path: root/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang
authorMarek Gradzki <mgradzki@cisco.com>2018-05-10 08:41:03 +0200
committerMarek Gradzki <mgradzki@cisco.com>2018-05-17 05:20:09 +0000
commit58bb277ee19627abbf5d8c7e77aeacfe8b63995f (patch)
tree274497583238d25fbcdc3b827d18adecf2597144 /nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang
parent03f6001049d60c59c81408c472996cba4e703a75 (diff)
HC2VPP-321: bump nat model to ietf-nat@2018-02-23.yang
Uses ietf-nat module as defined in https://tools.ietf.org/html/draft-ietf-opsawg-nat-yang-14 Modifications to original model: - ip-address is used instead of ip-prefix (draft is not clear, see HC2VPP-325). API changes relevant to HC/VPP: - nat-config and nat-state merged into nat container - nat-instances and nat-instance renamed to instances and instance respectively - external-ip-address-pool has new parent - policy list - port-type choice was removed, port is now defined using start-port-number and end-port-number leaves. Missing end is equivalent to single-port-number case from the older version. TODOs: - HC2VPP-322: single nat64Prefix per NAT instance - HC2VPP-323: update postman collection - HC2VPP-324: update CSIT tests. Out of the scope of NAT model update: - HC2VPP-326: support for nat-type handling (vpp-nat model might become obsolete) - HC2VPP-327: support external-realm container (requires adding augmentations that are already present in the interface-nat model). Change-Id: Ie229a55b0a3f6ee3f8c97f4fd13c54a797a62438 Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang')
-rw-r--r--nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang2392
1 files changed, 2392 insertions, 0 deletions
diff --git a/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang b/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang
new file mode 100644
index 000000000..77e2d7be7
--- /dev/null
+++ b/nat/nat-api/src/main/yang/ietf-nat@2018-02-23.yang
@@ -0,0 +1,2392 @@
+module ietf-nat {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-nat";
+ prefix "nat";
+
+ import ietf-inet-types {
+ prefix inet;
+ reference
+ "Section 4 of RFC 6991";
+ }
+
+ import ietf-yang-types {
+ prefix yang;
+ reference
+ "Section 3 of RFC 6991";
+ }
+
+ import ietf-interfaces {
+ prefix if;
+ reference
+ "RFC 8343: A YANG Data Model for Interface Management";
+ }
+
+ organization
+ "IETF OPSAWG (Operations and Management Area Working Group)";
+
+ contact
+
+ "WG Web: <https://datatracker.ietf.org/wg/opsawg/>
+ WG List: <mailto:opsawg@ietf.org>
+
+ Editor: Mohamed Boucadair
+ <mailto:mohamed.boucadair@orange.com>
+
+ Editor: Senthil Sivakumar
+ <mailto:ssenthil@cisco.com>
+
+ Editor: Christian Jacquenet
+ <mailto:christian.jacquenet@orange.com>
+
+ Editor: Suresh Vinapamula
+ <mailto:sureshk@juniper.net>
+
+ Editor: Qin Wu
+ <mailto:bill.wu@huawei.com>";
+
+ description
+ "This module is a YANG module for NAT implementations.
+
+ NAT44, Network Address and Protocol Translation from IPv6
+ Clients to IPv4 Servers (NAT64), Customer-side transLATor (CLAT),
+ Stateless IP/ICMP Translation (SIIT), Explicit Address Mappings
+ for Stateless IP/ICMP Translation (SIIT EAM), IPv6 Network
+ Prefix Translation (NPTv6), and Destination NAT are covered.
+
+ Copyright (c) 2018 IETF Trust and the persons identified as
+ authors of the code. All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD License
+ set forth in Section 4.c of the IETF Trust's Legal Provisions
+ Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+
+ revision 2018-02-23 {
+ description
+ "Initial revision.";
+ reference
+ "RFC XXXX: A YANG Module for Network Address Translation
+ (NAT) and Network Prefix Translation (NPT)";
+ }
+
+ /*
+ * Definitions
+ */
+
+ typedef percent {
+ type uint8 {
+ range "0 .. 100";
+ }
+ description
+ "Percentage";
+ }
+
+ /*
+ * Features
+ */
+
+ feature basic-nat44{
+ description
+ "Basic NAT44 translation is limited to IP addresses alone.";
+ reference
+ "RFC 3022: Traditional IP Network Address Translator
+ (Traditional NAT)";
+ }
+
+ feature napt44 {
+ description
+ "Network Address/Port Translator (NAPT): translation is
+ extended to include IP addresses and transport identifiers
+ (such as a TCP/UDP port or ICMP query ID).
+
+ If the internal IP address is not sufficient to uniquely
+ disambiguate NAPT44 mappings, an additional attribute is
+ required. For example, that additional attribute may
+ be an IPv6 address (a.k.a., DS-Lite) or
+ a Layer 2 identifier (a.k.a., Per-Interface NAT)";
+ reference
+ "RFC 3022: Traditional IP Network Address Translator
+ (Traditional NAT)";
+ }
+
+ feature dst-nat {
+ description
+ "Destination NAT is a translation that acts on the destination
+ IP address and/or destination port number. This flavor is
+ usually deployed in load balancers or at devices
+ in front of public servers.";
+ }
+
+ feature nat64 {
+ description
+ "NAT64 translation allows IPv6-only clients to contact IPv4
+ servers using unicast UDP, TCP, or ICMP. One or more
+ public IPv4 addresses assigned to a NAT64 translator are
+ shared among several IPv6-only clients.";
+ reference
+ "RFC 6146: Stateful NAT64: Network Address and Protocol
+ Translation from IPv6 Clients to IPv4 Servers";
+ }
+
+ feature siit {
+ description
+ "The Stateless IP/ICMP Translation Algorithm (SIIT), which
+ translates between IPv4 and IPv6 packet headers (including
+ ICMP headers).
+
+ In the stateless mode, an IP/ICMP translator converts IPv4
+ addresses to IPv6 and vice versa solely based on the
+ configuration of the stateless IP/ICMP translator and
+ information contained within the packet being translated.
+
+ The translator must support the stateless address mapping
+ algorithm defined in RFC6052, which is the default behavior.";
+ reference
+ "RFC 7915: IP/ICMP Translation Algorithm";
+ }
+
+ feature clat {
+ description
+ "CLAT is customer-side translator that algorithmically
+ translates 1:1 private IPv4 addresses to global IPv6 addresses,
+ and vice versa.
+
+ When a dedicated /64 prefix is not available for translation
+ from DHCPv6-PD, the CLAT may perform NAT44 for all IPv4 LAN
+ packets so that all the LAN-originated IPv4 packets appear
+ from a single IPv4 address and are then statelessly translated
+ to one interface IPv6 address that is claimed by the CLAT via
+ the Neighbor Discovery Protocol (NDP) and defended with
+ Duplicate Address Detection.";
+ reference
+ "RFC 6877: 464XLAT: Combination of Stateful and Stateless
+ Translation";
+ }
+
+ feature eam {
+ description
+ "Explicit Address Mapping (EAM) is a bidirectional coupling
+ between an IPv4 Prefix and an IPv6 Prefix.";
+ reference
+ "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
+ Translation";
+ }
+
+ feature nptv6 {
+ description
+ "NPTv6 is a stateless transport-agnostic IPv6-to-IPv6
+ prefix translation.";
+ reference
+ "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
+ }
+
+ /*
+ * Identities
+ */
+
+ identity nat-type {
+ description
+ "Base identity for nat type.";
+ }
+
+ identity basic-nat44 {
+ base nat:nat-type;
+ description
+ "Identity for Basic NAT support.";
+ reference
+ "RFC 3022: Traditional IP Network Address Translator
+ (Traditional NAT)";
+ }
+
+ identity napt44 {
+ base nat:nat-type;
+ description
+ "Identity for NAPT support.";
+ reference
+ "RFC 3022: Traditional IP Network Address Translator
+ (Traditional NAT)";
+ }
+
+ identity dst-nat {
+ base nat:nat-type;
+ description
+ "Identity for Destination NAT support.";
+ }
+
+ identity nat64 {
+ base nat:nat-type;
+ description
+ "Identity for NAT64 support.";
+ reference
+ "RFC 6146: Stateful NAT64: Network Address and Protocol
+ Translation from IPv6 Clients to IPv4 Servers";
+ }
+
+ identity siit {
+ base nat:nat-type;
+ description
+ "Identity for SIIT support.";
+ reference
+ "RFC 7915: IP/ICMP Translation Algorithm";
+ }
+
+ identity clat {
+ base nat:nat-type;
+ description
+ "Identity for CLAT support.";
+ reference
+ "RFC 6877: 464XLAT: Combination of Stateful and Stateless
+ Translation";
+ }
+
+ identity eam {
+ base nat:nat-type;
+ description
+ "Identity for EAM support.";
+ reference
+ "RFC 7757: Explicit Address Mappings for Stateless IP/ICMP
+ Translation";
+ }
+
+ identity nptv6 {
+ base nat:nat-type;
+ description
+ "Identity for NPTv6 support.";
+ reference
+ "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
+ }
+
+ /*
+ * Grouping
+ */
+
+ grouping port-number {
+ description
+ "Individual port or a range of ports.
+ When only start-port-number is present,
+ it represents a single port number.";
+
+ leaf start-port-number {
+ type inet:port-number;
+ description
+ "Beginning of the port range.";
+ reference
+ "Section 3.2.9 of RFC 8045.";
+ }
+
+ leaf end-port-number {
+ type inet:port-number;
+
+ must ". >= ../start-port-number"
+ {
+ error-message
+ "The end-port-number must be greater than or
+ equal to start-port-number.";
+ }
+ description
+ "End of the port range.";
+ reference
+ "Section 3.2.10 of RFC 8045.";
+ }
+ }
+
+ grouping port-set {
+ description
+ "Indicates a set of ports.
+
+ It may be a simple port range, or use the Port Set ID (PSID)
+ algorithm to represent a range of transport layer
+ ports which will be used by a NAPT.";
+
+ choice port-type {
+ default port-range;
+ description
+ "Port type: port-range or port-set-algo.";
+ case port-range {
+ uses port-number;
+ }
+
+ case port-set-algo {
+ leaf psid-offset {
+ type uint8 {
+ range 0..15;
+ }
+
+ description
+ "The number of offset bits (a.k.a., 'a' bits).
+
+ Specifies the numeric value for the excluded port
+ range/offset bits.
+
+ Allowed values are between 0 and 15 ";
+
+ reference
+ "Section 5.1 of RFC 7597";
+ }
+
+ leaf psid-len {
+ type uint8 {
+ range 0..15;
+ }
+ mandatory true;
+
+ description
+ "The length of PSID, representing the sharing
+ ratio for an IPv4 address.
+
+ (also known as 'k').
+
+ The address-sharing ratio would be 2^k.";
+ reference
+ "Section 5.1 of RFC 7597";
+ }
+
+ leaf psid {
+ type uint16;
+ mandatory true;
+ description
+ "Port Set Identifier (PSID) value, which
+ identifies a set of ports algorithmically.";
+ reference
+ "Section 5.1 of RFC 7597";
+ }
+ }
+ reference
+ "Section 7597: Mapping of Address and Port with
+ Encapsulation (MAP-E)";
+ }
+ }
+
+ grouping mapping-entry {
+ description
+ "NAT mapping entry.
+
+ If an attribute is not stored in the mapping/session table,
+ this means the corresponding fields of a packet that
+ matches this entry is not rewritten by the NAT or this
+ information is not required for NAT filtering purposes.";
+
+ leaf index {
+ type uint32;
+ description
+ "A unique identifier of a mapping entry. This identifier can be
+ automatically assigned by the NAT instance or be explicitly
+ configured.";
+ }
+
+ leaf type {
+ type enumeration {
+ enum "static" {
+ description
+ "The mapping entry is explicitly configured
+ (e.g., via command-line interface).";
+ }
+
+ enum "dynamic-implicit" {
+ description
+ "This mapping is created implicitly as a side effect
+ of processing a packet that requires a new mapping.";
+
+ }
+
+ enum "dynamic-explicit" {
+ description
+ "This mapping is created as a result of an explicit
+ request, e.g., a PCP message.";
+
+ }
+ }
+ description
+ "Indicates the type of a mapping entry. E.g.,
+ a mapping can be: static, implicit dynamic
+ or explicit dynamic.";
+ }
+
+ leaf transport-protocol {
+ type uint8;
+ description
+ "Upper-layer protocol associated with this mapping.
+ Values are taken from the IANA protocol registry.
+ For example, this field contains 6 (TCP) for a TCP
+ mapping or 17 (UDP) for a UDP mapping.
+
+ If this leaf is not instantiated, then the mapping
+ applies to any protocol.";
+ }
+
+ leaf internal-src-address {
+ // TODO(HC2VPP-325): original model uses inet:ip-prefix;
+ type inet:ip-address;
+ description
+ "Corresponds to the source IPv4/IPv6 address/prefix
+ of the packet received on an internal
+ interface.";
+ }
+
+ container internal-src-port {
+ description
+ "Corresponds to the source port of the packet received
+ on an internal interface.
+
+ It is used also to indicate the internal source ICMP
+ identifier.
+
+ As a reminder, all the ICMP Query messages contain
+ an 'Identifier' field, which is referred to in this
+ document as the 'ICMP Identifier'.";
+
+ uses port-number;
+ }
+
+ leaf external-src-address {
+ // TODO(HC2VPP-325): original model uses inet:ip-prefix;
+ type inet:ipv4-address;
+ description
+ "Source IP address/prefix of the packet sent on an
+ external interface of the NAT.";
+ }
+
+ container external-src-port {
+ description
+ "Source port of the packet sent on an external
+ interface of the NAT.
+ It is used also to indicate the external source ICMP
+ identifier.";
+
+ uses port-number;
+ }
+
+ leaf internal-dst-address {
+ // TODO(HC2VPP-325): original model uses inet:ip-prefix;
+ type inet:ipv4-prefix;
+ description
+ "Corresponds to the destination IP address/prefix
+ of the packet received on an internal interface
+ of the NAT.
+
+ For example, some NAT implementations support
+ the translation of both source and destination
+ addresses and ports, sometimes referred to
+ as 'Twice NAT'.";
+ }
+
+ container internal-dst-port {
+ description
+ "Corresponds to the destination port of the
+ IP packet received on the internal interface.
+
+ It is used also to include the internal
+ destination ICMP identifier.";
+
+ uses port-number;
+ }
+
+ leaf external-dst-address {
+ // TODO(HC2VPP-325): original model uses inet:ip-prefix;
+ type inet:ipv4-address;
+ description
+ "Corresponds to the destination IP address/prefix
+ of the packet sent on an external interface
+ of the NAT.";
+ }
+
+ container external-dst-port {
+ description
+ "Corresponds to the destination port number of
+ the packet sent on the external interface
+ of the NAT.
+
+ It is used also to include the external
+ destination ICMP identifier.";
+
+ uses port-number;
+ }
+
+ leaf lifetime {
+ type uint32;
+ units "seconds";
+ description
+ "When specified, it is used to track the connection that is
+ fully-formed (e.g., once the three-way handshake
+ TCP is completed) or the duration for maintaining
+ an explicit mapping alive. The mapping entry will be
+ removed by the NAT instance once this lifetime is expired.
+
+ When reported in a get operation, the lifetime indicates
+ the remaining validity lifetime.
+
+ Static mappings may not be associated with a
+ lifetime. If no lifetime is associated with a
+ static mapping, an explicit action is required to
+ remove that mapping.";
+ }
+ }
+
+ /*
+ * NAT Module
+ */
+
+ container nat {
+ description
+ "NAT module";
+
+ container instances {
+ description
+ "NAT instances";
+
+ list instance {
+ key "id";
+
+ description
+ "A NAT instance. This identifier can be automatically assigned
+ or explicitly configured.";
+
+ leaf id {
+ type uint32;
+ must ". >= 1";
+ description
+ "NAT instance identifier.
+
+ The identifier must be greater than zero.";
+ reference
+ "RFC 7659: Definitions of Managed Objects for Network
+ Address Translators (NATs)";
+ }
+
+ leaf name {
+ type string;
+ description
+ "A name associated with the NAT instance.";
+ reference
+ "RFC 7659: Definitions of Managed Objects for Network
+ Address Translators (NATs)";
+ }
+
+ leaf enable {
+ type boolean;
+ description
+ "Status of the NAT instance.";
+ }
+
+ container capabilities {
+ config false;
+
+ description
+ "NAT capabilities";
+
+ leaf-list nat-flavor {
+ type identityref {
+ base nat-type;
+ }
+ description
+ "Supported translation type(s).";
+ }
+
+ leaf-list per-interface-binding {
+ type enumeration {
+ enum "unsupported" {
+ description
+ "No capability to associate a NAT binding with
+ an extra identifier.";
+ }
+
+ enum "layer-2" {
+ description
+ "The NAT instance is able to associate a mapping with
+ a layer-2 identifier.";
+ }
+
+ enum "dslite" {
+ description
+ "The NAT instance is able to associate a mapping with
+ an IPv6 address (a.k.a., DS-Lite).";
+ }
+ }
+ description
+ "Indicates the capability of a NAT to associate a particular
+ NAT session not only with the five tuples used for the
+ transport connection on both sides of the NAT but also with
+ the internal interface on which the user device is
+ connected to the NAT.";
+ reference
+ "Section 4 of RFC 6619";
+ }
+
+ list transport-protocols {
+ key protocol-id;
+
+ description
+ "List of supported protocols.";
+
+ leaf protocol-id {
+ type uint8;
+ mandatory true;
+ description
+ "Upper-layer protocol associated with this mapping.
+
+ Values are taken from the IANA protocol registry:
+ https://www.iana.org/assignments/protocol-numbers/
+ protocol-numbers.xhtml
+
+ For example, this field contains 6 (TCP) for a TCP
+ mapping or 17 (UDP) for a UDP mapping.";
+ }
+
+ leaf protocol-name {
+ type string;
+ description
+ "The name of the Upper-layer protocol associated
+ with this mapping.
+
+ Values are taken from the IANA protocol registry:
+ https://www.iana.org/assignments/protocol-numbers/
+ protocol-numbers.xhtml
+
+ For example, TCP, UDP, DCCP, and SCTP.";
+ }
+ }
+
+ leaf restricted-port-support {
+ type boolean;
+ description
+ "Indicates source port NAT restriction support.";
+ reference
+ "RFC 7596: Lightweight 4over6: An Extension to
+ the Dual-Stack Lite Architecture.";
+ }
+
+ leaf static-mapping-support {
+ type boolean;
+ description
+ "Indicates whether static mappings are supported.";
+ }
+
+ leaf port-randomization-support {
+ type boolean;
+ description
+ "Indicates whether port randomization is supported.";
+ reference
+ "Section 4.2.1 of RFC 4787.";
+ }
+
+ leaf port-range-allocation-support {
+ type boolean;
+ description
+ "Indicates whether port range allocation is supported.";
+ reference
+ "Section 1.1 of RFC 7753.";
+ }
+
+ leaf port-preservation-suport {
+ type boolean;
+ description
+ "Indicates whether port preservation is supported.";
+ reference
+ "Section 4.2.1 of RFC 4787.";
+ }
+
+ leaf port-parity-preservation-support {
+ type boolean;
+ description
+ "Indicates whether port parity preservation is
+ supported.";
+ reference
+ "Section 8 of RFC 7857.";
+ }
+
+ leaf address-roundrobin-support {
+ type boolean;
+ description
+ "Indicates whether address allocation round robin is
+ supported.";
+ }
+
+ leaf paired-address-pooling-support {
+ type boolean;
+ description
+ "Indicates whether paired-address-pooling is
+ supported";
+ reference
+ "REQ-2 of RFC 4787.";
+ }
+
+ leaf endpoint-independent-mapping-support {
+ type boolean;
+ description
+ "Indicates whether endpoint-independent-
+ mapping is supported.";
+ reference
+ "Section 4 of RFC 4787.";
+ }
+
+ leaf address-dependent-mapping-support {
+ type boolean;
+ description
+ "Indicates whether address-dependent-mapping is
+ supported.";
+ reference
+ "Section 4 of RFC 4787.";
+ }
+
+ leaf address-and-port-dependent-mapping-support {
+ type boolean;
+ description
+ "Indicates whether address-and-port-dependent-mapping is
+ supported.";
+ reference
+ "Section 4 of RFC 4787.";
+ }
+
+ leaf endpoint-independent-filtering-support {
+ type boolean;
+ description
+ "Indicates whether endpoint-independent-filtering is
+ supported.";
+ reference
+ "Section 5 of RFC 4787.";
+ }
+
+ leaf address-dependent-filtering {
+ type boolean;
+ description
+ "Indicates whether address-dependent-filtering is
+ supported.";
+ reference
+ "Section 5 of RFC 4787.";
+ }
+
+ leaf address-and-port-dependent-filtering {
+ type boolean;
+ description
+ "Indicates whether address-and-port-dependent is
+ supported.";
+ reference
+ "Section 5 of RFC 4787.";
+ }
+
+ leaf fragment-behavior {
+ type enumeration {
+ enum "unsupported" {
+ description
+ "No capability to translate incoming fragments.
+ All received fragments are dropped.";
+ }
+
+ enum "in-order" {
+ description
+ "The NAT instance is able to translate fragments only if
+ they are received in order. That is, in particular the
+ header is in the first packet. Fragments received
+ out of order are dropped. ";
+ }
+
+ enum "out-of-order" {
+ description
+ "The NAT instance is able to translate a fragment even
+ if it is received out of order.
+
+ This behavior is recommended.";
+ reference
+ "REQ-14 of RFC 4787";
+ }
+ }
+ description
+ "The fragment behavior is the NAT instance's capability to
+ translate fragments received on the external interface of
+ the NAT.";
+ }
+ }
+
+ leaf type {
+ type identityref {
+ base nat-type;
+ }
+ description
+ "Specify the translation type. Particularly useful when
+ multiple translation flavors are supported.
+
+ If one type is supported by a NAT, this parameter is by
+ default set to that type.";
+ }
+
+ leaf per-interface-binding {
+ type enumeration {
+ enum "disabled" {
+ description
+ "Disable the capability to associate an extra identifier
+ with NAT mappings.";
+ }
+
+ enum "layer-2" {
+ description
+ "The NAT instance is able to associate a mapping with
+ a layer-2 identifier.";
+ }
+
+ enum "dslite" {
+ description
+ "The NAT instance is able to associate a mapping with
+ an IPv6 address (a.k.a., DS-Lite).";
+ }
+ }
+ description
+ "A NAT that associates a particular NAT session not only with
+ the five tuples used for the transport connection on both
+ sides of the NAT but also with the internal interface on
+ which the user device is connected to the NAT.
+
+ If supported, this mode of operation should be configurable,
+ and it should be disabled by default in general-purpose NAT
+ devices.
+
+ If one single per-interface binding behavior is supported by
+ a NAT, this parameter is by default set to that behavior.";
+ reference
+ "Section 4 of RFC 6619";
+ }
+
+ list nat-pass-through {
+ if-feature "basic-nat44 or napt44 or dst-nat";
+ key id;
+
+ description
+ "IP prefix NAT pass through.";
+
+ leaf id {
+ type uint32;
+ description
+ "An identifier of the IP prefix pass through.";
+ }
+
+ leaf prefix {
+ type inet:ip-prefix;
+ mandatory true;
+ description
+ "The IP addresses that match should not be translated.
+
+ It must be possible to administratively turn
+ off translation for specific destination addresses
+ and/or ports.";
+ reference
+ "REQ#6 of RFC 6888.";
+ }
+
+ leaf port {
+ type inet:port-number;
+ description
+ "It must be possible to administratively turn off
+ translation for specific destination addresses
+ and/or ports.
+
+ If no prefix is defined, the NAT pass through bound
+ to a given port applies for any destination address.";
+ reference
+ "REQ#6 of RFC 6888.";
+ }
+ }
+
+ list policy {
+ key id;
+ description
+ "NAT parameters for a given instance";
+
+ leaf id {
+ type uint32;
+ description
+ "An identifier of the NAT policy. It must be unique
+ within the NAT instance.";
+ }
+
+ container clat-parameters {
+ if-feature clat;
+ description
+ "CLAT parameters.";
+
+ list clat-ipv6-prefixes {
+ key ipv6-prefix;
+ description
+ "464XLAT double translation treatment is stateless when a
+ dedicated /64 is available for translation on the CLAT.
+ Otherwise, the CLAT will have both stateful and stateless
+ since it requires NAT44 from the LAN to a single IPv4
+ address and then stateless translation to a single
+ IPv6 address.";
+ reference
+ "RFC 6877: 464XLAT: Combination of Stateful and Stateless
+ Translation";
+
+ leaf ipv6-prefix {
+ type inet:ipv6-prefix;
+ description
+ "An IPv6 prefix used for CLAT.";
+ }
+ }
+
+ list ipv4-prefixes {
+ key ipv4-prefix;
+ description
+ "Pool of IPv4 addresses used for CLAT.
+ 192.0.0.0/29 is the IPv4 service continuity prefix.";
+ reference
+ "RFC 7335: IPv4 Service Continuity Prefix";
+
+ leaf ipv4-prefix {
+ type inet:ipv4-prefix;
+ description
+ "464XLAT double translation treatment is
+ stateless when a dedicated /64 is available
+ for translation on the CLAT. Otherwise, the
+ CLAT will have both stateful and stateless
+ since it requires NAT44 from the LAN to
+ a single IPv4 address and then stateless
+ translation to a single IPv6 address.
+ The CLAT performs NAT44 for all IPv4 LAN
+ packets so that all the LAN-originated IPv4
+ packets appear from a single IPv4 address
+ and are then statelessly translated to one
+ interface IPv6 address that is claimed by
+ the CLAT.
+
+ An IPv4 address from this pool is also
+ provided to an application that makes
+ use of literals.";
+
+ reference
+ "RFC 6877: 464XLAT: Combination of Stateful and Stateless
+ Translation";
+ }
+ }
+ }
+
+ list nptv6-prefixes {
+ if-feature nptv6;
+ key internal-ipv6-prefix ;
+ description
+ "Provides one or a list of (internal IPv6 prefix,
+ external IPv6 prefix) required for NPTv6.
+
+ In its simplest form, NPTv6 interconnects two network
+ links, one of which is an 'internal' network link
+ attached to a leaf network within a single
+ administrative domain and the other of which is an
+ 'external' network with connectivity to the global
+ Internet.";
+ reference
+ "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
+
+ leaf internal-ipv6-prefix {
+ type inet:ipv6-prefix;
+ mandatory true;
+ description
+ "An IPv6 prefix used by an internal interface of NPTv6.";
+ reference
+ "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
+ }
+
+ leaf external-ipv6-prefix {
+ type inet:ipv6-prefix;
+ mandatory true;
+ description
+ "An IPv6 prefix used by the external interface of NPTv6.";
+ reference
+ "RFC 6296: IPv6-to-IPv6 Network Prefix Translation";
+ }
+ }
+
+ list eam {
+ if-feature eam;
+ key ipv4-prefix;
+ description
+ "The Explicit Address Mapping Table, a conceptual
+ table in which each row represents an EAM.
+
+ Each EAM describes a mapping between IPv4 and IPv6
+ prefixes/addresses.";
+ reference
+ "Section 3.1 of RFC 7757.";
+
+ leaf ipv4-prefix {
+ type inet:ipv4-prefix;
+ mandatory true;
+ description
+ "The IPv4 prefix of an EAM.";
+ reference
+ "Section 3.2 of RFC 7757.";
+ }
+
+ leaf ipv6-prefix {
+ type inet:ipv6-prefix;
+ mandatory true;
+ description
+ "The IPv6 prefix of an EAM.";
+ reference
+ "Section 3.2 of RFC 7757.";
+ }
+ }
+
+ list nat64-prefixes {
+ if-feature "siit or nat64 or clat";
+ key nat64-prefix;
+ description
+ "Provides one or a list of NAT64 prefixes
+ with or without a list of destination IPv4 prefixes.
+ It allows mapping IPv4 address ranges to IPv6 prefixes.
+
+ For example:
+ 192.0.2.0/24 is mapped to 2001:db8:122:300::/56.
+ 198.51.100.0/24 is mapped to 2001:db8:122::/48.";
+ reference
+ "Section 5.1 of RFC 7050.";
+
+ leaf nat64-prefix {
+ type inet:ipv6-prefix;
+ mandatory true;
+ description
+ "A NAT64 prefix. Can be Network-Specific Prefix (NSP) or
+ Well-Known Prefix (WKP).
+
+ Organizations deploying stateless IPv4/IPv6 translation
+ should assign a Network-Specific Prefix to their
+ IPv4/IPv6 translation service.
+
+ For stateless NAT64, IPv4-translatable IPv6 addresses
+ must use the selected Network-Specific Prefix.
+
+ Both IPv4-translatable IPv6 addresses and IPv4-converted
+ IPv6 addresses should use the same prefix.";
+ reference
+ "Sections 3.3 and 3.4 of RFC 6052.";
+ }
+
+ list destination-ipv4-prefix {
+ key ipv4-prefix;
+ description
+ "An IPv4 prefix/address.";
+
+ leaf ipv4-prefix {
+ type inet:ipv4-prefix;
+ description
+ "An IPv4 address/prefix.";
+ }
+ }
+
+ leaf stateless-enable {
+ type boolean;
+ default false;
+ description
+ "Enable explicitly stateless NAT64.";
+ }
+ }
+
+ list external-ip-address-pool {
+ if-feature "basic-nat44 or napt44 or nat64";
+ key pool-id;
+
+ description
+ "Pool of external IP addresses used to service internal
+ hosts.
+
+ A pool is a set of IP prefixes.";
+
+ leaf pool-id {
+ type uint32;
+ must ". >= 1";
+ description
+ "An identifier that uniquely identifies the address pool
+ within a NAT instance.
+
+ The identifier must be greater than zero.";
+ reference
+ "RFC 7659: Definitions of Managed Objects for
+ Network Address Translators (NATs)";
+ }
+
+ leaf external-ip-pool {
+ type inet:ipv4-prefix;
+ mandatory true;
+ description
+ "An IPv4 prefix used for NAT purposes.";
+ }
+ }
+
+ container port-set-restrict {
+ if-feature "napt44 or nat64";
+ description
+ "Configures contiguous and non-contiguous port ranges.
+
+ The port set is used to restrict the external source
+ port numbers used by the translator.";
+
+ uses port-set;
+ }
+
+ leaf dst-nat-enable {
+ if-feature "basic-nat44 or napt44";
+ type boolean;
+ default false;
+ description
+ "Enable/Disable destination NAT.
+ A NAT44 may be configured to enable Destination
+ NAT, too.";
+ }
+
+ list dst-ip-address-pool {
+ if-feature dst-nat;
+ key pool-id;
+ description
+ "Pool of IP addresses used for destination NAT.";
+
+ leaf pool-id {
+ type uint32;
+ description
+ "An identifier of the address pool.";
+ }
+
+ leaf dst-in-ip-pool {
+ type inet:ip-prefix;
+ description
+ "Is used to identify an internal destination
+ IP prefix/address to be translated.";
+ }
+
+ leaf dst-out-ip-pool {
+ type inet:ip-prefix;
+ mandatory true;
+ description
+ "IP address/prefix used for destination NAT.";
+ }
+ }
+
+ list transport-protocols {
+ if-feature "napt44 or nat64 or dst-nat";
+ key protocol-id;
+
+ description
+ "Configure the transport protocols to be handled by
+ the translator.
+
+ TCP and UDP are supported by default.";
+
+ leaf protocol-id {
+ type uint8;
+ mandatory true;
+ description
+ "Upper-layer protocol associated with this mapping.
+
+ Values are taken from the IANA protocol registry:
+ https://www.iana.org/assignments/protocol-numbers/
+ protocol-numbers.xhtml
+
+ For example, this field contains 6 (TCP) for a TCP
+ mapping or 17 (UDP) for a UDP mapping.";
+ }
+
+ leaf protocol-name {
+ type string;
+ description
+ "The name of the Upper-layer protocol associated
+ with this mapping.
+
+ Values are taken from the IANA protocol registry:
+ https://www.iana.org/assignments/protocol-numbers/
+ protocol-numbers.xhtml
+
+ For example, TCP, UDP, DCCP, and SCTP.";
+ }
+ }
+
+ leaf subscriber-mask-v6 {
+ type uint8 {
+ range "0 .. 128";
+ }
+
+ description
+ "The subscriber mask is an integer that indicates
+ the length of significant bits to be applied on
+ the source IPv6 address (internal side) to
+ unambiguously identify a user device (e.g., CPE).
+
+ Subscriber mask is a system-wide configuration
+ parameter that is used to enforce generic
+ per-subscriber policies (e.g., port-quota).
+
+ The enforcement of these generic policies does not
+ require the configuration of every subscriber's
+ prefix.
+
+ Example: suppose the 2001:db8:100:100::/56 prefix
+ is assigned to a NAT64 serviced CPE. Suppose also
+ that 2001:db8:100:100::1 is the IPv6 address used
+ by the client that resides in that CPE. When the
+ NAT64 receives a packet from this client,
+ it applies the subscriber-mask-v6 (e.g., 56) on
+ the source IPv6 address to compute the associated
+ prefix for this client (2001:db8:100:100::/56).
+ Then, the NAT64 enforces policies based on that
+ prefix (2001:db8:100:100::/56), not on the exact
+ source IPv6 address.";
+ }
+
+ list subscriber-match {
+ if-feature "basic-nat44 or napt44 or dst-nat";
+ key match-id;
+
+ description
+ "IP prefix match.
+ A subscriber is identified by a subnet.";
+
+ leaf match-id {
+ type uint32;
+ description
+ "An identifier of the subscriber match.";
+ }
+
+ leaf subnet {
+ type inet:ip-prefix;
+ mandatory true;
+ description
+ "The IP address subnets that match
+ should be translated. E.g., all addresses
+ that belong to the 192.0.2.0/24 prefix must
+ be processed by the NAT.";
+ }
+ }
+
+ leaf address-allocation-type {
+ type enumeration {
+ enum "arbitrary" {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Arbitrary pooling behavior means that the NAT
+ instance may create the new port mapping using any
+ address in the pool that has a free port for the
+ protocol concerned.";
+ }
+
+ enum "roundrobin" {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Round robin allocation.";
+ }
+
+ enum "paired" {
+ if-feature "napt44 or nat64";
+ description
+ "Paired address pooling informs the NAT
+ that all the flows from an internal IP
+ address must be assigned the same external
+ address. This is the recommended behavior for
+ NAPT/NAT64.";
+ reference
+ "RFC 4787: Network Address Translation (NAT)
+ Behavioral Requirements for Unicast UDP";
+ }
+ }
+ description
+ "Specifies how external IP addresses are allocated.";
+ }
+
+ leaf port-allocation-type {
+ if-feature "napt44 or nat64";
+ type enumeration {
+ enum "random" {
+ description
+ "Port randomization is enabled. A NAT port allocation
+ scheme should make it hard for attackers to guess
+ port numbers";
+ reference
+ "REQ-15 of RFC 6888";
+ }
+
+ enum "port-preservation" {
+ description
+ "Indicates whether the NAT should preserve the internal
+ port number.";
+ }
+
+ enum "port-parity-preservation" {
+ description
+ "Indicates whether the NAT should preserve the port
+ parity of the internal port number.";
+ }
+
+ enum "port-range-allocation" {
+ description
+ "Indicates whether the NAT assigns a range of ports
+ for an internal host. This scheme allows to minimize
+ log volume.";
+ reference
+ "REQ-14 of RFC 6888";
+ }
+ }
+ description
+ "Indicates the type of port allocation.";
+ }
+
+ leaf mapping-type {
+ if-feature "napt44 or nat64";
+ type enumeration {
+ enum "eim" {
+ description
+ "endpoint-independent-mapping.";
+ reference
+ "Section 4 of RFC 4787.";
+ }
+
+ enum "adm" {
+ description
+ "address-dependent-mapping.";
+ reference
+ "Section 4 of RFC 4787.";
+ }
+
+ enum "edm" {
+ description
+ "address-and-port-dependent-mapping.";
+ reference
+ "Section 4 of RFC 4787.";
+ }
+ }
+ description
+ "Indicates the type of a NAT mapping.";
+ }
+
+ leaf filtering-type {
+ if-feature "napt44 or nat64";
+ type enumeration {
+ enum "eif" {
+ description
+ "endpoint-independent-filtering.";
+ reference
+ "Section 5 of RFC 4787.";
+ }
+
+ enum "adf" {
+ description
+ "address-dependent-filtering.";
+ reference
+ "Section 5 of RFC 4787.";
+ }
+
+ enum "edf" {
+ description
+ "address-and-port-dependent-filtering";
+ reference
+ "Section 5 of RFC 4787.";
+ }
+ }
+ description
+ "Indicates the type of a NAT filtering.";
+ }
+
+ leaf fragment-behavior {
+ if-feature "napt44 or nat64";
+ type enumeration {
+ enum "drop-all" {
+ description
+ "All received fragments are dropped.";
+ }
+
+ enum "in-order" {
+ description
+ "Translate fragments only if they are received
+ in order.";
+ }
+
+ enum "out-of-order" {
+ description
+ "Translate a fragment even if it is received out
+ of order.
+
+ This behavior is recommended.";
+ reference
+ "REQ-14 of RFC 4787";
+ }
+ }
+ description
+ "The fragment behavior instructs the NAT about the
+ behavior to follow to translate fragments received
+ on the external interface of the NAT.";
+ }
+
+ list port-quota {
+ if-feature "napt44 or nat64";
+ key quota-type;
+ description
+ "Configures a port quota to be assigned per subscriber.
+ It corresponds to the maximum number of ports to be
+ used by a subscriber.";
+
+ leaf port-limit {
+ type uint16;
+ description
+ "Configures a port quota to be assigned per subscriber.
+ It corresponds to the maximum number of ports to be
+ used by a subscriber.";
+ reference
+ "REQ-4 of RFC 6888.";
+ }
+
+ leaf quota-type {
+ type uint8;
+ description
+ "Indicates whether the port quota applies to
+ all protocols (0) or to a specific protocol.";
+ }
+ }
+
+ container port-set {
+
+ when "../port-allocation-type = 'port-range-allocation'";
+
+ if-feature "napt44 or nat64";
+ description
+ "Manages port-set assignments.";
+
+ leaf port-set-size {
+ type uint16;
+ // TODO(HC2VPP-328)
+ // mandatory true;
+ description
+ "Indicates the size of assigned port sets.";
+ }
+
+ leaf port-set-timeout {
+ type uint32;
+ units "seconds";
+ description
+ "inactivity timeout for port sets.";
+ }
+ }
+
+ container timers {
+ if-feature "napt44 or nat64";
+ description
+ "Configure values of various timeouts.";
+
+ leaf udp-timeout {
+ type uint32;
+ units "seconds";
+ default 300;
+ description
+ "UDP inactivity timeout. That is the time a mapping
+ will stay active without packets traversing the NAT.";
+ reference
+ "RFC 4787: Network Address Translation (NAT)
+ Behavioral Requirements for Unicast UDP";
+ }
+
+ leaf tcp-idle-timeout {
+ type uint32;
+ units "seconds";
+ default 7440;
+ description
+ "TCP Idle timeout should be 2 hours and 4 minutes.";
+ reference
+ "RFC 5382: NAT Behavioral Requirements for TCP";
+ }
+
+ leaf tcp-trans-open-timeout {
+ type uint32;
+ units "seconds";
+ default 240;
+ description
+ "The value of the transitory open connection
+ idle-timeout.
+
+ A NAT should provide different configurable
+ parameters for configuring the open and
+ closing idle timeouts.
+
+ To accommodate deployments that consider
+ a partially open timeout of 4 minutes as being
+ excessive from a security standpoint, a NAT may
+ allow the configured timeout to be less than
+ 4 minutes.
+
+ However, a minimum default transitory connection
+ idle-timeout of 4 minutes is recommended.";
+ reference
+ "Section 2.1 of RFC 7857.";
+ }
+
+ leaf tcp-trans-close-timeout {
+ type uint32;
+ units "seconds";
+ default 240;
+ description
+ "The value of the transitory close connection
+ idle-timeout.
+
+ A NAT should provide different configurable
+ parameters for configuring the open and
+ closing idle timeouts.";
+ reference
+ "Section 2.1 of RFC 7857.";
+ }
+
+ leaf tcp-in-syn-timeout {
+ type uint32;
+ units "seconds";
+ default 6;
+ description
+ "A NAT must not respond to an unsolicited
+ inbound SYN packet for at least 6 seconds
+ after the packet is received. If during
+ this interval the NAT receives and translates
+ an outbound SYN for the connection the NAT
+ must silently drop the original unsolicited
+ inbound SYN packet.";
+ reference
+ "RFC 5382 NAT Behavioral Requirements for TCP";
+ }
+
+ leaf fragment-min-timeout {
+ when "../../fragment-behavior='out-of-order'";
+ type uint32;
+ units "seconds";
+ default 2;
+ description
+ "As long as the NAT has available resources,
+ the NAT allows the fragments to arrive
+ over fragment-min-timeout interval.
+ The default value is inspired from RFC6146.";
+ }
+
+ leaf icmp-timeout {
+ type uint32;
+ units "seconds";
+ default 60;
+ description
+ "An ICMP Query session timer must not expire
+ in less than 60 seconds. It is recommended
+ that the ICMP Query session timer be made
+ configurable";
+ reference
+ "RFC 5508: NAT Behavioral Requirements for ICMP";
+ }
+
+ list per-port-timeout {
+ key port-number;
+ description
+ "Some NATs are configurable with short timeouts
+ for some ports, e.g., as 10 seconds on
+ port 53 (DNS) and 123 (NTP) and longer timeouts
+ on other ports.";
+
+ leaf port-number {
+ type inet:port-number;
+ description
+ "A port number.";
+ }
+
+ leaf timeout {
+ type uint32;
+ units "seconds";
+ mandatory true;
+ description
+ "Timeout for this port number";
+ }
+ }
+
+ leaf hold-down-timeout {
+ type uint32;
+ units "seconds";
+ default 120;
+ description
+ "Hold down timer.
+
+ Ports in the hold down pool are not reassigned until
+ hold-down-timeout expires.
+
+ The length of time and the maximum number of ports in
+ this state must be configurable by the administrator.
+
+ This is necessary in order to prevent collisions
+ between old and new mappings and sessions. It ensures
+ that all established sessions are broken instead of
+ redirected to a different peer.";
+ reference
+ "REQ#8 of RFC 6888.";
+ }
+
+ leaf hold-down-max {
+ type uint32;
+ description
+ "Maximum ports in the Hold down timer pool.
+
+ Ports in the hold down pool are not reassigned
+ until hold-down-timeout expires.
+
+ The length of time and the maximum
+ number of ports in this state must be
+ configurable by the administrator.
+ This is necessary in order
+ to prevent collisions between old
+ and new mappings and sessions. It ensures
+ that all established sessions are broken
+ instead of redirected to a different peer.";
+ reference
+ "REQ#8 of RFC 6888.";
+ }
+ }
+
+ leaf fragments-limit{
+ when "../fragment-behavior='out-of-order'";
+ type uint32;
+ description
+ "Limits the number of out of order fragments that can
+ be handled.";
+ reference
+ "Section 11 of RFC 4787.";
+ }
+
+ list algs {
+ key name;
+ description
+ "ALG-related features.";
+
+ leaf name {
+ type string;
+ description
+ "The name of the ALG.";
+ }
+
+ leaf transport-protocol {
+ type uint32;
+ description
+ "The transport protocol used by the ALG
+ (e.g., TCP, UDP).";
+ }
+
+ container dst-transport-port {
+ uses port-number;
+ description
+ "The destination port number(s) used by the ALG.
+ For example,
+ - 21 for the FTP ALG
+ - 53 for the DNS ALG.";
+ }
+
+ container src-transport-port {
+ uses port-number;
+ description
+ "The source port number(s) used by the ALG.";
+ }
+
+ leaf status {
+ type boolean;
+ description
+ "Enable/disable the ALG.";
+ }
+ }
+
+ leaf all-algs-enable {
+ type boolean;
+ description
+ "Enable/disable all ALGs.
+
+ When specified, this parameter overrides the one
+ that may be indicated, eventually, by the 'status'
+ of an individual ALG.";
+ }
+
+ container notify-pool-usage {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Notification of pool usage when certain criteria
+ are met.";
+
+ leaf pool-id {
+ type uint32;
+ description
+ "Pool-ID for which the notification criteria
+ is defined";
+ }
+
+ leaf high-threshold {
+ type percent;
+ description
+ "Notification must be generated when the defined high
+ threshold is reached.
+
+ For example, if a notification is required when the
+ pool utilization reaches 90%, this configuration
+ parameter must be set to 90.
+
+ 0% indicates that no high threshold is enabled.";
+ }
+
+ leaf low-threshold {
+ type percent;
+ must ". >= ../high-threshold" {
+ error-message
+ "The upper port number must be greater than or
+ equal to lower port number.";
+ }
+ description
+ "Notification must be generated when the defined low
+ threshold is reached.
+
+ For example, if a notification is required when the
+ pool utilization reaches below 10%, this
+ configuration parameter must be set to 10";
+ }
+
+ leaf notify-interval {
+ type uint32 {
+ range "1 .. 3600";
+ }
+ units "seconds";
+ default '20';
+ description
+ "Minimum number of seconds between successive
+ notifications for this pool.";
+
+ reference
+ "RFC 7659: Definitions of Managed Objects for
+ Network Address Translators (NATs)";
+ }
+ }
+
+ container external-realm {
+ description
+ "Identifies the external realm of the NAT instance.";
+
+ choice realm-type {
+ description
+ "Can be an interface, VRF instance, etc.";
+
+ case interface {
+ description
+ "External interface.";
+
+ leaf external-interface {
+ type if:interface-ref;
+ description
+ "Name of the external interface.";
+ }
+ }
+ }
+ }
+ }
+
+ container mapping-limits {
+ if-feature "napt44 or nat64";
+ description
+ "Information about the configuration parameters that
+ limits the mappings based upon various criteria.";
+
+ leaf limit-subscribers {
+ type uint32;
+ description
+ "Maximum number of subscribers that can be serviced
+ by a NAT instance.
+
+ A subscriber is identified by a given prefix.";
+ reference
+ "RFC 7659: Definitions of Managed Objects for
+ Network Address Translators (NATs)";
+ }
+
+ leaf limit-address-mappings {
+ type uint32;
+ description
+ "Maximum number of address mappings that can be
+ handled by a NAT instance.
+
+ When this limit is reached, packets that would
+ normally trigger translation, will be dropped.";
+ reference
+ "RFC 7659: Definitions of Managed Objects
+ for Network Address Translators
+ (NATs)";
+ }
+
+ leaf limit-port-mappings {
+ type uint32;
+ description
+ "Maximum number of port mappings that can be handled
+ by a NAT instance.
+
+ When this limit is reached, packets that would
+ normally trigger translation, will be dropped.";
+ reference
+ "RFC 7659: Definitions of Managed Objects for
+ Network Address Translators (NATs)";
+ }
+
+ list limit-per-protocol {
+ if-feature "napt44 or nat64 or dst-nat";
+ key protocol-id;
+
+ description
+ "Configure limits per transport protocol";
+
+ leaf protocol-id {
+ type uint8;
+ mandatory true;
+ description
+ "Upper-layer protocol associated with this mapping.
+
+ Values are taken from the IANA protocol registry:
+ https://www.iana.org/assignments/protocol-numbers/
+ protocol-numbers.xhtml
+
+ For example, this field contains 6 (TCP) for a TCP
+ mapping or 17 (UDP) for a UDP mapping.";
+ }
+
+ leaf limit {
+ type uint32;
+ description
+ "Maximum number of protocol-specific NAT mappings
+ per instance.";
+ }
+ }
+ }
+
+ container connection-limits {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Information about the configuration parameters that
+ rate limit the translation based upon various criteria.";
+
+ leaf limit-per-subscriber {
+ type uint32;
+ units "bits/second";
+ description
+ "Rate-limit the number of new mappings and sessions
+ per subscriber.";
+ }
+
+ leaf limit-per-instance {
+ type uint32;
+ units "bits/second";
+ // TODO(HC2VPP-328)
+ // mandatory true;
+ description
+ "Rate-limit the number of new mappings and sessions
+ per instance.";
+ }
+
+ list limit-per-protocol {
+ if-feature "napt44 or nat64";
+ key protocol-id;
+ description
+ "Configure limits per transport protocol";
+
+ leaf protocol-id {
+ type uint8;
+ mandatory true;
+ description
+ "Upper-layer protocol associated with this mapping.
+
+ Values are taken from the IANA protocol registry:
+ https://www.iana.org/assignments/protocol-numbers/
+ protocol-numbers.xhtml
+
+ For example, this field contains 6 (TCP) for a TCP
+ mapping or 17 (UDP) for a UDP mapping.";
+ }
+
+ leaf limit {
+ type uint32;
+ description
+ "Rate-limit the number of protocol-specific mappings
+ and sessions per instance.";
+ }
+ }
+ }
+
+ container notification-limits {
+ description "Sets notification limits.";
+
+ leaf notify-interval {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type uint32 {
+ range "1 .. 3600";
+ }
+ units "seconds";
+ default '10';
+ description
+ "Minimum number of seconds between successive
+ notifications for this NAT instance.";
+ reference
+ "RFC 7659: Definitions of Managed Objects
+ for Network Address Translators (NATs)";
+ }
+
+ leaf notify-addresses-usage {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type percent;
+ description
+ "Notification of address mappings usage over
+ the whole NAT instance.
+
+ Notification must be generated when the defined
+ threshold is reached.
+
+ For example, if a notification is required when
+ the address mappings utilization reaches 90%,
+ this configuration parameter must be set
+ to 90.";
+ }
+
+ leaf notify-ports-usage {
+ if-feature "napt44 or nat64";
+ type percent;
+ description
+ "Notification of port mappings usage over the
+ whole NAT instance.
+
+ Notification must be generated when the defined
+ threshold is reached.
+
+ For example, if a notification is required when
+ the port mappings utilization reaches 90%, this
+ configuration parameter must be set to 90.";
+ }
+
+ leaf notify-subscribers-limit {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type uint32;
+ description
+ "Notification of active subscribers per NAT
+ instance.
+
+ Notification must be generated when the defined
+ threshold is reached.";
+ }
+ }
+
+ leaf logging-enable {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type boolean;
+ description
+ "Enable logging features.";
+ reference
+ "Section 2.3 of RFC 6908 and REQ-12 of RFC 6888.";
+ }
+
+ container mapping-table {
+ if-feature "basic-nat44 or napt44 " +
+ "or nat64 or clat or dst-nat";
+ description
+ "NAT mapping table. Applicable for functions which maintain
+ static and/or dynamic mappings, such as NAT44, Destination
+ NAT, NAT64, or CLAT.";
+
+ list mapping-entry {
+ key "index";
+ description "NAT mapping entry.";
+ uses mapping-entry;
+ }
+ }
+
+ container statistics {
+ config false;
+
+ description
+ "Statistics related to the NAT instance.";
+
+ leaf discontinuity-time {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "The time on the most recent occasion at which the NAT
+ instance suffered a discontinuity. This must be
+ initialized when the NAT instance is configured
+ or rebooted.";
+ }
+
+ container traffic-statistics {
+ description
+ "Generic traffic statistics.";
+
+ leaf sent-packets {
+ type yang:zero-based-counter64;
+ description
+ "Number of packets sent.";
+ }
+
+ leaf sent-bytes {
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter for sent traffic in bytes.";
+ }
+
+ leaf rcvd-packets {
+ type yang:zero-based-counter64;
+ description
+ "Number of received packets.";
+ }
+
+ leaf rcvd-bytes {
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter for received traffic in bytes.";
+ }
+
+ leaf dropped-packets {
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped packets.";
+ }
+
+ leaf dropped-bytes {
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter for dropped traffic in bytes.";
+ }
+
+ leaf dropped-fragments {
+ if-feature "napt44 or nat64";
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped fragments on the external realm.";
+ }
+
+ leaf dropped-address-limit-packets {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped packets because an address limit
+ is reached.";
+ }
+
+ leaf dropped-address-limit-bytes {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter of dropped packets because an address limit
+ is reached, in bytes.";
+ }
+
+ leaf dropped-address-packets {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped packets because no address is
+ available for allocation.";
+ }
+
+ leaf dropped-address-bytes {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter of dropped packets because no address is
+ available for allocation, in bytes.";
+ }
+
+ leaf dropped-port-limit-packets {
+ if-feature "napt44 or nat64";
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped packets because a port limit
+ is reached.";
+ }
+
+ leaf dropped-port-limit-bytes {
+ if-feature "napt44 or nat64";
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter of dropped packets because a port limit
+ is reached, in bytes.";
+ }
+
+ leaf dropped-port-packets {
+ if-feature "napt44 or nat64";
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped packets because no port is
+ available for allocation.";
+ }
+
+ leaf dropped-port-bytes {
+ if-feature "napt44 or nat64";
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter of dropped packets because no port is
+ available for allocation, in bytes.";
+ }
+
+ leaf dropped-subscriber-limit-packets {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:zero-based-counter64;
+ description
+ "Number of dropped packets because the subscriber
+ limit per instance is reached.";
+ }
+
+ leaf dropped-subscriber-limit-bytes {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:zero-based-counter64;
+ units 'bytes';
+ description
+ "Counter of dropped packets because the subscriber
+ limit per instance is reached, in bytes.";
+ }
+ }
+
+ container mappings-statistics {
+ description
+ "Mappings statistics.";
+
+ leaf total-active-subscribers {
+ if-feature "basic-nat44 or napt44 or nat64";
+ type yang:gauge32;
+ description
+ "Total number of active subscribers (that is,
+ subscribers for which the NAT maintains active
+ mappings.
+
+ A subscriber is identified by a subnet,
+ subscriber-mask, etc.";
+ }
+
+ leaf total-address-mappings {
+ if-feature "basic-nat44 or napt44 " +
+ "or nat64 or clat or dst-nat";
+ type yang:gauge32;
+ description
+ "Total number of address mappings present at a given
+ time. It includes both static and dynamic mappings.";
+ reference
+ "Section 3.3.8 of RFC 7659";
+ }
+
+ leaf total-port-mappings {
+ if-feature "napt44 or nat64";
+ type yang:gauge32;
+ description
+ "Total number of NAT port mappings present at
+ a given time. It includes both static and dynamic
+ mappings.";
+ reference
+ "Section 3.3.9 of RFC 7659";
+ }
+
+ list total-per-protocol {
+ if-feature "napt44 or nat64";
+ key protocol-id;
+ description
+ "Total mappings for each enabled/supported protocol.";
+
+ leaf protocol-id {
+ type uint8;
+ mandatory true;
+ description
+ "Upper-layer protocol associated with this mapping.
+ For example, this field contains 6 (TCP) for a TCP
+ mapping or 17 (UDP) for a UDP mapping.";
+ }
+
+ leaf total {
+ type yang:gauge32;
+ description
+ "Total number of a protocol-specific mappings present
+ at a given time. The protocol is identified by
+ protocol-id.";
+ }
+ }
+ }
+
+ container pools-stats {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Statistics related to address/prefix pools
+ usage";
+
+ leaf addresses-allocated {
+ type yang:gauge32;
+ description
+ "Number of all allocated addresses.";
+ }
+
+ leaf addresses-free {
+ type yang:gauge32;
+ description
+ "Number of unallocated addresses of all pools at
+ a given time. The sum of unallocated and allocated
+ addresses is the total number of addresses of
+ the pools.";
+ }
+
+ container ports-stats {
+ if-feature "napt44 or nat64";
+
+ description
+ "Statistics related to port numbers usage.";
+
+ leaf ports-allocated {
+ type yang:gauge32;
+ description
+ "Number of allocated ports from all pools.";
+ }
+
+ leaf ports-free {
+ type yang:gauge32;
+ description
+ "Number of unallocated addresses from all pools.";
+ }
+ }
+
+ list per-pool-stats {
+ if-feature "basic-nat44 or napt44 or nat64";
+ key "pool-id";
+ description
+ "Statistics related to address/prefix pool usage";
+
+ leaf pool-id {
+ type uint32;
+ description
+ "Unique Identifier that represents a pool of
+ addresses/prefixes.";
+ }
+
+ leaf discontinuity-time {
+ type yang:date-and-time;
+ mandatory true;
+ description
+ "The time on the most recent occasion at which this
+ pool counters suffered a discontinuity. This must
+ be initialized when the address pool is
+ configured.";
+ }
+
+ container pool-stats {
+ description
+ "Statistics related to address/prefix pool usage";
+
+ leaf addresses-allocated {
+ type yang:gauge32;
+ description
+ "Number of allocated addresses from this pool.";
+ }
+
+ leaf addresses-free {
+ type yang:gauge32;
+ description
+ "Number of unallocated addresses in this pool.";
+ }
+ }
+
+ container port-stats {
+ if-feature "napt44 or nat64";
+ description
+ "Statistics related to port numbers usage.";
+
+ leaf ports-allocated {
+ type yang:gauge32;
+ description
+ "Number of allocated ports from this pool.";
+ }
+
+ leaf ports-free {
+ type yang:gauge32;
+ description
+ "Number of unallocated addresses from this pool.";
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ /*
+ * Notifications
+ */
+
+ notification nat-pool-event {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Notifications must be generated when the defined high/low
+ threshold is reached. Related configuration parameters
+ must be provided to trigger the notifications.";
+
+ leaf id {
+ type leafref {
+ path "/nat/instances/instance/id";
+ }
+ mandatory true;
+ description
+ "NAT instance Identifier.";
+ }
+
+ leaf policy-id {
+ type leafref {
+ path "/nat/instances/instance/policy/id";
+ }
+
+ description
+ "Policy Identifier.";
+ }
+
+ leaf pool-id {
+ type leafref {
+ path "/nat/instances/instance/policy/" +
+ "external-ip-address-pool/pool-id";
+ }
+ mandatory true;
+ description
+ "Pool Identifier.";
+ }
+
+ leaf notify-pool-threshold {
+ type percent;
+ mandatory true;
+ description
+ "A threshold (high-threshold or low-threshold) has
+ been fired.";
+ }
+ }
+
+ notification nat-instance-event {
+ if-feature "basic-nat44 or napt44 or nat64";
+ description
+ "Notifications must be generated when notify-addresses-usage
+ and/or notify-ports-usage threshold are reached.";
+
+ leaf id {
+ type leafref {
+ path "/nat/instances/instance/id";
+ }
+ mandatory true;
+ description
+ "NAT instance Identifier.";
+ }
+
+ leaf notify-subscribers-threshold {
+ type uint32;
+ description
+ "The notify-subscribers-limit threshold has been fired.";
+ }
+
+ leaf notify-addresses-threshold {
+ type percent;
+ description
+ "The notify-addresses-usage threshold has been fired.";
+ }
+
+ leaf notify-ports-threshold {
+ type percent;
+ description
+ "The notify-ports-usage threshold has been fired.";
+ }
+ }
+}