summaryrefslogtreecommitdiffstats
path: root/v3po/api
diff options
context:
space:
mode:
authorMarek Gradzki <mgradzki@cisco.com>2016-10-07 15:26:06 +0200
committerMarek Gradzki <mgradzki@cisco.com>2016-10-10 13:02:31 +0000
commit736fddd689494df2d9cd35f7b7eeb88975620537 (patch)
tree07b6837cac44beefa19d68e4e6c0997f2e587663 /v3po/api
parente5693ace363047a353e76a46854bb69d4f47f1f9 (diff)
HONEYCOMB-246: allow mixing deny/permit rules
- adds classify table on the end of each of the 3 chains to enforce ordering - updates v3po.yang with default-action leaf - updates postman collection Change-Id: If54abec1a6516eaf87aae0e5da9382a6e5dee1f3 Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'v3po/api')
-rw-r--r--v3po/api/src/main/yang/v3po.yang22
1 files changed, 17 insertions, 5 deletions
diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang
index 69e2f73b3..3e981c3ff 100644
--- a/v3po/api/src/main/yang/v3po.yang
+++ b/v3po/api/src/main/yang/v3po.yang
@@ -7,7 +7,7 @@ module v3po {
description
"This revision adds the following new features:
- ingress/egress ACLs support
- - interface-mode type as a part of ietf-acl configuration";
+ - default-action and interface-mode type as a part of ietf-acl configuration";
}
revision "2015-01-05" {
@@ -464,10 +464,10 @@ module v3po {
container access-lists {
description
"Defines references to ietf-acl lists. Before assignment to interface,
- ACL lists are merged into 3 type of acls (eth0, ip4 and ip6) that are supported by vpp.
- Then corresponding tables and sessions are created and assigned to the interface.
-
- All ACEs for all assigned ACLs have to use the same packet-handling action (either deny or parmit).
+ ACL lists are merged into 3 type of acls (l2, ip4 and ip6) that are supported by vpp.
+ Then 3 corresponding chains of tables and sessions are created and assigned to the interface
+ as l2, ip4 and ip6 classify table chains.
+ User ordering is preserved in each group separately.
Assignment update/delete removes all created tables and sessions and repeats process described above.
Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
@@ -484,6 +484,7 @@ module v3po {
- vlan tags are supported only for sub-interfaces defined as exact-match";
list acl {
key "type name";
+ ordered-by user;
leaf type {
type acl:acl-type;
@@ -494,6 +495,17 @@ module v3po {
}
}
+ leaf default-action {
+ type enumeration {
+ enum "deny";
+ enum "permit";
+ }
+ default "deny";
+ description
+ "Default action applied to packet that does not match any of rules defined in assigned ACLs.
+ It is translated to single classify table and applied at the end of assigned chains.";
+ }
+
leaf mode {
type interface-mode;
default l3;