From 718e9a3c7cac01860f3e3fe6174fcc1bd33fb4eb Mon Sep 17 00:00:00 2001 From: Michal Cmarada Date: Mon, 19 Nov 2018 14:59:14 +0100 Subject: HC2VPP-291: ACL model bump - bump ACL yang models - fix ACL module implementation and validation - fix ACL Unit tests - update postman collection Change-Id: Iaab64e6d92d17babc3ccef7921b41070c3716516 Signed-off-by: Michal Cmarada --- acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang | 284 ---------------------- 1 file changed, 284 deletions(-) delete mode 100644 acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang (limited to 'acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang') diff --git a/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang b/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang deleted file mode 100644 index 2f7f82e9c..000000000 --- a/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang +++ /dev/null @@ -1,284 +0,0 @@ -module vpp-acl { - yang-version 1; - namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl"; - prefix "vpp-acl"; - - import ietf-access-control-list { - prefix "acl"; - } - - import yang-ext { - prefix "ext"; - } - - import ietf-packet-fields { - prefix packet-fields; - } - - import ietf-inet-types { - prefix inet; - } - - import ietf-yang-types { - prefix yang; - } - - organization - "FD.io - The Fast Data Project"; - - contact - "Hc2vpp Wiki - Mailing List "; - - description - "This module contains a collection of YANG definitions - that extend ietf-access-control-list module - with VPP specific features provided by the VPP ACL plugin. - - Copyright (c) 2016-2017 Cisco and/or its affiliates. - - Licensed under the Apache License, Version 2.0 (the 'License'); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an 'AS IS' BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License."; - - revision "2017-06-15" { - description - "Renamed stateful/permit leaf to permit-and-reflect"; - } - - revision "2016-12-14" { - description - "Initial revision of vpp-acl model."; - } - - augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling { - ext:augment-identifier "stateful-acl-action-augmentation"; - when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'"; - case stateful { - leaf permit-and-reflect { - type empty; - description - "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs."; - } - } - } - - identity vpp-acl { - base acl:acl-base; - description - "ACL that contains only aces of vpp-ace type."; - } - - identity vpp-macip-acl { - base acl:acl-base; - description - "ACL that contains only aces of vpp-macip-acl type."; - } - - grouping value-range { - description "Defines value range with first and last value defined"; - - leaf first { - type uint8; - mandatory true; - description "Lower boundary for range"; - } - - leaf last { - type uint8; - mandatory true; - description "Upper boundary for range"; - must "last >= first"; - } - } - - grouping acl-icmp-header-fields { - description - "ICMP header fields"; - container icmp-type-range { - presence "Enables setting icmp-type"; - description - "Inclusive range representing icmp types to be used."; - uses value-range; - } - - container icmp-code-range { - presence "Enables setting icmp-code"; - description - "Inclusive range representing icmp codes to be used."; - uses value-range; - } - } - - grouping acl-tcp-header-fields { - description - "TCP header fields"; - leaf tcp-flags-mask { - description - "Binary mask for tcp flags to match. MSB order (FIN at position 0). - Applied as logical AND to tcp flags field of the packet being matched, - before it is compared with tcp-flags-value."; - type uint8; - } - leaf tcp-flags-value { - description - "Binary value for tcp flags to match. MSB order (FIN at position 0). - Before tcp-flags-value is compared with tcp flags field of the packet being matched, - tcp-flags-mask is applied to packet field value."; - type uint8; - } - } - - grouping acl-other-protocol-fields { - description "Used for any other protocol than TCP/UDP/ICMP/ICMPv6"; - leaf protocol { - must "protocol != 1 and protocol != 6 and protocol != 17 and protocol != 58"; - type uint8; - description "Internet Protocol number."; - } - } - - grouping acl-ip-protocol-header-fields { - description - "Defines header fields for TCP/UDP or ICMP protocols"; - choice ip-protocol { - case icmp { - container icmp-nodes { - uses acl-icmp-header-fields; - } - } - case icmp-v6 { - container icmp-v6-nodes { - uses acl-icmp-header-fields; - } - } - case udp { - container udp-nodes { - uses packet-fields:acl-transport-header-fields; - } - } - case tcp { - container tcp-nodes { - uses packet-fields:acl-transport-header-fields; - uses acl-tcp-header-fields; - } - } - case other { - container other-nodes { - uses acl-other-protocol-fields; - } - } - } - } - - augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { - ext:augment-identifier "vpp-acl-type-augmentation"; - case vpp-ace { - description - "Access List entry that can define: - - IP4/IP6 src/dst ip prefix- Internet Protocol number - - Internet Protocol number - - selected L4 headers: - * ICMP (type range) - * UDP (port range) - * TCP (port range, flags mask, flags value)"; - container vpp-ace-nodes { - choice ace-ip-version { - description - "IP version used in this Access List Entry."; - case ace-ipv4 { - uses packet-fields:acl-ipv4-header-fields; - } - case ace-ipv6 { - uses packet-fields:acl-ipv6-header-fields; - } - } - uses acl-ip-protocol-header-fields; - } - } - } - - grouping vpp-macip-ace-eth-header-fields { - description - "Fields in Ethernet header supported by vpp-macip rule"; - leaf source-mac-address { - type yang:mac-address; - description - "Source IEEE 802 MAC address. - Before source-mac-address is compared with source mac address field of the packet being matched, - source-mac-address-mask is applied to packet field value."; - } - leaf source-mac-address-mask { - type yang:mac-address; - description - "Source IEEE 802 MAC address mask. - Applied as logical AND with source mac address field of the packet being matched, - before it is compared with source-mac-address."; - } - } - - grouping vpp-macip-ace-ipv4-header-fields { - description - "Fields in IPv4 header supported by vpp-macip rule"; - leaf source-ipv4-network { - type inet:ipv4-prefix; - description - "Source IPv4 address prefix."; - } - } - - grouping vpp-macip-ace-ipv6-header-fields { - description - "Fields in IPv6 header supported by vpp-macip rule"; - leaf source-ipv6-network { - type inet:ipv6-prefix; - description - "Source IPv6 address prefix."; - } - } - - augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { - ext:augment-identifier "vpp-macip-acl-type-augmentation"; - case vpp-macip-ace { - description - "Access List entry that can define: - - IP4/IP6 src ip prefix - - src MAC address mask - - src MAC address value - - can be used only for static ACLs."; - container vpp-macip-ace-nodes { - choice ace-ip-version { - description - "IP version used in this Access List Entry."; - case ace-ipv4 { - uses vpp-macip-ace-ipv4-header-fields; - } - case ace-ipv6 { - uses vpp-macip-ace-ipv6-header-fields; - } - } - uses vpp-macip-ace-eth-header-fields; - } - } - } - - augment /acl:access-lists/acl:acl { - ext:augment-identifier "vpp-acl-augmentation"; - leaf tag { - type string { - length 1..63; - } - description - "ASCII tag that can be used as a placeholder for ACL metadata. Value is stored in vpp, - and returned in read requests. No processing involved."; - } - } -} \ No newline at end of file -- cgit 1.2.3-korg