blob: 42550d95d92b33514f020c49924087f4c3f992c3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
module vpp-classfier-acl {
yang-version 1;
namespace "urn:opendaylight:params:xml:ns:yang:vpp:classfier:acl";
prefix "vpp-classfier-acl";
revision "2016-12-14" {
description
"Initial revision of vpp-classfier-acl model.";
}
import ietf-access-control-list {
prefix "acl";
}
import vpp-classifier {
prefix "vpp-classifier";
}
import yang-ext {
prefix "ext";
}
import ietf-packet-fields {
prefix packet-fields;
}
identity mixed-acl {
base acl:acl-base;
description
"ACL that can match on any of L2/L3/L4 fields.";
}
typedef interface-mode {
type enumeration {
enum "l2";
enum "l3";
}
}
grouping acl-base-attributes {
description
"Defines references to classify tables.
At least one table reference should be specified.";
container l2-acl {
leaf classify-table {
type vpp-classifier:classify-table-ref;
description
"An L2 ACL table";
}
}
container ip4-acl {
leaf classify-table {
type vpp-classifier:classify-table-ref;
description
"An IPv4 ACL table";
}
}
container ip6-acl {
leaf classify-table {
type vpp-classifier:classify-table-ref;
description
"An IPv6 ACL table";
}
}
}
grouping ietf-acl-base-attributes {
description
"Provides limited support for ietf-acl model.";
container access-lists {
description
"Defines references to ietf-acl lists.
ACLs are translated into classify tables and sessions when assigned to interface.
In case of L2 interfaces, acls are translated into a chain of classify tables and assigned as L2 table.
In case of L3 interfaces, acls are translated into ip4 and ip6 chains (eth only rules go to both chains,
rest - depending on ip-version).
User ordering is preserved in both cases.
Assignment update/delete removes all created tables and sessions and repeats process described above.
Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
Read is supported only for acls that were created and assigned by Honeycomb agent
(corresponding metadata is present).
Extensions:
- mixing ACEs of different type in one list is permited
- mixing L2/L3/L4 rules in one ACE is permited
Limitations (due to vpp limitations):
- egress rules are currently ignored (HONEYCOMB-234)
- L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify
session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260)
- ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types,
and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
- L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation)
- vlan tags are supported only for sub-interfaces defined as exact-match";
list acl {
key "type name";
ordered-by user;
leaf type {
type acl:acl-type;
}
leaf name {
type acl:access-control-list-ref;
}
}
leaf default-action {
type enumeration {
enum "deny";
enum "permit";
}
default "deny";
description
"Default action applied to packet that does not match any of rules defined in assigned ACLs.
It is translated to single classify table and applied at the end of assigned chains.";
}
leaf mode {
type interface-mode;
default l3;
description
"The way ACLs are translated depends on the interface mode.
In case of L2 interfaces (bridge/interconnection)
classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically
added in case of L3 rules).
In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables.
It is the user responsibility to choose mode that matches target interface.
";
}
}
}
augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
ext:augment-identifier "vpp-classfier-acl-type-augmentation";
case ace-ip-and-eth {
description
"Access List entry that can define both ip and eth rules.";
container ace-ip-and-eth-nodes {
choice ace-ip-version {
description
"IP version used in this Access List Entry.";
mandatory true;
case ace-ipv4 {
uses packet-fields:acl-ipv4-header-fields;
}
case ace-ipv6 {
uses packet-fields:acl-ipv6-header-fields;
}
}
uses packet-fields:acl-ip-header-fields;
uses packet-fields:acl-eth-header-fields;
}
}
}
}
|