summaryrefslogtreecommitdiffstats
path: root/vpp-classifier/api/src/main/yang
diff options
context:
space:
mode:
Diffstat (limited to 'vpp-classifier/api/src/main/yang')
-rw-r--r--vpp-classifier/api/src/main/yang/ietf-access-control-list.yang208
-rw-r--r--vpp-classifier/api/src/main/yang/ietf-packet-fields.yang180
-rw-r--r--vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang183
-rw-r--r--vpp-classifier/api/src/main/yang/vpp-classifier-context.yang68
-rw-r--r--vpp-classifier/api/src/main/yang/vpp-classifier.yang215
-rw-r--r--vpp-classifier/api/src/main/yang/vpp-interface-acl.yang32
-rw-r--r--vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang36
7 files changed, 922 insertions, 0 deletions
diff --git a/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang b/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang
new file mode 100644
index 000000000..3083ee2a0
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang
@@ -0,0 +1,208 @@
+module ietf-access-control-list {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
+ prefix acl;
+ import ietf-yang-types {
+ prefix yang;
+ }
+ import ietf-packet-fields {
+ prefix packet-fields;
+ }
+ organization "IETF NETMOD (NETCONF Data Modeling Language)
+ Working Group";
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+ WG Chair: Juergen Schoenwaelder
+ j.schoenwaelder@jacobs-university.de
+ WG Chair: Tom Nadeau
+ tnadeau@lucidvision.com
+ Editor: Dean Bogdanovic
+ ivandean@gmail.com
+ Editor: Kiran Agrahara Sreenivasa
+ kkoushik@cisco.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+ description
+ "This YANG module defines a component that describing the
+ configuration of Access Control Lists (ACLs).
+ Copyright (c) 2015 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+ revision 2016-07-08 {
+ description
+ "Base model for Network Access Control List (ACL).";
+ reference
+ "RFC XXXX: Network Access Control List (ACL)
+ YANG Data Model";
+ }
+ identity acl-base {
+ description
+ "Base Access Control List type for all Access Control List type
+ identifiers.";
+ }
+ identity ipv4-acl {
+ base acl:acl-base;
+ description
+ "ACL that primarily matches on fields from the IPv4 header
+ (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv4-acl does not contain
+ matches on fields in the ethernet header or the IPv6 header.";
+ }
+ identity ipv6-acl {
+ base acl:acl-base;
+ description
+ "ACL that primarily matches on fields from the IPv6 header
+ (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
+ destination port). An acl of type ipv6-acl does not contain
+ matches on fields in the ethernet header or the IPv4 header.";
+ }
+ identity eth-acl {
+ base acl:acl-base;
+ description
+ "ACL that primarily matches on fields in the ethernet header,
+ like 10/100/1000baseT or WiFi Access Control List. An acl of
+ type eth-acl does not contain matches on fields in the IPv4
+ header, IPv6 header or layer 4 headers.";
+ }
+ typedef acl-type {
+ type identityref {
+ base acl:acl-base;
+ }
+ description
+ "This type is used to refer to an Access Control List
+ (ACL) type";
+ }
+ typedef access-control-list-ref {
+ type leafref {
+ path "/access-lists/acl/acl-name";
+ }
+ description
+ "This type is used by data models that need to reference an
+ Access Control List";
+ }
+ container access-lists {
+ description
+ "This is a top level container for Access Control Lists.
+ It can have one or more Access Control Lists.";
+ list acl {
+ key "acl-type acl-name";
+ description
+ "An Access Control List(ACL) is an ordered list of
+ Access List Entries (ACE). Each Access Control Entry has a
+ list of match criteria and a list of actions.
+ Since there are several kinds of Access Control Lists
+ implemented with different attributes for
+ different vendors, this
+ model accommodates customizing Access Control Lists for
+ each kind and for each vendor.";
+ leaf acl-name {
+ type string;
+ description
+ "The name of access-list. A device MAY restrict the length
+ and value of this name, possibly space and special
+ characters are not allowed.";
+ }
+ leaf acl-type {
+ type acl-type;
+ description
+ "Type of access control list. Indicates the primary intended
+ type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
+ used in the list instance.";
+ }
+ container acl-oper-data {
+ config false;
+ description
+ "Overall Access Control List operational data";
+ }
+ container access-list-entries {
+ description
+ "The access-list-entries container contains
+ a list of access-list-entries(ACE).";
+ list ace {
+ key "rule-name";
+ ordered-by user;
+ description
+ "List of access list entries(ACE)";
+ leaf rule-name {
+ type string;
+ description
+ "A unique name identifying this Access List
+ Entry(ACE).";
+ }
+ container matches {
+ description
+ "Definitions for match criteria for this Access List
+ Entry.";
+ choice ace-type {
+ description
+ "Type of access list entry.";
+ case ace-ip {
+ description "IP Access List Entry.";
+ choice ace-ip-version {
+ description
+ "IP version used in this Access List Entry.";
+ case ace-ipv4 {
+ uses packet-fields:acl-ipv4-header-fields;
+ }
+ case ace-ipv6 {
+ uses packet-fields:acl-ipv6-header-fields;
+ }
+ }
+ uses packet-fields:acl-ip-header-fields;
+ }
+ case ace-eth {
+ description
+ "Ethernet Access List entry.";
+ uses packet-fields:acl-eth-header-fields;
+ }
+ }
+ }
+ container actions {
+ description
+ "Definitions of action criteria for this Access List
+ Entry.";
+ choice packet-handling {
+ default "deny";
+ description
+ "Packet handling action.";
+ case deny {
+ leaf deny {
+ type empty;
+ description
+ "Deny action.";
+ }
+ }
+ case permit {
+ leaf permit {
+ type empty;
+ description
+ "Permit action.";
+ }
+ }
+ }
+ }
+ container ace-oper-data {
+ config false;
+ description
+ "Operational data for this Access List Entry.";
+ leaf match-counter {
+ type yang:counter64;
+ description
+ "Number of matches for this Access List Entry";
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang b/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang
new file mode 100644
index 000000000..0b1ce5cdd
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/ietf-packet-fields.yang
@@ -0,0 +1,180 @@
+module ietf-packet-fields {
+ yang-version 1.1;
+ namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields";
+ prefix packet-fields;
+ import ietf-inet-types {
+ prefix inet;
+ }
+ import ietf-yang-types {
+ prefix yang;
+ }
+ organization "IETF NETMOD (NETCONF Data Modeling Language) Working
+ Group";
+ contact
+ "WG Web: http://tools.ietf.org/wg/netmod/
+ WG List: netmod@ietf.org
+ WG Chair: Juergen Schoenwaelder
+ j.schoenwaelder@jacobs-university.de
+ WG Chair: Tom Nadeau
+ tnadeau@lucidvision.com
+ Editor: Dean Bogdanovic
+ deanb@juniper.net
+ Editor: Kiran Agrahara Sreenivasa
+ kkoushik@cisco.com
+ Editor: Lisa Huang
+ lyihuang16@gmail.com
+ Editor: Dana Blair
+ dblair@cisco.com";
+ description
+ "This YANG module defines groupings that are used by
+ ietf-access-control-list YANG module. Their usage is not
+ limited to ietf-access-control-list and can be
+ used anywhere as applicable.
+ Copyright (c) 2015 IETF Trust and the persons identified as
+ the document authors. All rights reserved.
+ Redistribution and use in source and binary forms, with or
+ without modification, is permitted pursuant to, and subject
+ to the license terms contained in, the Simplified BSD
+ License set forth in Section 4.c of the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info).
+ This version of this YANG module is part of RFC XXXX; see
+ the RFC itself for full legal notices.";
+ revision 2016-07-08 {
+ description
+ "Initial version of packet fields used by
+ ietf-access-control-list";
+ reference
+ "RFC XXXX: Network Access Control List (ACL)
+ YANG Data Model";
+ }
+ grouping acl-transport-header-fields {
+ description
+ "Transport header fields";
+ container source-port-range {
+ presence "Enables setting source port range";
+ description
+ "Inclusive range representing source ports to be used.
+ When only lower-port is present, it represents a single port.";
+ leaf lower-port {
+ type inet:port-number;
+ mandatory true;
+ description
+ "Lower boundary for port.";
+ }
+ leaf upper-port {
+ type inet:port-number;
+ must ". >= ../lower-port" {
+ error-message
+ "The upper-port must be greater than or equal to lower-port";
+ }
+ description
+ "Upper boundary for port . If existing, the upper port
+ must be greater or equal to lower-port.";
+ }
+ }
+ container destination-port-range {
+ presence "Enables setting destination port range";
+ description
+ "Inclusive range representing destination ports to be used. When
+ only lower-port is present, it represents a single port.";
+ leaf lower-port {
+ type inet:port-number;
+ mandatory true;
+ description
+ "Lower boundary for port.";
+ }
+ leaf upper-port {
+ type inet:port-number;
+ must ". >= ../lower-port" {
+ error-message
+ "The upper-port must be greater than or equal to lower-port";
+ }
+
+ description
+ "Upper boundary for port. If existing, the upper port must
+ be greater or equal to lower-port";
+ }
+ }
+ }
+ grouping acl-ip-header-fields {
+ description
+ "IP header fields common to ipv4 and ipv6";
+ leaf dscp {
+ type inet:dscp;
+ description
+ "Value of dscp.";
+ }
+ leaf protocol {
+ type uint8;
+ description
+ "Internet Protocol number.";
+ }
+ uses acl-transport-header-fields;
+ }
+ grouping acl-ipv4-header-fields {
+ description
+ "Fields in IPv4 header.";
+ leaf destination-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Destination IPv4 address prefix.";
+ }
+ leaf source-ipv4-network {
+ type inet:ipv4-prefix;
+ description
+ "Source IPv4 address prefix.";
+ }
+ }
+ grouping acl-ipv6-header-fields {
+ description
+ "Fields in IPv6 header";
+ leaf destination-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Destination IPv6 address prefix.";
+ }
+ leaf source-ipv6-network {
+ type inet:ipv6-prefix;
+ description
+ "Source IPv6 address prefix.";
+ }
+ leaf flow-label {
+ type inet:ipv6-flow-label;
+ description
+ "IPv6 Flow label.";
+ }
+ reference
+ "RFC 4291: IP Version 6 Addressing Architecture
+ RFC 4007: IPv6 Scoped Address Architecture
+ RFC 5952: A Recommendation for IPv6 Address Text Representation";
+ }
+ grouping acl-eth-header-fields {
+ description
+ "Fields in Ethernet header.";
+ leaf destination-mac-address {
+ type yang:mac-address;
+ description
+ "Destination IEEE 802 MAC address.";
+ }
+ leaf destination-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Destination IEEE 802 MAC address mask.";
+ }
+ leaf source-mac-address {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address.";
+ }
+ leaf source-mac-address-mask {
+ type yang:mac-address;
+ description
+ "Source IEEE 802 MAC address mask.";
+ }
+ reference
+ "IEEE 802: IEEE Standard for Local and Metropolitan Area
+ Networks: Overview and Architecture.";
+ }
+
+} \ No newline at end of file
diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang b/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang
new file mode 100644
index 000000000..ccf3e286a
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/vpp-classifier-acl.yang
@@ -0,0 +1,183 @@
+module vpp-classifier-acl {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier:acl";
+ prefix "vpp-classifier-acl";
+
+ revision "2016-12-14" {
+ description
+ "Initial revision of vpp-classfier-acl model.";
+ }
+
+ import ietf-access-control-list {
+ prefix "acl";
+ }
+
+ import vpp-classifier {
+ prefix "vpp-classifier";
+ }
+
+ import yang-ext {
+ prefix "ext";
+ }
+
+ import ietf-packet-fields {
+ prefix packet-fields;
+ }
+
+ identity mixed-acl {
+ base acl:acl-base;
+ description
+ "ACL that can match on any of L2/L3/L4 fields.";
+ }
+
+ typedef interface-mode {
+ type enumeration {
+ enum "l2";
+ enum "l3";
+ }
+ }
+
+ grouping acl-base-attributes {
+ description
+ "Defines references to classify tables.
+ At least one table reference should be specified.";
+ container l2-acl {
+ leaf classify-table {
+ type vpp-classifier:classify-table-ref;
+ description
+ "An L2 ACL table";
+ }
+ }
+ container ip4-acl {
+ leaf classify-table {
+ type vpp-classifier:classify-table-ref;
+ description
+ "An IPv4 ACL table";
+ }
+ }
+ container ip6-acl {
+ leaf classify-table {
+ type vpp-classifier:classify-table-ref;
+ description
+ "An IPv6 ACL table";
+ }
+ }
+ }
+
+ grouping ietf-acl-base-attributes {
+ description
+ "Provides limited support for ietf-acl model.";
+
+ container access-lists {
+ description
+ "Defines references to ietf-acl lists.
+ ACLs are translated into classify tables and sessions when assigned to interface.
+
+ In case of L2 interfaces, acls are translated into a chain of classify tables and assigned as L2 table.
+ In case of L3 interfaces, acls are translated into ip4 and ip6 chains (eth only rules go to both chains,
+ rest - depending on ip-version).
+ User ordering is preserved in both cases.
+
+ Assignment update/delete removes all created tables and sessions and repeats process described above.
+ Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
+
+ Read is supported only for acls that were created and assigned by Honeycomb agent
+ (corresponding metadata is present).
+
+ Extensions:
+ - mixing ACEs of different type in one list is permited
+ - mixing L2/L3/L4 rules in one ACE is permited
+
+ Limitations (due to vpp limitations):
+ - egress rules are currently ignored (HONEYCOMB-234)
+ - L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify
+ session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260)
+ - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types,
+ and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
+ - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation)
+ - vlan tags are supported only for sub-interfaces defined as exact-match";
+
+ list acl {
+ key "type name";
+ ordered-by user;
+
+ leaf type {
+ type acl:acl-type;
+ }
+
+ leaf name {
+ type acl:access-control-list-ref;
+ }
+ }
+
+ leaf default-action {
+ type enumeration {
+ enum "deny";
+ enum "permit";
+ }
+ default "deny";
+ description
+ "Default action applied to packet that does not match any of rules defined in assigned ACLs.
+ It is translated to single classify table and applied at the end of assigned chains.";
+ }
+
+ leaf mode {
+ type interface-mode;
+ default l3;
+ description
+ "The way ACLs are translated depends on the interface mode.
+ In case of L2 interfaces (bridge/interconnection)
+ classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically
+ added in case of L3 rules).
+ In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables.
+
+ It is the user responsibility to choose mode that matches target interface.
+ ";
+ }
+ }
+ }
+
+ grouping vpp-acl-attributes {
+ container acl {
+ container ingress {
+ uses vpp-classifier-acl:acl-base-attributes;
+ }
+ container egress {
+ uses vpp-classifier-acl:acl-base-attributes;
+ }
+ }
+
+ container ietf-acl {
+ container ingress {
+ uses vpp-classifier-acl:ietf-acl-base-attributes;
+ }
+ container egress {
+ uses vpp-classifier-acl:ietf-acl-base-attributes;
+ }
+ }
+ }
+
+ augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
+ ext:augment-identifier "vpp-classfier-acl-type-augmentation";
+ case ace-ip-and-eth {
+ description
+ "Access List entry that can define both ip and eth rules.";
+ container ace-ip-and-eth-nodes {
+
+ choice ace-ip-version {
+ description
+ "IP version used in this Access List Entry.";
+ mandatory true;
+ case ace-ipv4 {
+ uses packet-fields:acl-ipv4-header-fields;
+ }
+ case ace-ipv6 {
+ uses packet-fields:acl-ipv6-header-fields;
+ }
+ }
+ uses packet-fields:acl-ip-header-fields;
+ uses packet-fields:acl-eth-header-fields;
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier-context.yang b/vpp-classifier/api/src/main/yang/vpp-classifier-context.yang
new file mode 100644
index 000000000..01eae862d
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/vpp-classifier-context.yang
@@ -0,0 +1,68 @@
+module vpp-classifier-context {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier";
+ prefix "vpp-classifier-context";
+
+ description
+ "This module contains vpp classfier metadata definition";
+
+ revision "2016-09-09" {
+ description
+ "Initial revision.";
+ }
+
+ container vpp-classifier-context {
+
+ config "false";
+
+ description
+ "Classify tables and sessions contain relative node indexes. Management agent like Honeycomb,
+ needs to use node names instead (indexes might change after vpp restart).
+ VPP does not provide relative index to node name conversion (https://jira.fd.io/browse/VPP-219),
+ also finding base node that is needed to perform the conversion
+ is not allways possible (https://jira.fd.io/browse/VPP-220).
+
+ Therefore Honeycomb needs to provide relative node to index mapping.
+ ";
+
+ list classify-table-context {
+ key "name";
+ unique "index";
+
+ leaf name {
+ type string;
+ description
+ "Name of the classify table.";
+ }
+
+ leaf index {
+ type int32;
+ description
+ "Classify table index used by VPP.";
+ }
+
+ leaf classifier-node-name {
+ type string;
+ description
+ "Name of VPP node the table is defined for.";
+ }
+
+ list node-context {
+ key "name";
+ unique "index";
+
+ leaf name {
+ type string;
+ description
+ "Name of vpp node (neighbour of classifier-node-name)";
+ }
+
+ leaf index {
+ type int32;
+ description
+ "Inted of the vpp node relative to classifier-node-name";
+ }
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/vpp-classifier/api/src/main/yang/vpp-classifier.yang b/vpp-classifier/api/src/main/yang/vpp-classifier.yang
new file mode 100644
index 000000000..beb4def85
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/vpp-classifier.yang
@@ -0,0 +1,215 @@
+module vpp-classifier {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:vpp:classifier";
+ prefix "vpp-classifier";
+
+ revision "2016-12-14" {
+ description
+ "This revision adds the following new features:
+ - updates order of union types for opaque-index";
+ }
+
+ revision "2015-06-03" {
+ description
+ "Initial revision of model for VPP packet classifier.
+ The model can be used ony to implement ACLs.
+ Other classify table usages are not supported yet,
+ see https://jira.fd.io/browse/VPP-203 for details.";
+ reference
+ "https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers";
+ }
+
+ import ietf-yang-types {
+ prefix "yang";
+ }
+
+ typedef classify-table-ref {
+ type leafref {
+ path "/vpp-classifier:vpp-classifier/classify-table/name";
+ }
+ description
+ "This type is used by data models that need to reference
+ configured classify tables.";
+ }
+
+ typedef packet-handling-action {
+ type enumeration {
+ enum "deny" {
+ // by VPP convention, first neighbour node (at index 0) is a drop node
+ value 0;
+ }
+ enum "permit" {
+ value -1; // indicates that the next node not set
+ }
+ }
+ }
+
+ typedef vpp-node-name {
+ type string;
+ }
+
+ typedef vpp-node {
+ type union {
+ type packet-handling-action;
+ type vpp-node-name;
+ }
+ description
+ "Defines VPP node reference using packet handling action or relative node name
+ (if definition in terms of packet handling action is not possible).";
+ }
+
+ typedef opaque-index {
+ type union {
+ type uint32;
+ type vpp-node;
+ }
+ description
+ "Defines opaque-index type - metadata that can be attached to session-hit packets.
+ Vpp nodes can't be referenced by index, because node indexes might change after vpp restart.";
+ }
+
+ grouping classify-session-attributes {
+ description
+ "Defines classify session attributes that are mapped to classify_add_del_session
+ and classify_session_details messages parameters.";
+
+ leaf hit_next {
+ type vpp-node;
+ mandatory true;
+ description
+ "Vpp node to which packet will be send when it produces a match.";
+ }
+ leaf opaque_index {
+ type opaque-index;
+ }
+ leaf advance {
+ type int32;
+ default 0;
+ description
+ "Nodes like ip4/6-classify use the parameter to \"consume\" networking layer.
+ Example: tunnel decapsulation.";
+ }
+ }
+
+ grouping classify-table-base-attributes {
+ description
+ "Defines classify table attributes that are mapped to classify_add_del_table message parameters.";
+
+ leaf classifier-node {
+ type vpp-node-name;
+ description
+ "Name of VPP node the table is defined for.";
+ }
+ leaf nbuckets {
+ mandatory true;
+ type uint32;
+ description
+ "Used by classifier hashing algorithm. It is not possible to resize the bucket array,
+ therefore suggested value is approximate number of expected entries.";
+ }
+ leaf skip_n_vectors {
+ type uint32;
+ default 0;
+ description
+ "Number of 16 byte vectors to be skipped before applying mask.";
+ }
+ leaf next_table {
+ type classify-table-ref;
+ description
+ "Reference to the next classify table. Required when multiple table chaining is used.";
+ }
+ leaf miss_next {
+ mandatory true;
+ type vpp-node;
+ description
+ "Vpp node to which packet will be send when it falis to produce a match";
+ }
+ leaf mask {
+ type yang:hex-string;
+ mandatory true;
+ description
+ "Defines match mask (multiple of 16 bytes)";
+ }
+
+ list classify-session {
+ key "match";
+
+ leaf match {
+ type yang:hex-string;
+ description
+ "Defines actual value to be matched that is
+ a byte vector, which length is multiple of 16 bytes";
+
+ must "string-length(match) = string-length(../../mask)" {
+ error-message
+ "Match length is not equal to classify table mask length.";
+ description
+ "Match length must be equal to classify table mask length.";
+ }
+ }
+
+ uses classify-session-attributes;
+ }
+ }
+
+ grouping classify-table-config-attributes {
+ description
+ "Defines classify table config only attributes (present in classify_add_del_table message
+ but not in classify_table_info_reply).";
+
+ // TODO(HC2VPP-10): move to classify-table-base-attributes
+ // after https://jira.fd.io/browse/VPP-208 is fixed
+ leaf memory_size {
+ type uint32;
+ // mandatory true; // TODO(HC2VPP-10): uncomment
+ description
+ "Memory size for classify table and its entries.";
+ }
+ }
+
+ grouping classify-table-operational-attributes {
+ description
+ "Defines classify table operational attributes (present in classify_table_info_reply message
+ but not in classify_add_del_table).";
+
+ leaf active_sessions {
+ type uint32;
+ config false;
+ description
+ "Number of sessions defined for the classify table.";
+ }
+ }
+
+ container vpp-classifier {
+ list classify-table {
+ key "name";
+
+ leaf name {
+ type string;
+ description
+ "Hides classify table identifier managed by vpp.";
+ }
+
+ uses classify-table-base-attributes;
+ uses classify-table-config-attributes;
+ }
+ }
+
+ container vpp-classifier-state {
+ config false;
+
+ list classify-table {
+ key "name";
+
+ leaf name {
+ type string;
+ description
+ "Hides classify table identifier managed by vpp.";
+ }
+
+ uses classify-table-base-attributes;
+ uses classify-table-operational-attributes;
+ }
+ }
+
+}
diff --git a/vpp-classifier/api/src/main/yang/vpp-interface-acl.yang b/vpp-classifier/api/src/main/yang/vpp-interface-acl.yang
new file mode 100644
index 000000000..1932e9c97
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/vpp-interface-acl.yang
@@ -0,0 +1,32 @@
+module vpp-interface-acl {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:vpp:interface:acl";
+ prefix "vpp-ifc-acl";
+
+ revision "2016-12-14" {
+ description
+ "Initial revision of vpp-acl model.";
+ }
+
+ import ietf-interfaces {
+ prefix "if";
+ }
+
+ import vpp-classifier-acl {
+ prefix "vpp-classifier-acl";
+ }
+
+ import yang-ext {
+ prefix "ext";
+ }
+
+ augment /if:interfaces/if:interface {
+ ext:augment-identifier "vpp-interface-acl-augmentation";
+ uses vpp-classifier-acl:vpp-acl-attributes;
+ }
+
+ augment /if:interfaces-state/if:interface {
+ ext:augment-identifier "vpp-interface-acl-state-augmentation";
+ uses vpp-classifier-acl:vpp-acl-attributes;
+ }
+} \ No newline at end of file
diff --git a/vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang b/vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang
new file mode 100644
index 000000000..892a64586
--- /dev/null
+++ b/vpp-classifier/api/src/main/yang/vpp-subinterface-acl.yang
@@ -0,0 +1,36 @@
+module vpp-subinterface-acl {
+ yang-version 1;
+ namespace "urn:opendaylight:params:xml:ns:yang:vpp:subinterface:acl";
+ prefix "vpp-subifc-acl";
+
+ revision "2016-12-14" {
+ description
+ "Initial revision of vpp-acl model.";
+ }
+
+ import ietf-interfaces {
+ prefix "if";
+ }
+
+ import vpp-vlan {
+ prefix "vpp-vlan";
+ }
+
+ import vpp-classifier-acl {
+ prefix "vpp-classifier-acl";
+ }
+
+ import yang-ext {
+ prefix "ext";
+ }
+
+ augment /if:interfaces/if:interface/vpp-vlan:sub-interfaces/vpp-vlan:sub-interface {
+ ext:augment-identifier "vpp-subinterface-acl-augmentation";
+ uses vpp-classifier-acl:vpp-acl-attributes;
+ }
+
+ augment /if:interfaces-state/if:interface/vpp-vlan:sub-interfaces/vpp-vlan:sub-interface {
+ ext:augment-identifier "vpp-subinterface-acl-state-augmentation";
+ uses vpp-classifier-acl:vpp-acl-attributes;
+ }
+} \ No newline at end of file