1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
|
submodule openconfig-pf-forwarding-policies {
belongs-to openconfig-policy-forwarding {
prefix "oc-pf";
}
import openconfig-extensions { prefix "oc-ext"; }
import openconfig-packet-match { prefix "oc-pmatch"; }
import openconfig-yang-types { prefix "oc-yang"; }
import openconfig-inet-types { prefix "oc-inet"; }
include openconfig-pf-path-groups;
organization
"OpenConfig working group";
contact
"OpenConfig working group
www.openconfig.net";
description
"This submodule contains configuration and operational state
relating to the definition of policy-forwarding policies.";
oc-ext:openconfig-version "0.2.0";
revision "2017-06-21" {
description
"Amend policy forwarding model based on ACL changes.";
reference "0.2.0";
}
revision "2017-02-28" {
description
"Initial public release of policy forwarding.";
reference "0.1.0";
}
revision "2016-11-08" {
description
"Initial revision";
reference "0.0.1";
}
grouping pf-forwarding-policy-structural {
description
"Structural grouping defining forwarding policies under the
policy- forwarding module.";
container policies {
description
"Forwarding policies defined to enact policy-based forwarding
on the local system.";
list policy {
key "policy-id";
description
"A forwarding policy is defined to have a set of match
criteria, allowing particular fields of a packet's header to
be matched, and a set of forwarding actions which determines
how the local system should forward the packet.";
leaf policy-id {
type leafref {
path "../config/policy-id";
}
description
"Reference to the identifier for the forwarding-policy.";
}
container config {
description
"Configuration options relating to the forwarding
policy.";
uses pf-forwarding-policy-config;
}
container state {
config false;
description
"Operational state parameters relating to the forwarding
policy.";
uses pf-forwarding-policy-config;
}
container rules {
description
"The criteria that should be matched for a packet to be
forwarded according to the policy action.";
list rule {
key "sequence-id";
description
"A match rule for the policy. In the case that multiple
criteria are specified within a single rule, all criteria
must be met for the rule to be applied to a packet.";
leaf sequence-id {
type leafref {
path "../config/sequence-id";
}
description
"A unique sequence identifier for the match rule.";
}
container config {
description
"Configuration parameters relating to the match
rule.";
uses pf-forwarding-policy-rule-config;
}
container state {
config false;
description
"Operational state parameters relating to the match
rule.";
uses pf-forwarding-policy-rule-config;
uses pf-forwarding-policy-rule-state;
}
uses oc-pmatch:ethernet-header-top;
uses oc-pmatch:ipv4-protocol-fields-top;
uses oc-pmatch:ipv6-protocol-fields-top;
uses oc-pmatch:transport-fields-top;
container action {
description
"The forwarding policy action to be applied for
packets matching the rule.";
container config {
description
"Configuration parameters relating to the forwarding
rule's action.";
uses pf-forwarding-policy-action-config;
}
container state {
config false;
description
"Operational state parameters relating to the
forwarding rule's action.";
uses pf-forwarding-policy-action-config;
}
uses pf-forwarding-policy-action-encapsulate-gre;
}
}
}
}
}
}
grouping pf-forwarding-policy-config {
description
"Configuration parameters relating to the forwarding policy.";
leaf policy-id {
type string;
description
"A unique name identifying the forwarding policy. This name is
used when applying the policy to a particular interface.";
}
}
grouping pf-forwarding-policy-rule-config {
description
"Configuration parameters relating to a policy rule.";
leaf sequence-id {
type uint32;
description
"Unique sequence number for the policy rule.";
}
}
grouping pf-forwarding-policy-rule-state {
description
"Operational state parameters relating to a policy rule.";
leaf matched-pkts {
type oc-yang:counter64;
description
"Number of packets matched by the rule.";
}
leaf matched-octets {
type oc-yang:counter64;
description
"Bytes matched by the rule.";
}
}
grouping pf-forwarding-policy-action-config {
description
"Forwarding policy action configuration parameters.";
leaf discard {
type boolean;
default false;
description
"When this leaf is set to true, the local system should drop
packets that match the rule.";
}
leaf decapsulate-gre {
type boolean;
default false;
description
"When this leaf is set to true, the local system should remove
the GRE header from the packet matching the rule. Following
the decapsulation it should subsequently forward the
encapsulated packet according to the relevant lookup (e.g., if
the encapsulated packet is IP, the packet should be routed
according to the IP destination).";
}
leaf network-instance {
type leafref {
// We are at:
// $NIROOT/policy-forwarding/policies/
// policy/rules/rule/action/config/
// network-instance
path "../../../../../../../../config/name";
}
description
"When this leaf is set, packets matching the match criteria
for the forwarding rule should be looked up in the
network-instance that is referenced rather than the
network-instance with which the interface is associated.
Such configuration allows policy-routing into multiple
sub-topologies from a single ingress access interface, or
different send and receive contexts for a particular
interface (sometimes referred to as half-duplex VRF).";
}
leaf path-selection-group {
type leafref {
// We are at:
// $NIROOT/policy-forwarding/policies/
// policy/rules/rule/action/config/to-path-group
path "../../../../../../../path-selection-groups/" +
"path-selection-group/config/group-id";
}
description
"When path-selection-group is set, packets matching the
match criteria for the forwarding rule should be forwarded
only via one of the paths that is specified within the
referenced path-selection-group. The next-hop of the packet
within the routing context should be used to determine between
multiple paths that are specified within the group.";
}
leaf next-hop {
type oc-inet:ip-address;
description
"When an IP next-hop is specified in the next-hop field,
packets matching the match criteria for the forwarding rule
should be forwarded to the next-hop IP address, bypassing any
lookup on the local system.";
}
}
grouping pf-forwarding-policy-action-encapsulate-gre {
description
"Structural grouping covering the encapsulate-gre action of the
policy forwarding rule.";
container encapsulate-gre {
description
"Packets matching the policy rule should be GRE encapsulated
towards the set of targets defined within the target list. Where
more than one target is specified, or the target subnet expands
to more than one endpoint, packets should be load-balanced across
the destination addresses within the subnets.";
container config {
description
"Configuration parameters for the GRE encapsulation rules action.";
uses pf-forwarding-policy-action-gre-config;
}
container state {
description
"Operational state parameters for the GRE encapsulation rule
action.";
config false;
uses pf-forwarding-policy-action-gre-config;
}
container targets {
description
"Surrounding container for the list of GRE tunnel targets that
should be encapsulated towards.";
list target {
key "id";
leaf id {
type leafref {
path "../config/id";
}
description
"Reference to the unique identifier for the target.";
}
description
"Each target specified within this list should be treated as a
endpoint to which packets should be GRE encapsulated. Where the
set of destinations described within a single entry expands to
more than one destination IP address, packets should be load
shared across the destination using the local system's ECMP hashing
mechanisms.";
container config {
description
"Configuration parameters for the GRE target.";
uses pf-forwarding-policy-action-gre-target-config;
}
container state {
description
"Operational state parameters for the GRE target.";
config false;
uses pf-forwarding-policy-action-gre-target-config;
}
}
}
}
}
grouping pf-forwarding-policy-action-gre-config {
description
"Configuration parameters for the encapsulate-gre forwarding
policy action.";
leaf identifying-prefix {
type oc-inet:ip-prefix;
description
"An IP prefix that can be used to identify the group of
GRE endpoints that are being encapsulated towards. Systems
that require an IP identifier for the tunnel set
should use this prefix as the next-hop identifier.";
}
}
grouping pf-forwarding-policy-action-gre-target-config {
description
"Configuration parameters for each target of a GRE Encapsulation
rule";
leaf id {
type string;
description
"A unique identifier for the target.";
}
leaf source {
type oc-inet:ip-address;
description
"The source IP address that should be used when encapsulating
packets from the local system.";
}
leaf destination {
type oc-inet:ip-prefix;
description
"The set of destination addresses that should be encapsulated towards.
Where a subnet is specified, each address within the subnet should be
treated as an independent destination for encapsulated traffic. Packets
should be distributed with ECMP across the set of tunnel destination
addresses.";
}
leaf ip-ttl {
type uint8;
description
"The TTL that should be specified in the IP header of the GRE packet
encapsulating the packet matching the rule.";
}
}
}
|
