summaryrefslogtreecommitdiffstats
path: root/vpp-classifier/api/src/main/yang/ietf-access-control-list.yang
blob: 3083ee2a0bc9a859ee83aa0fcceeb3d214fed703 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
module ietf-access-control-list {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
  prefix acl;
  import ietf-yang-types {
    prefix yang;
  }
  import ietf-packet-fields {
    prefix packet-fields;
  }
  organization "IETF NETMOD (NETCONF Data Modeling Language)
           Working Group";
  contact
    "WG Web: http://tools.ietf.org/wg/netmod/
    WG List: netmod@ietf.org
    WG Chair: Juergen Schoenwaelder
    j.schoenwaelder@jacobs-university.de
    WG Chair: Tom Nadeau
    tnadeau@lucidvision.com
    Editor: Dean Bogdanovic
    ivandean@gmail.com
    Editor: Kiran Agrahara Sreenivasa
    kkoushik@cisco.com
    Editor: Lisa Huang
    lyihuang16@gmail.com
    Editor: Dana Blair
    dblair@cisco.com";
  description
    "This YANG module defines a component that describing the
    configuration of Access Control Lists (ACLs).
    Copyright (c) 2015 IETF Trust and the persons identified as
    the document authors.  All rights reserved.
    Redistribution and use in source and binary forms, with or
    without modification, is permitted pursuant to, and subject
    to the license terms contained in, the Simplified BSD
    License set forth in Section 4.c of the IETF Trust's Legal
    Provisions Relating to IETF Documents
    (http://trustee.ietf.org/license-info).
    This version of this YANG module is part of RFC XXXX; see
    the RFC itself for full legal notices.";
  revision 2016-07-08 {
    description
      "Base model for Network Access Control List (ACL).";
    reference
      "RFC XXXX: Network Access Control List (ACL)
      YANG Data  Model";
  }
  identity acl-base {
    description
      "Base Access Control List type for all Access Control List type
      identifiers.";
  }
  identity ipv4-acl {
    base acl:acl-base;
    description
       "ACL that primarily matches on fields from the IPv4 header
       (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP
       destination port).  An acl of type ipv4-acl does not contain
       matches on fields in the ethernet header or the IPv6 header.";
  }
  identity ipv6-acl {
    base acl:acl-base;
    description
      "ACL that primarily matches on fields from the IPv6 header
      (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP
      destination port). An acl of type ipv6-acl does not contain
      matches on fields in the ethernet header or the IPv4 header.";
  }
  identity eth-acl {
    base acl:acl-base;
    description
      "ACL that primarily matches on fields in the ethernet header,
      like 10/100/1000baseT or WiFi Access Control List. An acl of
      type eth-acl does not contain matches on fields in the IPv4
      header, IPv6 header or layer 4 headers.";
  }
  typedef acl-type {
    type identityref {
      base acl:acl-base;
    }
    description
      "This type is used to refer to an Access Control List
      (ACL) type";
  }
  typedef access-control-list-ref {
    type leafref {
      path "/access-lists/acl/acl-name";
    }
    description
      "This type is used by data models that need to reference an
      Access Control List";
  }
  container access-lists {
    description
      "This is a top level container for Access Control Lists.
      It can have one or more Access Control Lists.";
    list acl {
      key "acl-type acl-name";
      description
        "An Access Control List(ACL) is an ordered list of
        Access List Entries (ACE). Each Access Control Entry has a
        list of match criteria and a list of actions.
        Since there are several kinds of Access Control Lists
        implemented with different attributes for
        different vendors, this
        model accommodates customizing Access Control Lists for
        each kind and for each vendor.";
      leaf acl-name {
        type string;
        description
          "The name of access-list. A device MAY restrict the length 
    	  and value of this name, possibly space and special 
    	  characters are not allowed.";
      }
      leaf acl-type {
        type acl-type;
        description
            "Type of access control list. Indicates the primary intended
            type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc)
            used in the list instance.";
      }
      container acl-oper-data {
        config false;
        description
          "Overall Access Control List operational data";
      }
      container access-list-entries {
        description
          "The access-list-entries container contains
          a list of access-list-entries(ACE).";
        list ace {
          key "rule-name";
          ordered-by user;
          description
            "List of access list entries(ACE)";
          leaf rule-name {
            type string;
            description
              "A unique name identifying this Access List
              Entry(ACE).";
          }
          container matches {
            description
              "Definitions for match criteria for this Access List
        Entry.";
            choice ace-type {
              description
                "Type of access list entry.";
              case ace-ip {
                      description "IP Access List Entry.";
                choice ace-ip-version {
                  description
                    "IP version used in this Access List Entry.";
                  case ace-ipv4 {
                    uses packet-fields:acl-ipv4-header-fields;
                  }
                  case ace-ipv6 {
                    uses packet-fields:acl-ipv6-header-fields;
                  }
                }
                uses packet-fields:acl-ip-header-fields;
              }
              case ace-eth {
                description
                  "Ethernet Access List entry.";
                uses packet-fields:acl-eth-header-fields;
              }
            }
          }
          container actions {
            description
              "Definitions of action criteria for this Access List
        Entry.";
            choice packet-handling {
              default "deny";
              description
                "Packet handling action.";
              case deny {
                leaf deny {
                  type empty;
                  description
                    "Deny action.";
                }
              }
              case permit {
                leaf permit {
                  type empty;
                  description
                    "Permit action.";
                }
              }
            }
          }
          container ace-oper-data {
            config false;
            description
              "Operational data for this Access List Entry.";
            leaf match-counter {
              type yang:counter64;
              description
                "Number of matches for this Access List Entry";
            }
          }
        }
      }
    }
  }
}