authorMarek Gradzki <mgradzki@cisco.com>2016-12-08 09:24:40 +0100
committerMarek Gradzki <mgradzki@cisco.com>2016-12-08 10:56:43 +0100
commiteee2b296b00cef593155474def5a142e71c96e4f (patch)
tree10a86eae6a0ddd2a9ed7108a7b3689f6d5f149ec /acl/acl-api
parentc4bab69a9be0ac0f7a649aedfbe3b211fe474a9f (diff)
HONEYCOMB-304: yang model for the acl plugin
Change-Id: Ic5d11961d5e620d171cd6e320879fd3de507b055 Signed-off-by: Marek Gradzki <mgradzki@cisco.com> Signed-off-by: Jan Srnicek <jsrnicek@cisco.com>
Diffstat (limited to 'acl/acl-api')
-rw-r--r--acl/acl-api/asciidoc/Readme.adoc3
-rw-r--r--acl/acl-api/pom.xml57
-rw-r--r--acl/acl-api/src/main/yang/interface-acl.yang98
-rw-r--r--acl/acl-api/src/main/yang/vpp-acl.yang209
4 files changed, 367 insertions, 0 deletions
diff --git a/acl/acl-api/asciidoc/Readme.adoc b/acl/acl-api/asciidoc/Readme.adoc
new file mode 100644
index 000000000..75fe5486a
--- /dev/null
+++ b/acl/acl-api/asciidoc/Readme.adoc
@@ -0,0 +1,3 @@
+= acl-api
+
+Overview of acl-api \ No newline at end of file
diff --git a/acl/acl-api/pom.xml b/acl/acl-api/pom.xml
new file mode 100644
index 000000000..fd619c730
--- /dev/null
+++ b/acl/acl-api/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (c) 2015 Cisco and/or its affiliates.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at:
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+--><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <parent>
+ <groupId>io.fd.honeycomb.common</groupId>
+ <artifactId>api-parent</artifactId>
+ <version>1.17.01-SNAPSHOT</version>
+ </parent>
+
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>io.fd.hc2vpp.acl</groupId>
+ <artifactId>acl-api</artifactId>
+ <name>acl-api</name>
+ <version>1.17.01-SNAPSHOT</version>
+ <packaging>bundle</packaging>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>iana-if-type-2014-05-08</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>ietf-yang-types-20130715</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>ietf-interfaces</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>ietf-inet-types-2013-07-15</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.opendaylight.mdsal.model</groupId>
+ <artifactId>yang-ext</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>io.fd.hc2vpp.v3po</groupId>
+ <artifactId>v3po-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ </dependencies>
+</project>
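Review bot: Both new YANG modules `import ietf-access-control-list` (and vpp-acl.yang also `ietf-packet-fields`), but the dependency list at lines 63–90 declares neither model artifact, so the bundle only compiles if one of the listed dependencies — presumably `v3po-api` — brings them in transitively; an explicit `<dependency>` on the corresponding `org.opendaylight.mdsal.model` artifact would make that requirement visible and keep the build from breaking when v3po-api's own dependencies change. The five mdsal model dependencies carry no `<version>`, which is correct only if `api-parent` manages them in `dependencyManagement` — worth confirming, since Maven rejects a version-less dependency that nobody manages. A short comment above `<dependencies>` naming where the versions are managed, e.g. `<!-- versions of ODL model artifacts are managed by io.fd.honeycomb.common:api-parent -->`, would save the next reader the lookup.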
diff --git a/acl/acl-api/src/main/yang/interface-acl.yang b/acl/acl-api/src/main/yang/interface-acl.yang
new file mode 100644
index 000000000..29b85e860
--- /dev/null
+++ b/acl/acl-api/src/main/yang/interface-acl.yang
@@ -0,0 +1,98 @@
+module interface-acl {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:interface:acl";
+ prefix "ifc-acl";
+
+ revision "2016-12-14" {
+ description "Initial revision of interface-acl model";
+ }
+
+ import ietf-interfaces {
+ prefix "if";
+ }
+ import yang-ext {
+ prefix "ext";
+ }
+ import ietf-yang-types {
+ prefix "yang";
+ }
+
+ import vpp-acl {
+ prefix "vpp-acl";
+ }
+
+ import ietf-access-control-list {
+ prefix "acl";
+ }
+
+ description "Augmentations to interfaces model to apply acls exposed by acl plugin of vpp";
+
+ grouping vpp-acl-base-attributes {
+ leaf tag {
+ type yang:hex-string {
+ length 64;
+ }
+ description
+ "Placeholder for ACL metadata. Value is stored in vpp, and returned in read requests. No processing involved.";
+ }
+ }
+
+ grouping vpp-acls-base-attributes {
+ description
+ "List of ACLs of vpp-acl type"; // TODO express constraint in the model if possible
+ list vpp-acls {
+ key "type name";
+ ordered-by user;
+
+ leaf type {
+ type acl:acl-type;
+ }
+
+ leaf name {
+ type acl:access-control-list-ref;
+ }
+
+ uses vpp-acl-base-attributes;
+ }
+ }
+
+ grouping vpp-macip-acls-base-attributes {
+ container vpp-macip-acl {
+ description
+ "ACL of vpp-macip-acl type"; // TODO express constraint in the model if possible
+
+ leaf type {
+ type acl:acl-type;
+ }
+
+ leaf name {
+ type acl:access-control-list-ref;
+ }
+
+ uses vpp-acl-base-attributes;
+ }
+ }
+
+ grouping interface-acl-attributes {
+ container acl {
+ container ingress {
+ uses vpp-acls-base-attributes;
+ uses vpp-macip-acls-base-attributes;
+ }
+ container egress {
+ uses vpp-acls-base-attributes;
+ }
+ }
+ }
+
+ augment /if:interfaces/if:interface {
+ ext:augment-identifier "vpp-acl-interface-augmentation";
+ uses interface-acl-attributes;
+ }
+
+ augment /if:interfaces-state/if:interface {
+ ext:augment-identifier "vpp-acl-interface-state-augmentation";
+ uses interface-acl-attributes;
+ }
+
+} \ No newline at end of file
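Review bot: `leaf tag` at lines 128–134 can never hold a valid value: `yang:hex-string` (RFC 6991) is a pattern of colon-separated byte pairs, so its possible lengths are 0 or 3k−1 (2, 5, …, 62, 65), and `length 64` demands exactly 64 characters, which no such string has. Replace it with a range that matches the tag size VPP actually stores — e.g. `length "0..65"` (up to 22 bytes) if that is the intended bound — and state the byte limit in the description, which currently says nothing about size. Separately, the `import vpp-acl` at lines 117–119 is not referenced anywhere in this module, and the two TODOs at lines 139 and 159 could be closed by using it: `type identityref { base vpp-acl:vpp-acl; }` (and `base vpp-acl:vpp-macip-acl` in the macip container) on the `type` leaf makes the validator reject an ACL of the wrong kind instead of leaving the constraint to prose.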
diff --git a/acl/acl-api/src/main/yang/vpp-acl.yang b/acl/acl-api/src/main/yang/vpp-acl.yang
new file mode 100644
index 000000000..dad5e71a8
--- /dev/null
+++ b/acl/acl-api/src/main/yang/vpp-acl.yang
@@ -0,0 +1,209 @@
+module vpp-acl {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl";
+ prefix "vpp-acl";
+
+ revision "2016-12-14" {
+ description
+ "Initial revision of vpp-acl model.";
+ }
+
+ import ietf-access-control-list {
+ prefix "acl";
+ }
+
+ import yang-ext {
+ prefix "ext";
+ }
+
+ import ietf-packet-fields {
+ prefix packet-fields;
+ }
+
+ import ietf-inet-types {
+ prefix inet;
+ }
+
+ import ietf-yang-types {
+ prefix yang;
+ }
+
+ augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling {
+ ext:augment-identifier "stateful-acl-action-augmentation";
+ case stateful {
+ leaf permit {
+ type empty;
+ description
+ "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs.";
+ }
+ }
+ }
+
+ identity vpp-acl {
+ base acl:acl-base;
+ description
+ "ACL that contains only aces of vpp-ace type.";
+ }
+
+ identity vpp-macip-acl {
+ base acl:acl-base;
+ description
+ "ACL that contains only aces of vpp-macip-acl type.";
+ }
+
+ grouping acl-icmp-header-fields {
+ description
+ "ICMP header fields";
+ container icmp-type-range {
+ presence "Enables setting icmp-type";
+ description
+ "Inclusive range representing icmp types to be used.";
+ leaf first-icmp-type {
+ type uint8;
+ mandatory true;
+ description
+ "Lower boundary for icmp type.";
+ }
+ leaf last-icmp-type {
+ type uint8;
+ mandatory true;
+ must ". >= ../lower-port" {
+ error-message
+ "The first-icmp-type must be greater than or equal to first-icmp-type";
+ }
+ description
+ "Upper boundary for icmp type";
+ }
+ }
+ }
+
+ grouping acl-tcp-header-fields {
+ description
+ "TCP header fields";
+ leaf tcp-flags-mask {
+ description
+ "Binary mask for tcp flags to match. MSB order (FIN at position 0).
+ Applied as logical AND to tcp flags field of the packet being matched,
+ before it is compared with tcp-flags-value.";
+ type uint8;
+ }
+ leaf tcp-flags-value {
+ description
+ "Binary value for tcp flags to match. MSB order (FIN at position 0).
+ Before tcp-flags-value is compared with tcp flags field of the packet being matched,
+ tcp-flags-mask is applied to packet field value.";
+ type uint8;
+ }
+ }
+
+ grouping acl-ip-protocol-header-fields {
+ description
+ "Defines header fields for TCP/UDP or ICMP protocols";
+ choice ip-protocol {
+ case icmp {
+ uses acl-icmp-header-fields;
+ }
+ case udp {
+ uses packet-fields:acl-transport-header-fields;
+ }
+ case tcp {
+ uses packet-fields:acl-transport-header-fields;
+ uses acl-tcp-header-fields;
+ }
+ }
+ }
+
+ augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
+ ext:augment-identifier "vpp-acl-type-augmentation";
+ case vpp-ace {
+ description
+ "Access List entry that can define:
+ - IP4/IP6 src/dst ip prefix- Internet Protocol number
+ - Internet Protocol number
+ - selected L4 headers:
+ * ICMP (type range)
+ * UDP (port range)
+ * TCP (port range, flags mask, flags value)";
+ choice ace-ip-version {
+ description
+ "IP version used in this Access List Entry.";
+ mandatory true;
+ case ace-ipv4 {
+ uses packet-fields:acl-ipv4-header-fields;
+ }
+ case ace-ipv6 {
+ uses packet-fields:acl-ipv6-header-fields;
+ }
+ }
+ leaf protocol {
+ type uint8;
+ description
+ "Internet Protocol number.";
+ }
+ uses acl-ip-protocol-header-fields;
+ }
+ }
+
+ grouping vpp-macip-ace-eth-header-fields {
+ description
+ "Fields in Ethernet header supported by vpp-macip rule";
+ leaf source-mac-address {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address.
+ Before source-mac-address is compared with source mac address field of the packet being matched,
+ source-mac-address-mask is applied to packet field value.";
+ }
+ leaf source-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address mask.
+ Applied as logical AND with source mac address field of the packet being matched,
+ before it is compared with source-mac-address.";
+ }
+ }
+
+ grouping vpp-macip-ace-ipv4-header-fields {
+ description
+ "Fields in IPv4 header supported by vpp-macip rule";
+ leaf source-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Source IPv4 address prefix.";
+ }
+ }
+
+ grouping vpp-macip-ace-ipv6-header-fields {
+ description
+ "Fields in IPv6 header supported by vpp-macip rule";
+ leaf source-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Source IPv6 address prefix.";
+ }
+ }
+
+ augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
+ ext:augment-identifier "vpp-macip-acl-type-augmentation";
+ case vpp-macip-ace {
+ description
+ "Access List entry that can define:
+ - IP4/IP6 src ip prefix
+ - src MAC address mask
+ - src MAC address value
+ - can be used only for static ACLs.";
+ choice ace-ip-version {
+ description
+ "IP version used in this Access List Entry.";
+ mandatory true;
+ case ace-ipv4 {
+ uses vpp-macip-ace-ipv4-header-fields;
+ }
+ case ace-ipv6 {
+ uses vpp-macip-ace-ipv6-header-fields;
+ }
+ }
+ uses vpp-macip-ace-eth-header-fields;
+ }
+ }
+} \ No newline at end of file
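Review bot: The `must` on `last-icmp-type` at line 271 compares against `../lower-port`, which does not exist in `icmp-type-range` (its only sibling is `first-icmp-type`); in XPath a comparison against an empty node-set is false, so unless the validator rejects the dangling reference outright, every configured `icmp-type-range` fails validation. It should read `must ". >= ../first-icmp-type"` with `error-message "The last-icmp-type must be greater than or equal to first-icmp-type"` — the current message on line 273 names `first-icmp-type` twice. The `vpp-ace` description at line 322 carries a copy-paste remnant (`src/dst ip prefix- Internet Protocol number`) that duplicates the next bullet. Nothing ties the `protocol` leaf (line 339) to the `ip-protocol` choice, so an `icmp` case with `protocol 6` is model-valid; if the plugin is expected to reconcile them, the leaf description should say so, otherwise a `must` on the choice cases would catch it at validation time.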