author | Marek Gradzki <mgradzki@cisco.com> | 2016-10-04 13:08:51 +0200 |
---|---|---|
committer | Marek Gradzki <mgradzki@cisco.com> | 2016-10-05 11:54:27 +0000 |
commit | cf15cfe3593ec4c02cdb1121649bf95d19814e0c (patch) | |
tree | 5f1efd684679d725eaee116746540262d43536f1 /v3po/api/src | |
parent | 5d1054b26f144948be321f30204b4b2a7cbbc03e (diff) |
HONEYCOMB-238: provide interface mode as a part of ietf-acl configuration
- L2 only rules for L3 interfaces are not allowed by vpp
- describes other limitations of ietf-acl model implementation
Change-Id: If7e79e4bbfe3113b82e3411d9a951c409799a29f
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'v3po/api/src')
-rw-r--r-- | v3po/api/src/main/yang/v3po.yang | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang
index 96844b885..f17ee9ae1 100644
--- a/v3po/api/src/main/yang/v3po.yang
+++ b/v3po/api/src/main/yang/v3po.yang
@@ -130,6 +130,13 @@ module v3po {
 }
 }
+ typedef interface-mode {
+ type enumeration {
+ enum "l2";
+ enum "l3";
+ }
+ }
+
 grouping bridge-domain-attributes {
 leaf flood {
 type boolean;
@@ -453,11 +460,21 @@ module v3po {
 ACL lists are merged into 3 type of acls (eth0, ip4 and ip6) that are supported by vpp. Then corresponding tables and sessions are created and assigned to the interface.
+ All ACEs for all assigned ACLs have to use the same packet-handling action (either deny or parmit).
+
 Assignment update/delete removes all created tables and sessions and repeats process described above. Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). Read is supported only for acls that were created and assigned by Honeycomb agent
- (corresponding metadata are present).";
+ (corresponding metadata are present).
+
+ Limitations (due to vpp limitations):
+ - egress rules are currently ignored (HONEYCOMB-234)
+ - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218)
+ - mixing L2/L3/L4 rules is currently not supported (limited support will by provided by HONEYCOMB-233)
+ - L2 only rules on L3 interfaces are not supported (not allowed by vpp,
+ in the future defining L2/L3 pairs should be partially supported)
+ - vlan tags are supported only for sub-interfaces defined as exact-match";
 list acl {
 key "type name";
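Review bot: The new `typedef interface-mode` and both of its enums carry no `description` statement, so a reader of the typedef alone cannot tell what `l2` and `l3` select; the semantics are only given on the `leaf mode` in the hunk at @@ -469. I would add `description "Interface mode that selects how ACLs are translated: l2 for bridge/interconnection interfaces, l3 otherwise.";` inside the typedef, plus a one-line description on each enum. The enclosing module body continues outside the hunk.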
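Review bot: The added description text has spelling errors that will end up in the generated model documentation: `(either deny or parmit)` should read `(either deny or permit)`, and `will by provided` appears twice (the HONEYCOMB-218 and HONEYCOMB-233 bullets) where `will be provided` is meant. The same-action sentence is also the only place that constraint is stated; if the agent rejects an assignment whose ACEs mix deny and permit, it would help operators to say so there (e.g. `Assignments violating this are rejected.`), since the text as written leaves open whether such a write fails or installs a partial policy. Only the inside of a description string changes here; the enclosing container starts and ends outside the hunk.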
@@ -469,6 +486,20 @@ module v3po {
 type acl:access-control-list-ref;
 }
 }
+
+ leaf mode {
+ type interface-mode;
+ default l3;
+ description
+ "The way ACLs are translated depends on the interface mode.
+ In case of L2 interfaces (bridge/interconnection)
+ classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically
+ added in case of L3 rules).
+ In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables.
+
+ It is the user responsibility to choose mode that matches target interface.
+ ";
+ }
 }
 } |
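Review bot: `default l3;` means an assignment that omits `mode` on an L2 (bridge/interconnection) interface is translated as ip4/ip6 classify tables instead of an l2_table, and the description only says it is the user's responsibility to pick the matching mode; nothing in the model or the text states that a mismatch is detected, so an ACL can end up attached in a form that does not filter the traffic the operator intended. The description in the hunk at @@ -453 says vpp rejects L2-only rules on L3 interfaces but is silent about the reverse case, so the wrong default on an L2 interface presumably goes unreported. I would either make the leaf `mandatory true;` (at the cost of invalidating existing assignments that predate the leaf) or have the write validated against the interface's actual L2/L3 configuration and rejected with an explicit error when they disagree, and say so in the description, e.g. `Assignment is rejected if the mode does not match the interface configuration.`. The enclosing container starts outside the hunk.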