module ietf-access-control-list { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; prefix acl; import ietf-yang-types { prefix yang; } import ietf-packet-fields { prefix packet-fields; } organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: http://tools.ietf.org/wg/netmod/ WG List: netmod@ietf.org WG Chair: Juergen Schoenwaelder j.schoenwaelder@jacobs-university.de WG Chair: Tom Nadeau tnadeau@lucidvision.com Editor: Dean Bogdanovic ivandean@gmail.com Editor: Kiran Agrahara Sreenivasa kkoushik@cisco.com Editor: Lisa Huang lyihuang16@gmail.com Editor: Dana Blair dblair@cisco.com"; description "This YANG module defines a component that describing the configuration of Access Control Lists (ACLs). Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision 2016-07-08 { description "Base model for Network Access Control List (ACL)."; reference "RFC XXXX: Network Access Control List (ACL) YANG Data Model"; } identity acl-base { description "Base Access Control List type for all Access Control List type identifiers."; } identity ipv4-acl { base acl:acl-base; description "ACL that primarily matches on fields from the IPv4 header (e.g. IPv4 destination address) and layer 4 headers (e.g. TCP destination port). An acl of type ipv4-acl does not contain matches on fields in the ethernet header or the IPv6 header."; } identity ipv6-acl { base acl:acl-base; description "ACL that primarily matches on fields from the IPv6 header (e.g. IPv6 destination address) and layer 4 headers (e.g. TCP destination port). An acl of type ipv6-acl does not contain matches on fields in the ethernet header or the IPv4 header."; } identity eth-acl { base acl:acl-base; description "ACL that primarily matches on fields in the ethernet header, like 10/100/1000baseT or WiFi Access Control List. An acl of type eth-acl does not contain matches on fields in the IPv4 header, IPv6 header or layer 4 headers."; } typedef acl-type { type identityref { base acl:acl-base; } description "This type is used to refer to an Access Control List (ACL) type"; } typedef access-control-list-ref { type leafref { path "/access-lists/acl/acl-name"; } description "This type is used by data models that need to reference an Access Control List"; } container access-lists { description "This is a top level container for Access Control Lists. It can have one or more Access Control Lists."; list acl { key "acl-type acl-name"; description "An Access Control List(ACL) is an ordered list of Access List Entries (ACE). Each Access Control Entry has a list of match criteria and a list of actions. Since there are several kinds of Access Control Lists implemented with different attributes for different vendors, this model accommodates customizing Access Control Lists for each kind and for each vendor."; leaf acl-name { type string; description "The name of access-list. A device MAY restrict the length and value of this name, possibly space and special characters are not allowed."; } leaf acl-type { type acl-type; description "Type of access control list. Indicates the primary intended type of match criteria (e.g. ethernet, IPv4, IPv6, mixed, etc) used in the list instance."; } container acl-oper-data { config false; description "Overall Access Control List operational data"; } container access-list-entries { description "The access-list-entries container contains a list of access-list-entries(ACE)."; list ace { key "rule-name"; ordered-by user; description "List of access list entries(ACE)"; leaf rule-name { type string; description "A unique name identifying this Access List Entry(ACE)."; } container matches { description "Definitions for match criteria for this Access List Entry."; choice ace-type { description "Type of access list entry."; case ace-ip { description "IP Access List Entry."; choice ace-ip-version { description "IP version used in this Access List Entry."; case ace-ipv4 { uses packet-fields:acl-ipv4-header-fields; } case ace-ipv6 { uses packet-fields:acl-ipv6-header-fields; } } uses packet-fields:acl-ip-header-fields; } case ace-eth { description "Ethernet Access List entry."; uses packet-fields:acl-eth-header-fields; } } } container actions { description "Definitions of action criteria for this Access List Entry."; choice packet-handling { default "deny"; description "Packet handling action."; case deny { leaf deny { type empty; description "Deny action."; } } case permit { leaf permit { type empty; description "Permit action."; } } } } container ace-oper-data { config false; description "Operational data for this Access List Entry."; leaf match-counter { type yang:counter64; description "Number of matches for this Access List Entry"; } } } } } } }