path: root/v3po/api/src/main/yang/vpp-acl.yang
module vpp-acl {
  yang-version 1;
  namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl";
  prefix "vpp-acl";

  revision "2016-12-14" {
    description
      "Initial revision of vpp-acl model.";
  }

  import ietf-access-control-list {
    prefix "acl";
  }

  import vpp-classifier {
    prefix "vpp-classifier";
  }

  import yang-ext {
    prefix "ext";
  }

  import ietf-packet-fields {
    prefix packet-fields;
  }

  // acl:acl-type value for ACLs whose entries combine L2/L3/L4 match fields
  // (see the ace-ip-and-eth augmentation at the end of this module).
  // NOTE(review): the ietf-acl-base-attributes description in this module states
  // that L4 rules and mixed L2/L3/L4 rules are currently not supported by the
  // translation, so confirm how the agent treats such entries before relying on
  // this identity for enforcement.
  identity mixed-acl {
    base acl:acl-base;
    description
      "ACL that can match on any of L2/L3/L4 fields.";
  }

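  typedef interface-mode {
    description
      "Mode of the interface an ACL assignment targets. It selects how the
       generated classify tables are attached to the interface (see the
       'mode' leaf in ietf-acl-base-attributes).";
    type enumeration {
      enum "l2" {
        description
          "L2 interface (bridge/interconnection): classify tables are
           attached as l2 tables.";
      }
      enum "l3" {
        description
          "L3 interface: classify tables are attached as ip4/ip6 tables.";
      }
    }
  }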

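  grouping acl-base-attributes {
    description
      "Defines references to classify tables, one per table type (l2, ip4, ip6).
       At least one table reference should be specified. This requirement is not
       expressed as a YANG constraint in this grouping, so it has to be validated
       by the consumer of the model; an ACL with no table reference cannot filter
       anything.";
    container l2-acl {
      description
        "Reference to the L2 classify table of this ACL.";
      leaf classify-table {
        type vpp-classifier:classify-table-ref;
        description
          "An L2 ACL table";
      }
    }
    container ip4-acl {
      description
        "Reference to the IPv4 classify table of this ACL.";
      leaf classify-table {
        type vpp-classifier:classify-table-ref;
        description
          "An IPv4 ACL table";
      }
    }
    container ip6-acl {
      description
        "Reference to the IPv6 classify table of this ACL.";
      leaf classify-table {
        type vpp-classifier:classify-table-ref;
        description
          "An IPv6 ACL table";
      }
    }
  }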

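  grouping ietf-acl-base-attributes {
    description
      "Provides limited support for the ietf-acl model.";

    container access-lists {
      description
        "Defines references to ietf-acl lists. Before assignment to an interface,
        ACL lists are merged into three types of ACLs (l2, ip4 and ip6) that are supported by vpp.
        Then three corresponding chains of tables and sessions are created and assigned to the interface
        as l2, ip4 and ip6 classify table chains.
        User ordering is preserved in each group separately.

        Assignment update/delete removes all created tables and sessions and repeats the process described above.
        Update/delete of ACL lists referenced here is not permitted (the assignment needs to be removed first).

        Read is supported only for ACLs that were created and assigned by the Honeycomb agent
        (corresponding metadata are present).

        Limitations (due to vpp limitations):
        - egress rules are currently ignored (HONEYCOMB-234); an assignment therefore filters
          ingress traffic only, and egress entries provide no enforcement
        - L4 rules are currently not supported (limited support will be provided by HONEYCOMB-218)
        - mixing L2/L3/L4 rules is currently not supported (limited support will be provided by HONEYCOMB-233)
        - L2 only rules on L3 interfaces are not supported (not allowed by vpp,
          in the future defining L2/L3 pairs should be partially supported)
        - vlan tags are supported only for sub-interfaces defined as exact-match

        Entries that fall under these limitations may be ignored rather than rejected, so the
        effective policy can be more permissive than the configured one. Review the limitations
        before relying on an assignment for enforcement.";
      list acl {
        key "type name";
        ordered-by user;
        description
          "Ordered references to the ietf-acl lists to merge. Entries are kept in user
           order; ordering is preserved within each of the l2/ip4/ip6 groups.";

        leaf type {
          type acl:acl-type;
          description
            "Type of the referenced access list.";
        }

        leaf name {
          type acl:access-control-list-ref;
          description
            "Name of the referenced access list.";
        }
      }

      leaf default-action {
        type enumeration {
          enum "deny";
          enum "permit";
        }
        default "deny";
        description
          "Default action applied to a packet that does not match any of the rules defined in the assigned ACLs.
           It is translated to a single classify table and applied at the end of the assigned chains.
           Defaults to deny (fail-closed).";
      }

      leaf mode {
        type interface-mode;
        default "l3";
        description
          "The way ACLs are translated depends on the interface mode.
           In case of L2 interfaces (bridge/interconnection)
           classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically
           added in case of L3 rules).
           In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables.

           This model does not validate the chosen mode against the actual type of the target
           interface; it is the user's responsibility to choose the mode that matches it.
           A mismatch may leave the intended filtering unapplied.";
      }
    }
  }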

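  augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
    ext:augment-identifier "vpp-acl-type-augmentation";
    description
      "Adds an ace-type case that combines IP and Ethernet match fields in a
       single access list entry.";
    case ace-ip-and-eth {
      description
        "Access List entry that can define both ip and eth rules.";
      // NOTE(review): the reused packet-fields groupings may expose L4 fields
      // (e.g. port ranges) that this module's limitations list as not supported;
      // such fields might pass schema validation without being enforced —
      // confirm that the translation rejects or reports them.
      choice ace-ip-version {
        description
          "IP version used in this Access List Entry. Exactly one version
           must be selected.";
        mandatory true;
        case ace-ipv4 {
          description
            "IPv4 header match fields.";
          uses packet-fields:acl-ipv4-header-fields;
        }
        case ace-ipv6 {
          description
            "IPv6 header match fields.";
          uses packet-fields:acl-ipv6-header-fields;
        }
      }
      uses packet-fields:acl-ip-header-fields;
      uses packet-fields:acl-eth-header-fields;
    }
  }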
}