From c5e153510d4ca0c36bce6e97a72631e41fdcc60a Mon Sep 17 00:00:00 2001 From: Jan Srnicek Date: Mon, 12 Dec 2016 17:25:34 +0100 Subject: Acl model improvements Adds case to cover other protocol numbers Adds constraint to not allow stateless mac-ip acl's Change-Id: I9feeba5ac6b6480282cac62e5479c433c92c8d99 Signed-off-by: Jan Srnicek --- acl/acl-api/src/main/yang/vpp-acl.yang | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'acl/acl-api') diff --git a/acl/acl-api/src/main/yang/vpp-acl.yang b/acl/acl-api/src/main/yang/vpp-acl.yang index ff30d5ec5..a81516a90 100644 --- a/acl/acl-api/src/main/yang/vpp-acl.yang +++ b/acl/acl-api/src/main/yang/vpp-acl.yang @@ -30,6 +30,7 @@ module vpp-acl { augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling { ext:augment-identifier "stateful-acl-action-augmentation"; + when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'"; case stateful { leaf permit { type empty; @@ -105,6 +106,15 @@ module vpp-acl { } } + grouping acl-other-protocol-fields { + description "Used for any other protocol than TCP/UDP/ICMP/ICMPv6"; + leaf protocol { + must "protocol != 1 and protocol != 6 and protocol != 17 and protocol != 58"; + type uint8; + description "Internet Protocol number."; + } + } + grouping acl-ip-protocol-header-fields { description "Defines header fields for TCP/UDP or ICMP protocols"; @@ -112,6 +122,9 @@ module vpp-acl { case icmp { uses acl-icmp-header-fields; } + case icmp-v6 { + uses acl-icmp-header-fields; + } case udp { uses packet-fields:acl-transport-header-fields; } @@ -119,6 +132,9 @@ module vpp-acl { uses packet-fields:acl-transport-header-fields; uses acl-tcp-header-fields; } + case other { + uses acl-other-protocol-fields; + } } } 
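Review bot: The added `when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'"` in the first hunk only restricts the `stateful` case if `acl:ace-type` is a leaf present in the data tree, and its definition is outside this hunk. Because the augment target `acl:packet-handling` is a choice (the augment adds a `case` to it), the XPath context node is the enclosing `acl:actions` container, so the path resolves under the ace's `matches` container. If `ace-type` turns out to be a choice rather than a leaf, the expression selects no node, the condition is always false, and the stateful permit disappears for every ace instead of only for mac-ip ones. Whichever node carries the ACL type, a comment above the `when` such as `// stateful permit is only valid for vpp-acl aces; mac-ip aces are stateless` would record the intent. It is also worth confirming that the validator in use compares the prefixed string `'vpp-acl:vpp-acl'` the way the instance data encodes it.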
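Review bot: The `must` inside `leaf protocol` of the new `acl-other-protocol-fields` grouping is evaluated with the leaf itself as context node, so the relative path `protocol` looks for a child named `protocol` and selects nothing. In XPath 1.0 a comparison against an empty node-set is false, so the expression can never hold: a conforming validator rejects every value, and where `must` is not evaluated nothing stops an `other` rule from carrying 1, 6, 17 or 58 without the ICMP or port fields. Refer to the current node instead: `must ". != 1 and . != 6 and . != 17 and . != 58";`. The same exclusion can also be put in the type as `range "0 | 2..5 | 7..16 | 18..57 | 59..255";`, which is checked wherever the type is checked.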
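Review bot: The new `case icmp-v6` in the third hunk instantiates the same `acl-icmp-header-fields` nodes as `case icmp` directly in the choice, so the two cases end up with identical child names. RFC 6020 requires child identifiers to be unique across all cases of a choice, and because the active case is inferred from which nodes are present, a rule written for ICMPv6 cannot be told apart from an ICMP one in the data. The existing `udp` and `tcp` cases share `packet-fields:acl-transport-header-fields` in the same way. Wrapping each case's fields in a case-specific container, for example `container icmp-v6-nodes { uses acl-icmp-header-fields; }` (container name illustrative), keeps the names distinct and makes the selected protocol explicit. The enclosing `choice` statement starts outside the hunk.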
@@ -144,11 +160,6 @@ module vpp-acl { uses packet-fields:acl-ipv6-header-fields; } } - leaf protocol { - type uint8; - description - "Internet Protocol number."; - } uses acl-ip-protocol-header-fields; } } -- cgit 1.2.3-korg