diff options
Diffstat (limited to 'acl/acl-api/src')
-rw-r--r-- | acl/acl-api/src/main/yang/interface-acl.yang | 98 | ||||
-rw-r--r-- | acl/acl-api/src/main/yang/vpp-acl.yang | 209 |
2 files changed, 307 insertions, 0 deletions
diff --git a/acl/acl-api/src/main/yang/interface-acl.yang b/acl/acl-api/src/main/yang/interface-acl.yang new file mode 100644 index 000000000..29b85e860 --- /dev/null +++ b/acl/acl-api/src/main/yang/interface-acl.yang @@ -0,0 +1,98 @@ +module interface-acl { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:interface:acl"; + prefix "ifc-acl"; + + revision "2016-12-14" { + description "Initial revision of interface-acl model"; + } + + import ietf-interfaces { + prefix "if"; + } + import yang-ext { + prefix "ext"; + } + import ietf-yang-types { + prefix "yang"; + } + + import vpp-acl { + prefix "vpp-acl"; + } + + import ietf-access-control-list { + prefix "acl"; + } + + description "Augmentations to interfaces model to apply acls exposed by acl plugin of vpp"; + + grouping vpp-acl-base-attributes { + leaf tag { + type yang:hex-string { + length 64; + } + description + "Placeholder for ACL metadata. Value is stored in vpp, and returned in read requests. No processing involved."; + } + } + + grouping vpp-acls-base-attributes { + description + "List of ACLs of vpp-acl type"; // TODO express constraint in the model if possible + list vpp-acls { + key "type name"; + ordered-by user; + + leaf type { + type acl:acl-type; + } + + leaf name { + type acl:access-control-list-ref; + } + + uses vpp-acl-base-attributes; + } + } + + grouping vpp-macip-acls-base-attributes { + container vpp-macip-acl { + description + "ACL of vpp-macip-acl type"; // TODO express constraint in the model if possible + + leaf type { + type acl:acl-type; + } + + leaf name { + type acl:access-control-list-ref; + } + + uses vpp-acl-base-attributes; + } + } + + grouping interface-acl-attributes { + container acl { + container ingress { + uses vpp-acls-base-attributes; + uses vpp-macip-acls-base-attributes; + } + container egress { + uses vpp-acls-base-attributes; + } + } + } + + augment /if:interfaces/if:interface { + ext:augment-identifier "vpp-acl-interface-augmentation"; + uses interface-acl-attributes; + } + + augment /if:interfaces-state/if:interface { + ext:augment-identifier "vpp-acl-interface-state-augmentation"; + uses interface-acl-attributes; + } + +}
\ No newline at end of file diff --git a/acl/acl-api/src/main/yang/vpp-acl.yang b/acl/acl-api/src/main/yang/vpp-acl.yang new file mode 100644 index 000000000..dad5e71a8 --- /dev/null +++ b/acl/acl-api/src/main/yang/vpp-acl.yang @@ -0,0 +1,209 @@ +module vpp-acl { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl"; + prefix "vpp-acl"; + + revision "2016-12-14" { + description + "Initial revision of vpp-acl model."; + } + + import ietf-access-control-list { + prefix "acl"; + } + + import yang-ext { + prefix "ext"; + } + + import ietf-packet-fields { + prefix packet-fields; + } + + import ietf-inet-types { + prefix inet; + } + + import ietf-yang-types { + prefix yang; + } + + augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling { + ext:augment-identifier "stateful-acl-action-augmentation"; + case stateful { + leaf permit { + type empty; + description + "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs."; + } + } + } + + identity vpp-acl { + base acl:acl-base; + description + "ACL that contains only aces of vpp-ace type."; + } + + identity vpp-macip-acl { + base acl:acl-base; + description + "ACL that contains only aces of vpp-macip-acl type."; + } + + grouping acl-icmp-header-fields { + description + "ICMP header fields"; + container icmp-type-range { + presence "Enables setting icmp-type"; + description + "Inclusive range representing icmp types to be used."; + leaf first-icmp-type { + type uint8; + mandatory true; + description + "Lower boundary for icmp type."; + } + leaf last-icmp-type { + type uint8; + mandatory true; + must ". >= ../lower-port" { + error-message + "The first-icmp-type must be greater than or equal to first-icmp-type"; + } + description + "Upper boundary for icmp type"; + } + } + } + + grouping acl-tcp-header-fields { + description + "TCP header fields"; + leaf tcp-flags-mask { + description + "Binary mask for tcp flags to match. MSB order (FIN at position 0). + Applied as logical AND to tcp flags field of the packet being matched, + before it is compared with tcp-flags-value."; + type uint8; + } + leaf tcp-flags-value { + description + "Binary value for tcp flags to match. MSB order (FIN at position 0). + Before tcp-flags-value is compared with tcp flags field of the packet being matched, + tcp-flags-mask is applied to packet field value."; + type uint8; + } + } + + grouping acl-ip-protocol-header-fields { + description + "Defines header fields for TCP/UDP or ICMP protocols"; + choice ip-protocol { + case icmp { + uses acl-icmp-header-fields; + } + case udp { + uses packet-fields:acl-transport-header-fields; + } + case tcp { + uses packet-fields:acl-transport-header-fields; + uses acl-tcp-header-fields; + } + } + } + + augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { + ext:augment-identifier "vpp-acl-type-augmentation"; + case vpp-ace { + description + "Access List entry that can define: + - IP4/IP6 src/dst ip prefix- Internet Protocol number + - Internet Protocol number + - selected L4 headers: + * ICMP (type range) + * UDP (port range) + * TCP (port range, flags mask, flags value)"; + choice ace-ip-version { + description + "IP version used in this Access List Entry."; + mandatory true; + case ace-ipv4 { + uses packet-fields:acl-ipv4-header-fields; + } + case ace-ipv6 { + uses packet-fields:acl-ipv6-header-fields; + } + } + leaf protocol { + type uint8; + description + "Internet Protocol number."; + } + uses acl-ip-protocol-header-fields; + } + } + + grouping vpp-macip-ace-eth-header-fields { + description + "Fields in Ethernet header supported by vpp-macip rule"; + leaf source-mac-address { + type yang:mac-address; + description + "Source IEEE 802 MAC address. + Before source-mac-address is compared with source mac address field of the packet being matched, + source-mac-address-mask is applied to packet field value."; + } + leaf source-mac-address-mask { + type yang:mac-address; + description + "Source IEEE 802 MAC address mask. + Applied as logical AND with source mac address field of the packet being matched, + before it is compared with source-mac-address."; + } + } + + grouping vpp-macip-ace-ipv4-header-fields { + description + "Fields in IPv4 header supported by vpp-macip rule"; + leaf source-ipv4-network { + type inet:ipv4-prefix; + description + "Source IPv4 address prefix."; + } + } + + grouping vpp-macip-ace-ipv6-header-fields { + description + "Fields in IPv6 header supported by vpp-macip rule"; + leaf source-ipv6-network { + type inet:ipv6-prefix; + description + "Source IPv6 address prefix."; + } + } + + augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { + ext:augment-identifier "vpp-macip-acl-type-augmentation"; + case vpp-macip-ace { + description + "Access List entry that can define: + - IP4/IP6 src ip prefix + - src MAC address mask + - src MAC address value + - can be used only for static ACLs."; + choice ace-ip-version { + description + "IP version used in this Access List Entry."; + mandatory true; + case ace-ipv4 { + uses vpp-macip-ace-ipv4-header-fields; + } + case ace-ipv6 { + uses vpp-macip-ace-ipv6-header-fields; + } + } + uses vpp-macip-ace-eth-header-fields; + } + } +}
\ No newline at end of file |