From 11e154ab3e09464086cad06376a5da25430cf48b Mon Sep 17 00:00:00 2001 From: Marek Gradzki Date: Mon, 10 Oct 2016 13:18:01 +0200 Subject: Move interface acls to separate yang module Change-Id: Ia11eacababd62f719e23af5b64b19c5227d56a45 Signed-off-by: Marek Gradzki --- v3po/api/src/main/yang/v3po.yang | 122 +++-------------------------------- v3po/api/src/main/yang/vpp-acl.yang | 116 +++++++++++++++++++++++++++++++++ v3po/api/src/main/yang/vpp-vlan.yang | 11 ++-- 3 files changed, 133 insertions(+), 116 deletions(-) create mode 100644 v3po/api/src/main/yang/vpp-acl.yang (limited to 'v3po/api/src/main') diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang index 3e981c3ff..b2d0a74ed 100644 --- a/v3po/api/src/main/yang/v3po.yang +++ b/v3po/api/src/main/yang/v3po.yang @@ -32,11 +32,8 @@ module v3po { import yang-ext { prefix "ext"; } - import vpp-classifier { - prefix "vpp-classifier"; - } - import ietf-access-control-list { - prefix "acl"; + import vpp-acl { + prefix "vpp-acl"; } typedef bridge-domain-ref { @@ -137,13 +134,6 @@ module v3po { } } - typedef interface-mode { - type enumeration { - enum "l2"; - enum "l3"; - } - } - grouping bridge-domain-attributes { leaf flood { type boolean; 
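Review bot: Dropping `typedef interface-mode` from `v3po` (together with the two ACL groupings removed in the later hunks) is a backward-incompatible change to that module's exported definitions — any module importing `v3po` and referring to `v3po:interface-mode` stops compiling — yet no new `revision` statement for `v3po` appears anywhere in this diff (the module's revision block lies outside the visible hunks, so it may have been bumped separately). Because the typedef is re-created verbatim in `vpp-acl`, a compatible path is to leave a deprecated alias behind, `typedef interface-mode { type vpp-acl:interface-mode; status deprecated; }`, so external consumers get a warning instead of a hard break. At minimum, record the change with a revision entry such as `revision "2016-10-10" { description "Moved interface-mode and the ACL groupings to vpp-acl."; }`. The enclosing module body continues outside this hunk.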
@@ -430,98 +420,6 @@ module v3po { } } - grouping acl-base-attributes { - description - "Defines references to classify tables. - At least one table reference should be specified."; - container l2-acl { - leaf classify-table { - type vpp-classifier:classify-table-ref; - description - "An L2 ACL table"; - } - } - container ip4-acl { - leaf classify-table { - type vpp-classifier:classify-table-ref; - description - "An IPv4 ACL table"; - } - } - container ip6-acl { - leaf classify-table { - type vpp-classifier:classify-table-ref; - description - "An IPv6 ACL table"; - } - } - } - - grouping ietf-acl-base-attributes { - description - "Provides limited support for ietf-acl model."; - - container access-lists { - description - "Defines references to ietf-acl lists. Before assignment to interface, - ACL lists are merged into 3 type of acls (l2, ip4 and ip6) that are supported by vpp. - Then 3 corresponding chains of tables and sessions are created and assigned to the interface - as l2, ip4 and ip6 classify table chains. - User ordering is preserved in each group separately. - - Assignment update/delete removes all created tables and sessions and repeats process described above. - Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). - - Read is supported only for acls that were created and assigned by Honeycomb agent - (corresponding metadata are present). 
- - Limitations (due to vpp limitations): - - egress rules are currently ignored (HONEYCOMB-234) - - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218) - - mixing L2/L3/L4 rules is currently not supported (limited support will by provided by HONEYCOMB-233) - - L2 only rules on L3 interfaces are not supported (not allowed by vpp, - in the future defining L2/L3 pairs should be partially supported) - - vlan tags are supported only for sub-interfaces defined as exact-match"; - list acl { - key "type name"; - ordered-by user; - - leaf type { - type acl:acl-type; - } - - leaf name { - type acl:access-control-list-ref; - } - } - - leaf default-action { - type enumeration { - enum "deny"; - enum "permit"; - } - default "deny"; - description - "Default action applied to packet that does not match any of rules defined in assigned ACLs. - It is translated to single classify table and applied at the end of assigned chains."; - } - - leaf mode { - type interface-mode; - default l3; - description - "The way ACLs are translated depends on the interface mode. - In case of L2 interfaces (bridge/interconnection) - classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically - added in case of L3 rules). - In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables. - - It is the user responsibility to choose mode that matches target interface. - "; - } - } - } - augment /if:interfaces/if:interface { ext:augment-identifier "vpp-interface-augmentation"; @@ -582,19 +480,19 @@ module v3po { container acl { container ingress { - uses acl-base-attributes; + uses vpp-acl:acl-base-attributes; } container egress { - uses acl-base-attributes; + uses vpp-acl:acl-base-attributes; } } container ietf-acl { container ingress { - uses ietf-acl-base-attributes; + uses vpp-acl:ietf-acl-base-attributes; } container egress { - uses ietf-acl-base-attributes; + uses vpp-acl:ietf-acl-base-attributes; } } } 
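Review bot: The `egress` container under `ietf-acl` keeps `uses vpp-acl:ietf-acl-base-attributes`, yet that grouping's own description states that egress rules are currently ignored (HONEYCOMB-234); if that refers to this container, an operator can commit an egress ACL assignment that validates cleanly but filters nothing — a fail-open policy gap rather than a rejected configuration. Until egress support lands, the container should refuse the assignment so the data store never claims a policy VPP does not enforce, e.g. `container egress { must "not(access-lists/acl)" { error-message "Egress ACL assignment is not supported (HONEYCOMB-234)"; } uses vpp-acl:ietf-acl-base-attributes; }`. The `augment /if:interfaces/if:interface` block this hunk sits in starts before the hunk.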
@@ -672,19 +570,19 @@ module v3po { container acl { container ingress { - uses acl-base-attributes; + uses vpp-acl:acl-base-attributes; } container egress { - uses acl-base-attributes; + uses vpp-acl:acl-base-attributes; } } container ietf-acl { container ingress { - uses ietf-acl-base-attributes; + uses vpp-acl:ietf-acl-base-attributes; } container egress { - uses ietf-acl-base-attributes; + uses vpp-acl:ietf-acl-base-attributes; } } } diff --git a/v3po/api/src/main/yang/vpp-acl.yang b/v3po/api/src/main/yang/vpp-acl.yang new file mode 100644 index 000000000..986d2eee3 --- /dev/null +++ b/v3po/api/src/main/yang/vpp-acl.yang 
@@ -0,0 +1,116 @@ +module vpp-acl { + yang-version 1; + namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl"; + prefix "vpp-acl"; + + revision "2016-12-14" { + description + "Initial revision of vpp-acl model."; + } + + import ietf-access-control-list { + prefix "acl"; + } + + import vpp-classifier { + prefix "vpp-classifier"; + } + + typedef interface-mode { + type enumeration { + enum "l2"; + enum "l3"; + } + } + grouping acl-base-attributes { + description + "Defines references to classify tables. + At least one table reference should be specified."; + container l2-acl { + leaf classify-table { + type vpp-classifier:classify-table-ref; + description + "An L2 ACL table"; + } + } + container ip4-acl { + leaf classify-table { + type vpp-classifier:classify-table-ref; + description + "An IPv4 ACL table"; + } + } + container ip6-acl { + leaf classify-table { + type vpp-classifier:classify-table-ref; + description + "An IPv6 ACL table"; + } + } + } + + grouping ietf-acl-base-attributes { + description + "Provides limited support for ietf-acl model."; + + container access-lists { + description + "Defines references to ietf-acl lists. Before assignment to interface, + ACL lists are merged into 3 type of acls (l2, ip4 and ip6) that are supported by vpp. + Then 3 corresponding chains of tables and sessions are created and assigned to the interface + as l2, ip4 and ip6 classify table chains. + User ordering is preserved in each group separately. + + Assignment update/delete removes all created tables and sessions and repeats process described above. + Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). + + Read is supported only for acls that were created and assigned by Honeycomb agent + (corresponding metadata are present). 
+ + Limitations (due to vpp limitations): + - egress rules are currently ignored (HONEYCOMB-234) + - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218) + - mixing L2/L3/L4 rules is currently not supported (limited support will by provided by HONEYCOMB-233) + - L2 only rules on L3 interfaces are not supported (not allowed by vpp, + in the future defining L2/L3 pairs should be partially supported) + - vlan tags are supported only for sub-interfaces defined as exact-match"; + list acl { + key "type name"; + ordered-by user; + + leaf type { + type acl:acl-type; + } + + leaf name { + type acl:access-control-list-ref; + } + } + + leaf default-action { + type enumeration { + enum "deny"; + enum "permit"; + } + default "deny"; + description + "Default action applied to packet that does not match any of rules defined in assigned ACLs. + It is translated to single classify table and applied at the end of assigned chains."; + } + + leaf mode { + type interface-mode; + default l3; + description + "The way ACLs are translated depends on the interface mode. + In case of L2 interfaces (bridge/interconnection) + classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically + added in case of L3 rules). + In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables. + + It is the user responsibility to choose mode that matches target interface. + "; + } + } + } +} \ No newline at end of file diff --git a/v3po/api/src/main/yang/vpp-vlan.yang b/v3po/api/src/main/yang/vpp-vlan.yang index ffe009a2a..cd3d320ee 100644 --- a/v3po/api/src/main/yang/vpp-vlan.yang +++ b/v3po/api/src/main/yang/vpp-vlan.yang @@ -33,6 +33,9 @@ module vpp-vlan { import v3po { prefix v3po; } + import vpp-acl { + prefix vpp-acl; + } typedef sub-interface-status { type enumeration { 
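Review bot: The new `vpp-acl` module carries only a `revision` statement — there is no `organization`, `contact` or module-level `description`, and no license header, which a published YANG module is normally expected to have (whether the repository's other modules carry a license header is not visible here). The revision date `2016-12-14` also postdates the commit's own date of 10 Oct 2016 and is worth double-checking. The copied descriptions keep two typos — `will by provided` should read `will be provided` (twice) and `3 type of acls` should read `3 types of acls` — and the file ends without a trailing newline.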
@@ -167,19 +170,19 @@ module vpp-vlan { container acl { container ingress { - uses v3po:acl-base-attributes; + uses vpp-acl:acl-base-attributes; } container egress { - uses v3po:acl-base-attributes; + uses vpp-acl:acl-base-attributes; } } container ietf-acl { container ingress { - uses v3po:ietf-acl-base-attributes; + uses vpp-acl:ietf-acl-base-attributes; } container egress { - uses v3po:ietf-acl-base-attributes; + uses vpp-acl:ietf-acl-base-attributes; } } } -- cgit 1.2.3-korg
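Review bot: After this hunk the only `v3po:` references visible in vpp-vlan are gone, while the earlier hunk keeps `import v3po { prefix v3po; }`; if nothing else in the module (not visible here) still uses that prefix, the import is now unused and pyang will warn about it — either drop it or confirm a remaining use. The sub-interface `egress` containers here inherit the same caveat as in v3po: the `ietf-acl-base-attributes` description says egress rules are currently ignored, so an egress assignment on a sub-interface validates but may not be enforced. The enclosing sub-interface list begins before this hunk.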