author | Marek Gradzki <mgradzki@cisco.com> | 2016-10-07 15:26:06 +0200 |
---|---|---|
committer | Marek Gradzki <mgradzki@cisco.com> | 2016-10-10 13:02:31 +0000 |
commit | 736fddd689494df2d9cd35f7b7eeb88975620537 (patch) | |
tree | 07b6837cac44beefa19d68e4e6c0997f2e587663 /v3po/api | |
parent | e5693ace363047a353e76a46854bb69d4f47f1f9 (diff) |
HONEYCOMB-246: allow mixing deny/permit rules
- adds a classify table at the end of each of the 3 chains to enforce ordering
- updates v3po.yang with default-action leaf
- updates postman collection
Change-Id: If54abec1a6516eaf87aae0e5da9382a6e5dee1f3
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'v3po/api')
-rw-r--r-- | v3po/api/src/main/yang/v3po.yang | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang
index 69e2f73b3..3e981c3ff 100644
--- a/v3po/api/src/main/yang/v3po.yang
+++ b/v3po/api/src/main/yang/v3po.yang
@@ -7,7 +7,7 @@ module v3po {
 description
 "This revision adds the following new features:
 - ingress/egress ACLs support
- - interface-mode type as a part of ietf-acl configuration";
+ - default-action and interface-mode type as a part of ietf-acl configuration";
 }
 revision "2015-01-05" {
@@ -464,10 +464,10 @@ module v3po {
 container access-lists {
 description
 "Defines references to ietf-acl lists. Before assignment to interface,
- ACL lists are merged into 3 type of acls (eth0, ip4 and ip6) that are supported by vpp.
- Then corresponding tables and sessions are created and assigned to the interface.
-
- All ACEs for all assigned ACLs have to use the same packet-handling action (either deny or parmit).
+ ACL lists are merged into 3 type of acls (l2, ip4 and ip6) that are supported by vpp.
+ Then 3 corresponding chains of tables and sessions are created and assigned to the interface
+ as l2, ip4 and ip6 classify table chains.
+ User ordering is preserved in each group separately.
 Assignment update/delete removes all created tables and sessions and repeats process described above.
 Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
@@ -484,6 +484,7 @@ module v3po {
 - vlan tags are supported only for sub-interfaces defined as exact-match";
 list acl {
 key "type name";
+ ordered-by user;
 leaf type {
 type acl:acl-type;
@@ -494,6 +495,17 @@ module v3po {
 }
 }
+ leaf default-action {
+ type enumeration {
+ enum "deny";
+ enum "permit";
+ }
+ default "deny";
+ description
+ "Default action applied to packet that does not match any of rules defined in assigned ACLs.
+ It is translated to single classify table and applied at the end of assigned chains.";
+ }
+
 leaf mode {
 type interface-mode;
 default l3;
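Review bot: The first hunk edits the description of an existing `revision` block in place instead of adding a new revision statement, so a consumer holding the previous copy of the module cannot see from the revision history that `default-action` and `ordered-by user` were introduced. If that revision has already been published, YANG module-update practice (RFC 7950 section 11) expects a new `revision` entry with the current date whose description lists the added `default-action` leaf and the new `ordered-by user` on `list acl`; if it is still unpublished, amending it is fine. The revision's date line lies outside the hunk, so which case applies cannot be told from this diff.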
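Review bot: The new `default-action` description in the last hunk leaves open whether the deny/permit classify table is appended to each of the l2, ip4 and ip6 chains separately or only once after all three, which decides whether a packet matching no l2 rule still reaches the ip4/ip6 chains before the default applies; since the `access-lists` description in the second hunk now says ordering is preserved "in each group separately", the chain-to-chain behaviour should be stated explicitly. I would extend the description with a sentence along the lines of `The default-action table is added to every assigned chain (l2, ip4, ip6) separately; a packet that reaches the end of a chain without a match is handled by that chain's default-action table.` — adjusted to whatever the VPP translation actually does, which this diff does not show. The wording of both descriptions could also be tightened: `3 type of acls` → `3 types of ACLs`, and `applied to packet that does not match any of rules` → `applied to packets that do not match any of the rules`. The enclosing `container access-lists` starts before the second hunk and ends after the last one.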