summaryrefslogtreecommitdiffstats
path: root/vpp-classifier/api/src
diff options
context:
space:
mode:
authorMarek Gradzki <mgradzki@cisco.com>2017-05-03 07:56:25 +0200
committerMarek Gradzki <mgradzki@cisco.com>2017-05-03 08:08:11 +0200
commit27bf27b264e722f3545d0700fca592835df37528 (patch)
treedf106273a5fcc723896e7d084d37f19b7d0cd155 /vpp-classifier/api/src
parent413f905bf434211c2f21c79a5061051bc085e160 (diff)
HC2VPP-14: move ietf acl models from vpp-classfier to acl module
Change-Id: Idcb2697c5ef06d9d4a62a5de4bc5a56e0212f6a8 Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'vpp-classifier/api/src')
-rw-r--r--vpp-classifier/api/src/main/yang/ietf-access-control-list.yang208
-rw-r--r--vpp-classifier/api/src/main/yang/ietf-packet-fields.yang180
-rw-r--r--vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang125
3 files changed, 5 insertions, 508 deletions
diff --git a/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang b/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang
deleted file mode 100644
index 3083ee2a0..000000000
--- a/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang
+++ /dev/null
@@ -1,208 +0,0 @@
-module ietf-access-control-list {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
- prefix acl;
- import ietf-yang-types {
- prefix yang;
- }
- import ietf-packet-fields {
- prefix packet-fields;
- }
- organization "IETF NETMOD (NETCONF Data Modeling Language)
- Working Group";
- contact
- "WG Web: http://tools.ietf.org/wg/netmod/
- WG List: netmod@ietf.org
- WG Chair: Juergen Schoenwaelder
- j.schoenwaelder@jacobs-university.de
- WG Chair: Tom Nadeau
- tnadeau@lucidvision.com
- Editor: Dean Bogdanovic
- ivandean@gmail.com
- Editor: Kiran Agrahara Sreenivasa
- kkoushik@cisco.com
- Editor: Lisa Huang
- lyihuang16@gmail.com
- Editor: Dana Blair
- dblair@cisco.com";
- description
- "This YANG module defines a component that describing the
- configuration of Access Control Lists (ACLs).
- Copyright (c) 2015 IETF Trust and the persons identified as
- the document authors. All rights reserved.
- Redistribution and use in source and binary forms, with or
- without modification, is permitted pursuant to, and subject
- to the license terms contained in, the Simplified BSD
- License set forth in Section 4.c of the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info).
- This version of this YANG module is part of RFC XXXX; see
- the RFC itself for full legal notices.";
- revision 2016-07-08 {
- description
- "Base model for Network Access Control List (ACL).";
- reference
- "RFC XXXX: Network Access Control List (ACL)
- YANG Data Model";
- }
- identity acl-base {
- description
- "Base Access Control List type for all Access Control List type
- identifiers.";
- }
- identity ipv4-acl {
- base acl:acl-base;
- description
- "ACL that primarily matches on fields from the IPv4 header
- (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
- destination port). An acl of type ipv4-acl does not contain
- matches on fields in the ethernet header or the IPv6 header.";
- }
- identity ipv6-acl {
- base acl:acl-base;
- description
- "ACL that primarily matches on fields from the IPv6 header
- (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
- destination port). An acl of type ipv6-acl does not contain
- matches on fields in the ethernet header or the IPv4 header.";
- }
- identity eth-acl {
- base acl:acl-base;
- description
- "ACL that primarily matches on fields in the ethernet header,
- like 10/100/1000baseT or WiFi Access Control List. An acl of
- type eth-acl does not contain matches on fields in the IPv4
- header, IPv6 header or layer 4 headers.";
- }
- typedef acl-type {
- type identityref {
- base acl:acl-base;
- }
- description
- "This type is used to refer to an Access Control List
- (ACL) type";
- }
- typedef access-control-list-ref {
- type leafref {
- path "/access-lists/acl/acl-name";
- }
- description
- "This type is used by data models that need to reference an
- Access Control List";
- }
- container access-lists {
- description
- "This is a top level container for Access Control Lists.
- It can have one or more Access Control Lists.";
- list acl {
- key "acl-type acl-name";
- description
- "An Access Control List(ACL) is an ordered list of
- Access List Entries (ACE). Each Access Control Entry has a
- list of match criteria and a list of actions.
- Since there are several kinds of Access Control Lists
- implemented with different attributes for
- different vendors, this
- model accommodates customizing Access Control Lists for
- each kind and for each vendor.";
- leaf acl-name {
- type string;
- description
- "The name of access-list. A device MAY restrict the length
- and value of this name, possibly space and special
- characters are not allowed.";
- }
- leaf acl-type {
- type acl-type;
- description
- "Type of access control list. Indicates the primary intended
- type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
- used in the list instance.";
- }
- container acl-oper-data {
- config false;
- description
- "Overall Access Control List operational data";
- }
- container access-list-entries {
- description
- "The access-list-entries container contains
- a list of access-list-entries(ACE).";
- list ace {
- key "rule-name";
- ordered-by user;
- description
- "List of access list entries(ACE)";
- leaf rule-name {
- type string;
- description
- "A unique name identifying this Access List
- Entry(ACE).";
- }
- container matches {
- description
- "Definitions for match criteria for this Access List
- Entry.";
- choice ace-type {
- description
- "Type of access list entry.";
- case ace-ip {
- description "IP Access List Entry.";
- choice ace-ip-version {
- description
- "IP version used in this Access List Entry.";
- case ace-ipv4 {
- uses packet-fields:acl-ipv4-header-fields;
- }
- case ace-ipv6 {
- uses packet-fields:acl-ipv6-header-fields;
- }
- }
- uses packet-fields:acl-ip-header-fields;
- }
- case ace-eth {
- description
- "Ethernet Access List entry.";
- uses packet-fields:acl-eth-header-fields;
- }
- }
- }
- container actions {
- description
- "Definitions of action criteria for this Access List
- Entry.";
- choice packet-handling {
- default "deny";
- description
- "Packet handling action.";
- case deny {
- leaf deny {
- type empty;
- description
- "Deny action.";
- }
- }
- case permit {
- leaf permit {
- type empty;
- description
- "Permit action.";
- }
- }
- }
- }
- container ace-oper-data {
- config false;
- description
- "Operational data for this Access List Entry.";
- leaf match-counter {
- type yang:counter64;
- description
- "Number of matches for this Access List Entry";
- }
- }
- }
- }
- }
- }
-}
diff --git a/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang b/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang
deleted file mode 100644
index 0b1ce5cdd..000000000
--- a/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang
+++ /dev/null
@@ -1,180 +0,0 @@
-module ietf-packet-fields {
- yang-version 1.1;
- namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
- prefix packet-fields;
- import ietf-inet-types {
- prefix inet;
- }
- import ietf-yang-types {
- prefix yang;
- }
- organization "IETF NETMOD (NETCONF Data Modeling Language) Working
- Group";
- contact
- "WG Web: http://tools.ietf.org/wg/netmod/
- WG List: netmod@ietf.org
- WG Chair: Juergen Schoenwaelder
- j.schoenwaelder@jacobs-university.de
- WG Chair: Tom Nadeau
- tnadeau@lucidvision.com
- Editor: Dean Bogdanovic
- deanb@juniper.net
- Editor: Kiran Agrahara Sreenivasa
- kkoushik@cisco.com
- Editor: Lisa Huang
- lyihuang16@gmail.com
- Editor: Dana Blair
- dblair@cisco.com";
- description
- "This YANG module defines groupings that are used by
- ietf-access-control-list YANG module. Their usage is not
- limited to ietf-access-control-list and can be
- used anywhere as applicable.
- Copyright (c) 2015 IETF Trust and the persons identified as
- the document authors. All rights reserved.
- Redistribution and use in source and binary forms, with or
- without modification, is permitted pursuant to, and subject
- to the license terms contained in, the Simplified BSD
- License set forth in Section 4.c of the IETF Trust's Legal
- Provisions Relating to IETF Documents
- (http://trustee.ietf.org/license-info).
- This version of this YANG module is part of RFC XXXX; see
- the RFC itself for full legal notices.";
- revision 2016-07-08 {
- description
- "Initial version of packet fields used by
- ietf-access-control-list";
- reference
- "RFC XXXX: Network Access Control List (ACL)
- YANG Data Model";
- }
- grouping acl-transport-header-fields {
- description
- "Transport header fields";
- container source-port-range {
- presence "Enables setting source port range";
- description
- "Inclusive range representing source ports to be used.
- When only lower-port is present, it represents a single port.";
- leaf lower-port {
- type inet:port-number;
- mandatory true;
- description
- "Lower boundary for port.";
- }
- leaf upper-port {
- type inet:port-number;
- must ". >= ../lower-port" {
- error-message
- "The upper-port must be greater than or equal to lower-port";
- }
- description
- "Upper boundary for port . If existing, the upper port
- must be greater or equal to lower-port.";
- }
- }
- container destination-port-range {
- presence "Enables setting destination port range";
- description
- "Inclusive range representing destination ports to be used. When
- only lower-port is present, it represents a single port.";
- leaf lower-port {
- type inet:port-number;
- mandatory true;
- description
- "Lower boundary for port.";
- }
- leaf upper-port {
- type inet:port-number;
- must ". >= ../lower-port" {
- error-message
- "The upper-port must be greater than or equal to lower-port";
- }
-
- description
- "Upper boundary for port. If existing, the upper port must
- be greater or equal to lower-port";
- }
- }
- }
- grouping acl-ip-header-fields {
- description
- "IP header fields common to ipv4 and ipv6";
- leaf dscp {
- type inet:dscp;
- description
- "Value of dscp.";
- }
- leaf protocol {
- type uint8;
- description
- "Internet Protocol number.";
- }
- uses acl-transport-header-fields;
- }
- grouping acl-ipv4-header-fields {
- description
- "Fields in IPv4 header.";
- leaf destination-ipv4-network {
- type inet:ipv4-prefix;
- description
- "Destination IPv4 address prefix.";
- }
- leaf source-ipv4-network {
- type inet:ipv4-prefix;
- description
- "Source IPv4 address prefix.";
- }
- }
- grouping acl-ipv6-header-fields {
- description
- "Fields in IPv6 header";
- leaf destination-ipv6-network {
- type inet:ipv6-prefix;
- description
- "Destination IPv6 address prefix.";
- }
- leaf source-ipv6-network {
- type inet:ipv6-prefix;
- description
- "Source IPv6 address prefix.";
- }
- leaf flow-label {
- type inet:ipv6-flow-label;
- description
- "IPv6 Flow label.";
- }
- reference
- "RFC 4291: IP Version 6 Addressing Architecture
- RFC 4007: IPv6 Scoped Address Architecture
- RFC 5952: A Recommendation for IPv6 Address Text Representation";
- }
- grouping acl-eth-header-fields {
- description
- "Fields in Ethernet header.";
- leaf destination-mac-address {
- type yang:mac-address;
- description
- "Destination IEEE 802 MAC address.";
- }
- leaf destination-mac-address-mask {
- type yang:mac-address;
- description
- "Destination IEEE 802 MAC address mask.";
- }
- leaf source-mac-address {
- type yang:mac-address;
- description
- "Source IEEE 802 MAC address.";
- }
- leaf source-mac-address-mask {
- type yang:mac-address;
- description
- "Source IEEE 802 MAC address mask.";
- }
- reference
- "IEEE 802: IEEE Standard for Local and Metropolitan Area
- Networks: Overview and Architecture.";
- }
-
-} \ No newline at end of file
diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang b/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang
index f817dad81..6dc028e16 100644
--- a/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang
+++ b/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang
@@ -3,13 +3,14 @@ module vpp-classifier-acl {
namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier:acl";
prefix "vpp-classifier-acl";
- revision "2017-03-15" {
+ revision "2017-05-03" {
description
- "Initial revision of vpp-classifier-acl model.";
+ "Removed support for ietf based acls.";
}
- import ietf-access-control-list {
- prefix "acl";
+ revision "2017-03-15" {
+ description
+ "Initial revision of vpp-classifier-acl model.";
}
import vpp-classifier {
@@ -20,16 +21,6 @@ module vpp-classifier-acl {
prefix "ext";
}
- import ietf-packet-fields {
- prefix packet-fields;
- }
-
- identity mixed-acl {
- base acl:acl-base;
- description
- "ACL that can match on any of L2/L3/L4 fields.";
- }
-
typedef interface-mode {
type enumeration {
enum "l2";
@@ -64,79 +55,6 @@ module vpp-classifier-acl {
}
}
- grouping ietf-acl-base-attributes {
- description
- "Provides limited support for ietf-acl model.";
-
- container access-lists {
- description
- "Defines references to ietf-acl lists.
- ACLs are translated into classify tables and sessions when assigned to interface.
-
- In case of L2 interfaces, acls are translated into a chain of classify tables and assigned as L2 table.
- In case of L3 interfaces, acls are translated into ip4 and ip6 chains (eth only rules go to both chains,
- rest - depending on ip-version).
- User ordering is preserved in both cases.
-
- Assignment update/delete removes all created tables and sessions and repeats process described above.
- Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
-
- Read is supported only for acls that were created and assigned by Honeycomb agent
- (corresponding metadata is present).
-
- Extensions:
- - mixing ACEs of different type in one list is permited
- - mixing L2/L3/L4 rules in one ACE is permited
-
- Limitations (due to vpp limitations):
- - egress rules are currently ignored (HONEYCOMB-234)
- - L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify
- session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260)
- - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types,
- and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
- - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation)
- - vlan tags are supported only for sub-interfaces defined as exact-match";
-
- list acl {
- key "type name";
- ordered-by user;
-
- leaf type {
- type acl:acl-type;
- }
-
- leaf name {
- type acl:access-control-list-ref;
- }
- }
-
- leaf default-action {
- type enumeration {
- enum "deny";
- enum "permit";
- }
- default "deny";
- description
- "Default action applied to packet that does not match any of rules defined in assigned ACLs.
- It is translated to single classify table and applied at the end of assigned chains.";
- }
-
- leaf mode {
- type interface-mode;
- default l3;
- description
- "The way ACLs are translated depends on the interface mode.
- In case of L2 interfaces (bridge/interconnection)
- classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically
- added in case of L3 rules).
- In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables.
-
- It is the user responsibility to choose mode that matches target interface.
- ";
- }
- }
- }
-
grouping vpp-acl-attributes {
container acl {
container ingress {
@@ -146,38 +64,5 @@ module vpp-classifier-acl {
uses vpp-classifier-acl:acl-base-attributes;
}
}
-
- container ietf-acl {
- container ingress {
- uses vpp-classifier-acl:ietf-acl-base-attributes;
- }
- container egress {
- uses vpp-classifier-acl:ietf-acl-base-attributes;
- }
- }
- }
-
- augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
- ext:augment-identifier "vpp-classfier-acl-type-augmentation";
- case ace-ip-and-eth {
- description
- "Access List entry that can define both ip and eth rules.";
- container ace-ip-and-eth-nodes {
-
- choice ace-ip-version {
- description
- "IP version used in this Access List Entry.";
- mandatory true;
- case ace-ipv4 {
- uses packet-fields:acl-ipv4-header-fields;
- }
- case ace-ipv6 {
- uses packet-fields:acl-ipv6-header-fields;
- }
- }
- uses packet-fields:acl-ip-header-fields;
- uses packet-fields:acl-eth-header-fields;
- }
- }
}
} \ No newline at end of file