From a2ead5e4781ed729e3e6968b83bd4ec76cfc67aa Mon Sep 17 00:00:00 2001 From: Marek Gradzki Date: Mon, 15 Aug 2016 15:03:10 +0200 Subject: HONEYCOMB-139: yang model for ietf-acl draft revision 8 Change-Id: I9250e07f3811036f483959aa841897380bcb7669 Signed-off-by: Marek Gradzki --- .../src/main/yang/ietf-access-control-list.yang | 208 +++++++++++++++++++++ v3po/api/src/main/yang/ietf-packet-fields.yang | 180 ++++++++++++++++++ v3po/api/src/main/yang/v3po.yang | 36 ++++ v3po/api/src/main/yang/vpp-vlan.yang | 4 + 4 files changed, 428 insertions(+) create mode 100644 v3po/api/src/main/yang/ietf-access-control-list.yang create mode 100644 v3po/api/src/main/yang/ietf-packet-fields.yang (limited to 'v3po') diff --git a/v3po/api/src/main/yang/ietf-access-control-list.yang b/v3po/api/src/main/yang/ietf-access-control-list.yang new file mode 100644 index 000000000..3083ee2a0 --- /dev/null +++ b/v3po/api/src/main/yang/ietf-access-control-list.yang @@ -0,0 +1,208 @@ +module ietf-access-control-list { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; + prefix acl; + import ietf-yang-types { + prefix yang; + } + import ietf-packet-fields { + prefix packet-fields; + } + organization "IETF NETMOD (NETCONF Data Modeling Language) + Working Group"; + contact + "WG Web: http://tools.ietf.org/wg/netmod/ + WG List: netmod@ietf.org + WG Chair: Juergen Schoenwaelder + j.schoenwaelder@jacobs-university.de + WG Chair: Tom Nadeau + tnadeau@lucidvision.com + Editor: Dean Bogdanovic + ivandean@gmail.com + Editor: Kiran Agrahara Sreenivasa + kkoushik@cisco.com + Editor: Lisa Huang + lyihuang16@gmail.com + Editor: Dana Blair + dblair@cisco.com"; + description + "This YANG module defines a component that describing the + configuration of Access Control Lists (ACLs). + Copyright (c) 2015 IETF Trust and the persons identified as + the document authors. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + revision 2016-07-08 { + description + "Base model for Network Access Control List (ACL)."; + reference + "RFC XXXX: Network Access Control List (ACL) + YANG Data Model"; + } + identity acl-base { + description + "Base Access Control List type for all Access Control List type + identifiers."; + } + identity ipv4-acl { + base acl:acl-base; + description + "ACL that primarily matches on fields from the IPv4 header + (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP + destination port). An acl of type ipv4-acl does not contain + matches on fields in the ethernet header or the IPv6 header."; + } + identity ipv6-acl { + base acl:acl-base; + description + "ACL that primarily matches on fields from the IPv6 header + (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP + destination port). An acl of type ipv6-acl does not contain + matches on fields in the ethernet header or the IPv4 header."; + } + identity eth-acl { + base acl:acl-base; + description + "ACL that primarily matches on fields in the ethernet header, + like 10/100/1000baseT or WiFi Access Control List. An acl of + type eth-acl does not contain matches on fields in the IPv4 + header, IPv6 header or layer 4 headers."; + } + typedef acl-type { + type identityref { + base acl:acl-base; + } + description + "This type is used to refer to an Access Control List + (ACL) type"; + } + typedef access-control-list-ref { + type leafref { + path "/access-lists/acl/acl-name"; + } + description + "This type is used by data models that need to reference an + Access Control List"; + } + container access-lists { + description + "This is a top level container for Access Control Lists. + It can have one or more Access Control Lists."; + list acl { + key "acl-type acl-name"; + description + "An Access Control List(ACL) is an ordered list of + Access List Entries (ACE). Each Access Control Entry has a + list of match criteria and a list of actions. + Since there are several kinds of Access Control Lists + implemented with different attributes for + different vendors, this + model accommodates customizing Access Control Lists for + each kind and for each vendor."; + leaf acl-name { + type string; + description + "The name of access-list. A device MAY restrict the length + and value of this name, possibly space and special + characters are not allowed."; + } + leaf acl-type { + type acl-type; + description + "Type of access control list. Indicates the primary intended + type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc) + used in the list instance."; + } + container acl-oper-data { + config false; + description + "Overall Access Control List operational data"; + } + container access-list-entries { + description + "The access-list-entries container contains + a list of access-list-entries(ACE)."; + list ace { + key "rule-name"; + ordered-by user; + description + "List of access list entries(ACE)"; + leaf rule-name { + type string; + description + "A unique name identifying this Access List + Entry(ACE)."; + } + container matches { + description + "Definitions for match criteria for this Access List + Entry."; + choice ace-type { + description + "Type of access list entry."; + case ace-ip { + description "IP Access List Entry."; + choice ace-ip-version { + description + "IP version used in this Access List Entry."; + case ace-ipv4 { + uses packet-fields:acl-ipv4-header-fields; + } + case ace-ipv6 { + uses packet-fields:acl-ipv6-header-fields; + } + } + uses packet-fields:acl-ip-header-fields; + } + case ace-eth { + description + "Ethernet Access List entry."; + uses packet-fields:acl-eth-header-fields; + } + } + } + container actions { + description + "Definitions of action criteria for this Access List + Entry."; + choice packet-handling { + default "deny"; + description + "Packet handling action."; + case deny { + leaf deny { + type empty; + description + "Deny action."; + } + } + case permit { + leaf permit { + type empty; + description + "Permit action."; + } + } + } + } + container ace-oper-data { + config false; + description + "Operational data for this Access List Entry."; + leaf match-counter { + type yang:counter64; + description + "Number of matches for this Access List Entry"; + } + } + } + } + } + } +} diff --git a/v3po/api/src/main/yang/ietf-packet-fields.yang b/v3po/api/src/main/yang/ietf-packet-fields.yang new file mode 100644 index 000000000..0b1ce5cdd --- /dev/null +++ b/v3po/api/src/main/yang/ietf-packet-fields.yang @@ -0,0 +1,180 @@ +module ietf-packet-fields { + yang-version 1.1; + namespace "urn:ietf:params:xml:ns:yang:ietf-packet-fields"; + prefix packet-fields; + import ietf-inet-types { + prefix inet; + } + import ietf-yang-types { + prefix yang; + } + organization "IETF NETMOD (NETCONF Data Modeling Language) Working + Group"; + contact + "WG Web: http://tools.ietf.org/wg/netmod/ + WG List: netmod@ietf.org + WG Chair: Juergen Schoenwaelder + j.schoenwaelder@jacobs-university.de + WG Chair: Tom Nadeau + tnadeau@lucidvision.com + Editor: Dean Bogdanovic + deanb@juniper.net + Editor: Kiran Agrahara Sreenivasa + kkoushik@cisco.com + Editor: Lisa Huang + lyihuang16@gmail.com + Editor: Dana Blair + dblair@cisco.com"; + description + "This YANG module defines groupings that are used by + ietf-access-control-list YANG module. Their usage is not + limited to ietf-access-control-list and can be + used anywhere as applicable. + Copyright (c) 2015 IETF Trust and the persons identified as + the document authors. All rights reserved. + Redistribution and use in source and binary forms, with or + without modification, is permitted pursuant to, and subject + to the license terms contained in, the Simplified BSD + License set forth in Section 4.c of the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info). + This version of this YANG module is part of RFC XXXX; see + the RFC itself for full legal notices."; + revision 2016-07-08 { + description + "Initial version of packet fields used by + ietf-access-control-list"; + reference + "RFC XXXX: Network Access Control List (ACL) + YANG Data Model"; + } + grouping acl-transport-header-fields { + description + "Transport header fields"; + container source-port-range { + presence "Enables setting source port range"; + description + "Inclusive range representing source ports to be used. + When only lower-port is present, it represents a single port."; + leaf lower-port { + type inet:port-number; + mandatory true; + description + "Lower boundary for port."; + } + leaf upper-port { + type inet:port-number; + must ". >= ../lower-port" { + error-message + "The upper-port must be greater than or equal to lower-port"; + } + description + "Upper boundary for port . If existing, the upper port + must be greater or equal to lower-port."; + } + } + container destination-port-range { + presence "Enables setting destination port range"; + description + "Inclusive range representing destination ports to be used. When + only lower-port is present, it represents a single port."; + leaf lower-port { + type inet:port-number; + mandatory true; + description + "Lower boundary for port."; + } + leaf upper-port { + type inet:port-number; + must ". >= ../lower-port" { + error-message + "The upper-port must be greater than or equal to lower-port"; + } + + description + "Upper boundary for port. If existing, the upper port must + be greater or equal to lower-port"; + } + } + } + grouping acl-ip-header-fields { + description + "IP header fields common to ipv4 and ipv6"; + leaf dscp { + type inet:dscp; + description + "Value of dscp."; + } + leaf protocol { + type uint8; + description + "Internet Protocol number."; + } + uses acl-transport-header-fields; + } + grouping acl-ipv4-header-fields { + description + "Fields in IPv4 header."; + leaf destination-ipv4-network { + type inet:ipv4-prefix; + description + "Destination IPv4 address prefix."; + } + leaf source-ipv4-network { + type inet:ipv4-prefix; + description + "Source IPv4 address prefix."; + } + } + grouping acl-ipv6-header-fields { + description + "Fields in IPv6 header"; + leaf destination-ipv6-network { + type inet:ipv6-prefix; + description + "Destination IPv6 address prefix."; + } + leaf source-ipv6-network { + type inet:ipv6-prefix; + description + "Source IPv6 address prefix."; + } + leaf flow-label { + type inet:ipv6-flow-label; + description + "IPv6 Flow label."; + } + reference + "RFC 4291: IP Version 6 Addressing Architecture + RFC 4007: IPv6 Scoped Address Architecture + RFC 5952: A Recommendation for IPv6 Address Text Representation"; + } + grouping acl-eth-header-fields { + description + "Fields in Ethernet header."; + leaf destination-mac-address { + type yang:mac-address; + description + "Destination IEEE 802 MAC address."; + } + leaf destination-mac-address-mask { + type yang:mac-address; + description + "Destination IEEE 802 MAC address mask."; + } + leaf source-mac-address { + type yang:mac-address; + description + "Source IEEE 802 MAC address."; + } + leaf source-mac-address-mask { + type yang:mac-address; + description + "Source IEEE 802 MAC address mask."; + } + reference + "IEEE 802: IEEE Standard for Local and Metropolitan Area + Networks: Overview and Architecture."; + } + +} \ No newline at end of file diff --git a/v3po/api/src/main/yang/v3po.yang b/v3po/api/src/main/yang/v3po.yang index 9ef133979..e99da965c 100644 --- a/v3po/api/src/main/yang/v3po.yang +++ b/v3po/api/src/main/yang/v3po.yang @@ -28,6 +28,9 @@ module v3po { import vpp-classifier { prefix "vpp-classifier"; } + import ietf-access-control-list { + prefix "acl"; + } typedef bridge-domain-ref { type leafref { @@ -424,6 +427,31 @@ module v3po { } } + grouping ietf-acl-base-attributes { + description + "Provides limited support for ietf-acl model."; + + container access-lists { + description + "Defines references to ietf-acl lists. Before assignment to interface, + ACL lists are merged into 3 type of acls (eth0, ip4 and ip6) that are supported by vpp. + Then corresponding tables and sessions are created and assigned to the interface. + + Assignment update/delete removes all created tables and sessions and repeats process described above. + Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). + + Read is supported only for acls that were created and assigned by Honeycomb agent + (corresponding metadata are present)."; + list acl { + key "reference"; + + leaf reference { + type acl:access-control-list-ref; + } + } + } + } + augment /if:interfaces/if:interface { ext:augment-identifier "vpp-interface-augmentation"; @@ -481,6 +509,10 @@ module v3po { container acl { uses acl-base-attributes; } + + container ietf-acl { + uses ietf-acl-base-attributes; + } } container vpp { @@ -553,6 +585,10 @@ module v3po { container acl { uses acl-base-attributes; } + + container ietf-acl { + uses ietf-acl-base-attributes; + } } augment /if:interfaces-state/if:interface/if:statistics { diff --git a/v3po/api/src/main/yang/vpp-vlan.yang b/v3po/api/src/main/yang/vpp-vlan.yang index bd3f265ec..15c2af29a 100644 --- a/v3po/api/src/main/yang/vpp-vlan.yang +++ b/v3po/api/src/main/yang/vpp-vlan.yang @@ -162,6 +162,10 @@ module vpp-vlan { container acl { uses v3po:acl-base-attributes; } + + container ietf-acl { + uses v3po:ietf-acl-base-attributes; + } } grouping sub-interface-config-attributes { -- cgit 1.2.3-korg