diff options
Diffstat (limited to 'vpp-classifier/api/src/main/yang')
7 files changed, 922 insertions, 0 deletions
diff --git a/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang b/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang new file mode 100644 index 000000000..3083ee2a0 --- /dev/null +++ b/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang @@ -0,0 +1,208 @@ +module ietf-access-control-list { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; + prefix acl; + import ietf-yang-types { + prefix yang; + } + import ietf-packet-fields { + prefix packet-fields; + } + organization "IETF NETMOD (NETCONF Data Modeling Language) + Working Group"; + contact + "WG Web: http://tools.ietf.org/wg/netmod/ + WG List: netmod@ietf.org + WG Chair: Juergen Schoenwaelder + j.schoenwaelder@jacobs-university.de + WG Chair: Tom Nadeau + tnadeau@lucidvision.com + Editor: Dean Bogdanovic + ivandean@gmail.com + Editor: Kiran Agrahara Sreenivasa + kkoushik@cisco.com + Editor: Lisa Huang + lyihuang16@gmail.com + Editor: Dana Blair + dblair@cisco.com"; + description + "This YANG module defines a component that describing the + configuration of Access Control Lists (ACLs). + Copyright (c) 2015 IETF Trust and the persons identified as + the document authors. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + revision 2016-07-08 { + description + "Base model for Network Access Control List (ACL)."; + reference + "RFC XXXX: Network Access Control List (ACL) + YANG Data Model"; + } + identity acl-base { + description + "Base Access Control List type for all Access Control List type + identifiers."; + } + identity ipv4-acl { + base acl:acl-base; + description + "ACL that primarily matches on fields from the IPv4 header + (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP + destination port). An acl of type ipv4-acl does not contain + matches on fields in the ethernet header or the IPv6 header."; + } + identity ipv6-acl { + base acl:acl-base; + description + "ACL that primarily matches on fields from the IPv6 header + (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP + destination port). An acl of type ipv6-acl does not contain + matches on fields in the ethernet header or the IPv4 header."; + } + identity eth-acl { + base acl:acl-base; + description + "ACL that primarily matches on fields in the ethernet header, + like 10/100/1000baseT or WiFi Access Control List. An acl of + type eth-acl does not contain matches on fields in the IPv4 + header, IPv6 header or layer 4 headers."; + } + typedef acl-type { + type identityref { + base acl:acl-base; + } + description + "This type is used to refer to an Access Control List + (ACL) type"; + } + typedef access-control-list-ref { + type leafref { + path "/access-lists/acl/acl-name"; + } + description + "This type is used by data models that need to reference an + Access Control List"; + } + container access-lists { + description + "This is a top level container for Access Control Lists. + It can have one or more Access Control Lists."; + list acl { + key "acl-type acl-name"; + description + "An Access Control List(ACL) is an ordered list of + Access List Entries (ACE). Each Access Control Entry has a + list of match criteria and a list of actions. + Since there are several kinds of Access Control Lists + implemented with different attributes for + different vendors, this + model accommodates customizing Access Control Lists for + each kind and for each vendor."; + leaf acl-name { + type string; + description + "The name of access-list. A device MAY restrict the length + and value of this name, possibly space and special + characters are not allowed."; + } + leaf acl-type { + type acl-type; + description + "Type of access control list. Indicates the primary intended + type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc) + used in the list instance."; + } + container acl-oper-data { + config false; + description + "Overall Access Control List operational data"; + } + container access-list-entries { + description + "The access-list-entries container contains + a list of access-list-entries(ACE)."; + list ace { + key "rule-name"; + ordered-by user; + description + "List of access list entries(ACE)"; + leaf rule-name { + type string; + description + "A unique name identifying this Access List + Entry(ACE)."; + } + container matches { + description + "Definitions for match criteria for this Access List + Entry."; + choice ace-type { + description + "Type of access list entry."; + case ace-ip { + description "IP Access List Entry."; + choice ace-ip-version { + description + "IP version used in this Access List Entry."; + case ace-ipv4 { + uses packet-fields:acl-ipv4-header-fields; + } + case ace-ipv6 { + uses packet-fields:acl-ipv6-header-fields; + } + } + uses packet-fields:acl-ip-header-fields; + } + case ace-eth { + description + "Ethernet Access List entry."; + uses packet-fields:acl-eth-header-fields; + } + } + } + container actions { + description + "Definitions of action criteria for this Access List + Entry."; + choice packet-handling { + default "deny"; + description + "Packet handling action."; + case deny { + leaf deny { + type empty; + description + "Deny action."; + } + } + case permit { + leaf permit { + type empty; + description + "Permit action."; + } + } + } + } + container ace-oper-data { + config false; + description + "Operational data for this Access List Entry."; + leaf match-counter { + type yang:counter64; + description + "Number of matches for this Access List Entry"; + } + } + } + } + } + } +} diff --git a/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang b/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang new file mode 100644 index 000000000..0b1ce5cdd --- /dev/null +++ b/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang @@ -0,0 +1,180 @@ +module ietf-packet-fields { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; + prefix packet-fields; + import ietf-inet-types { + prefix inet; + } + import ietf-yang-types { + prefix yang; + } + organization "IETF NETMOD (NETCONF Data Modeling Language) Working + Group"; + contact + "WG Web: http://tools.ietf.org/wg/netmod/ + WG List: netmod@ietf.org + WG Chair: Juergen Schoenwaelder + j.schoenwaelder@jacobs-university.de + WG Chair: Tom Nadeau + tnadeau@lucidvision.com + Editor: Dean Bogdanovic + deanb@juniper.net + Editor: Kiran Agrahara Sreenivasa + kkoushik@cisco.com + Editor: Lisa Huang + lyihuang16@gmail.com + Editor: Dana Blair + dblair@cisco.com"; + description + "This YANG module defines groupings that are used by + ietf-access-control-list YANG module. Their usage is not + limited to ietf-access-control-list and can be + used anywhere as applicable. + Copyright (c) 2015 IETF Trust and the persons identified as + the document authors. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + revision 2016-07-08 { + description + "Initial version of packet fields used by + ietf-access-control-list"; + reference + "RFC XXXX: Network Access Control List (ACL) + YANG Data Model"; + } + grouping acl-transport-header-fields { + description + "Transport header fields"; + container source-port-range { + presence "Enables setting source port range"; + description + "Inclusive range representing source ports to be used. + When only lower-port is present, it represents a single port."; + leaf lower-port { + type inet:port-number; + mandatory true; + description + "Lower boundary for port."; + } + leaf upper-port { + type inet:port-number; + must ". >= ../lower-port" { + error-message + "The upper-port must be greater than or equal to lower-port"; + } + description + "Upper boundary for port . If existing, the upper port + must be greater or equal to lower-port."; + } + } + container destination-port-range { + presence "Enables setting destination port range"; + description + "Inclusive range representing destination ports to be used. When + only lower-port is present, it represents a single port."; + leaf lower-port { + type inet:port-number; + mandatory true; + description + "Lower boundary for port."; + } + leaf upper-port { + type inet:port-number; + must ". >= ../lower-port" { + error-message + "The upper-port must be greater than or equal to lower-port"; + } + + description + "Upper boundary for port. If existing, the upper port must + be greater or equal to lower-port"; + } + } + } + grouping acl-ip-header-fields { + description + "IP header fields common to ipv4 and ipv6"; + leaf dscp { + type inet:dscp; + description + "Value of dscp."; + } + leaf protocol { + type uint8; + description + "Internet Protocol number."; + } + uses acl-transport-header-fields; + } + grouping acl-ipv4-header-fields { + description + "Fields in IPv4 header."; + leaf destination-ipv4-network { + type inet:ipv4-prefix; + description + "Destination IPv4 address prefix."; + } + leaf source-ipv4-network { + type inet:ipv4-prefix; + description + "Source IPv4 address prefix."; + } + } + grouping acl-ipv6-header-fields { + description + "Fields in IPv6 header"; + leaf destination-ipv6-network { + type inet:ipv6-prefix; + description + "Destination IPv6 address prefix."; + } + leaf source-ipv6-network { + type inet:ipv6-prefix; + description + "Source IPv6 address prefix."; + } + leaf flow-label { + type inet:ipv6-flow-label; + description + "IPv6 Flow label."; + } + reference + "RFC 4291: IP Version 6 Addressing Architecture + RFC 4007: IPv6 Scoped Address Architecture + RFC 5952: A Recommendation for IPv6 Address Text Representation"; + } + grouping acl-eth-header-fields { + description + "Fields in Ethernet header."; + leaf destination-mac-address { + type yang:mac-address; + description + "Destination IEEE 802 MAC address."; + } + leaf destination-mac-address-mask { + type yang:mac-address; + description + "Destination IEEE 802 MAC address mask."; + } + leaf source-mac-address { + type yang:mac-address; + description + "Source IEEE 802 MAC address."; + } + leaf source-mac-address-mask { + type yang:mac-address; + description + "Source IEEE 802 MAC address mask."; + } + reference + "IEEE 802: IEEE Standard for Local and Metropolitan Area + Networks: Overview and Architecture."; + } + +}
\ No newline at end of file diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang b/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang new file mode 100644 index 000000000..ccf3e286a --- /dev/null +++ b/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang @@ -0,0 +1,183 @@ +module vpp-classifier-acl { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier:acl"; + prefix "vpp-classifier-acl"; + + revision "2016-12-14" { + description + "Initial revision of vpp-classfier-acl model."; + } + + import ietf-access-control-list { + prefix "acl"; + } + + import vpp-classifier { + prefix "vpp-classifier"; + } + + import yang-ext { + prefix "ext"; + } + + import ietf-packet-fields { + prefix packet-fields; + } + + identity mixed-acl { + base acl:acl-base; + description + "ACL that can match on any of L2/L3/L4 fields."; + } + + typedef interface-mode { + type enumeration { + enum "l2"; + enum "l3"; + } + } + + grouping acl-base-attributes { + description + "Defines references to classify tables. + At least one table reference should be specified."; + container l2-acl { + leaf classify-table { + type vpp-classifier:classify-table-ref; + description + "An L2 ACL table"; + } + } + container ip4-acl { + leaf classify-table { + type vpp-classifier:classify-table-ref; + description + "An IPv4 ACL table"; + } + } + container ip6-acl { + leaf classify-table { + type vpp-classifier:classify-table-ref; + description + "An IPv6 ACL table"; + } + } + } + + grouping ietf-acl-base-attributes { + description + "Provides limited support for ietf-acl model."; + + container access-lists { + description + "Defines references to ietf-acl lists. + ACLs are translated into classify tables and sessions when assigned to interface. + + In case of L2 interfaces, acls are translated into a chain of classify tables and assigned as L2 table. + In case of L3 interfaces, acls are translated into ip4 and ip6 chains (eth only rules go to both chains, + rest - depending on ip-version). + User ordering is preserved in both cases. + + Assignment update/delete removes all created tables and sessions and repeats process described above. + Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). + + Read is supported only for acls that were created and assigned by Honeycomb agent + (corresponding metadata is present). + + Extensions: + - mixing ACEs of different type in one list is permited + - mixing L2/L3/L4 rules in one ACE is permited + + Limitations (due to vpp limitations): + - egress rules are currently ignored (HONEYCOMB-234) + - L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify + session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260) + - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types, + and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets) + - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation) + - vlan tags are supported only for sub-interfaces defined as exact-match"; + + list acl { + key "type name"; + ordered-by user; + + leaf type { + type acl:acl-type; + } + + leaf name { + type acl:access-control-list-ref; + } + } + + leaf default-action { + type enumeration { + enum "deny"; + enum "permit"; + } + default "deny"; + description + "Default action applied to packet that does not match any of rules defined in assigned ACLs. + It is translated to single classify table and applied at the end of assigned chains."; + } + + leaf mode { + type interface-mode; + default l3; + description + "The way ACLs are translated depends on the interface mode. + In case of L2 interfaces (bridge/interconnection) + classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically + added in case of L3 rules). + In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables. + + It is the user responsibility to choose mode that matches target interface. + "; + } + } + } + + grouping vpp-acl-attributes { + container acl { + container ingress { + uses vpp-classifier-acl:acl-base-attributes; + } + container egress { + uses vpp-classifier-acl:acl-base-attributes; + } + } + + container ietf-acl { + container ingress { + uses vpp-classifier-acl:ietf-acl-base-attributes; + } + container egress { + uses vpp-classifier-acl:ietf-acl-base-attributes; + } + } + } + + augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { + ext:augment-identifier "vpp-classfier-acl-type-augmentation"; + case ace-ip-and-eth { + description + "Access List entry that can define both ip and eth rules."; + container ace-ip-and-eth-nodes { + + choice ace-ip-version { + description + "IP version used in this Access List Entry."; + mandatory true; + case ace-ipv4 { + uses packet-fields:acl-ipv4-header-fields; + } + case ace-ipv6 { + uses packet-fields:acl-ipv6-header-fields; + } + } + uses packet-fields:acl-ip-header-fields; + uses packet-fields:acl-eth-header-fields; + } + } + } +}
\ No newline at end of file diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier-context.yang b/vpp-classifier/api/src/main/yang/vpp-classifier-context.yang new file mode 100644 index 000000000..01eae862d --- /dev/null +++ b/vpp-classifier/api/src/main/yang/vpp-classifier-context.yang @@ -0,0 +1,68 @@ +module vpp-classifier-context { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier"; + prefix "vpp-classifier-context"; + + description + "This module contains vpp classfier metadata definition"; + + revision "2016-09-09" { + description + "Initial revision."; + } + + container vpp-classifier-context { + + config "false"; + + description + "Classify tables and sessions contain relative node indexes. Management agent like Honeycomb, + needs to use node names instead (indexes might change after vpp restart). + VPP does not provide relative index to node name conversion (https://jira.fd.io/browse/VPP-219), + also finding base node that is needed to perform the conversion + is not allways possible (https://jira.fd.io/browse/VPP-220). + + Therefore Honeycomb needs to provide relative node to index mapping. + "; + + list classify-table-context { + key "name"; + unique "index"; + + leaf name { + type string; + description + "Name of the classify table."; + } + + leaf index { + type int32; + description + "Classify table index used by VPP."; + } + + leaf classifier-node-name { + type string; + description + "Name of VPP node the table is defined for."; + } + + list node-context { + key "name"; + unique "index"; + + leaf name { + type string; + description + "Name of vpp node (neighbour of classifier-node-name)"; + } + + leaf index { + type int32; + description + "Inted of the vpp node relative to classifier-node-name"; + } + } + } + } +}
\ No newline at end of file diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier.yang b/vpp-classifier/api/src/main/yang/vpp-classifier.yang new file mode 100644 index 000000000..beb4def85 --- /dev/null +++ b/vpp-classifier/api/src/main/yang/vpp-classifier.yang @@ -0,0 +1,215 @@ +module vpp-classifier { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier"; + prefix "vpp-classifier"; + + revision "2016-12-14" { + description + "This revision adds the following new features: + - updates order of union types for opaque-index"; + } + + revision "2015-06-03" { + description + "Initial revision of model for VPP packet classifier. + The model can be used ony to implement ACLs. + Other classify table usages are not supported yet, + see https://jira.fd.io/browse/VPP-203 for details."; + reference + "https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers"; + } + + import ietf-yang-types { + prefix "yang"; + } + + typedef classify-table-ref { + type leafref { + path "/vpp-classifier:vpp-classifier/classify-table/name"; + } + description + "This type is used by data models that need to reference + configured classify tables."; + } + + typedef packet-handling-action { + type enumeration { + enum "deny" { + // by VPP convention, first neighbour node (at index 0) is a drop node + value 0; + } + enum "permit" { + value -1; // indicates that the next node not set + } + } + } + + typedef vpp-node-name { + type string; + } + + typedef vpp-node { + type union { + type packet-handling-action; + type vpp-node-name; + } + description + "Defines VPP node reference using packet handling action or relative node name + (if definition in terms of packet handling action is not possible)."; + } + + typedef opaque-index { + type union { + type uint32; + type vpp-node; + } + description + "Defines opaque-index type - metadata that can be attached to session-hit packets. + Vpp nodes can't be referenced by index, because node indexes might change after vpp restart."; + } + + grouping classify-session-attributes { + description + "Defines classify session attributes that are mapped to classify_add_del_session + and classify_session_details messages parameters."; + + leaf hit_next { + type vpp-node; + mandatory true; + description + "Vpp node to which packet will be send when it produces a match."; + } + leaf opaque_index { + type opaque-index; + } + leaf advance { + type int32; + default 0; + description + "Nodes like ip4/6-classify use the parameter to \"consume\" networking layer. + Example: tunnel decapsulation."; + } + } + + grouping classify-table-base-attributes { + description + "Defines classify table attributes that are mapped to classify_add_del_table message parameters."; + + leaf classifier-node { + type vpp-node-name; + description + "Name of VPP node the table is defined for."; + } + leaf nbuckets { + mandatory true; + type uint32; + description + "Used by classifier hashing algorithm. It is not possible to resize the bucket array, + therefore suggested value is approximate number of expected entries."; + } + leaf skip_n_vectors { + type uint32; + default 0; + description + "Number of 16 byte vectors to be skipped before applying mask."; + } + leaf next_table { + type classify-table-ref; + description + "Reference to the next classify table. Required when multiple table chaining is used."; + } + leaf miss_next { + mandatory true; + type vpp-node; + description + "Vpp node to which packet will be send when it falis to produce a match"; + } + leaf mask { + type yang:hex-string; + mandatory true; + description + "Defines match mask (multiple of 16 bytes)"; + } + + list classify-session { + key "match"; + + leaf match { + type yang:hex-string; + description + "Defines actual value to be matched that is + a byte vector, which length is multiple of 16 bytes"; + + must "string-length(match) = string-length(../../mask)" { + error-message + "Match length is not equal to classify table mask length."; + description + "Match length must be equal to classify table mask length."; + } + } + + uses classify-session-attributes; + } + } + + grouping classify-table-config-attributes { + description + "Defines classify table config only attributes (present in classify_add_del_table message + but not in classify_table_info_reply)."; + + // TODO(HC2VPP-10): move to classify-table-base-attributes + // after https://jira.fd.io/browse/VPP-208 is fixed + leaf memory_size { + type uint32; + // mandatory true; // TODO(HC2VPP-10): uncomment + description + "Memory size for classify table and its entries."; + } + } + + grouping classify-table-operational-attributes { + description + "Defines classify table operational attributes (present in classify_table_info_reply message + but not in classify_add_del_table)."; + + leaf active_sessions { + type uint32; + config false; + description + "Number of sessions defined for the classify table."; + } + } + + container vpp-classifier { + list classify-table { + key "name"; + + leaf name { + type string; + description + "Hides classify table identifier managed by vpp."; + } + + uses classify-table-base-attributes; + uses classify-table-config-attributes; + } + } + + container vpp-classifier-state { + config false; + + list classify-table { + key "name"; + + leaf name { + type string; + description + "Hides classify table identifier managed by vpp."; + } + + uses classify-table-base-attributes; + uses classify-table-operational-attributes; + } + } + +} diff --git a/vpp-classifier/api/src/main/yang/vpp-interface-acl.yang b/vpp-classifier/api/src/main/yang/vpp-interface-acl.yang new file mode 100644 index 000000000..1932e9c97 --- /dev/null +++ b/vpp-classifier/api/src/main/yang/vpp-interface-acl.yang @@ -0,0 +1,32 @@ +module vpp-interface-acl { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:interface:acl"; + prefix "vpp-ifc-acl"; + + revision "2016-12-14" { + description + "Initial revision of vpp-acl model."; + } + + import ietf-interfaces { + prefix "if"; + } + + import vpp-classifier-acl { + prefix "vpp-classifier-acl"; + } + + import yang-ext { + prefix "ext"; + } + + augment /if:interfaces/if:interface { + ext:augment-identifier "vpp-interface-acl-augmentation"; + uses vpp-classifier-acl:vpp-acl-attributes; + } + + augment /if:interfaces-state/if:interface { + ext:augment-identifier "vpp-interface-acl-state-augmentation"; + uses vpp-classifier-acl:vpp-acl-attributes; + } +}
\ No newline at end of file diff --git a/vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang b/vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang new file mode 100644 index 000000000..892a64586 --- /dev/null +++ b/vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang @@ -0,0 +1,36 @@ +module vpp-subinterface-acl { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:subinterface:acl"; + prefix "vpp-subifc-acl"; + + revision "2016-12-14" { + description + "Initial revision of vpp-acl model."; + } + + import ietf-interfaces { + prefix "if"; + } + + import vpp-vlan { + prefix "vpp-vlan"; + } + + import vpp-classifier-acl { + prefix "vpp-classifier-acl"; + } + + import yang-ext { + prefix "ext"; + } + + augment /if:interfaces/if:interface/vpp-vlan:sub-interfaces/vpp-vlan:sub-interface { + ext:augment-identifier "vpp-subinterface-acl-augmentation"; + uses vpp-classifier-acl:vpp-acl-attributes; + } + + augment /if:interfaces-state/if:interface/vpp-vlan:sub-interfaces/vpp-vlan:sub-interface { + ext:augment-identifier "vpp-subinterface-acl-state-augmentation"; + uses vpp-classifier-acl:vpp-acl-attributes; + } +}
\ No newline at end of file |