth-ipv6";
+ description
+ "ACL that contains a mix of entries that
+ match on fields in ethernet headers, entries
+ that match on fields in IPv6 headers. Matching on
+ layer 4 header fields may also exist in the list.";
+ }
+
+ identity mixed-eth-ipv4-ipv6-acl-type {
+ base "acl:eth-acl-type";
+ base "acl:ipv4-acl-type";
+ base "acl:ipv6-acl-type";
+ if-feature "mixed-eth-ipv4-ipv6";
+ description
+ "ACL that contains a mix of entries that
+ match on fields in ethernet headers, entries
+ that match on fields in IPv4 headers, and entries
+ that match on fields in IPv6 headers. Matching on
+ layer 4 header fields may also exist in the list.";
+ }
+
+ /*
+ * Features
+ */
+
+ /*
+ * Features supported by device
+ */
+ feature match-on-eth {
+ description
+ "The device can support matching on ethernet headers.";
+ }
+
+ feature match-on-ipv4 {
+ description
+ "The device can support matching on IPv4 headers.";
+ }
+
+ feature match-on-ipv6 {
+ description
+ "The device can support matching on IPv6 headers.";
+ }
+
+ feature match-on-tcp {
+ description
+ "The device can support matching on TCP headers.";
+ }
+
+ feature match-on-udp {
+ description
+ "The device can support matching on UDP headers.";
+ }
+
+ feature match-on-icmp {
+ description
+ "The device can support matching on ICMP (v4 and v6) headers.";
+ }
+
+ /*
+ * Header classifications combinations supported by
+ * device
+ */
+ feature eth {
+ if-feature "match-on-eth";
+ description
+ "Plain Ethernet ACL supported";
+ }
+
+ feature ipv4 {
+ if-feature "match-on-ipv4";
+ description
+ "Plain IPv4 ACL supported";
+ }
+
+ feature ipv6 {
+ if-feature "match-on-ipv6";
+ description
+ "Plain IPv6 ACL supported";
+ }
+
+ feature mixed-eth-ipv4 {
+ if-feature "match-on-eth and match-on-ipv4";
+ description
+ "Ethernet and IPv4 ACL combinations supported";
+ }
+
+ feature mixed-eth-ipv6 {
+ if-feature "match-on-eth and match-on-ipv6";
+ description
+ "Ethernet and IPv6 ACL combinations supported";
+ }
+
+ feature mixed-eth-ipv4-ipv6 {
+ if-feature "match-on-eth and match-on-ipv4
+ and match-on-ipv6";
+ description
+ "Ethernet, IPv4 and IPv6 ACL combinations supported.";
+ }
+
+ /*
+ * Stats Features
+ */
+ feature interface-stats {
+ description
+ "ACL counters are available and reported only per interface";
+ }
+
+ feature acl-aggregate-stats {
+ description
+ "ACL counters are aggregated over all interfaces, and reported
+ only per ACL entry";
+ }
+
+ /*
+ * Attachment point features
+ */
+ feature interface-attachment {
+ description
+ "ACLs are set on interfaces.";
+ }
+
+ /*
+ * Typedefs
+ */
+ typedef acl-type {
+ type identityref {
+ base acl-base;
+ }
+ description
+ "This type is used to refer to an Access Control List
+ (ACL) type";
+ }
+
+ /*
+ * Groupings
+ */
+ grouping acl-counters {
+ description
+ "Common grouping for ACL counters";
+
+ leaf matched-packets {
+ type yang:counter64;
+ config false;
+ description
+ "Count of the number of packets matching the current ACL
+ entry.
+
+ An implementation should provide this counter on a
+ per-interface per-ACL-entry basis if possible.
+
+ If an implementation only supports ACL counters on a per
+ entry basis (i.e., not broken out per interface), then the
+ value should be equal to the aggregate count across all
+ interfaces.
+
+ An implementation that provides counters on a per entry per
+ interface basis is not required to also provide an aggregate
+ count, e.g., per entry -- the user is expected to be able
+ implement the required aggregation if such a count is
+ needed.";
+ }
+
+ leaf matched-octets {
+ type yang:counter64;
+ config false;
+ description
+ "Count of the number of octets (bytes) matching the current
+ ACL entry.
+
+ An implementation should provide this counter on a
+ per-interface per-ACL-entry if possible.
+
+ If an implementation only supports ACL counters per entry
+ (i.e., not broken out per interface), then the value
+ should be equal to the aggregate count across all interfaces.
+
+ An implementation that provides counters per entry per
+ interface is not required to also provide an aggregate count,
+ e.g., per entry -- the user is expected to be able implement
+ the required aggregation if such a count is needed.";
+ }
+ }
+
+ /*
+ * Configuration data nodes
+ */
+ container acls {
+ description
+ "This is a top level container for Access Control Lists.
+ It can have one or more acl nodes.";
+ list acl {
+ key "name";
+ description
+ "An Access Control List (ACL) is an ordered list of
+ Access Control Entries (ACE). Each ACE has a
+ list of match criteria and a list of actions.
+ Since there are several kinds of Access Control Lists
+ implemented with different attributes for
+ different vendors, this model accommodates customizing
+ Access Control Lists for each kind and, for each vendor.";
+ leaf name {
+ type string {
+ length "1..64";
+ }
+ description
+ "The name of access list. A device MAY restrict the length
+ and value of this name, possibly space and special
+ characters are not allowed.";
+ }
+ leaf type {
+ type acl-type;
+ description
+ "Type of access control list. Indicates the primary intended
+ type of match criteria (e.g. ethernet, IPv4, IPv6, mixed,
+ etc) used in the list instance.";
+ }
+ container aces {
+ description
+ "The aces container contains one or more ace nodes.";
+ list ace {
+ key "name";
+ ordered-by user;
+ description
+ "List of Access Control Entries (ACEs)";
+ leaf name {
+ type string {
+ length "1..64";
+ }
+ description
+ "A unique name identifying this Access Control
+ Entry (ACE).";
+ }
+
+ container matches {
+ description
+ "The rules in this set determine what fields will be
+ matched upon before any action is taken on them.
+ The rules are selected based on the feature set
+ defined by the server and the acl-type defined.
+ If no matches are defined in a particular container,
+ then any packet will match that container. If no
+ matches are specified at all in an ACE, then any
+ packet will match the ACE.";
+
+ choice l2 {
+ container eth {
+ when "derived-from-or-self(/acls/acl/type, " +
+ "'acl:eth-acl-type')";
+ if-feature match-on-eth;
+ uses pf:acl-eth-header-fields;
+ description
+ "Rule set that matches ethernet headers.";
+ }
+ description
+ "Match layer 2 headers, for example ethernet
+ header fields.";
+ }
+
+ choice l3 {
+ container ipv4 {
+ when "derived-from-or-self(/acls/acl/type, " +
+ "'acl:ipv4-acl-type')";
+ if-feature match-on-ipv4;
+ uses pf:acl-ip-header-fields;
+ uses pf:acl-ipv4-header-fields;
+ description
+ "Rule set that matches IPv4 headers.";
+ }
+
+ container ipv6 {
+ when "derived-from-or-self(/acls/acl/type, " +
+ "'acl:ipv6-acl-type')";
+ if-feature match-on-ipv6;
+ uses pf:acl-ip-header-fields;
+ uses pf:acl-ipv6-header-fields;
+ description
+ "Rule set that matches IPv6 headers.";
+ }
+ description
+ "Choice of either ipv4 or ipv6 headers";
+ }
+
+ choice l4 {
+ container tcp {
+ if-feature match-on-tcp;
+ uses pf:acl-tcp-header-fields;
+ container source-port {
+ choice source-port {
+ case range-or-operator {
+ uses pf:port-range-or-operator;
+ description
+ "Source port definition from range or
+ operator.";
+ }
+ description
+ "Choice of source port definition using
+ range/operator or a choice to support future
+ 'case' statements, such as one enabling a
+ group of source ports to be referenced.";
+ }
+ description
+ "Source port definition.";
+ }
+ container destination-port {
+ choice destination-port {
+ case range-or-operator {
+ uses pf:port-range-or-operator;
+ description
+ "Destination port definition from range or
+ operator.";
+ }
+ description
+ "Choice of destination port definition using
+ range/operator or a choice to support future
+ 'case' statements, such as one enabling a
+ group of destination ports to be referenced.";
+ }
+ description
+ "Destination port definition.";
+ }
+ description
+ "Rule set that matches TCP headers.";
+ }
+
+ container udp {
+ if-feature match-on-udp;
+ uses pf:acl-udp-header-fields;
+ container source-port {
+ choice source-port {
+ case range-or-operator {
+ uses pf:port-range-or-operator;
+ description
+ "Source port definition from range or
+ operator.";
+ }
+ description
+ "Choice of source port definition using
+ range/operator or a choice to support future
+ 'case' statements, such as one enabling a
+ group of source ports to be referenced.";
+ }
+ description
+ "Source port definition.";
+ }
+ container destination-port {
+ choice destination-port {
+ case range-or-operator {
+ uses pf:port-range-or-operator;
+ description
+ "Destination port definition from range or
+ operator.";
+ }
+ description
+ "Choice of destination port definition using
+ range/operator or a choice to support future
+ 'case' statements, such as one enabling a
+ group of destination ports to be referenced.";
+ }
+ description
+ "Destination port definition.";
+ }
+ description
+ "Rule set that matches UDP headers.";
+ }
+
+ container icmp {
+ if-feature match-on-icmp;
+ uses pf:acl-icmp-header-fields;
+ description
+ "Rule set that matches ICMP headers.";
+ }
+ description
+ "Choice of TCP, UDP or ICMP headers.";
+ }
+
+ leaf egress-interface {
+ type if:interface-ref;
+ description
+ "Egress interface. This should not be used if this ACL
+ is attached as an egress ACL (or the value should
+ equal the interface to which the ACL is attached).";
+ }
+
+ leaf ingress-interface {
+ type if:interface-ref;
+ description
+ "Ingress interface. This should not be used if this ACL
+ is attached as an ingress ACL (or the value should
+ equal the interface to which the ACL is attached)";
+ }
+ }
+
+ container actions {
+ description
+ "Definitions of action for this ace entry";
+ leaf forwarding {
+ type identityref {
+ base forwarding-action;
+ }
+ mandatory true;
+ description
+ "Specifies the forwarding action per ace entry";
+ }
+
+ leaf logging {
+ type identityref {
+ base log-action;
+ }
+ default log-none;
+ description
+ "Specifies the log action and destination for
+ matched packets. Default value is not to log the
+ packet.";
+ }
+ }
+ container statistics {
+ if-feature "acl-aggregate-stats";
+ config false;
+ description
+ "Statistics gathered across all attachment points for the
+ given ACL.";
+ uses acl-counters;
+ }
+ }
+ }
+ }
+ container attachment-points {
+ description
+ "Enclosing container for the list of
+ attachment-points on which ACLs are set";
+
+ /*
+ * Groupings
+ */
+ grouping interface-acl {
+ description
+ "Grouping for per-interface ingress ACL data";
+
+ container acl-sets {
+ description
+ "Enclosing container the list of ingress ACLs on the
+ interface";
+
+ list acl-set {
+ key "name";
+ ordered-by user;
+ description
+ "List of ingress ACLs on the interface";
+
+ leaf name {
+ type leafref {
+ path "/acls/acl/name";
+ }
+ description
+ "Reference to the ACL name applied on ingress";
+ }
+
+ list ace-statistics {
+ if-feature "interface-stats";
+ key "name";
+ config false;
+ description
+ "List of Access Control Entries (ACEs)";
+ leaf name {
+ type leafref {
+ path "/acls/acl/aces/ace/name";
+ }
+ description
+ "The ace name";
+ }
+ uses acl-counters;
+ }
+ }
+ }
+ }
+
+ list interface {
+ if-feature interface-attachment;
+ key "interface-id";
+ description
+ "List of interfaces on which ACLs are set";
+
+ leaf interface-id {
+ type if:interface-ref;
+ description
+ "Reference to the interface id list key";
+ }
+
+ container ingress {
+ uses interface-acl;
+ description
+ "The ACLs applied to ingress interface";
+ }
+ container egress {
+ uses interface-acl;
+ description
+ "The ACLs applied to egress interface";
+ }
+ }
+ }
+ }
+}
diff --git a/acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang
new file mode 100755
index 000000000..c06426912
--- /dev/null
+++ b/acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang
@@ -0,0 +1,362 @@
+module ietf-ethertypes {
+ namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes";
+ prefix ethertypes;
+
+ organization
+ "IETF NETMOD (NETCONF Data Modeling Language)";
+
+ contact
+ "WG Web: <http://tools.ietf.org/wg/netmod/>
+ WG List: <mailto:netmod@ietf.org>
+
+ Editor: Mahesh Jethanandani
+ <mjethanandani@gmail.com>";
+
+ description
+ "This module contains the common definitions for the
+ Ethertype used by different modules. It is a
+ placeholder module, till such time that IEEE
+ starts a project to define these Ethertypes
+ and publishes a standard.
+
+ At that time this module can be deprecated.";
+
+ revision 2018-10-01 {
+ description
+ "Initial revision.";
+ reference
+ "RFC XXXX: IETF Ethertype YANG Data Module.";
+ }
+
+ typedef ethertype {
+ type union {
+ type uint16;
+ type enumeration {
+ enum ipv4 {
+ value 2048;
+ description
+ "Internet Protocol version 4 (IPv4) with a
+ hex value of 0x0800.";
+ reference
+ "RFC 791: Internet Protocol.";
+ }
+ enum arp {
+ value 2054;
+ description
+ "Address Resolution Protocol (ARP) with a
+ hex value of 0x0806.";
+ reference
+ "RFC 826: An Ethernet Address Resolution Protocol.";
+ }
+ enum wlan {
+ value 2114;
+ description
+ "Wake-on-LAN. Hex value of 0x0842.";
+ }
+ enum trill {
+ value 8947;
+ description
+ "Transparent Interconnection of Lots of Links.
+ Hex value of 0x22F3.";
+ reference
+ "RFC 6325: Routing Bridges (RBridges): Base Protocol
+ Specification.";
+ }
+ enum srp {
+ value 8938;
+ description
+ "Stream Reservation Protocol. Hex value of
+ 0x22EA.";
+ reference
+ "IEEE 801.1Q-2011.";
+ }
+ enum decnet {
+ value 24579;
+ description
+ "DECnet Phase IV. Hex value of 0x6003.";
+ }
+ enum rarp {
+ value 32821;
+ description
+ "Reverse Address Resolution Protocol.
+ Hex value 0x8035.";
+ reference
+ "RFC 903. A Reverse Address Resolution Protocol.";
+ }
+ enum appletalk {
+ value 32923;
+ description
+ "Appletalk (Ethertalk). Hex value 0x809B.";
+ }
+ enum aarp {
+ value 33011;
+ description
+ "Appletalk Address Resolution Protocol. Hex value
+ of 0x80F3.";
+ }
+ enum vlan {
+ value 33024;
+ description
+ "VLAN-tagged frame (802.1Q) and Shortest Path
+ Bridging IEEE 802.1aq with NNI compatibility.
+ Hex value 0x8100.";
+ reference
+ "802.1Q.";
+ }
+ enum ipx {
+ value 33079;
+ description
+ "Internetwork Packet Exchange (IPX). Hex value
+ of 0x8137.";
+ }
+ enum qnx {
+ value 33284;
+ description
+ "QNX Qnet. Hex value of 0x8204.";
+ }
+ enum ipv6 {
+ value 34525;
+ description
+ "Internet Protocol Version 6 (IPv6). Hex value
+ of 0x86DD.";
+ reference
+ "RFC 8200: Internet Protocol, Version 6 (IPv6)
+ Specification
+ RFC 8201: Path MTU Discovery for IPv6.";
+ }
+ enum efc {
+ value 34824;
+ description
+ "Ethernet flow control using pause frames.
+ Hex value of 0x8808";
+ reference
+ "IEEE Std. 802.1Qbb.";
+ }
+ enum esp {
+ value 34825;
+ description
+ "Ethernet Slow Protocol. Hex value of 0x8809.";
+ reference
+ "IEEE Std. 802.3-2015";
+ }
+ enum cobranet {
+ value 34841;
+ description
+ "CobraNet. Hex value of 0x";
+ }
+ enum mpls-unicast {
+ value 34887;
+ description
+ "MultiProtocol Label Switch (MPLS) unicast traffic.
+ Hex value of 0x8847.";
+ reference
+ "RFC 3031: Multiprotocol Label Switching Architecture.";
+ }
+ enum mpls-multicast {
+ value 34888;
+ description
+ "MultiProtocol Label Switch (MPLS) multicast traffic.
+ Hex value of 0x8848.";
+ reference
+ "RFC 3031: Multiprotocol Label Switching Architecture.";
+ }
+ enum pppoe-discovery {
+ value 34915;
+ description
+ "Point-to-Point Protocol over Ethernet. Used during
+ the discovery process. Hex value of 0x8863.";
+ reference
+ "RFC 2516: A method for Transmitting PPP over Ethernet
+ PPPoE.";
+ }
+ enum pppoe-session {
+ value 34916;
+ description
+ "Point-to-Point Protocol over Ethernet. Used during
+ session stage. Hex value of 0x8864.";
+ reference
+ "RFC 2516: A method for Transmitting PPP over Ethernet
+ PPPoE.";
+ }
+ enum intel-ans {
+ value 34925;
+ description
+ "Intel Advanced Networking Services. Hex value of
+ 0x886D.";
+ }
+ enum jumbo-frames {
+ value 34928;
+ description
+ "Jumbo frames or Ethernet frames with more than
+ 1500 bytes of payload, upto 9000 bytes.";
+ }
+ enum homeplug {
+ value 34939;
+ description
+ "Family name for the various power line
+ communications. Hex value of 0x887B.";
+ }
+ enum eap {
+ value 34958;
+ description
+ "Ethernet Access Protocol (EAP) over LAN. Hex value
+ of 0x888E.";
+ reference
+ "IEEE 802.1X";
+ }
+ enum profinet {
+ value 34962;
+ description
+ "PROcess FIeld Net (PROFINET). Hex value of 0x8892.";
+ }
+ enum hyperscsi {
+ value 34970;
+ description
+ "SCSI over Ethernet. Hex value of 0x889A";
+ }
+ enum aoe {
+ value 34978;
+ description
+ "Advanced Technology Advancement (ATA) over Ethernet.
+ Hex value of 0x88A2.";
+ }
+ enum ethercat {
+ value 34980;
+ description
+ "Ethernet for Control Automation Technology (EtherCAT).
+ Hex value of 0x88A4.";
+ }
+ enum provider-bridging {
+ value 34984;
+ description
+ "Provider Bridging (802.1ad) and Shortest Path Bridging
+ (801.1aq). Hex value of 0x88A8.";
+ reference
+ "IEEE 802.1ad, IEEE 802.1aq).";
+ }
+ enum ethernet-powerlink {
+ value 34987;
+ description
+ "Ethernet Powerlink. Hex value of 0x88AB.";
+ }
+ enum goose {
+ value 35000;
+ description
+ "Generic Object Oriented Substation Event (GOOSE).
+ Hex value of 0x88B8.";
+ reference
+ "IEC/ISO 8802-2 and 8802-3.";
+ }
+ enum gse {
+ value 35001;
+ description
+ "Generic Substation Events. Hex value of 88B9.";
+ reference
+ "IEC 61850.";
+ }
+ enum sv {
+ value 35002;
+ description
+ "Sampled Value Transmission. Hex value of 0x88BA.";
+ reference
+ "IEC 61850.";
+ }
+ enum lldp {
+ value 35020;
+ description
+ "Link Layer Discovery Protocol (LLDP). Hex value of
+ 0x88CC.";
+ reference
+ "IEEE 802.1AB.";
+ }
+ enum sercos {
+ value 35021;
+ description
+ "Sercos Interface. Hex value of 0x88CD.";
+ }
+ enum wsmp {
+ value 35036;
+ description
+ "WAVE Short Message Protocl (WSMP). Hex value of
+ 0x88DC.";
+ }
+ enum homeplug-av-mme {
+ value 35041;
+ description
+ "HomePlug AV MME. Hex value of 88E1.";
+ }
+ enum mrp {
+ value 35043;
+ description
+ "Media Redundancy Protocol (MRP). Hex value of
+ 0x88E3.";
+ reference
+ "IEC62439-2.";
+ }
+ enum macsec {
+ value 35045;
+ description
+ "MAC Security. Hex value of 0x88E5.";
+ reference
+ "IEEE 802.1AE.";
+ }
+ enum pbb {
+ value 35047;
+ description
+ "Provider Backbone Bridges (PBB). Hex value of
+ 0x88E7.";
+ reference
+ "IEEE 802.1ah.";
+ }
+ enum cfm {
+ value 35074;
+ description
+ "Connectivity Fault Management (CFM). Hex value of
+ 0x8902.";
+ reference
+ "IEEE 802.1ag.";
+ }
+ enum fcoe {
+ value 35078;
+ description
+ "Fiber Channel over Ethernet (FCoE). Hex value of
+ 0x8906.";
+ reference
+ "T11 FC-BB-5.";
+ }
+ enum fcoe-ip {
+ value 35092;
+ description
+ "FCoE Initialization Protocol. Hex value of 0x8914.";
+ }
+ enum roce {
+ value 35093;
+ description
+ "RDMA over Converged Ethernet (RoCE). Hex value of
+ 0x8915.";
+ }
+ enum tte {
+ value 35101;
+ description
+ "TTEthernet Protocol Control Frame (TTE). Hex value
+ of 0x891D.";
+ reference
+ "SAE AS6802.";
+ }
+ enum hsr {
+ value 35119;
+ description
+ "High-availability Seamless Redundancy (HSR). Hex
+ value of 0x892F.";
+ reference
+ "IEC 62439-3:2016.";
+ }
+ }
+ }
+ description
+ "The uint16 type placeholder is defined to enable
+ users to manage their own ethertypes not
+ covered by the module. Otherwise the module contains
+ enum definitions for the more commonly used ethertypes.";
+ }
+}
diff --git a/acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang b/acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang
deleted file mode 100644
index 0b1ce5cdd..000000000
--- a/acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang
+++ /dev/null
@@ -1,180 +0,0 @@
-module ietf-packet-fields {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
- prefix packet-fields;
- import ietf-inet-types {
- prefix inet;
- }
- import ietf-yang-types {
- prefix yang;
- }
- organization "IETF NETMOD (NETCONF Data Modeling Language) Working
- Group";
- contact
- "WG Web: http://tools.ietf.org/wg/netmod/
- WG List: netmod@ietf.org
- WG Chair: Juergen Schoenwaelder
- j.schoenwaelder@jacobs-university.de
- WG Chair: Tom Nadeau
- tnadeau@lucidvision.com
- Editor: Dean Bogdanovic
- deanb@juniper.net
- Editor: Kiran Agrahara Sreenivasa
- kkoushik@cisco.com
- Editor: Lisa Huang
- lyihuang16@gmail.com
- Editor: Dana Blair
- dblair@cisco.com";
- description
- "This YANG module defines groupings that are used by
- ietf-access-control-list YANG module. Their usage is not
- limited to ietf-access-control-list and can be
- used anywhere as applicable.
- Copyright (c) 2015 IETF Trust and the persons identified as
- the document authors. All rights reserved.
- Redistribution and use in source and binary forms, with or
- without modification, is permitted pursuant to, and subject
- to the license terms contained in, the Simplified BSD
- License set forth in Section 4.c of the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info).
- This version of this YANG module is part of RFC XXXX; see
- the RFC itself for full legal notices.";
- revision 2016-07-08 {
- description
- "Initial version of packet fields used by
- ietf-access-control-list";
- reference
- "RFC XXXX: Network Access Control List (ACL)
- YANG Data Model";
- }
- grouping acl-transport-header-fields {
- description
- "Transport header fields";
- container source-port-range {
- presence "Enables setting source port range";
- description
- "Inclusive range representing source ports to be used.
- When only lower-port is present, it represents a single port.";
- leaf lower-port {
- type inet:port-number;
- mandatory true;
- description
- "Lower boundary for port.";
- }
- leaf upper-port {
- type inet:port-number;
- must ". >= ../lower-port" {
- error-message
- "The upper-port must be greater than or equal to lower-port";
- }
- description
- "Upper boundary for port . If existing, the upper port
- must be greater or equal to lower-port.";
- }
- }
- container destination-port-range {
- presence "Enables setting destination port range";
- description
- "Inclusive range representing destination ports to be used. When
- only lower-port is present, it represents a single port.";
- leaf lower-port {
- type inet:port-number;
- mandatory true;
- description
- "Lower boundary for port.";
- }
- leaf upper-port {
- type inet:port-number;
- must ". >= ../lower-port" {
- error-message
- "The upper-port must be greater than or equal to lower-port";
- }
-
- description
- "Upper boundary for port. If existing, the upper port must
- be greater or equal to lower-port";
- }
- }
- }
- grouping acl-ip-header-fields {
- description
- "IP header fields common to ipv4 and ipv6";
- leaf dscp {
- type inet:dscp;
- description
- "Value of dscp.";
- }
- leaf protocol {
- type uint8;
- description
- "Internet Protocol number.";
- }
- uses acl-transport-header-fields;
- }
- grouping acl-ipv4-header-fields {
- description
- "Fields in IPv4 header.";
- leaf destination-ipv4-network {
- type inet:ipv4-prefix;
- description
- "Destination IPv4 address prefix.";
- }
- leaf source-ipv4-network {
- type inet:ipv4-prefix;
- description
- "Source IPv4 address prefix.";
- }
- }
- grouping acl-ipv6-header-fields {
- description
- "Fields in IPv6 header";
- leaf destination-ipv6-network {
- type inet:ipv6-prefix;
- description
- "Destination IPv6 address prefix.";
- }
- leaf source-ipv6-network {
- type inet:ipv6-prefix;
- description
- "Source IPv6 address prefix.";
- }
- leaf flow-label {
- type inet:ipv6-flow-label;
- description
- "IPv6 Flow label.";
- }
- reference
- "RFC 4291: IP Version 6 Addressing Architecture
- RFC 4007: IPv6 Scoped Address Architecture
- RFC 5952: A Recommendation for IPv6 Address Text Representation";
- }
- grouping acl-eth-header-fields {
- description
- "Fields in Ethernet header.";
- leaf destination-mac-address {
- type yang:mac-address;
- description
- "Destination IEEE 802 MAC address.";
- }
- leaf destination-mac-address-mask {
- type yang:mac-address;
- description
- "Destination IEEE 802 MAC address mask.";
- }
- leaf source-mac-address {
- type yang:mac-address;
- description
- "Source IEEE 802 MAC address.";
- }
- leaf source-mac-address-mask {
- type yang:mac-address;
- description
- "Source IEEE 802 MAC address mask.";
- }
- reference
- "IEEE 802: IEEE Standard for Local and Metropolitan Area
- Networks: Overview and Architecture.";
- }
-
-} \ No newline at end of file
diff --git a/acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang
new file mode 100755
index 000000000..dc175d335
--- /dev/null
+++ b/acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang
@@ -0,0 +1,588 @@
+module ietf-packet-fields {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
+ prefix packet-fields;
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "RFC 6991 - Common YANG Data Types.";
+ }
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "RFC 6991 - Common YANG Data Types.";
+ }
+
+ import ietf-ethertypes {
+ prefix eth;
+ reference
+ "RFC XXXX - Network ACL YANG Model.";
+ }
+
+ organization
+ "IETF NETMOD (Network Modeling Language) Working
+ Group";
+
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+
+ Editor: Mahesh Jethanandani
+ mjethanandani@gmail.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Sonal Agarwal
+ sagarwal12@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+
+ description
+ "This YANG module defines groupings that are used by
+ ietf-access-control-list YANG module. Their usage is not
+ limited to ietf-access-control-list and can be
+ used anywhere as applicable.
+
+ Copyright (c) 2018 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+
+ revision 2018-10-01 {
+ description
+ "Initial version.";
+ reference
+ "RFC XXX: Network Access Control List (ACL) YANG Data Model.";
+ }
+
+ /*
+ * Typedefs
+ */
+ typedef operator {
+ type enumeration {
+ enum lte {
+ description
+ "Less than or equal.";
+ }
+ enum gte {
+ description
+ "Greater than or equal.";
+ }
+ enum eq {
+ description
+ "Equal to.";
+ }
+ enum neq {
+ description
+ "Not equal to.";
+ }
+ }
+ description
+ "The source and destination port range definitions
+ can be further qualified using an operator. An
+ operator is needed only if lower-port is specified
+ and upper-port is not specified. The operator
+ therefore further qualifies lower-port only.";
+ }
+
+ /*
+ * Groupings
+ */
+ grouping port-range-or-operator {
+ choice port-range-or-operator {
+ case range {
+ leaf lower-port {
+ type inet:port-number;
+ must ". <= ../upper-port" {
+ error-message
+ "The lower-port must be less than or equal to
+ upper-port.";
+ }
+ mandatory true;
+ description
+ "Lower boundry for a port.";
+ }
+ leaf upper-port {
+ type inet:port-number;
+ mandatory true;
+ description
+ "Upper boundry for port.";
+ }
+ }
+ case operator {
+ leaf operator {
+ type operator;
+ default eq;
+ description
+ "Operator to be applied on the port below.";
+ }
+ leaf port {
+ type inet:port-number;
+ mandatory true;
+ description
+ "Port number along with operator on which to
+ match.";
+ }
+ }
+ description
+ "Choice of specifying a port range or a single
+ port along with an operator.";
+ }
+ description
+ "Grouping for port definitions in the form of a
+ choice statement.";
+ }
+
+ grouping acl-ip-header-fields {
+ description
+ "IP header fields common to ipv4 and ipv6";
+ reference
+ "RFC 791: Internet Protocol.";
+
+ leaf dscp {
+ type inet:dscp;
+ description
+ "Differentiated Services Code Point.";
+ reference
+ "RFC 2474: Definition of Differentiated services field
+ (DS field) in the IPv4 and IPv6 headers.";
+ }
+
+ leaf ecn {
+ type uint8 {
+ range 0..3;
+ }
+ description
+ "Explicit Congestion Notification.";
+ reference
+ "RFC 3168: Explicit Congestion Notification.";
+ }
+
+ leaf length {
+ type uint16;
+ description
+ "In IPv4 header field, this field is known as the Total Length.
+ Total Length is the length of the datagram, measured in octets,
+ including internet header and data.
+
+ In IPv6 header field, this field is known as the Payload
+ Length, the length of the IPv6 payload, i.e. the rest of
+ the packet following the IPv6 header, in octets.";
+ reference
+ "RFC 791: Internet Protocol,
+ RFC 8200: Internet Protocol, Version 6 (IPv6) Specification.";
+ }
+
+ leaf ttl {
+ type uint8;
+ description
+ "This field indicates the maximum time the datagram is allowed
+ to remain in the internet system. If this field contains the
+ value zero, then the datagram must be dropped.
+
+ In IPv6, this field is known as the Hop Limit.";
+ reference
+ "RFC 791: Internet Protocol,
+ RFC 8200: Internet Protocol, Version 6 (IPv6) Specification.";
+ }
+
+ leaf protocol {
+ type uint8;
+ description
+ "Internet Protocol number. Refers to the protocol of the
+ payload. In IPv6, this field is known as 'next-header,
+ and if extension headers are present, the protocol is
+ present in the 'upper-layer' header.";
+ reference
+ "RFC 791: Internet Protocol,
+ RFC 8200: Internet Protocol, Version 6 (IPv6) Specification.";
+ }
+ }
+
+ grouping acl-ipv4-header-fields {
+ description
+ "Fields in IPv4 header.";
+
+ leaf ihl {
+ type uint8 {
+ range "5..60";
+ }
+ description
+ "An IPv4 header field, the Internet Header Length (IHL) is
+ the length of the internet header in 32 bit words, and
+ thus points to the beginning of the data. Note that the
+ minimum value for a correct header is 5.";
+ }
+
+ leaf flags {
+ type bits {
+ bit reserved {
+ position 0;
+ description
+ "Reserved. Must be zero.";
+ }
+ bit fragment {
+ position 1;
+ description
+ "Setting value to 0 indicates may fragment, while setting
+ the value to 1 indicates do not fragment.";
+ }
+ bit more {
+ position 2;
+ description
+ "Setting the value to 0 indicates this is the last fragment,
+ and setting the value to 1 indicates more fragments are
+ coming.";
+ }
+ }
+ description
+ "Bit definitions for the flags field in IPv4 header.";
+ }
+
+ leaf offset {
+ type uint16 {
+ range "20..65535";
+ }
+ description
+ "The fragment offset is measured in units of 8 octets (64 bits).
+ The first fragment has offset zero. The length is 13 bits";
+ }
+
+ leaf identification {
+ type uint16;
+ description
+ "An identifying value assigned by the sender to aid in
+ assembling the fragments of a datagram.";
+ }
+
+ choice destination-network {
+ case destination-ipv4-network {
+ leaf destination-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Destination IPv4 address prefix.";
+ }
+ }
+ description
+ "Choice of specifying a destination IPv4 address or
+ referring to a group of IPv4 destination addresses.";
+ }
+ choice source-network {
+ case source-ipv4-network {
+ leaf source-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Source IPv4 address prefix.";
+ }
+ }
+ description
+ "Choice of specifying a source IPv4 address or
+ referring to a group of IPv4 source addresses.";
+ }
+ }
+
+ grouping acl-ipv6-header-fields {
+ description
+ "Fields in IPv6 header";
+
+ choice destination-network {
+ case destination-ipv6-network {
+ leaf destination-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Destination IPv6 address prefix.";
+ }
+ }
+ description
+ "Choice of specifying a destination IPv6 address
+ or referring to a group of IPv6 destination
+ addresses.";
+ }
+
+ choice source-network {
+ case source-ipv6-network {
+ leaf source-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Source IPv6 address prefix.";
+ }
+ }
+ description
+ "Choice of specifying a source IPv6 address or
+ referring to a group of IPv6 source addresses.";
+ }
+
+ leaf flow-label {
+ type inet:ipv6-flow-label;
+ description
+ "IPv6 Flow label.";
+ }
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text
+ Representation";
+ }
+
+ grouping acl-eth-header-fields {
+ description
+ "Fields in Ethernet header.";
+
+ leaf destination-mac-address {
+ type yang:mac-address;
+ description
+ "Destination IEEE 802 MAC address.";
+ }
+ leaf destination-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Destination IEEE 802 MAC address mask.";
+ }
+ leaf source-mac-address {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address.";
+ }
+ leaf source-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address mask.";
+ }
+ leaf ethertype {
+ type eth:ethertype;
+ description
+ "The Ethernet Type (or Length) value represented
+ in the canonical order defined by IEEE 802.
+ The canonical representation uses lowercase
+ characters.";
+ reference
+ "IEEE 802-2014 Clause 9.2";
+ }
+ reference
+ "IEEE 802: IEEE Standard for Local and Metropolitan
+ Area Networks: Overview and Architecture.";
+ }
+
+ grouping acl-tcp-header-fields {
+ description
+ "Collection of TCP header fields that can be used to
+ setup a match filter.";
+
+ leaf sequence-number {
+ type uint32;
+ description
+ "Sequence number that appears in the packet.";
+ }
+
+ leaf acknowledgement-number {
+ type uint32;
+ description
+ "The acknowledgement number that appears in the
+ packet.";
+ }
+
+ leaf data-offset {
+ type uint8 {
+ range "5..15";
+ }
+ description
+ "Specifies the size of the TCP header in 32-bit
+ words. The minimum size header is 5 words and
+ the maximum is 15 words thus giving the minimum
+ size of 20 bytes and maximum of 60 bytes,
+ allowing for up to 40 bytes of options in the
+ header.";
+ }
+
+ leaf reserved {
+ type uint8;
+ description
+ "Reserved for future use.";
+ }
+
+ leaf flags {
+ type bits {
+ bit cwr {
+ position 1;
+ description
+ "Congestion Window Reduced (CWR) flag is set by
+ the sending host to indicate that it received
+ a TCP segment with the ECE flag set and had
+ responded in congestion control mechanism.";
+ reference
+ "RFC 3168: The Addition of Explicit Congestion
+ Notification (ECN) to IP.";
+ }
+ bit ece {
+ position 2;
+ description
+ "ECN-Echo has a dual role, depending on the value
+ of the SYN flag. It indicates:
+ If the SYN flag is set (1), that the TCP peer is ECN
+ capable. If the SYN flag is clear (0), that a packet
+ with Congestion Experienced flag set (ECN=11) in IP
+ header was received during normal transmission
+ (added to header by RFC 3168). This serves as an
+ indication of network congestion (or impending
+ congestion) to the TCP sender.";
+ reference
+ "RFC 3168: The Addition of Explicit Congestion
+ Notification (ECN) to IP.";
+ }
+ bit urg {
+ position 3;
+ description
+ "Indicates that the Urgent pointer field is significant.";
+ }
+ bit ack {
+ position 4;
+ description
+ "Indicates that the Acknowledgment field is significant.
+ All packets after the initial SYN packet sent by the
+ client should have this flag set.";
+ }
+ bit psh {
+ position 5;
+ description
+ "Push function. Asks to push the buffered data to the
+ receiving application.";
+ }
+ bit rst {
+ position 6;
+ description
+ "Reset the connection.";
+ }
+ bit syn {
+ position 7;
+ description
+ "Synchronize sequence numbers. Only the first packet
+ sent from each end should have this flag set. Some
+ other flags and fields change meaning based on this
+ flag, and some are only valid for when it is set,
+ and others when it is clear.";
+ }
+ bit fin {
+ position 8;
+ description
+ "Last package from sender.";
+ }
+ }
+ description
+ "Also known as Control Bits. Contains 9 1-bit flags.";
+ reference
+ "RFC 793: Transmission Control Protocol (TCP).";
+ }
+
+ leaf window-size {
+ type uint16;
+ units "bytes";
+ description
+ "The size of the receive window, which specifies
+ the number of window size units beyond the segment
+ identified by the sequence number in the acknowledgment
+ field that the sender of this segment is currently
+ willing to receive.";
+ }
+
+ leaf urgent-pointer {
+ type uint16;
+ description
+ "This field is an offset from the sequence number
+ indicating the last urgent data byte.";
+ }
+
+ leaf options {
+ type binary {
+ length "1..40";
+ }
+ description
+ "The length of this field is determined by the
+ data offset field. Options have up to three
+ fields: Option-Kind (1 byte), Option-Length
+ (1 byte), Option-Data (variable). The Option-Kind
+ field indicates the type of option, and is the
+ only field that is not optional. Depending on
+ what kind of option we are dealing with,
+ the next two fields may be set: the Option-Length
+ field indicates the total length of the option,
+ and the Option-Data field contains the value of
+ the option, if applicable.";
+ }
+ }
+
+ grouping acl-udp-header-fields {
+ description
+ "Collection of UDP header fields that can be used
+ to setup a match filter.";
+
+ leaf length {
+ type uint16;
+ description
+ "A field that specifies the length in bytes of
+ the UDP header and UDP data. The minimum
+ length is 8 bytes because that is the length of
+ the header. The field size sets a theoretical
+ limit of 65,535 bytes (8 byte header + 65,527
+ bytes of data) for a UDP datagram. However the
+ actual limit for the data length, which is
+ imposed by the underlying IPv4 protocol, is
+ 65,507 bytes (65,535 minus 8 byte UDP header
+ minus 20 byte IP header).
+
+ In IPv6 jumbograms it is possible to have
+ UDP packets of size greater than 65,535 bytes.
+ RFC 2675 specifies that the length field is set
+ to zero if the length of the UDP header plus
+ UDP data is greater than 65,535.";
+ }
+ }
+
+ grouping acl-icmp-header-fields {
+ description
+ "Collection of ICMP header fields that can be
+ used to setup a match filter.";
+
+ leaf type {
+ type uint8;
+ description
+ "Also known as Control messages.";
+ reference
+ "RFC 792: Internet Control Message Protocol (ICMP),
+ RFC 4443: Internet Control Message Protocol (ICMPv6)
+ for Internet Protocol Version 6 (IPv6)
+ Specifciation.";
+ }
+
+ leaf code {
+ type uint8;
+ description
+ "ICMP subtype. Also known as Control messages.";
+ reference
+ "RFC 792: Internet Control Message Protocol (ICMP),
+ RFC 4443: Internet Control Message Protocol (ICMPv6)
+ for Internet Protocol Version 6 (IPv6)
+ Specifciation.";
+ }
+
+ leaf rest-of-header {
+ type binary;
+ description
+ "Unbounded in length, the contents vary based on the
+ ICMP type and code. Also referred to as 'Message Body'
+ in ICMPv6.";
+ reference
+ "RFC 792: Internet Control Message Protocol (ICMP),
+ RFC 4443: Internet Control Message Protocol (ICMPv6)
+ for Internet Protocol Version 6 (IPv6)
+ Specifciation.";
+ }
+ }
+}
diff --git a/acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang b/acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang
deleted file mode 100644
index f051830fe..000000000
--- a/acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang
+++ /dev/null
@@ -1,103 +0,0 @@
-module interface-acl {
- yang-version 1;
- namespace "urn:opendaylight:params:xml:ns:yang:interface:acl";
- prefix "ifc-acl";
-
- import ietf-interfaces {
- prefix "if";
- }
-
- import yang-ext {
- prefix "ext";
- }
-
- import ietf-access-control-list {
- prefix "acl";
- }
-
- organization
- "FD.io - The Fast Data Project";
-
- contact
- "Hc2vpp Wiki <https://wiki.fd.io/view/Hc2vpp>
- Mailing List <hc2vpp@lists.fd.io>";
-
- description
- "This module contains a collection of YANG definitions for
- applying ACLs on VPP interfaces.
- Uses ACL implementation provided by ACL plugin of VPP.
-
- Copyright (c) 2016 Cisco and/or its affiliates.
-
- Licensed under the Apache License, Version 2.0 (the 'License');
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at:
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an 'AS IS' BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.";
-
- revision "2016-12-14" {
- description "Initial revision of interface-acl model";
- }
-
- grouping vpp-acls-base-attributes {
- description
- "List of ACLs of vpp-acl type"; // TODO(HC2VPP-201): express constraint in the model if possible
- list vpp-acls {
- key "type name";
- ordered-by user;
-
- leaf type {
- type acl:acl-type;
- }
-
- // FIXME(HC2VPP-290): define leafref in interface-acl or bump ietf-access-control-list
- leaf name {
- type acl:access-control-list-ref;
- }
- }
- }
-
- grouping vpp-macip-acls-base-attributes {
- container vpp-macip-acl {
- description
- "ACL of vpp-macip-acl type"; // TODO(HC2VPP-201): express constraint in the model if possible
-
- leaf type {
- type acl:acl-type;
- }
-
- leaf name {
- type acl:access-control-list-ref;
- }
- }
- }
-
- grouping interface-acl-attributes {
- container acl {
- container ingress {
- uses vpp-acls-base-attributes;
- uses vpp-macip-acls-base-attributes;
- }
- container egress {
- uses vpp-acls-base-attributes;
- }
- }
- }
-
- augment /if:interfaces/if:interface {
- ext:augment-identifier "vpp-acl-interface-augmentation";
- uses interface-acl-attributes;
- }
-
- augment /if:interfaces-state/if:interface {
- ext:augment-identifier "vpp-acl-interface-state-augmentation";
- uses interface-acl-attributes;
- }
-
-} \ No newline at end of file
diff --git a/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang b/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang
index 016883e1e..34ac3b9f5 100644
--- a/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang
+++ b/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang
@@ -1,6 +1,6 @@
module vpp-acl-context {
yang-version 1;
- namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl:context";
+ namespace "http://fd.io/hc2vpp/yang/vpp/acl/context";
prefix "vac";
import naming-context {
diff --git a/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang b/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang
deleted file mode 100644
index 2f7f82e9c..000000000
--- a/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang
+++ /dev/null
@@ -1,284 +0,0 @@
-module vpp-acl {
- yang-version 1;
- namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl";
- prefix "vpp-acl";
-
- import ietf-access-control-list {
- prefix "acl";
- }
-
- import yang-ext {
- prefix "ext";
- }
-
- import ietf-packet-fields {
- prefix packet-fields;
- }
-
- import ietf-inet-types {
- prefix inet;
- }
-
- import ietf-yang-types {
- prefix yang;
- }
-
- organization
- "FD.io - The Fast Data Project";
-
- contact
- "Hc2vpp Wiki <https://wiki.fd.io/view/Hc2vpp>
- Mailing List <hc2vpp@lists.fd.io>";
-
- description
- "This module contains a collection of YANG definitions
- that extend ietf-access-control-list module
- with VPP specific features provided by the VPP ACL plugin.
-
- Copyright (c) 2016-2017 Cisco and/or its affiliates.
-
- Licensed under the Apache License, Version 2.0 (the 'License');
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at:
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an 'AS IS' BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.";
-
- revision "2017-06-15" {
- description
- "Renamed stateful/permit leaf to permit-and-reflect";
- }
-
- revision "2016-12-14" {
- description
- "Initial revision of vpp-acl model.";
- }
-
- augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling {
- ext:augment-identifier "stateful-acl-action-augmentation";
- when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'";
- case stateful {
- leaf permit-and-reflect {
- type empty;
- description
- "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs.";
- }
- }
- }
-
- identity vpp-acl {
- base acl:acl-base;
- description
- "ACL that contains only aces of vpp-ace type.";
- }
-
- identity vpp-macip-acl {
- base acl:acl-base;
- description
- "ACL that contains only aces of vpp-macip-acl type.";
- }
-
- grouping value-range {
- description "Defines value range with first and last value defined";
-
- leaf first {
- type uint8;
- mandatory true;
- description "Lower boundary for range";
- }
-
- leaf last {
- type uint8;
- mandatory true;
- description "Upper boundary for range";
- must "last >= first";
- }
- }
-
- grouping acl-icmp-header-fields {
- description
- "ICMP header fields";
- container icmp-type-range {
- presence "Enables setting icmp-type";
- description
- "Inclusive range representing icmp types to be used.";
- uses value-range;
- }
-
- container icmp-code-range {
- presence "Enables setting icmp-code";
- description
- "Inclusive range representing icmp codes to be used.";
- uses value-range;
- }
- }
-
- grouping acl-tcp-header-fields {
- description
- "TCP header fields";
- leaf tcp-flags-mask {
- description
- "Binary mask for tcp flags to match. MSB order (FIN at position 0).
- Applied as logical AND to tcp flags field of the packet being matched,
- before it is compared with tcp-flags-value.";
- type uint8;
- }
- leaf tcp-flags-value {
- description
- "Binary value for tcp flags to match. MSB order (FIN at position 0).
- Before tcp-flags-value is compared with tcp flags field of the packet being matched,
- tcp-flags-mask is applied to packet field value.";
- type uint8;
- }
- }
-
- grouping acl-other-protocol-fields {
- description "Used for any other protocol than TCP/UDP/ICMP/ICMPv6";
- leaf protocol {
- must "protocol != 1 and protocol != 6 and protocol != 17 and protocol != 58";
- type uint8;
- description "Internet Protocol number.";
- }
- }
-
- grouping acl-ip-protocol-header-fields {
- description
- "Defines header fields for TCP/UDP or ICMP protocols";
- choice ip-protocol {
- case icmp {
- container icmp-nodes {
- uses acl-icmp-header-fields;
- }
- }
- case icmp-v6 {
- container icmp-v6-nodes {
- uses acl-icmp-header-fields;
- }
- }
- case udp {
- container udp-nodes {
- uses packet-fields:acl-transport-header-fields;
- }
- }
- case tcp {
- container tcp-nodes {
- uses packet-fields:acl-transport-header-fields;
- uses acl-tcp-header-fields;
- }
- }
- case other {
- container other-nodes {
- uses acl-other-protocol-fields;
- }
- }
- }
- }
-
- augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
- ext:augment-identifier "vpp-acl-type-augmentation";
- case vpp-ace {
- description
- "Access List entry that can define:
- - IP4/IP6 src/dst ip prefix- Internet Protocol number
- - Internet Protocol number
- - selected L4 headers:
- * ICMP (type range)
- * UDP (port range)
- * TCP (port range, flags mask, flags value)";
- container vpp-ace-nodes {
- choice ace-ip-version {
- description
- "IP version used in this Access List Entry.";
- case ace-ipv4 {
- uses packet-fields:acl-ipv4-header-fields;
- }
- case ace-ipv6 {
- uses packet-fields:acl-ipv6-header-fields;
- }
- }
- uses acl-ip-protocol-header-fields;
- }
- }
- }
-
- grouping vpp-macip-ace-eth-header-fields {
- description
- "Fields in Ethernet header supported by vpp-macip rule";
- leaf source-mac-address {
- type yang:mac-address;
- description
- "Source IEEE 802 MAC address.
- Before source-mac-address is compared with source mac address field of the packet being matched,
- source-mac-address-mask is applied to packet field value.";
- }
- leaf source-mac-address-mask {
- type yang:mac-address;
- description
- "Source IEEE 802 MAC address mask.
- Applied as logical AND with source mac address field of the packet being matched,
- before it is compared with source-mac-address.";
- }
- }
-
- grouping vpp-macip-ace-ipv4-header-fields {
- description
- "Fields in IPv4 header supported by vpp-macip rule";
- leaf source-ipv4-network {
- type inet:ipv4-prefix;
- description
- "Source IPv4 address prefix.";
- }
- }
-
- grouping vpp-macip-ace-ipv6-header-fields {
- description
- "Fields in IPv6 header supported by vpp-macip rule";
- leaf source-ipv6-network {
- type inet:ipv6-prefix;
- description
- "Source IPv6 address prefix.";
- }
- }
-
- augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
- ext:augment-identifier "vpp-macip-acl-type-augmentation";
- case vpp-macip-ace {
- description
- "Access List entry that can define:
- - IP4/IP6 src ip prefix
- - src MAC address mask
- - src MAC address value
- - can be used only for static ACLs.";
- container vpp-macip-ace-nodes {
- choice ace-ip-version {
- description
- "IP version used in this Access List Entry.";
- case ace-ipv4 {
- uses vpp-macip-ace-ipv4-header-fields;
- }
- case ace-ipv6 {
- uses vpp-macip-ace-ipv6-header-fields;
- }
- }
- uses vpp-macip-ace-eth-header-fields;
- }
- }
- }
-
- augment /acl:access-lists/acl:acl {
- ext:augment-identifier "vpp-acl-augmentation";
- leaf tag {
- type string {
- length 1..63;
- }
- description
- "ASCII tag that can be used as a placeholder for ACL metadata. Value is stored in vpp,
- and returned in read requests. No processing involved.";
- }
- }
-} \ No newline at end of file
diff --git a/acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang b/acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang
new file mode 100644
index 000000000..f94dfa29a
--- /dev/null
+++ b/acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang
@@ -0,0 +1,230 @@
+module vpp-acl {
+ yang-version 1;
+ namespace "http://fd.io/hc2vpp/yang/vpp/acl";
+ prefix "vpp-acl";
+
+ import ietf-access-control-list {
+ prefix "acl";
+ }
+
+ import yang-ext {
+ prefix "ext";
+ }
+
+ import ietf-packet-fields {
+ prefix packet-fields;
+ }
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+
+ import ietf-yang-types {
+ prefix yang;
+ }
+
+ organization
+ "FD.io - The Fast Data Project";
+
+ contact
+ "Hc2vpp Wiki <https://wiki.fd.io/view/Hc2vpp>
+ Mailing List <hc2vpp@lists.fd.io>";
+
+ description
+ "This module contains a collection of YANG definitions
+ that extend ietf-access-control-list module
+ with VPP specific features provided by the VPP ACL plugin.
+
+ Copyright (c) 2016-2017 Cisco and/or its affiliates.
+
+ Licensed under the Apache License, Version 2.0 (the 'License');
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at:
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an 'AS IS' BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.";
+
+ revision "2018-10-22" {
+ description
+ "Updated vpp dependencies to match changes in ietf-access-control-list@2018-10-01 yang model.";
+ }
+
+ revision "2017-06-15" {
+ description
+ "Renamed stateful/permit leaf to permit-and-reflect";
+ }
+
+ revision "2016-12-14" {
+ description
+ "Initial revision of vpp-acl model.";
+ }
+
+ identity vpp-acl {
+ base acl:acl-base;
+ description
+ "ACL that contains only aces of vpp-ace type.";
+ }
+
+ identity vpp-macip-acl {
+ base acl:acl-base;
+ description
+ "ACL that contains only aces of vpp-macip-acl type.";
+ }
+
+ identity accept-and-reflect {
+ base acl:forwarding-action;
+ description
+ "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs.";
+ }
+
+ grouping value-range {
+ description "Defines value range with first and last value defined";
+
+ leaf first {
+ type uint8;
+ mandatory true;
+ description "Lower boundary for range";
+ }
+
+ leaf last {
+ type uint8;
+ mandatory true;
+ description "Upper boundary for range";
+ must "last >= first";
+ }
+ }
+
+ grouping acl-icmp-header-fields {
+ description
+ "ICMP header fields";
+ container icmp-type-range {
+ presence "Enables setting icmp-type";
+ description
+ "Inclusive range representing icmp types to be used.";
+ uses value-range;
+ }
+
+ container icmp-code-range {
+ presence "Enables setting icmp-code";
+ description
+ "Inclusive range representing icmp codes to be used.";
+ uses value-range;
+ }
+ }
+
+ grouping acl-tcp-header-fields {
+
+ description "ICMP header fields";
+
+ leaf flags-mask {
+ type bits {
+ bit cwr {
+ position 1;
+ description
+ "Congestion Window Reduced (CWR) flag is set by
+ the sending host to indicate that it received
+ a TCP segment with the ECE flag set and had
+ responded in congestion control mechanism.";
+ reference
+ "RFC 3168: The Addition of Explicit Congestion
+ Notification (ECN) to IP.";
+ }
+ bit ece {
+ position 2;
+ description
+ "ECN-Echo has a dual role, depending on the value
+ of the SYN flag. It indicates:
+ If the SYN flag is set (1), that the TCP peer is ECN
+ capable. If the SYN flag is clear (0), that a packet
+ with Congestion Experienced flag set (ECN=11) in IP
+ header was received during normal transmission
+ (added to header by RFC 3168). This serves as an
+ indication of network congestion (or impending
+ congestion) to the TCP sender.";
+ reference
+ "RFC 3168: The Addition of Explicit Congestion
+ Notification (ECN) to IP.";
+ }
+ bit urg {
+ position 3;
+ description
+ "Indicates that the Urgent pointer field is significant.";
+ }
+ bit ack {
+ position 4;
+ description
+ "Indicates that the Acknowledgment field is significant.
+ All packets after the initial SYN packet sent by the
+ client should have this flag set.";
+ }
+ bit psh {
+ position 5;
+ description
+ "Push function. Asks to push the buffered data to the
+ receiving application.";
+ }
+ bit rst {
+ position 6;
+ description
+ "Reset the connection.";
+ }
+ bit syn {
+ position 7;
+ description
+ "Synchronize sequence numbers. Only the first packet
+ sent from each end should have this flag set. Some
+ other flags and fields change meaning based on this
+ flag, and some are only valid for when it is set,
+ and others when it is clear.";
+ }
+ bit fin {
+ position 8;
+ description
+ "Last package from sender.";
+ }
+ }
+ description
+ "Also known as Control Bits. Contains 9 1-bit flags.";
+ reference
+ "RFC 793: Transmission Control Protocol (TCP).";
+ }
+ }
+
+ augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4/acl:icmp/acl:icmp {
+ ext:augment-identifier "vpp-icmp-ace-augmentation";
+ container vpp-icmp-ace {
+ description
+ "Access List entry that can define:
+ - icmp code range fields
+ - icmp type range fields.";
+ uses acl-icmp-header-fields;
+ }
+ }
+
+ augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4/acl:tcp/acl:tcp {
+ ext:augment-identifier "vpp-tcp-ace-augmentation";
+ container vpp-tcp-ace {
+ description
+ "Access List entry that can define:
+ - Flag mask";
+ uses acl-tcp-header-fields;
+ }
+ }
+
+ augment /acl:acls/acl:acl {
+ ext:augment-identifier "vpp-acl-augmentation";
+ leaf tag {
+ type string {
+ length 1..63;
+ }
+ description
+ "ASCII tag that can be used as a placeholder for ACL metadata. Value is stored in vpp,
+ and returned in read requests. No processing involved.";
+ }
+ }
+} \ No newline at end of file