aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/yang/openconfig/openconfig-acl@2018-11-21.yang
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/yang/openconfig/openconfig-acl@2018-11-21.yang')
-rw-r--r--src/plugins/yang/openconfig/openconfig-acl@2018-11-21.yang847
1 files changed, 847 insertions, 0 deletions
diff --git a/src/plugins/yang/openconfig/openconfig-acl@2018-11-21.yang b/src/plugins/yang/openconfig/openconfig-acl@2018-11-21.yang
new file mode 100644
index 0000000..fe80988
--- /dev/null
+++ b/src/plugins/yang/openconfig/openconfig-acl@2018-11-21.yang
@@ -0,0 +1,847 @@
+module openconfig-acl {
+
+ yang-version "1";
+
+ // namespace
+ namespace "http://openconfig.net/yang/acl";
+
+ prefix "oc-acl";
+
+ import openconfig-packet-match { prefix oc-match; }
+ import openconfig-interfaces { prefix oc-if; }
+ import openconfig-yang-types { prefix oc-yang; }
+ import openconfig-extensions { prefix oc-ext; }
+
+ // meta
+ organization "OpenConfig working group";
+
+ contact
+ "OpenConfig working group
+ www.openconfig.net";
+
+ description
+ "This module defines configuration and operational state
+ data for network access control lists (i.e., filters, rules,
+ etc.). ACLs are organized into ACL sets, with each set
+ containing one or more ACL entries. ACL sets are identified
+ by a unique name, while each entry within a set is assigned
+ a sequence-id that determines the order in which the ACL
+ rules are applied to a packet. Note that ACLs are evaluated
+ in ascending order based on the sequence-id (low to high).
+
+ Individual ACL rules specify match criteria based on fields in
+ the packet, along with an action that defines how matching
+ packets should be handled. Entries have a type that indicates
+ the type of match criteria, e.g., MAC layer, IPv4, IPv6, etc.";
+
+ oc-ext:openconfig-version "1.0.2";
+
+ revision "2018-11-21" {
+ description
+ "Add OpenConfig module metadata extensions.";
+ reference "1.0.2";
+ }
+
+ revision "2018-04-24" {
+ description
+ "Clarified order of ACL evaluation";
+ reference "1.0.1";
+ }
+
+ revision "2017-05-26" {
+ description
+ "Separated ACL entries by type";
+ reference "1.0.0";
+ }
+
+ revision "2016-08-08" {
+ description
+ "OpenConfig public release";
+ reference "0.2.0";
+ }
+
+ revision "2016-01-22" {
+ description
+ "Initial revision";
+ reference "TBD";
+ }
+
+ // OpenConfig specific extensions for module metadata.
+ oc-ext:regexp-posix;
+ oc-ext:catalog-organization "openconfig";
+ oc-ext:origin "openconfig";
+
+ identity ACL_TYPE {
+ description
+ "Base identity for types of ACL sets";
+ }
+
+ identity ACL_IPV4 {
+ base ACL_TYPE;
+ description
+ "IP-layer ACLs with IPv4 addresses";
+ }
+
+ identity ACL_IPV6 {
+ base ACL_TYPE;
+ description
+ "IP-layer ACLs with IPv6 addresses";
+ }
+
+ identity ACL_L2 {
+ base ACL_TYPE;
+ description
+ "MAC-layer ACLs";
+ }
+
+ identity ACL_MIXED {
+ base ACL_TYPE;
+ description
+ "Mixed-mode ACL that specifies L2 and L3 protocol
+ fields. This ACL type is not implemented by many
+ routing/switching devices.";
+ }
+
+ // ACL action type
+
+ identity FORWARDING_ACTION {
+ description
+ "Base identity for actions in the forwarding category";
+ }
+
+ identity ACCEPT {
+ base FORWARDING_ACTION;
+ description
+ "Accept the packet";
+ }
+
+ identity DROP {
+ base FORWARDING_ACTION;
+ description
+ "Drop packet without sending any ICMP error message";
+ }
+
+ identity REJECT {
+ base FORWARDING_ACTION;
+ description
+ "Drop the packet and send an ICMP error message to the source";
+ }
+
+ identity LOG_ACTION {
+ description
+ "Base identity for defining the destination for logging
+ actions";
+ }
+
+ identity LOG_SYSLOG {
+ base LOG_ACTION;
+ description
+ "Log the packet in Syslog";
+ }
+
+ identity LOG_NONE {
+ base LOG_ACTION;
+ description
+ "No logging";
+ }
+
+ identity ACL_COUNTER_CAPABILITY {
+ description
+ "Base identity for system to indicate how it is able to report
+ counters";
+ }
+
+ identity INTERFACE_ONLY {
+ base ACL_COUNTER_CAPABILITY;
+ description
+ "ACL counters are available and reported only per interface";
+ }
+
+ identity AGGREGATE_ONLY {
+ base ACL_COUNTER_CAPABILITY;
+ description
+ "ACL counters are aggregated over all interfaces, and reported
+ only per ACL entry";
+ }
+
+ identity INTERFACE_AGGREGATE {
+ base ACL_COUNTER_CAPABILITY;
+ description
+ "ACL counters are reported per interface, and also aggregated
+ and reported per ACL entry.";
+ }
+
+ // grouping statements
+
+ // input interface
+ grouping input-interface-config {
+ description
+ "Config of interface";
+
+ }
+
+ grouping input-interface-state {
+ description
+ "State information of interface";
+ }
+
+ grouping input-interface-top {
+ description
+ "Input interface top level container";
+
+ container input-interface {
+ description
+ "Input interface container";
+
+ container config {
+ description
+ "Config data";
+ uses input-interface-config;
+ }
+
+ container state {
+ config false;
+ description
+ "State information";
+ uses input-interface-config;
+ uses input-interface-state;
+ }
+
+ uses oc-if:interface-ref;
+
+ }
+ }
+
+ // Action Type
+ grouping action-config {
+ description
+ "Config of action type";
+
+
+ leaf forwarding-action {
+ type identityref {
+ base FORWARDING_ACTION;
+ }
+ mandatory true;
+ description
+ "Specifies the forwarding action. One forwarding action
+ must be specified for each ACL entry";
+ }
+
+ leaf log-action {
+ type identityref {
+ base LOG_ACTION;
+ }
+ default LOG_NONE;
+ description
+ "Specifies the log action and destination for
+ matched packets. The default is not to log the
+ packet.";
+ }
+
+
+ }
+
+ grouping action-state {
+ description
+ "State information of action type";
+
+ }
+
+ grouping action-top {
+ description
+ "ACL action type top level container";
+
+ container actions {
+ description
+ "Enclosing container for list of ACL actions associated
+ with an entry";
+
+ container config {
+ description
+ "Config data for ACL actions";
+ uses action-config;
+ }
+
+ container state {
+ config false;
+ description
+ "State information for ACL actions";
+ uses action-config;
+ uses action-state;
+ }
+ }
+ }
+
+ grouping acl-counters-state {
+ description
+ "Common grouping for ACL counters";
+
+ leaf matched-packets {
+ type oc-yang:counter64;
+ description
+ "Count of the number of packets matching the current ACL
+ entry.
+
+ An implementation should provide this counter on a
+ per-interface per-ACL-entry if possible.
+
+ If an implementation only supports ACL counters per entry
+ (i.e., not broken out per interface), then the value
+ should be equal to the aggregate count across all interfaces.
+
+ An implementation that provides counters per entry per
+ interface is not required to also provide an aggregate count,
+ e.g., per entry -- the user is expected to be able implement
+ the required aggregation if such a count is needed.";
+ }
+
+ leaf matched-octets {
+ type oc-yang:counter64;
+ description
+ "Count of the number of octets (bytes) matching the current
+ ACL entry.
+
+ An implementation should provide this counter on a
+ per-interface per-ACL-entry if possible.
+
+ If an implementation only supports ACL counters per entry
+ (i.e., not broken out per interface), then the value
+ should be equal to the aggregate count across all interfaces.
+
+ An implementation that provides counters per entry per
+ interface is not required to also provide an aggregate count,
+ e.g., per entry -- the user is expected to be able implement
+ the required aggregation if such a count is needed.";
+ }
+
+ }
+
+ // Access List Entries
+ grouping access-list-entries-config {
+ description
+ "Access List Entries (ACE) config.";
+
+ leaf sequence-id {
+ type uint32;
+ description
+ "The sequence id determines the order in which ACL entries
+ are applied. The sequence id must be unique for each entry
+ in an ACL set. Target devices should apply the ACL entry
+ rules in ascending order determined by sequence id (low to
+ high), rather than the relying only on order in the list.";
+ }
+
+ leaf description {
+ type string;
+ description
+ "A user-defined description, or comment, for this Access List
+ Entry.";
+ }
+
+ }
+
+ grouping access-list-entries-state {
+ description
+ "Access List Entries state.";
+
+ uses acl-counters-state;
+
+ }
+
+ grouping access-list-entries-top {
+ description
+ "Access list entries to level container";
+
+ container acl-entries {
+ description
+ "Access list entries container";
+
+ list acl-entry {
+ key "sequence-id";
+ description
+ "List of ACL entries comprising an ACL set";
+
+ leaf sequence-id {
+ type leafref {
+ path "../config/sequence-id";
+ }
+ description
+ "references the list key";
+ }
+
+ container config {
+ description
+ "Access list entries config";
+ uses access-list-entries-config;
+ }
+
+ container state {
+ config false;
+ description
+ "State information for ACL entries";
+ uses access-list-entries-config;
+ uses access-list-entries-state;
+ }
+
+ uses oc-match:ethernet-header-top {
+ when "../../config/type='ACL_L2'" {
+ description
+ "MAC-layer fields are valid when the ACL type is L2";
+ }
+ }
+ uses oc-match:ipv4-protocol-fields-top {
+ when "../../config/type='ACL_IPV4'" {
+ description
+ "IPv4-layer fields are valid when the ACL type is
+ IPv4";
+ }
+ }
+ uses oc-match:ipv6-protocol-fields-top {
+ when "../../config/type='ACL_IPV6'" {
+ description
+ "IPv6-layer fields are valid when the ACL type is
+ IPv6";
+ }
+ }
+ uses oc-match:transport-fields-top {
+ when "../../config/type='ACL_IPV6' or " +
+ "../../config/type='ACL_IPV4'" {
+ description
+ "Transport-layer fields are valid when specifying
+ L3 ACL types";
+ }
+ }
+ uses input-interface-top;
+
+ uses action-top;
+ }
+ }
+ }
+
+ grouping acl-set-config {
+ description
+ "Access Control List config";
+
+ leaf name {
+ type string;
+ description
+ "The name of the access-list set";
+ }
+
+ leaf type {
+ type identityref {
+ base ACL_TYPE;
+ }
+ description
+ "The type determines the fields allowed in the ACL entries
+ belonging to the ACL set (e.g., IPv4, IPv6, etc.)";
+ }
+
+ leaf description {
+ type string;
+ description
+ "Description, or comment, for the ACL set";
+ }
+
+ }
+
+ grouping acl-set-state {
+ description
+ "Access Control List state";
+ }
+
+ grouping acl-set-top {
+ description
+ "Access list entries variables top level container";
+
+ container acl-sets {
+ description
+ "Access list entries variables enclosing container";
+
+ list acl-set {
+ key "name type";
+ description
+ "List of ACL sets, each comprising of a list of ACL
+ entries";
+
+ leaf name {
+ type leafref {
+ path "../config/name";
+ }
+ description
+ "Reference to the name list key";
+ }
+
+ leaf type {
+ type leafref {
+ path "../config/type";
+ }
+ description
+ "Reference to the type list key";
+ }
+
+ container config {
+ description
+ "Access list config";
+ uses acl-set-config;
+ }
+
+ container state {
+ config false;
+ description
+ "Access list state information";
+ uses acl-set-config;
+ uses acl-set-state;
+ }
+ uses access-list-entries-top;
+ }
+ }
+ }
+
+ grouping interface-acl-entries-config {
+ description
+ "Configuration data for per-interface ACLs";
+
+ }
+
+ grouping interface-acl-entries-state {
+ description
+ "Operational state data for per-interface ACL entries";
+
+ leaf sequence-id {
+ type leafref {
+ path "/acl/acl-sets/" +
+ "acl-set[name=current()/../../../../set-name]" +
+ "[type=current()/../../../../type]/" +
+ "acl-entries/acl-entry/sequence-id";
+ }
+ description
+ "Reference to an entry in the ACL set applied to an
+ interface";
+ }
+
+ uses acl-counters-state;
+
+ }
+
+ grouping interface-acl-entries-top {
+ description
+ "Top-level grouping for per-interface ACL entries";
+
+ container acl-entries {
+ config false;
+ description
+ "Enclosing container for list of references to ACLs";
+
+ list acl-entry {
+ key "sequence-id";
+ description
+ "List of ACL entries assigned to an interface";
+
+ leaf sequence-id {
+ type leafref {
+ path "../state/sequence-id";
+ }
+ description
+ "Reference to per-interface acl entry key";
+ }
+
+ // no config container since the enclosing container is
+ // read-only
+
+ container state {
+
+ config false;
+
+ description
+ "Operational state data for per-interface ACL entries";
+
+ uses interface-acl-entries-config;
+ uses interface-acl-entries-state;
+ }
+ }
+ }
+ }
+
+ grouping interface-ingress-acl-config {
+ description
+ "Configuration data for per-interface ingress ACLs";
+
+ leaf set-name {
+ type leafref {
+ path "../../../../../../acl-sets/acl-set/config/name";
+ }
+ description
+ "Reference to the ACL set name applied on ingress";
+ }
+
+ leaf type {
+ type leafref {
+ path "../../../../../../acl-sets/acl-set[name=current()/../set-name]" +
+ "/config/type";
+ }
+ description
+ "Reference to the ACL set type applied on ingress";
+ }
+ }
+
+ grouping interface-ingress-acl-state {
+ description
+ "Operational state data for the per-interface ingress ACL";
+ }
+
+ grouping interface-ingress-acl-top {
+ description
+ "Top-level grouping for per-interface ingress ACL data";
+
+ container ingress-acl-sets {
+ description
+ "Enclosing container the list of ingress ACLs on the
+ interface";
+
+ list ingress-acl-set {
+ key "set-name type";
+ description
+ "List of ingress ACLs on the interface";
+
+ leaf set-name {
+ type leafref {
+ path "../config/set-name";
+ }
+ description
+ "Reference to set name list key";
+ }
+
+ leaf type {
+ type leafref {
+ path "../config/type";
+ }
+ description
+ "Reference to type list key";
+ }
+
+ container config {
+ description
+ "Configuration data ";
+
+ uses interface-ingress-acl-config;
+ }
+
+ container state {
+
+ config false;
+
+ description
+ "Operational state data for interface ingress ACLs";
+
+ uses interface-ingress-acl-config;
+ uses interface-ingress-acl-state;
+ }
+
+ uses interface-acl-entries-top;
+ }
+ }
+ }
+
+ grouping interface-egress-acl-config {
+ description
+ "Configuration data for per-interface egress ACLs";
+
+ leaf set-name {
+ type leafref {
+ path "../../../../../../acl-sets/acl-set/config/name";
+ }
+ description
+ "Reference to the ACL set name applied on egress";
+ }
+
+ leaf type {
+ type leafref {
+ path "../../../../../../acl-sets/acl-set[name=current()/../set-name]" +
+ "/config/type";
+ }
+ description
+ "Reference to the ACL set type applied on egress.";
+ }
+ }
+
+ grouping interface-egress-acl-state {
+ description
+ "Operational state data for the per-interface egress ACL";
+ }
+
+ grouping interface-egress-acl-top {
+ description
+ "Top-level grouping for per-interface egress ACL data";
+
+ container egress-acl-sets {
+ description
+ "Enclosing container the list of egress ACLs on the
+ interface";
+
+ list egress-acl-set {
+ key "set-name type";
+ description
+ "List of egress ACLs on the interface";
+
+ leaf set-name {
+ type leafref {
+ path "../config/set-name";
+ }
+ description
+ "Reference to set name list key";
+ }
+
+ leaf type {
+ type leafref {
+ path "../config/type";
+ }
+ description
+ "Reference to type list key";
+ }
+
+ container config {
+ description
+ "Configuration data ";
+
+ uses interface-egress-acl-config;
+ }
+
+ container state {
+
+ config false;
+
+ description
+ "Operational state data for interface egress ACLs";
+
+ uses interface-egress-acl-config;
+ uses interface-egress-acl-state;
+ }
+
+ uses interface-acl-entries-top;
+ }
+ }
+ }
+
+ grouping acl-interfaces-config {
+ description
+ "Configuration data for interface references";
+
+ leaf id {
+ type oc-if:interface-id;
+ description
+ "User-defined identifier for the interface -- a common
+ convention could be '<if name>.<subif index>'";
+ }
+ }
+
+ grouping acl-interfaces-state {
+ description
+ "Operational state data for interface references";
+ }
+
+ grouping acl-interfaces-top {
+ description
+ "Top-level grouping for interface-specific ACL data";
+
+ container interfaces {
+ description
+ "Enclosing container for the list of interfaces on which
+ ACLs are set";
+
+ list interface {
+ key "id";
+ description
+ "List of interfaces on which ACLs are set";
+
+ leaf id {
+ type leafref {
+ path "../config/id";
+ }
+ description
+ "Reference to the interface id list key";
+ }
+
+ container config {
+ description
+ "Configuration for ACL per-interface data";
+
+ uses acl-interfaces-config;
+ }
+
+ container state {
+
+ config false;
+
+ description
+ "Operational state for ACL per-interface data";
+
+ uses acl-interfaces-config;
+ uses acl-interfaces-state;
+ }
+
+ uses oc-if:interface-ref;
+ uses interface-ingress-acl-top;
+ uses interface-egress-acl-top;
+ }
+ }
+ }
+
+ grouping acl-config {
+ description
+ "Global configuration data for ACLs";
+ }
+
+ grouping acl-state {
+ description
+ "Global operational state data for ACLs";
+
+ leaf counter-capability {
+ type identityref {
+ base ACL_COUNTER_CAPABILITY;
+ }
+ description
+ "System reported indication of how ACL counters are reported
+ by the target";
+ }
+ }
+ grouping acl-top {
+ description
+ "Top level grouping for ACL data and structure";
+
+ container acl {
+ description
+ "Top level enclosing container for ACL model config
+ and operational state data";
+
+ container config {
+ description
+ "Global config data for ACLs";
+
+ uses acl-config;
+ }
+
+ container state {
+
+ config false;
+
+ description
+ "Global operational state data for ACLs";
+
+ uses acl-config;
+ uses acl-state;
+ }
+
+ uses acl-set-top;
+ uses acl-interfaces-top;
+ }
+ }
+
+ // data definition statements
+ uses acl-top;
+
+ // augment statements
+
+
+}