From 718e9a3c7cac01860f3e3fe6174fcc1bd33fb4eb Mon Sep 17 00:00:00 2001 From: Michal Cmarada Date: Mon, 19 Nov 2018 14:59:14 +0100 Subject: HC2VPP-291: ACL model bump - bump ACL yang models - fix ACL module implementation and validation - fix ACL Unit tests - update postman collection Change-Id: Iaab64e6d92d17babc3ccef7921b41070c3716516 Signed-off-by: Michal Cmarada --- .../yang/ietf-access-control-list@2016-07-08.yang | 212 ------- .../yang/ietf-access-control-list@2018-10-01.yang | 667 +++++++++++++++++++++ .../src/main/yang/ietf-ethertypes@2018-10-01.yang | 362 +++++++++++ .../main/yang/ietf-packet-fields@2016-07-08.yang | 180 ------ .../main/yang/ietf-packet-fields@2018-10-01.yang | 588 ++++++++++++++++++ .../src/main/yang/interface-acl@2016-12-14.yang | 103 ---- .../src/main/yang/vpp-acl-context@2017-01-04.yang | 2 +- acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang | 284 --------- acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang | 230 +++++++ 9 files changed, 1848 insertions(+), 780 deletions(-) delete mode 100644 acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang create mode 100755 acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang create mode 100755 acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang delete mode 100644 acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang create mode 100755 acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang delete mode 100644 acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang delete mode 100644 acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang create mode 100644 acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang (limited to 'acl/acl-api') diff --git a/acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang b/acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang deleted file mode 100644 index bdd0d0ee3..000000000 --- a/acl/acl-api/src/main/yang/ietf-access-control-list@2016-07-08.yang +++ /dev/null @@ -1,212 +0,0 @@ -module ietf-access-control-list { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; - prefix acl; - import ietf-yang-types { - prefix yang; - } - import ietf-packet-fields { - prefix packet-fields; - } - organization "IETF NETMOD (NETCONF Data Modeling Language) - Working Group"; - contact - "WG Web: http://tools.ietf.org/wg/netmod/ - WG List: netmod@ietf.org - WG Chair: Juergen Schoenwaelder - j.schoenwaelder@jacobs-university.de - WG Chair: Tom Nadeau - tnadeau@lucidvision.com - Editor: Dean Bogdanovic - ivandean@gmail.com - Editor: Kiran Agrahara Sreenivasa - kkoushik@cisco.com - Editor: Lisa Huang - lyihuang16@gmail.com - Editor: Dana Blair - dblair@cisco.com"; - description - "This YANG module defines a component that describing the - configuration of Access Control Lists (ACLs). - Copyright (c) 2015 IETF Trust and the persons identified as - the document authors. All rights reserved. - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD - License set forth in Section 4.c of the IETF Trust's Legal - Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC XXXX; see - the RFC itself for full legal notices."; - revision 2016-07-08 { - description - "Base model for Network Access Control List (ACL)."; - reference - "RFC XXXX: Network Access Control List (ACL) - YANG Data Model"; - } - identity acl-base { - description - "Base Access Control List type for all Access Control List type - identifiers."; - } - identity ipv4-acl { - base acl:acl-base; - description - "ACL that primarily matches on fields from the IPv4 header - (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP - destination port). An acl of type ipv4-acl does not contain - matches on fields in the ethernet header or the IPv6 header."; - } - identity ipv6-acl { - base acl:acl-base; - description - "ACL that primarily matches on fields from the IPv6 header - (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP - destination port). An acl of type ipv6-acl does not contain - matches on fields in the ethernet header or the IPv4 header."; - } - identity eth-acl { - base acl:acl-base; - description - "ACL that primarily matches on fields in the ethernet header, - like 10/100/1000baseT or WiFi Access Control List. An acl of - type eth-acl does not contain matches on fields in the IPv4 - header, IPv6 header or layer 4 headers."; - } - typedef acl-type { - type identityref { - base acl:acl-base; - } - description - "This type is used to refer to an Access Control List - (ACL) type"; - } - /* - HC2VPP-290: access-control-list-ref was modified to fix pyang errors - TODO(HC2VPP-291): bump ietf-access-control-list version to resolve the issue - */ - typedef access-control-list-ref { - type leafref { - path "/acl:access-lists/acl:acl/acl:acl-name"; - } - description - "This type is used by data models that need to reference an - Access Control List"; - } - container access-lists { - description - "This is a top level container for Access Control Lists. - It can have one or more Access Control Lists."; - list acl { - key "acl-type acl-name"; - description - "An Access Control List(ACL) is an ordered list of - Access List Entries (ACE). Each Access Control Entry has a - list of match criteria and a list of actions. - Since there are several kinds of Access Control Lists - implemented with different attributes for - different vendors, this - model accommodates customizing Access Control Lists for - each kind and for each vendor."; - leaf acl-name { - type string; - description - "The name of access-list. A device MAY restrict the length - and value of this name, possibly space and special - characters are not allowed."; - } - leaf acl-type { - type acl-type; - description - "Type of access control list. Indicates the primary intended - type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc) - used in the list instance."; - } - container acl-oper-data { - config false; - description - "Overall Access Control List operational data"; - } - container access-list-entries { - description - "The access-list-entries container contains - a list of access-list-entries(ACE)."; - list ace { - key "rule-name"; - ordered-by user; - description - "List of access list entries(ACE)"; - leaf rule-name { - type string; - description - "A unique name identifying this Access List - Entry(ACE)."; - } - container matches { - description - "Definitions for match criteria for this Access List - Entry."; - choice ace-type { - description - "Type of access list entry."; - case ace-ip { - description "IP Access List Entry."; - choice ace-ip-version { - description - "IP version used in this Access List Entry."; - case ace-ipv4 { - uses packet-fields:acl-ipv4-header-fields; - } - case ace-ipv6 { - uses packet-fields:acl-ipv6-header-fields; - } - } - uses packet-fields:acl-ip-header-fields; - } - case ace-eth { - description - "Ethernet Access List entry."; - uses packet-fields:acl-eth-header-fields; - } - } - } - container actions { - description - "Definitions of action criteria for this Access List - Entry."; - choice packet-handling { - default "deny"; - description - "Packet handling action."; - case deny { - leaf deny { - type empty; - description - "Deny action."; - } - } - case permit { - leaf permit { - type empty; - description - "Permit action."; - } - } - } - } - container ace-oper-data { - config false; - description - "Operational data for this Access List Entry."; - leaf match-counter { - type yang:counter64; - description - "Number of matches for this Access List Entry"; - } - } - } - } - } - } -} diff --git a/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang new file mode 100755 index 000000000..cc1dcb59f --- /dev/null +++ b/acl/acl-api/src/main/yang/ietf-access-control-list@2018-10-01.yang @@ -0,0 +1,667 @@ +module ietf-access-control-list { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; + prefix acl; + + import ietf-yang-types { + prefix yang; + reference + "RFC 6991 - Common YANG Data Types."; + } + + import ietf-packet-fields { + prefix pf; + reference + "RFC XXXX - Network ACL YANG Model."; + } + + import ietf-interfaces { + prefix if; + reference + "RFC 8343 - A YANG Data Model for Interface Management."; + } + + organization + "IETF NETMOD (Network Modeling Language) + Working Group"; + + contact + "WG Web: http://tools.ietf.org/wg/netmod/ + WG List: netmod@ietf.org + + Editor: Mahesh Jethanandani + mjethanandani@gmail.com + Editor: Lisa Huang + lyihuang16@gmail.com + Editor: Sonal Agarwal + sagarwal12@gmail.com + Editor: Dana Blair + dblair@cisco.com"; + + description + "This YANG module defines a component that describe the + configuration of Access Control Lists (ACLs). + + Copyright (c) 2018 IETF Trust and the persons identified as + the document authors. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + + revision 2018-10-01 { + description + "Initial version."; + reference + "RFC XXX: Network Access Control List (ACL) YANG Data Model."; + } + + /* + * Identities + */ + /* + * Forwarding actions for a packet + */ + identity forwarding-action { + description + "Base identity for actions in the forwarding category"; + } + + identity accept { + base forwarding-action; + description + "Accept the packet"; + } + + identity drop { + base forwarding-action; + description + "Drop packet without sending any ICMP error message"; + } + + identity reject { + base forwarding-action; + description + "Drop the packet and send an ICMP error message to the source"; + } + + /* + * Logging actions for a packet + */ + identity log-action { + description + "Base identity for defining the destination for logging actions"; + } + + identity log-syslog { + base log-action; + description + "System log (syslog) the information for the packet"; + } + + identity log-none { + base log-action; + description + "No logging for the packet"; + } + + /* + * ACL type identities + */ + identity acl-base { + description + "Base Access Control List type for all Access Control List type + identifiers."; + } + + identity ipv4-acl-type { + base acl:acl-base; + if-feature "ipv4"; + description + "An ACL that matches on fields from the IPv4 header + (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP + destination port). An acl of type ipv4 does not contain + matches on fields in the ethernet header or the IPv6 header."; + } + + identity ipv6-acl-type { + base acl:acl-base; + if-feature "ipv6"; + description + "An ACL that matches on fields from the IPv6 header + (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP + destination port). An acl of type ipv6 does not contain + matches on fields in the ethernet header or the IPv4 header."; + } + + identity eth-acl-type { + base acl:acl-base; + if-feature "eth"; + description + "An ACL that matches on fields in the ethernet header, + like 10/100/1000baseT or WiFi Access Control List. An acl of + type ethernet does not contain matches on fields in the IPv4 + header, IPv6 header or layer 4 headers."; + } + + identity mixed-eth-ipv4-acl-type { + base "acl:eth-acl-type"; + base "acl:ipv4-acl-type"; + if-feature "mixed-eth-ipv4"; + description + "An ACL that contains a mix of entries that + match on fields in ethernet headers, + entries that match on IPv4 headers. + Matching on layer 4 header fields may also exist in the + list."; + } + identity mixed-eth-ipv6-acl-type { + base "acl:eth-acl-type"; + base "acl:ipv6-acl-type"; + if-feature "mixed-eth-ipv6"; + description + "ACL that contains a mix of entries that + match on fields in ethernet headers, entries + that match on fields in IPv6 headers. Matching on + layer 4 header fields may also exist in the list."; + } + + identity mixed-eth-ipv4-ipv6-acl-type { + base "acl:eth-acl-type"; + base "acl:ipv4-acl-type"; + base "acl:ipv6-acl-type"; + if-feature "mixed-eth-ipv4-ipv6"; + description + "ACL that contains a mix of entries that + match on fields in ethernet headers, entries + that match on fields in IPv4 headers, and entries + that match on fields in IPv6 headers. Matching on + layer 4 header fields may also exist in the list."; + } + + /* + * Features + */ + + /* + * Features supported by device + */ + feature match-on-eth { + description + "The device can support matching on ethernet headers."; + } + + feature match-on-ipv4 { + description + "The device can support matching on IPv4 headers."; + } + + feature match-on-ipv6 { + description + "The device can support matching on IPv6 headers."; + } + + feature match-on-tcp { + description + "The device can support matching on TCP headers."; + } + + feature match-on-udp { + description + "The device can support matching on UDP headers."; + } + + feature match-on-icmp { + description + "The device can support matching on ICMP (v4 and v6) headers."; + } + + /* + * Header classifications combinations supported by + * device + */ + feature eth { + if-feature "match-on-eth"; + description + "Plain Ethernet ACL supported"; + } + + feature ipv4 { + if-feature "match-on-ipv4"; + description + "Plain IPv4 ACL supported"; + } + + feature ipv6 { + if-feature "match-on-ipv6"; + description + "Plain IPv6 ACL supported"; + } + + feature mixed-eth-ipv4 { + if-feature "match-on-eth and match-on-ipv4"; + description + "Ethernet and IPv4 ACL combinations supported"; + } + + feature mixed-eth-ipv6 { + if-feature "match-on-eth and match-on-ipv6"; + description + "Ethernet and IPv6 ACL combinations supported"; + } + + feature mixed-eth-ipv4-ipv6 { + if-feature "match-on-eth and match-on-ipv4 + and match-on-ipv6"; + description + "Ethernet, IPv4 and IPv6 ACL combinations supported."; + } + + /* + * Stats Features + */ + feature interface-stats { + description + "ACL counters are available and reported only per interface"; + } + + feature acl-aggregate-stats { + description + "ACL counters are aggregated over all interfaces, and reported + only per ACL entry"; + } + + /* + * Attachment point features + */ + feature interface-attachment { + description + "ACLs are set on interfaces."; + } + + /* + * Typedefs + */ + typedef acl-type { + type identityref { + base acl-base; + } + description + "This type is used to refer to an Access Control List + (ACL) type"; + } + + /* + * Groupings + */ + grouping acl-counters { + description + "Common grouping for ACL counters"; + + leaf matched-packets { + type yang:counter64; + config false; + description + "Count of the number of packets matching the current ACL + entry. + + An implementation should provide this counter on a + per-interface per-ACL-entry basis if possible. + + If an implementation only supports ACL counters on a per + entry basis (i.e., not broken out per interface), then the + value should be equal to the aggregate count across all + interfaces. + + An implementation that provides counters on a per entry per + interface basis is not required to also provide an aggregate + count, e.g., per entry -- the user is expected to be able + implement the required aggregation if such a count is + needed."; + } + + leaf matched-octets { + type yang:counter64; + config false; + description + "Count of the number of octets (bytes) matching the current + ACL entry. + + An implementation should provide this counter on a + per-interface per-ACL-entry if possible. + + If an implementation only supports ACL counters per entry + (i.e., not broken out per interface), then the value + should be equal to the aggregate count across all interfaces. + + An implementation that provides counters per entry per + interface is not required to also provide an aggregate count, + e.g., per entry -- the user is expected to be able implement + the required aggregation if such a count is needed."; + } + } + + /* + * Configuration data nodes + */ + container acls { + description + "This is a top level container for Access Control Lists. + It can have one or more acl nodes."; + list acl { + key "name"; + description + "An Access Control List (ACL) is an ordered list of + Access Control Entries (ACE). Each ACE has a + list of match criteria and a list of actions. + Since there are several kinds of Access Control Lists + implemented with different attributes for + different vendors, this model accommodates customizing + Access Control Lists for each kind and, for each vendor."; + leaf name { + type string { + length "1..64"; + } + description + "The name of access list. A device MAY restrict the length + and value of this name, possibly space and special + characters are not allowed."; + } + leaf type { + type acl-type; + description + "Type of access control list. Indicates the primary intended + type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, + etc) used in the list instance."; + } + container aces { + description + "The aces container contains one or more ace nodes."; + list ace { + key "name"; + ordered-by user; + description + "List of Access Control Entries (ACEs)"; + leaf name { + type string { + length "1..64"; + } + description + "A unique name identifying this Access Control + Entry (ACE)."; + } + + container matches { + description + "The rules in this set determine what fields will be + matched upon before any action is taken on them. + The rules are selected based on the feature set + defined by the server and the acl-type defined. + If no matches are defined in a particular container, + then any packet will match that container. If no + matches are specified at all in an ACE, then any + packet will match the ACE."; + + choice l2 { + container eth { + when "derived-from-or-self(/acls/acl/type, " + + "'acl:eth-acl-type')"; + if-feature match-on-eth; + uses pf:acl-eth-header-fields; + description + "Rule set that matches ethernet headers."; + } + description + "Match layer 2 headers, for example ethernet + header fields."; + } + + choice l3 { + container ipv4 { + when "derived-from-or-self(/acls/acl/type, " + + "'acl:ipv4-acl-type')"; + if-feature match-on-ipv4; + uses pf:acl-ip-header-fields; + uses pf:acl-ipv4-header-fields; + description + "Rule set that matches IPv4 headers."; + } + + container ipv6 { + when "derived-from-or-self(/acls/acl/type, " + + "'acl:ipv6-acl-type')"; + if-feature match-on-ipv6; + uses pf:acl-ip-header-fields; + uses pf:acl-ipv6-header-fields; + description + "Rule set that matches IPv6 headers."; + } + description + "Choice of either ipv4 or ipv6 headers"; + } + + choice l4 { + container tcp { + if-feature match-on-tcp; + uses pf:acl-tcp-header-fields; + container source-port { + choice source-port { + case range-or-operator { + uses pf:port-range-or-operator; + description + "Source port definition from range or + operator."; + } + description + "Choice of source port definition using + range/operator or a choice to support future + 'case' statements, such as one enabling a + group of source ports to be referenced."; + } + description + "Source port definition."; + } + container destination-port { + choice destination-port { + case range-or-operator { + uses pf:port-range-or-operator; + description + "Destination port definition from range or + operator."; + } + description + "Choice of destination port definition using + range/operator or a choice to support future + 'case' statements, such as one enabling a + group of destination ports to be referenced."; + } + description + "Destination port definition."; + } + description + "Rule set that matches TCP headers."; + } + + container udp { + if-feature match-on-udp; + uses pf:acl-udp-header-fields; + container source-port { + choice source-port { + case range-or-operator { + uses pf:port-range-or-operator; + description + "Source port definition from range or + operator."; + } + description + "Choice of source port definition using + range/operator or a choice to support future + 'case' statements, such as one enabling a + group of source ports to be referenced."; + } + description + "Source port definition."; + } + container destination-port { + choice destination-port { + case range-or-operator { + uses pf:port-range-or-operator; + description + "Destination port definition from range or + operator."; + } + description + "Choice of destination port definition using + range/operator or a choice to support future + 'case' statements, such as one enabling a + group of destination ports to be referenced."; + } + description + "Destination port definition."; + } + description + "Rule set that matches UDP headers."; + } + + container icmp { + if-feature match-on-icmp; + uses pf:acl-icmp-header-fields; + description + "Rule set that matches ICMP headers."; + } + description + "Choice of TCP, UDP or ICMP headers."; + } + + leaf egress-interface { + type if:interface-ref; + description + "Egress interface. This should not be used if this ACL + is attached as an egress ACL (or the value should + equal the interface to which the ACL is attached)."; + } + + leaf ingress-interface { + type if:interface-ref; + description + "Ingress interface. This should not be used if this ACL + is attached as an ingress ACL (or the value should + equal the interface to which the ACL is attached)"; + } + } + + container actions { + description + "Definitions of action for this ace entry"; + leaf forwarding { + type identityref { + base forwarding-action; + } + mandatory true; + description + "Specifies the forwarding action per ace entry"; + } + + leaf logging { + type identityref { + base log-action; + } + default log-none; + description + "Specifies the log action and destination for + matched packets. Default value is not to log the + packet."; + } + } + container statistics { + if-feature "acl-aggregate-stats"; + config false; + description + "Statistics gathered across all attachment points for the + given ACL."; + uses acl-counters; + } + } + } + } + container attachment-points { + description + "Enclosing container for the list of + attachment-points on which ACLs are set"; + + /* + * Groupings + */ + grouping interface-acl { + description + "Grouping for per-interface ingress ACL data"; + + container acl-sets { + description + "Enclosing container the list of ingress ACLs on the + interface"; + + list acl-set { + key "name"; + ordered-by user; + description + "List of ingress ACLs on the interface"; + + leaf name { + type leafref { + path "/acls/acl/name"; + } + description + "Reference to the ACL name applied on ingress"; + } + + list ace-statistics { + if-feature "interface-stats"; + key "name"; + config false; + description + "List of Access Control Entries (ACEs)"; + leaf name { + type leafref { + path "/acls/acl/aces/ace/name"; + } + description + "The ace name"; + } + uses acl-counters; + } + } + } + } + + list interface { + if-feature interface-attachment; + key "interface-id"; + description + "List of interfaces on which ACLs are set"; + + leaf interface-id { + type if:interface-ref; + description + "Reference to the interface id list key"; + } + + container ingress { + uses interface-acl; + description + "The ACLs applied to ingress interface"; + } + container egress { + uses interface-acl; + description + "The ACLs applied to egress interface"; + } + } + } + } +} diff --git a/acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang new file mode 100755 index 000000000..c06426912 --- /dev/null +++ b/acl/acl-api/src/main/yang/ietf-ethertypes@2018-10-01.yang @@ -0,0 +1,362 @@ +module ietf-ethertypes { + namespace "urn:ietf:params:xml:ns:yang:ietf-ethertypes"; + prefix ethertypes; + + organization + "IETF NETMOD (NETCONF Data Modeling Language)"; + + contact + "WG Web: + WG List: + + Editor: Mahesh Jethanandani + "; + + description + "This module contains the common definitions for the + Ethertype used by different modules. It is a + placeholder module, till such time that IEEE + starts a project to define these Ethertypes + and publishes a standard. + + At that time this module can be deprecated."; + + revision 2018-10-01 { + description + "Initial revision."; + reference + "RFC XXXX: IETF Ethertype YANG Data Module."; + } + + typedef ethertype { + type union { + type uint16; + type enumeration { + enum ipv4 { + value 2048; + description + "Internet Protocol version 4 (IPv4) with a + hex value of 0x0800."; + reference + "RFC 791: Internet Protocol."; + } + enum arp { + value 2054; + description + "Address Resolution Protocol (ARP) with a + hex value of 0x0806."; + reference + "RFC 826: An Ethernet Address Resolution Protocol."; + } + enum wlan { + value 2114; + description + "Wake-on-LAN. Hex value of 0x0842."; + } + enum trill { + value 8947; + description + "Transparent Interconnection of Lots of Links. + Hex value of 0x22F3."; + reference + "RFC 6325: Routing Bridges (RBridges): Base Protocol + Specification."; + } + enum srp { + value 8938; + description + "Stream Reservation Protocol. Hex value of + 0x22EA."; + reference + "IEEE 801.1Q-2011."; + } + enum decnet { + value 24579; + description + "DECnet Phase IV. Hex value of 0x6003."; + } + enum rarp { + value 32821; + description + "Reverse Address Resolution Protocol. + Hex value 0x8035."; + reference + "RFC 903. A Reverse Address Resolution Protocol."; + } + enum appletalk { + value 32923; + description + "Appletalk (Ethertalk). Hex value 0x809B."; + } + enum aarp { + value 33011; + description + "Appletalk Address Resolution Protocol. Hex value + of 0x80F3."; + } + enum vlan { + value 33024; + description + "VLAN-tagged frame (802.1Q) and Shortest Path + Bridging IEEE 802.1aq with NNI compatibility. + Hex value 0x8100."; + reference + "802.1Q."; + } + enum ipx { + value 33079; + description + "Internetwork Packet Exchange (IPX). Hex value + of 0x8137."; + } + enum qnx { + value 33284; + description + "QNX Qnet. Hex value of 0x8204."; + } + enum ipv6 { + value 34525; + description + "Internet Protocol Version 6 (IPv6). Hex value + of 0x86DD."; + reference + "RFC 8200: Internet Protocol, Version 6 (IPv6) + Specification + RFC 8201: Path MTU Discovery for IPv6."; + } + enum efc { + value 34824; + description + "Ethernet flow control using pause frames. + Hex value of 0x8808"; + reference + "IEEE Std. 802.1Qbb."; + } + enum esp { + value 34825; + description + "Ethernet Slow Protocol. Hex value of 0x8809."; + reference + "IEEE Std. 802.3-2015"; + } + enum cobranet { + value 34841; + description + "CobraNet. Hex value of 0x"; + } + enum mpls-unicast { + value 34887; + description + "MultiProtocol Label Switch (MPLS) unicast traffic. + Hex value of 0x8847."; + reference + "RFC 3031: Multiprotocol Label Switching Architecture."; + } + enum mpls-multicast { + value 34888; + description + "MultiProtocol Label Switch (MPLS) multicast traffic. + Hex value of 0x8848."; + reference + "RFC 3031: Multiprotocol Label Switching Architecture."; + } + enum pppoe-discovery { + value 34915; + description + "Point-to-Point Protocol over Ethernet. Used during + the discovery process. Hex value of 0x8863."; + reference + "RFC 2516: A method for Transmitting PPP over Ethernet + PPPoE."; + } + enum pppoe-session { + value 34916; + description + "Point-to-Point Protocol over Ethernet. Used during + session stage. Hex value of 0x8864."; + reference + "RFC 2516: A method for Transmitting PPP over Ethernet + PPPoE."; + } + enum intel-ans { + value 34925; + description + "Intel Advanced Networking Services. Hex value of + 0x886D."; + } + enum jumbo-frames { + value 34928; + description + "Jumbo frames or Ethernet frames with more than + 1500 bytes of payload, upto 9000 bytes."; + } + enum homeplug { + value 34939; + description + "Family name for the various power line + communications. Hex value of 0x887B."; + } + enum eap { + value 34958; + description + "Ethernet Access Protocol (EAP) over LAN. Hex value + of 0x888E."; + reference + "IEEE 802.1X"; + } + enum profinet { + value 34962; + description + "PROcess FIeld Net (PROFINET). Hex value of 0x8892."; + } + enum hyperscsi { + value 34970; + description + "SCSI over Ethernet. Hex value of 0x889A"; + } + enum aoe { + value 34978; + description + "Advanced Technology Advancement (ATA) over Ethernet. + Hex value of 0x88A2."; + } + enum ethercat { + value 34980; + description + "Ethernet for Control Automation Technology (EtherCAT). + Hex value of 0x88A4."; + } + enum provider-bridging { + value 34984; + description + "Provider Bridging (802.1ad) and Shortest Path Bridging + (801.1aq). Hex value of 0x88A8."; + reference + "IEEE 802.1ad, IEEE 802.1aq)."; + } + enum ethernet-powerlink { + value 34987; + description + "Ethernet Powerlink. Hex value of 0x88AB."; + } + enum goose { + value 35000; + description + "Generic Object Oriented Substation Event (GOOSE). + Hex value of 0x88B8."; + reference + "IEC/ISO 8802-2 and 8802-3."; + } + enum gse { + value 35001; + description + "Generic Substation Events. Hex value of 88B9."; + reference + "IEC 61850."; + } + enum sv { + value 35002; + description + "Sampled Value Transmission. Hex value of 0x88BA."; + reference + "IEC 61850."; + } + enum lldp { + value 35020; + description + "Link Layer Discovery Protocol (LLDP). Hex value of + 0x88CC."; + reference + "IEEE 802.1AB."; + } + enum sercos { + value 35021; + description + "Sercos Interface. Hex value of 0x88CD."; + } + enum wsmp { + value 35036; + description + "WAVE Short Message Protocl (WSMP). Hex value of + 0x88DC."; + } + enum homeplug-av-mme { + value 35041; + description + "HomePlug AV MME. Hex value of 88E1."; + } + enum mrp { + value 35043; + description + "Media Redundancy Protocol (MRP). Hex value of + 0x88E3."; + reference + "IEC62439-2."; + } + enum macsec { + value 35045; + description + "MAC Security. Hex value of 0x88E5."; + reference + "IEEE 802.1AE."; + } + enum pbb { + value 35047; + description + "Provider Backbone Bridges (PBB). Hex value of + 0x88E7."; + reference + "IEEE 802.1ah."; + } + enum cfm { + value 35074; + description + "Connectivity Fault Management (CFM). Hex value of + 0x8902."; + reference + "IEEE 802.1ag."; + } + enum fcoe { + value 35078; + description + "Fiber Channel over Ethernet (FCoE). Hex value of + 0x8906."; + reference + "T11 FC-BB-5."; + } + enum fcoe-ip { + value 35092; + description + "FCoE Initialization Protocol. Hex value of 0x8914."; + } + enum roce { + value 35093; + description + "RDMA over Converged Ethernet (RoCE). Hex value of + 0x8915."; + } + enum tte { + value 35101; + description + "TTEthernet Protocol Control Frame (TTE). Hex value + of 0x891D."; + reference + "SAE AS6802."; + } + enum hsr { + value 35119; + description + "High-availability Seamless Redundancy (HSR). Hex + value of 0x892F."; + reference + "IEC 62439-3:2016."; + } + } + } + description + "The uint16 type placeholder is defined to enable + users to manage their own ethertypes not + covered by the module. Otherwise the module contains + enum definitions for the more commonly used ethertypes."; + } +} diff --git a/acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang b/acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang deleted file mode 100644 index 0b1ce5cdd..000000000 --- a/acl/acl-api/src/main/yang/ietf-packet-fields@2016-07-08.yang +++ /dev/null @@ -1,180 +0,0 @@ -module ietf-packet-fields { - yang-version 1.1; - namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; - prefix packet-fields; - import ietf-inet-types { - prefix inet; - } - import ietf-yang-types { - prefix yang; - } - organization "IETF NETMOD (NETCONF Data Modeling Language) Working - Group"; - contact - "WG Web: http://tools.ietf.org/wg/netmod/ - WG List: netmod@ietf.org - WG Chair: Juergen Schoenwaelder - j.schoenwaelder@jacobs-university.de - WG Chair: Tom Nadeau - tnadeau@lucidvision.com - Editor: Dean Bogdanovic - deanb@juniper.net - Editor: Kiran Agrahara Sreenivasa - kkoushik@cisco.com - Editor: Lisa Huang - lyihuang16@gmail.com - Editor: Dana Blair - dblair@cisco.com"; - description - "This YANG module defines groupings that are used by - ietf-access-control-list YANG module. Their usage is not - limited to ietf-access-control-list and can be - used anywhere as applicable. - Copyright (c) 2015 IETF Trust and the persons identified as - the document authors. All rights reserved. - Redistribution and use in source and binary forms, with or - without modification, is permitted pursuant to, and subject - to the license terms contained in, the Simplified BSD - License set forth in Section 4.c of the IETF Trust's Legal - Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info). - This version of this YANG module is part of RFC XXXX; see - the RFC itself for full legal notices."; - revision 2016-07-08 { - description - "Initial version of packet fields used by - ietf-access-control-list"; - reference - "RFC XXXX: Network Access Control List (ACL) - YANG Data Model"; - } - grouping acl-transport-header-fields { - description - "Transport header fields"; - container source-port-range { - presence "Enables setting source port range"; - description - "Inclusive range representing source ports to be used. - When only lower-port is present, it represents a single port."; - leaf lower-port { - type inet:port-number; - mandatory true; - description - "Lower boundary for port."; - } - leaf upper-port { - type inet:port-number; - must ". >= ../lower-port" { - error-message - "The upper-port must be greater than or equal to lower-port"; - } - description - "Upper boundary for port . If existing, the upper port - must be greater or equal to lower-port."; - } - } - container destination-port-range { - presence "Enables setting destination port range"; - description - "Inclusive range representing destination ports to be used. When - only lower-port is present, it represents a single port."; - leaf lower-port { - type inet:port-number; - mandatory true; - description - "Lower boundary for port."; - } - leaf upper-port { - type inet:port-number; - must ". >= ../lower-port" { - error-message - "The upper-port must be greater than or equal to lower-port"; - } - - description - "Upper boundary for port. If existing, the upper port must - be greater or equal to lower-port"; - } - } - } - grouping acl-ip-header-fields { - description - "IP header fields common to ipv4 and ipv6"; - leaf dscp { - type inet:dscp; - description - "Value of dscp."; - } - leaf protocol { - type uint8; - description - "Internet Protocol number."; - } - uses acl-transport-header-fields; - } - grouping acl-ipv4-header-fields { - description - "Fields in IPv4 header."; - leaf destination-ipv4-network { - type inet:ipv4-prefix; - description - "Destination IPv4 address prefix."; - } - leaf source-ipv4-network { - type inet:ipv4-prefix; - description - "Source IPv4 address prefix."; - } - } - grouping acl-ipv6-header-fields { - description - "Fields in IPv6 header"; - leaf destination-ipv6-network { - type inet:ipv6-prefix; - description - "Destination IPv6 address prefix."; - } - leaf source-ipv6-network { - type inet:ipv6-prefix; - description - "Source IPv6 address prefix."; - } - leaf flow-label { - type inet:ipv6-flow-label; - description - "IPv6 Flow label."; - } - reference - "RFC 4291: IP Version 6 Addressing Architecture - RFC 4007: IPv6 Scoped Address Architecture - RFC 5952: A Recommendation for IPv6 Address Text Representation"; - } - grouping acl-eth-header-fields { - description - "Fields in Ethernet header."; - leaf destination-mac-address { - type yang:mac-address; - description - "Destination IEEE 802 MAC address."; - } - leaf destination-mac-address-mask { - type yang:mac-address; - description - "Destination IEEE 802 MAC address mask."; - } - leaf source-mac-address { - type yang:mac-address; - description - "Source IEEE 802 MAC address."; - } - leaf source-mac-address-mask { - type yang:mac-address; - description - "Source IEEE 802 MAC address mask."; - } - reference - "IEEE 802: IEEE Standard for Local and Metropolitan Area - Networks: Overview and Architecture."; - } - -} \ No newline at end of file diff --git a/acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang b/acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang new file mode 100755 index 000000000..dc175d335 --- /dev/null +++ b/acl/acl-api/src/main/yang/ietf-packet-fields@2018-10-01.yang @@ -0,0 +1,588 @@ +module ietf-packet-fields { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; + prefix packet-fields; + + import ietf-inet-types { + prefix inet; + reference + "RFC 6991 - Common YANG Data Types."; + } + + import ietf-yang-types { + prefix yang; + reference + "RFC 6991 - Common YANG Data Types."; + } + + import ietf-ethertypes { + prefix eth; + reference + "RFC XXXX - Network ACL YANG Model."; + } + + organization + "IETF NETMOD (Network Modeling Language) Working + Group"; + + contact + "WG Web: http://tools.ietf.org/wg/netmod/ + WG List: netmod@ietf.org + + Editor: Mahesh Jethanandani + mjethanandani@gmail.com + Editor: Lisa Huang + lyihuang16@gmail.com + Editor: Sonal Agarwal + sagarwal12@gmail.com + Editor: Dana Blair + dblair@cisco.com"; + + description + "This YANG module defines groupings that are used by + ietf-access-control-list YANG module. Their usage is not + limited to ietf-access-control-list and can be + used anywhere as applicable. + + Copyright (c) 2018 IETF Trust and the persons identified as + the document authors. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + + revision 2018-10-01 { + description + "Initial version."; + reference + "RFC XXX: Network Access Control List (ACL) YANG Data Model."; + } + + /* + * Typedefs + */ + typedef operator { + type enumeration { + enum lte { + description + "Less than or equal."; + } + enum gte { + description + "Greater than or equal."; + } + enum eq { + description + "Equal to."; + } + enum neq { + description + "Not equal to."; + } + } + description + "The source and destination port range definitions + can be further qualified using an operator. An + operator is needed only if lower-port is specified + and upper-port is not specified. The operator + therefore further qualifies lower-port only."; + } + + /* + * Groupings + */ + grouping port-range-or-operator { + choice port-range-or-operator { + case range { + leaf lower-port { + type inet:port-number; + must ". <= ../upper-port" { + error-message + "The lower-port must be less than or equal to + upper-port."; + } + mandatory true; + description + "Lower boundry for a port."; + } + leaf upper-port { + type inet:port-number; + mandatory true; + description + "Upper boundry for port."; + } + } + case operator { + leaf operator { + type operator; + default eq; + description + "Operator to be applied on the port below."; + } + leaf port { + type inet:port-number; + mandatory true; + description + "Port number along with operator on which to + match."; + } + } + description + "Choice of specifying a port range or a single + port along with an operator."; + } + description + "Grouping for port definitions in the form of a + choice statement."; + } + + grouping acl-ip-header-fields { + description + "IP header fields common to ipv4 and ipv6"; + reference + "RFC 791: Internet Protocol."; + + leaf dscp { + type inet:dscp; + description + "Differentiated Services Code Point."; + reference + "RFC 2474: Definition of Differentiated services field + (DS field) in the IPv4 and IPv6 headers."; + } + + leaf ecn { + type uint8 { + range 0..3; + } + description + "Explicit Congestion Notification."; + reference + "RFC 3168: Explicit Congestion Notification."; + } + + leaf length { + type uint16; + description + "In IPv4 header field, this field is known as the Total Length. + Total Length is the length of the datagram, measured in octets, + including internet header and data. + + In IPv6 header field, this field is known as the Payload + Length, the length of the IPv6 payload, i.e. the rest of + the packet following the IPv6 header, in octets."; + reference + "RFC 791: Internet Protocol, + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; + } + + leaf ttl { + type uint8; + description + "This field indicates the maximum time the datagram is allowed + to remain in the internet system. If this field contains the + value zero, then the datagram must be dropped. + + In IPv6, this field is known as the Hop Limit."; + reference + "RFC 791: Internet Protocol, + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; + } + + leaf protocol { + type uint8; + description + "Internet Protocol number. Refers to the protocol of the + payload. In IPv6, this field is known as 'next-header, + and if extension headers are present, the protocol is + present in the 'upper-layer' header."; + reference + "RFC 791: Internet Protocol, + RFC 8200: Internet Protocol, Version 6 (IPv6) Specification."; + } + } + + grouping acl-ipv4-header-fields { + description + "Fields in IPv4 header."; + + leaf ihl { + type uint8 { + range "5..60"; + } + description + "An IPv4 header field, the Internet Header Length (IHL) is + the length of the internet header in 32 bit words, and + thus points to the beginning of the data. Note that the + minimum value for a correct header is 5."; + } + + leaf flags { + type bits { + bit reserved { + position 0; + description + "Reserved. Must be zero."; + } + bit fragment { + position 1; + description + "Setting value to 0 indicates may fragment, while setting + the value to 1 indicates do not fragment."; + } + bit more { + position 2; + description + "Setting the value to 0 indicates this is the last fragment, + and setting the value to 1 indicates more fragments are + coming."; + } + } + description + "Bit definitions for the flags field in IPv4 header."; + } + + leaf offset { + type uint16 { + range "20..65535"; + } + description + "The fragment offset is measured in units of 8 octets (64 bits). + The first fragment has offset zero. The length is 13 bits"; + } + + leaf identification { + type uint16; + description + "An identifying value assigned by the sender to aid in + assembling the fragments of a datagram."; + } + + choice destination-network { + case destination-ipv4-network { + leaf destination-ipv4-network { + type inet:ipv4-prefix; + description + "Destination IPv4 address prefix."; + } + } + description + "Choice of specifying a destination IPv4 address or + referring to a group of IPv4 destination addresses."; + } + choice source-network { + case source-ipv4-network { + leaf source-ipv4-network { + type inet:ipv4-prefix; + description + "Source IPv4 address prefix."; + } + } + description + "Choice of specifying a source IPv4 address or + referring to a group of IPv4 source addresses."; + } + } + + grouping acl-ipv6-header-fields { + description + "Fields in IPv6 header"; + + choice destination-network { + case destination-ipv6-network { + leaf destination-ipv6-network { + type inet:ipv6-prefix; + description + "Destination IPv6 address prefix."; + } + } + description + "Choice of specifying a destination IPv6 address + or referring to a group of IPv6 destination + addresses."; + } + + choice source-network { + case source-ipv6-network { + leaf source-ipv6-network { + type inet:ipv6-prefix; + description + "Source IPv6 address prefix."; + } + } + description + "Choice of specifying a source IPv6 address or + referring to a group of IPv6 source addresses."; + } + + leaf flow-label { + type inet:ipv6-flow-label; + description + "IPv6 Flow label."; + } + reference + "RFC 4291: IP Version 6 Addressing Architecture + RFC 4007: IPv6 Scoped Address Architecture + RFC 5952: A Recommendation for IPv6 Address Text + Representation"; + } + + grouping acl-eth-header-fields { + description + "Fields in Ethernet header."; + + leaf destination-mac-address { + type yang:mac-address; + description + "Destination IEEE 802 MAC address."; + } + leaf destination-mac-address-mask { + type yang:mac-address; + description + "Destination IEEE 802 MAC address mask."; + } + leaf source-mac-address { + type yang:mac-address; + description + "Source IEEE 802 MAC address."; + } + leaf source-mac-address-mask { + type yang:mac-address; + description + "Source IEEE 802 MAC address mask."; + } + leaf ethertype { + type eth:ethertype; + description + "The Ethernet Type (or Length) value represented + in the canonical order defined by IEEE 802. + The canonical representation uses lowercase + characters."; + reference + "IEEE 802-2014 Clause 9.2"; + } + reference + "IEEE 802: IEEE Standard for Local and Metropolitan + Area Networks: Overview and Architecture."; + } + + grouping acl-tcp-header-fields { + description + "Collection of TCP header fields that can be used to + setup a match filter."; + + leaf sequence-number { + type uint32; + description + "Sequence number that appears in the packet."; + } + + leaf acknowledgement-number { + type uint32; + description + "The acknowledgement number that appears in the + packet."; + } + + leaf data-offset { + type uint8 { + range "5..15"; + } + description + "Specifies the size of the TCP header in 32-bit + words. The minimum size header is 5 words and + the maximum is 15 words thus giving the minimum + size of 20 bytes and maximum of 60 bytes, + allowing for up to 40 bytes of options in the + header."; + } + + leaf reserved { + type uint8; + description + "Reserved for future use."; + } + + leaf flags { + type bits { + bit cwr { + position 1; + description + "Congestion Window Reduced (CWR) flag is set by + the sending host to indicate that it received + a TCP segment with the ECE flag set and had + responded in congestion control mechanism."; + reference + "RFC 3168: The Addition of Explicit Congestion + Notification (ECN) to IP."; + } + bit ece { + position 2; + description + "ECN-Echo has a dual role, depending on the value + of the SYN flag. It indicates: + If the SYN flag is set (1), that the TCP peer is ECN + capable. If the SYN flag is clear (0), that a packet + with Congestion Experienced flag set (ECN=11) in IP + header was received during normal transmission + (added to header by RFC 3168). This serves as an + indication of network congestion (or impending + congestion) to the TCP sender."; + reference + "RFC 3168: The Addition of Explicit Congestion + Notification (ECN) to IP."; + } + bit urg { + position 3; + description + "Indicates that the Urgent pointer field is significant."; + } + bit ack { + position 4; + description + "Indicates that the Acknowledgment field is significant. + All packets after the initial SYN packet sent by the + client should have this flag set."; + } + bit psh { + position 5; + description + "Push function. Asks to push the buffered data to the + receiving application."; + } + bit rst { + position 6; + description + "Reset the connection."; + } + bit syn { + position 7; + description + "Synchronize sequence numbers. Only the first packet + sent from each end should have this flag set. Some + other flags and fields change meaning based on this + flag, and some are only valid for when it is set, + and others when it is clear."; + } + bit fin { + position 8; + description + "Last package from sender."; + } + } + description + "Also known as Control Bits. Contains 9 1-bit flags."; + reference + "RFC 793: Transmission Control Protocol (TCP)."; + } + + leaf window-size { + type uint16; + units "bytes"; + description + "The size of the receive window, which specifies + the number of window size units beyond the segment + identified by the sequence number in the acknowledgment + field that the sender of this segment is currently + willing to receive."; + } + + leaf urgent-pointer { + type uint16; + description + "This field is an offset from the sequence number + indicating the last urgent data byte."; + } + + leaf options { + type binary { + length "1..40"; + } + description + "The length of this field is determined by the + data offset field. Options have up to three + fields: Option-Kind (1 byte), Option-Length + (1 byte), Option-Data (variable). The Option-Kind + field indicates the type of option, and is the + only field that is not optional. Depending on + what kind of option we are dealing with, + the next two fields may be set: the Option-Length + field indicates the total length of the option, + and the Option-Data field contains the value of + the option, if applicable."; + } + } + + grouping acl-udp-header-fields { + description + "Collection of UDP header fields that can be used + to setup a match filter."; + + leaf length { + type uint16; + description + "A field that specifies the length in bytes of + the UDP header and UDP data. The minimum + length is 8 bytes because that is the length of + the header. The field size sets a theoretical + limit of 65,535 bytes (8 byte header + 65,527 + bytes of data) for a UDP datagram. However the + actual limit for the data length, which is + imposed by the underlying IPv4 protocol, is + 65,507 bytes (65,535 minus 8 byte UDP header + minus 20 byte IP header). + + In IPv6 jumbograms it is possible to have + UDP packets of size greater than 65,535 bytes. + RFC 2675 specifies that the length field is set + to zero if the length of the UDP header plus + UDP data is greater than 65,535."; + } + } + + grouping acl-icmp-header-fields { + description + "Collection of ICMP header fields that can be + used to setup a match filter."; + + leaf type { + type uint8; + description + "Also known as Control messages."; + reference + "RFC 792: Internet Control Message Protocol (ICMP), + RFC 4443: Internet Control Message Protocol (ICMPv6) + for Internet Protocol Version 6 (IPv6) + Specifciation."; + } + + leaf code { + type uint8; + description + "ICMP subtype. Also known as Control messages."; + reference + "RFC 792: Internet Control Message Protocol (ICMP), + RFC 4443: Internet Control Message Protocol (ICMPv6) + for Internet Protocol Version 6 (IPv6) + Specifciation."; + } + + leaf rest-of-header { + type binary; + description + "Unbounded in length, the contents vary based on the + ICMP type and code. Also referred to as 'Message Body' + in ICMPv6."; + reference + "RFC 792: Internet Control Message Protocol (ICMP), + RFC 4443: Internet Control Message Protocol (ICMPv6) + for Internet Protocol Version 6 (IPv6) + Specifciation."; + } + } +} diff --git a/acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang b/acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang deleted file mode 100644 index f051830fe..000000000 --- a/acl/acl-api/src/main/yang/interface-acl@2016-12-14.yang +++ /dev/null @@ -1,103 +0,0 @@ -module interface-acl { - yang-version 1; - namespace "urn:opendaylight:params:xml:ns:yang:interface:acl"; - prefix "ifc-acl"; - - import ietf-interfaces { - prefix "if"; - } - - import yang-ext { - prefix "ext"; - } - - import ietf-access-control-list { - prefix "acl"; - } - - organization - "FD.io - The Fast Data Project"; - - contact - "Hc2vpp Wiki - Mailing List "; - - description - "This module contains a collection of YANG definitions for - applying ACLs on VPP interfaces. - Uses ACL implementation provided by ACL plugin of VPP. - - Copyright (c) 2016 Cisco and/or its affiliates. - - Licensed under the Apache License, Version 2.0 (the 'License'); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an 'AS IS' BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License."; - - revision "2016-12-14" { - description "Initial revision of interface-acl model"; - } - - grouping vpp-acls-base-attributes { - description - "List of ACLs of vpp-acl type"; // TODO(HC2VPP-201): express constraint in the model if possible - list vpp-acls { - key "type name"; - ordered-by user; - - leaf type { - type acl:acl-type; - } - - // FIXME(HC2VPP-290): define leafref in interface-acl or bump ietf-access-control-list - leaf name { - type acl:access-control-list-ref; - } - } - } - - grouping vpp-macip-acls-base-attributes { - container vpp-macip-acl { - description - "ACL of vpp-macip-acl type"; // TODO(HC2VPP-201): express constraint in the model if possible - - leaf type { - type acl:acl-type; - } - - leaf name { - type acl:access-control-list-ref; - } - } - } - - grouping interface-acl-attributes { - container acl { - container ingress { - uses vpp-acls-base-attributes; - uses vpp-macip-acls-base-attributes; - } - container egress { - uses vpp-acls-base-attributes; - } - } - } - - augment /if:interfaces/if:interface { - ext:augment-identifier "vpp-acl-interface-augmentation"; - uses interface-acl-attributes; - } - - augment /if:interfaces-state/if:interface { - ext:augment-identifier "vpp-acl-interface-state-augmentation"; - uses interface-acl-attributes; - } - -} \ No newline at end of file diff --git a/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang b/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang index 016883e1e..34ac3b9f5 100644 --- a/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang +++ b/acl/acl-api/src/main/yang/vpp-acl-context@2017-01-04.yang @@ -1,6 +1,6 @@ module vpp-acl-context { yang-version 1; - namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl:context"; + namespace "http://fd.io/hc2vpp/yang/vpp/acl/context"; prefix "vac"; import naming-context { diff --git a/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang b/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang deleted file mode 100644 index 2f7f82e9c..000000000 --- a/acl/acl-api/src/main/yang/vpp-acl@2017-06-15.yang +++ /dev/null @@ -1,284 +0,0 @@ -module vpp-acl { - yang-version 1; - namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl"; - prefix "vpp-acl"; - - import ietf-access-control-list { - prefix "acl"; - } - - import yang-ext { - prefix "ext"; - } - - import ietf-packet-fields { - prefix packet-fields; - } - - import ietf-inet-types { - prefix inet; - } - - import ietf-yang-types { - prefix yang; - } - - organization - "FD.io - The Fast Data Project"; - - contact - "Hc2vpp Wiki - Mailing List "; - - description - "This module contains a collection of YANG definitions - that extend ietf-access-control-list module - with VPP specific features provided by the VPP ACL plugin. - - Copyright (c) 2016-2017 Cisco and/or its affiliates. - - Licensed under the Apache License, Version 2.0 (the 'License'); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at: - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an 'AS IS' BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License."; - - revision "2017-06-15" { - description - "Renamed stateful/permit leaf to permit-and-reflect"; - } - - revision "2016-12-14" { - description - "Initial revision of vpp-acl model."; - } - - augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling { - ext:augment-identifier "stateful-acl-action-augmentation"; - when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'"; - case stateful { - leaf permit-and-reflect { - type empty; - description - "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs."; - } - } - } - - identity vpp-acl { - base acl:acl-base; - description - "ACL that contains only aces of vpp-ace type."; - } - - identity vpp-macip-acl { - base acl:acl-base; - description - "ACL that contains only aces of vpp-macip-acl type."; - } - - grouping value-range { - description "Defines value range with first and last value defined"; - - leaf first { - type uint8; - mandatory true; - description "Lower boundary for range"; - } - - leaf last { - type uint8; - mandatory true; - description "Upper boundary for range"; - must "last >= first"; - } - } - - grouping acl-icmp-header-fields { - description - "ICMP header fields"; - container icmp-type-range { - presence "Enables setting icmp-type"; - description - "Inclusive range representing icmp types to be used."; - uses value-range; - } - - container icmp-code-range { - presence "Enables setting icmp-code"; - description - "Inclusive range representing icmp codes to be used."; - uses value-range; - } - } - - grouping acl-tcp-header-fields { - description - "TCP header fields"; - leaf tcp-flags-mask { - description - "Binary mask for tcp flags to match. MSB order (FIN at position 0). - Applied as logical AND to tcp flags field of the packet being matched, - before it is compared with tcp-flags-value."; - type uint8; - } - leaf tcp-flags-value { - description - "Binary value for tcp flags to match. MSB order (FIN at position 0). - Before tcp-flags-value is compared with tcp flags field of the packet being matched, - tcp-flags-mask is applied to packet field value."; - type uint8; - } - } - - grouping acl-other-protocol-fields { - description "Used for any other protocol than TCP/UDP/ICMP/ICMPv6"; - leaf protocol { - must "protocol != 1 and protocol != 6 and protocol != 17 and protocol != 58"; - type uint8; - description "Internet Protocol number."; - } - } - - grouping acl-ip-protocol-header-fields { - description - "Defines header fields for TCP/UDP or ICMP protocols"; - choice ip-protocol { - case icmp { - container icmp-nodes { - uses acl-icmp-header-fields; - } - } - case icmp-v6 { - container icmp-v6-nodes { - uses acl-icmp-header-fields; - } - } - case udp { - container udp-nodes { - uses packet-fields:acl-transport-header-fields; - } - } - case tcp { - container tcp-nodes { - uses packet-fields:acl-transport-header-fields; - uses acl-tcp-header-fields; - } - } - case other { - container other-nodes { - uses acl-other-protocol-fields; - } - } - } - } - - augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { - ext:augment-identifier "vpp-acl-type-augmentation"; - case vpp-ace { - description - "Access List entry that can define: - - IP4/IP6 src/dst ip prefix- Internet Protocol number - - Internet Protocol number - - selected L4 headers: - * ICMP (type range) - * UDP (port range) - * TCP (port range, flags mask, flags value)"; - container vpp-ace-nodes { - choice ace-ip-version { - description - "IP version used in this Access List Entry."; - case ace-ipv4 { - uses packet-fields:acl-ipv4-header-fields; - } - case ace-ipv6 { - uses packet-fields:acl-ipv6-header-fields; - } - } - uses acl-ip-protocol-header-fields; - } - } - } - - grouping vpp-macip-ace-eth-header-fields { - description - "Fields in Ethernet header supported by vpp-macip rule"; - leaf source-mac-address { - type yang:mac-address; - description - "Source IEEE 802 MAC address. - Before source-mac-address is compared with source mac address field of the packet being matched, - source-mac-address-mask is applied to packet field value."; - } - leaf source-mac-address-mask { - type yang:mac-address; - description - "Source IEEE 802 MAC address mask. - Applied as logical AND with source mac address field of the packet being matched, - before it is compared with source-mac-address."; - } - } - - grouping vpp-macip-ace-ipv4-header-fields { - description - "Fields in IPv4 header supported by vpp-macip rule"; - leaf source-ipv4-network { - type inet:ipv4-prefix; - description - "Source IPv4 address prefix."; - } - } - - grouping vpp-macip-ace-ipv6-header-fields { - description - "Fields in IPv6 header supported by vpp-macip rule"; - leaf source-ipv6-network { - type inet:ipv6-prefix; - description - "Source IPv6 address prefix."; - } - } - - augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type { - ext:augment-identifier "vpp-macip-acl-type-augmentation"; - case vpp-macip-ace { - description - "Access List entry that can define: - - IP4/IP6 src ip prefix - - src MAC address mask - - src MAC address value - - can be used only for static ACLs."; - container vpp-macip-ace-nodes { - choice ace-ip-version { - description - "IP version used in this Access List Entry."; - case ace-ipv4 { - uses vpp-macip-ace-ipv4-header-fields; - } - case ace-ipv6 { - uses vpp-macip-ace-ipv6-header-fields; - } - } - uses vpp-macip-ace-eth-header-fields; - } - } - } - - augment /acl:access-lists/acl:acl { - ext:augment-identifier "vpp-acl-augmentation"; - leaf tag { - type string { - length 1..63; - } - description - "ASCII tag that can be used as a placeholder for ACL metadata. Value is stored in vpp, - and returned in read requests. No processing involved."; - } - } -} \ No newline at end of file diff --git a/acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang b/acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang new file mode 100644 index 000000000..f94dfa29a --- /dev/null +++ b/acl/acl-api/src/main/yang/vpp-acl@2018-10-22.yang @@ -0,0 +1,230 @@ +module vpp-acl { + yang-version 1; + namespace "http://fd.io/hc2vpp/yang/vpp/acl"; + prefix "vpp-acl"; + + import ietf-access-control-list { + prefix "acl"; + } + + import yang-ext { + prefix "ext"; + } + + import ietf-packet-fields { + prefix packet-fields; + } + + import ietf-inet-types { + prefix inet; + } + + import ietf-yang-types { + prefix yang; + } + + organization + "FD.io - The Fast Data Project"; + + contact + "Hc2vpp Wiki + Mailing List "; + + description + "This module contains a collection of YANG definitions + that extend ietf-access-control-list module + with VPP specific features provided by the VPP ACL plugin. + + Copyright (c) 2016-2017 Cisco and/or its affiliates. + + Licensed under the Apache License, Version 2.0 (the 'License'); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at: + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an 'AS IS' BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License."; + + revision "2018-10-22" { + description + "Updated vpp dependencies to match changes in ietf-access-control-list@2018-10-01 yang model."; + } + + revision "2017-06-15" { + description + "Renamed stateful/permit leaf to permit-and-reflect"; + } + + revision "2016-12-14" { + description + "Initial revision of vpp-acl model."; + } + + identity vpp-acl { + base acl:acl-base; + description + "ACL that contains only aces of vpp-ace type."; + } + + identity vpp-macip-acl { + base acl:acl-base; + description + "ACL that contains only aces of vpp-macip-acl type."; + } + + identity accept-and-reflect { + base acl:forwarding-action; + description + "Permits egress TCP/UDP traffic and ingress in reverse direction by creating reflexive ACEs."; + } + + grouping value-range { + description "Defines value range with first and last value defined"; + + leaf first { + type uint8; + mandatory true; + description "Lower boundary for range"; + } + + leaf last { + type uint8; + mandatory true; + description "Upper boundary for range"; + must "last >= first"; + } + } + + grouping acl-icmp-header-fields { + description + "ICMP header fields"; + container icmp-type-range { + presence "Enables setting icmp-type"; + description + "Inclusive range representing icmp types to be used."; + uses value-range; + } + + container icmp-code-range { + presence "Enables setting icmp-code"; + description + "Inclusive range representing icmp codes to be used."; + uses value-range; + } + } + + grouping acl-tcp-header-fields { + + description "ICMP header fields"; + + leaf flags-mask { + type bits { + bit cwr { + position 1; + description + "Congestion Window Reduced (CWR) flag is set by + the sending host to indicate that it received + a TCP segment with the ECE flag set and had + responded in congestion control mechanism."; + reference + "RFC 3168: The Addition of Explicit Congestion + Notification (ECN) to IP."; + } + bit ece { + position 2; + description + "ECN-Echo has a dual role, depending on the value + of the SYN flag. It indicates: + If the SYN flag is set (1), that the TCP peer is ECN + capable. If the SYN flag is clear (0), that a packet + with Congestion Experienced flag set (ECN=11) in IP + header was received during normal transmission + (added to header by RFC 3168). This serves as an + indication of network congestion (or impending + congestion) to the TCP sender."; + reference + "RFC 3168: The Addition of Explicit Congestion + Notification (ECN) to IP."; + } + bit urg { + position 3; + description + "Indicates that the Urgent pointer field is significant."; + } + bit ack { + position 4; + description + "Indicates that the Acknowledgment field is significant. + All packets after the initial SYN packet sent by the + client should have this flag set."; + } + bit psh { + position 5; + description + "Push function. Asks to push the buffered data to the + receiving application."; + } + bit rst { + position 6; + description + "Reset the connection."; + } + bit syn { + position 7; + description + "Synchronize sequence numbers. Only the first packet + sent from each end should have this flag set. Some + other flags and fields change meaning based on this + flag, and some are only valid for when it is set, + and others when it is clear."; + } + bit fin { + position 8; + description + "Last package from sender."; + } + } + description + "Also known as Control Bits. Contains 9 1-bit flags."; + reference + "RFC 793: Transmission Control Protocol (TCP)."; + } + } + + augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4/acl:icmp/acl:icmp { + ext:augment-identifier "vpp-icmp-ace-augmentation"; + container vpp-icmp-ace { + description + "Access List entry that can define: + - icmp code range fields + - icmp type range fields."; + uses acl-icmp-header-fields; + } + } + + augment /acl:acls/acl:acl/acl:aces/acl:ace/acl:matches/acl:l4/acl:tcp/acl:tcp { + ext:augment-identifier "vpp-tcp-ace-augmentation"; + container vpp-tcp-ace { + description + "Access List entry that can define: + - Flag mask"; + uses acl-tcp-header-fields; + } + } + + augment /acl:acls/acl:acl { + ext:augment-identifier "vpp-acl-augmentation"; + leaf tag { + type string { + length 1..63; + } + description + "ASCII tag that can be used as a placeholder for ACL metadata. Value is stored in vpp, + and returned in read requests. No processing involved."; + } + } +} \ No newline at end of file -- cgit 1.2.3-korg