| ietf-access-control-list@2019-01-28.yang | ietf-access-control-list@2019-01-28-formatted.yang | |||
|---|---|---|---|---|
| module ietf-access-control-list { | module ietf-access-control-list { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; | |||
| prefix acl; | prefix acl; | |||
| import ietf-yang-types { | import ietf-yang-types { | |||
| prefix yang; | prefix yang; | |||
| reference | reference | |||
| "RFC 6991 - Common YANG Data Types."; | "RFC 6991 - Common YANG Data Types."; | |||
| } | } | |||
| import ietf-packet-fields { | import ietf-packet-fields { | |||
| prefix pf; | prefix pf; | |||
| reference | reference | |||
| "RFC 8519 - YANG Data Model for Network Access Control | "RFC 8519 - YANG Data Model for Network Access Control | |||
| Lists (ACLs)."; | Lists (ACLs)."; | |||
| } | } | |||
| import ietf-interfaces { | import ietf-interfaces { | |||
| prefix if; | prefix if; | |||
| reference | reference | |||
| "RFC 8343 - A YANG Data Model for Interface Management."; | "RFC 8343 - A YANG Data Model for Interface Management."; | |||
| } | } | |||
| organization | organization | |||
| "IETF NETMOD (Network Modeling) Working Group."; | "IETF NETMOD (Network Modeling) Working Group."; | |||
| contact | contact | |||
| "WG Web: <https://datatracker.ietf.org/wg/netmod/> | "WG Web: <https://datatracker.ietf.org/wg/netmod/> | |||
| WG List: netmod@ietf.org | WG List: netmod@ietf.org | |||
| Editor: Mahesh Jethanandani | Editor: Mahesh Jethanandani | |||
| mjethanandani@gmail.com | mjethanandani@gmail.com | |||
| Editor: Lisa Huang | Editor: Lisa Huang | |||
| lyihuang16@gmail.com | lyihuang16@gmail.com | |||
| Editor: Sonal Agarwal | Editor: Sonal Agarwal | |||
| sagarwal12@gmail.com | sagarwal12@gmail.com | |||
| skipping to change at line 157 ¶ | skipping to change at line 155 ¶ | |||
| base acl:acl-base; | base acl:acl-base; | |||
| if-feature "eth"; | if-feature "eth"; | |||
| description | description | |||
| "An ACL that matches on fields in the Ethernet header, | "An ACL that matches on fields in the Ethernet header, | |||
| like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL | like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL | |||
| of type ethernet does not contain matches on fields in the | of type ethernet does not contain matches on fields in the | |||
| IPv4 header, the IPv6 header, or Layer 4 headers."; | IPv4 header, the IPv6 header, or Layer 4 headers."; | |||
| } | } | |||
| identity mixed-eth-ipv4-acl-type { | identity mixed-eth-ipv4-acl-type { | |||
| base "acl:eth-acl-type"; | base acl:eth-acl-type; | |||
| base "acl:ipv4-acl-type"; | base acl:ipv4-acl-type; | |||
| if-feature "mixed-eth-ipv4"; | if-feature "mixed-eth-ipv4"; | |||
| description | description | |||
| "An ACL that contains a mix of entries that match | "An ACL that contains a mix of entries that match | |||
| on fields in Ethernet headers and in IPv4 headers. | on fields in Ethernet headers and in IPv4 headers. | |||
| Matching on Layer 4 header fields may also exist in the | Matching on Layer 4 header fields may also exist in the | |||
| list."; | list."; | |||
| } | } | |||
| identity mixed-eth-ipv6-acl-type { | identity mixed-eth-ipv6-acl-type { | |||
| base "acl:eth-acl-type"; | base acl:eth-acl-type; | |||
| base "acl:ipv6-acl-type"; | base acl:ipv6-acl-type; | |||
| if-feature "mixed-eth-ipv6"; | if-feature "mixed-eth-ipv6"; | |||
| description | description | |||
| "An ACL that contains a mix of entries that match on fields | "An ACL that contains a mix of entries that match on fields | |||
| in Ethernet headers and in IPv6 headers. Matching | in Ethernet headers and in IPv6 headers. Matching | |||
| on Layer 4 header fields may also exist in the list."; | on Layer 4 header fields may also exist in the list."; | |||
| } | } | |||
| identity mixed-eth-ipv4-ipv6-acl-type { | identity mixed-eth-ipv4-ipv6-acl-type { | |||
| base "acl:eth-acl-type"; | base acl:eth-acl-type; | |||
| base "acl:ipv4-acl-type"; | base acl:ipv4-acl-type; | |||
| base "acl:ipv6-acl-type"; | base acl:ipv6-acl-type; | |||
| if-feature "mixed-eth-ipv4-ipv6"; | if-feature "mixed-eth-ipv4-ipv6"; | |||
| description | description | |||
| "An ACL that contains a mix of entries that | "An ACL that contains a mix of entries that | |||
| match on fields in Ethernet headers, IPv4 headers, and IPv6 | match on fields in Ethernet headers, IPv4 headers, and IPv6 | |||
| headers. Matching on Layer 4 header fields may also exist | headers. Matching on Layer 4 header fields may also exist | |||
| in the list."; | in the list."; | |||
| } | } | |||
| /* | /* | |||
| * Features | * Features | |||
| skipping to change at line 261 ¶ | skipping to change at line 260 ¶ | |||
| "Ethernet and IPv4 ACL combinations supported."; | "Ethernet and IPv4 ACL combinations supported."; | |||
| } | } | |||
| feature mixed-eth-ipv6 { | feature mixed-eth-ipv6 { | |||
| if-feature "match-on-eth and match-on-ipv6"; | if-feature "match-on-eth and match-on-ipv6"; | |||
| description | description | |||
| "Ethernet and IPv6 ACL combinations supported."; | "Ethernet and IPv6 ACL combinations supported."; | |||
| } | } | |||
| feature mixed-eth-ipv4-ipv6 { | feature mixed-eth-ipv4-ipv6 { | |||
| if-feature "match-on-eth and match-on-ipv4 | if-feature | |||
| and match-on-ipv6"; | "match-on-eth and match-on-ipv4 | |||
| and match-on-ipv6"; | ||||
| description | description | |||
| "Ethernet, IPv4, and IPv6 ACL combinations supported."; | "Ethernet, IPv4, and IPv6 ACL combinations supported."; | |||
| } | } | |||
| /* | /* | |||
| * Stats Features | * Stats Features | |||
| */ | */ | |||
| feature interface-stats { | feature interface-stats { | |||
| description | description | |||
| "ACL counters are available and reported only per interface."; | "ACL counters are available and reported only per interface."; | |||
| } | } | |||
| feature acl-aggregate-stats { | feature acl-aggregate-stats { | |||
| description | description | |||
| "ACL counters are aggregated over all interfaces and reported | "ACL counters are aggregated over all interfaces and reported | |||
| only per ACL entry."; | only per ACL entry."; | |||
| } | } | |||
| skipping to change at line 408 ¶ | skipping to change at line 410 ¶ | |||
| container matches { | container matches { | |||
| description | description | |||
| "The rules in this set determine what fields will be | "The rules in this set determine what fields will be | |||
| matched upon before any action is taken on them. | matched upon before any action is taken on them. | |||
| The rules are selected based on the feature set | The rules are selected based on the feature set | |||
| defined by the server and the acl-type defined. | defined by the server and the acl-type defined. | |||
| If no matches are defined in a particular container, | If no matches are defined in a particular container, | |||
| then any packet will match that container. If no | then any packet will match that container. If no | |||
| matches are specified at all in an ACE, then any | matches are specified at all in an ACE, then any | |||
| packet will match the ACE."; | packet will match the ACE."; | |||
| choice l2 { | choice l2 { | |||
| container eth { | container eth { | |||
| when "derived-from-or-self(/acls/acl/type, " + | when "derived-from-or-self(/acls/acl/type, " | |||
| "'acl:eth-acl-type')"; | + "'acl:eth-acl-type')"; | |||
| if-feature match-on-eth; | if-feature "match-on-eth"; | |||
| uses pf:acl-eth-header-fields; | uses pf:acl-eth-header-fields; | |||
| description | description | |||
| "Rule set that matches Ethernet headers."; | "Rule set that matches Ethernet headers."; | |||
| } | } | |||
| description | description | |||
| "Match Layer 2 headers, for example, Ethernet | "Match Layer 2 headers, for example, Ethernet | |||
| header fields."; | header fields."; | |||
| } | } | |||
| choice l3 { | choice l3 { | |||
| container ipv4 { | container ipv4 { | |||
| when "derived-from-or-self(/acls/acl/type, " + | when "derived-from-or-self(/acls/acl/type, " | |||
| "'acl:ipv4-acl-type')"; | + "'acl:ipv4-acl-type')"; | |||
| if-feature match-on-ipv4; | if-feature "match-on-ipv4"; | |||
| uses pf:acl-ip-header-fields; | uses pf:acl-ip-header-fields; | |||
| uses pf:acl-ipv4-header-fields; | uses pf:acl-ipv4-header-fields; | |||
| description | description | |||
| "Rule set that matches IPv4 headers."; | "Rule set that matches IPv4 headers."; | |||
| } | } | |||
| container ipv6 { | container ipv6 { | |||
| when "derived-from-or-self(/acls/acl/type, " + | when "derived-from-or-self(/acls/acl/type, " | |||
| "'acl:ipv6-acl-type')"; | + "'acl:ipv6-acl-type')"; | |||
| if-feature match-on-ipv6; | if-feature "match-on-ipv6"; | |||
| uses pf:acl-ip-header-fields; | uses pf:acl-ip-header-fields; | |||
| uses pf:acl-ipv6-header-fields; | uses pf:acl-ipv6-header-fields; | |||
| description | description | |||
| "Rule set that matches IPv6 headers."; | "Rule set that matches IPv6 headers."; | |||
| } | } | |||
| description | description | |||
| "Choice of either IPv4 or IPv6 headers"; | "Choice of either IPv4 or IPv6 headers"; | |||
| } | } | |||
| choice l4 { | choice l4 { | |||
| container tcp { | container tcp { | |||
| if-feature match-on-tcp; | if-feature "match-on-tcp"; | |||
| uses pf:acl-tcp-header-fields; | uses pf:acl-tcp-header-fields; | |||
| container source-port { | container source-port { | |||
| choice source-port { | choice source-port { | |||
| case range-or-operator { | case range-or-operator { | |||
| uses pf:port-range-or-operator; | uses pf:port-range-or-operator; | |||
| description | description | |||
| "Source port definition from range or | "Source port definition from range or | |||
| operator."; | operator."; | |||
| } | } | |||
| description | description | |||
| skipping to change at line 488 ¶ | skipping to change at line 486 ¶ | |||
| range/operator or a choice to support future | range/operator or a choice to support future | |||
| 'case' statements, such as one enabling a | 'case' statements, such as one enabling a | |||
| group of destination ports to be referenced."; | group of destination ports to be referenced."; | |||
| } | } | |||
| description | description | |||
| "Destination port definition."; | "Destination port definition."; | |||
| } | } | |||
| description | description | |||
| "Rule set that matches TCP headers."; | "Rule set that matches TCP headers."; | |||
| } | } | |||
| container udp { | container udp { | |||
| if-feature match-on-udp; | if-feature "match-on-udp"; | |||
| uses pf:acl-udp-header-fields; | uses pf:acl-udp-header-fields; | |||
| container source-port { | container source-port { | |||
| choice source-port { | choice source-port { | |||
| case range-or-operator { | case range-or-operator { | |||
| uses pf:port-range-or-operator; | uses pf:port-range-or-operator; | |||
| description | description | |||
| "Source port definition from range or | "Source port definition from range or | |||
| operator."; | operator."; | |||
| } | } | |||
| description | description | |||
| skipping to change at line 529 ¶ | skipping to change at line 526 ¶ | |||
| range/operator or a choice to support future | range/operator or a choice to support future | |||
| 'case' statements, such as one enabling a | 'case' statements, such as one enabling a | |||
| group of destination ports to be referenced."; | group of destination ports to be referenced."; | |||
| } | } | |||
| description | description | |||
| "Destination port definition."; | "Destination port definition."; | |||
| } | } | |||
| description | description | |||
| "Rule set that matches UDP headers."; | "Rule set that matches UDP headers."; | |||
| } | } | |||
| container icmp { | container icmp { | |||
| if-feature match-on-icmp; | if-feature "match-on-icmp"; | |||
| uses pf:acl-icmp-header-fields; | uses pf:acl-icmp-header-fields; | |||
| description | description | |||
| "Rule set that matches ICMP headers."; | "Rule set that matches ICMP headers."; | |||
| } | } | |||
| description | description | |||
| "Choice of TCP, UDP, or ICMP headers."; | "Choice of TCP, UDP, or ICMP headers."; | |||
| } | } | |||
| leaf egress-interface { | leaf egress-interface { | |||
| type if:interface-ref; | type if:interface-ref; | |||
| description | description | |||
| "Egress interface. This should not be used if this ACL | "Egress interface. This should not be used if this ACL | |||
| is attached as an egress ACL (or the value should | is attached as an egress ACL (or the value should | |||
| equal the interface to which the ACL is attached)."; | equal the interface to which the ACL is attached)."; | |||
| } | } | |||
| leaf ingress-interface { | leaf ingress-interface { | |||
| type if:interface-ref; | type if:interface-ref; | |||
| description | description | |||
| "Ingress interface. This should not be used if this ACL | "Ingress interface. This should not be used if this ACL | |||
| is attached as an ingress ACL (or the value should | is attached as an ingress ACL (or the value should | |||
| equal the interface to which the ACL is attached)."; | equal the interface to which the ACL is attached)."; | |||
| } | } | |||
| } | } | |||
| container actions { | container actions { | |||
| description | description | |||
| "Definition of actions for this ace entry."; | "Definition of actions for this ace entry."; | |||
| leaf forwarding { | leaf forwarding { | |||
| type identityref { | type identityref { | |||
| base forwarding-action; | base forwarding-action; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Specifies the forwarding action per ace entry."; | "Specifies the forwarding action per ace entry."; | |||
| skipping to change at line 568 ¶ | skipping to change at line 561 ¶ | |||
| description | description | |||
| "Definition of actions for this ace entry."; | "Definition of actions for this ace entry."; | |||
| leaf forwarding { | leaf forwarding { | |||
| type identityref { | type identityref { | |||
| base forwarding-action; | base forwarding-action; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Specifies the forwarding action per ace entry."; | "Specifies the forwarding action per ace entry."; | |||
| } | } | |||
| leaf logging { | leaf logging { | |||
| type identityref { | type identityref { | |||
| base log-action; | base log-action; | |||
| } | } | |||
| default log-none; | default "log-none"; | |||
| description | description | |||
| "Specifies the log action and destination for | "Specifies the log action and destination for | |||
| matched packets. Default value is not to log the | matched packets. Default value is not to log the | |||
| packet."; | packet."; | |||
| } | } | |||
| } | } | |||
| container statistics { | container statistics { | |||
| if-feature "acl-aggregate-stats"; | if-feature "acl-aggregate-stats"; | |||
| config false; | config false; | |||
| description | description | |||
| skipping to change at line 642 ¶ | skipping to change at line 629 ¶ | |||
| description | description | |||
| "Name of the ace entry."; | "Name of the ace entry."; | |||
| } | } | |||
| uses acl-counters; | uses acl-counters; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| list interface { | list interface { | |||
| if-feature interface-attachment; | if-feature "interface-attachment"; | |||
| key "interface-id"; | key "interface-id"; | |||
| description | description | |||
| "List of interfaces on which ACLs are set."; | "List of interfaces on which ACLs are set."; | |||
| leaf interface-id { | leaf interface-id { | |||
| type if:interface-ref; | type if:interface-ref; | |||
| description | description | |||
| "Reference to the interface id list key."; | "Reference to the interface id list key."; | |||
| } | } | |||
| container ingress { | container ingress { | |||
| uses interface-acl; | uses interface-acl; | |||
| description | description | |||
| "The ACLs applied to the ingress interface."; | "The ACLs applied to the ingress interface."; | |||
| } | } | |||
| container egress { | container egress { | |||
| uses interface-acl; | uses interface-acl; | |||
| description | description | |||
| "The ACLs applied to the egress interface."; | "The ACLs applied to the egress interface."; | |||
| } | } | |||
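Review bot: Every visible change is argument normalization rather than a model change — unquoting identity references (`base acl:eth-acl-type`), quoting feature and default arguments (`if-feature "match-on-eth"`, `default "log-none"`), and moving the string-concatenation `+` to the continuation line in the `when` expressions — and YANG treats a quoted and an unquoted argument as the same string, so the formatted module should yield an identical schema. Because this is an ACL model, any accidental divergence would change which packets an ACE matches without any visible error, so I would confirm that both files compile to the same tree before the formatted copy replaces the published one. The `revision` statements are outside the shown hunks, so I cannot confirm from here that no new revision was added; a pure reformat should keep the 2019-01-28 revision unchanged.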
| End of changes. 29 change blocks. | ||||
| 40 lines changed or deleted | 27 lines changed or added | |||