From 736fddd689494df2d9cd35f7b7eeb88975620537 Mon Sep 17 00:00:00 2001
From: Marek Gradzki
Date: Fri, 7 Oct 2016 15:26:06 +0200
Subject: HONEYCOMB-246: allow mixing deny/permit rules

- adds classify table on the end of each of the 3 chains to enforce ordering
- updates v3po.yang with default-action leaf
- updates postman collection

Change-Id: If54abec1a6516eaf87aae0e5da9382a6e5dee1f3
Signed-off-by: Marek Gradzki
---
 v3po/api/src/main/yang/v3po.yang | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

(limited to 'v3po/api/src/main')

diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang
index 69e2f73b3..3e981c3ff 100644
--- a/v3po/api/src/main/yang/v3po.yang
+++ b/v3po/api/src/main/yang/v3po.yang
@@ -7,7 +7,7 @@ module v3po {
 description
 "This revision adds the following new features:
 - ingress/egress ACLs support
- - interface-mode type as a part of ietf-acl configuration";
+ - default-action and interface-mode type as a part of ietf-acl configuration";
 }
 
 revision "2015-01-05" {
@@ -464,10 +464,10 @@ module v3po {
 container access-lists {
 description
 "Defines references to ietf-acl lists. Before assignment to interface,
- ACL lists are merged into 3 type of acls (eth0, ip4 and ip6) that are supported by vpp.
- Then corresponding tables and sessions are created and assigned to the interface.
-
- All ACEs for all assigned ACLs have to use the same packet-handling action (either deny or parmit).
+ ACL lists are merged into 3 type of acls (l2, ip4 and ip6) that are supported by vpp.
+ Then 3 corresponding chains of tables and sessions are created and assigned to the interface
+ as l2, ip4 and ip6 classify table chains.
+ User ordering is preserved in each group separately.
 
 Assignment update/delete removes all created tables and sessions and repeats process described above.
 Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
@@ -484,6 +484,7 @@ module v3po {
 - vlan tags are supported only for sub-interfaces defined as exact-match";
 list acl {
 key "type name";
+ ordered-by user;
 
 leaf type {
 type acl:acl-type;
@@ -494,6 +495,17 @@ module v3po {
 }
 }
 
+ leaf default-action {
+ type enumeration {
+ enum "deny";
+ enum "permit";
+ }
+ default "deny";
+ description
+ "Default action applied to packet that does not match any of rules defined in assigned ACLs.
+ It is translated to single classify table and applied at the end of assigned chains.";
+ }
+
 leaf mode {
 type interface-mode;
 default l3;
-- 
cgit 1.2.3-korg
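Review bot: The `default-action` description in the last hunk never states the match semantics that mixing deny and permit ACEs now requires: `ordered-by user` on `list acl` in the previous hunk suggests first-match-wins in user order, but nothing here says so, and a reader cannot tell whether the default is reached per chain (l2, ip4, ip6) or once for the interface. I would make the description say, for example, `"Action for a packet that matches no ACE of the assigned ACLs; ACEs are evaluated in user order and the first match wins. Defaults to deny, so an unmatched packet is dropped."`, adjusted to whatever the chains actually do. Defaulting to `deny` is the right fail-closed choice, but if deny-only assignments previously let unmatched traffic through (the old miss behaviour is not visible in this diff), existing configurations change effect on upgrade, which deserves a sentence in the revision description rather than only the feature bullet. The enclosing `container access-lists` is opened in an earlier hunk and closed outside this one.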