| module ietf-access-control-list { |
| yang-version 1.1; |
| namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; |
| prefix acl; |
| |
| import ietf-yang-types { |
| prefix yang; |
| reference |
| "RFC 6991 - Common YANG Data Types."; |
| } |
| |
| import ietf-packet-fields { |
| prefix pf; |
| reference |
| "RFC 8519 - YANG Data Model for Network Access Control |
| Lists (ACLs)."; |
| } |
| |
| import ietf-interfaces { |
| prefix if; |
| reference |
| "RFC 8343 - A YANG Data Model for Interface Management."; |
| } |
| |
| organization |
| "IETF NETMOD (Network Modeling) Working Group."; |
| |
| contact |
| "WG Web: <https://datatracker.ietf.org/wg/netmod/> |
| WG List: netmod@ietf.org |
| |
| Editor: Mahesh Jethanandani |
| mjethanandani@gmail.com |
| Editor: Lisa Huang |
| huangyi_99@yahoo.com |
| Editor: Sonal Agarwal |
| sagarwal12@gmail.com |
| Editor: Dana Blair |
| dana@blairhome.com"; |
| |
| description |
| "This YANG module defines a component that describes the |
| configuration and monitoring of Access Control Lists (ACLs). |
| |
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', |
| 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', |
| 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document |
| are to be interpreted as described in BCP 14 (RFC 2119) |
| (RFC 8174) when, and only when, they appear in all |
| capitals, as shown here. |
| |
| Copyright (c) 2019 IETF Trust and the persons identified as |
| the document authors. All rights reserved. |
| |
| Redistribution and use in source and binary forms, with or |
| without modification, is permitted pursuant to, and subject |
| to the license terms contained in, the Simplified BSD |
| License set forth in Section 4.c of the IETF Trust's Legal |
| Provisions Relating to IETF Documents |
| (http://trustee.ietf.org/license-info). |
| |
| This version of this YANG module is part of RFC 8519; see |
| the RFC itself for full legal notices."; |
| |
| revision 2019-03-04 { |
| description |
| "Initial version."; |
| reference |
| "RFC 8519: YANG Data Model for Network Access Control |
| Lists (ACLs)."; |
| } |
| |
| /* |
| * Identities |
| */ |
| /* |
| * Forwarding actions for a packet |
| */ |
| |
| identity forwarding-action { |
| description |
| "Base identity for actions in the forwarding category."; |
| } |
| |
| identity accept { |
| base forwarding-action; |
| description |
| "Accept the packet."; |
| } |
| |
| identity drop { |
| base forwarding-action; |
| description |
| "Drop packet without sending any ICMP error message."; |
| } |
| |
| identity reject { |
| base forwarding-action; |
| description |
| "Drop the packet and send an ICMP error message to the source."; |
| } |
| |
| /* |
| * Logging actions for a packet |
| */ |
| |
| identity log-action { |
| description |
| "Base identity for defining the destination for logging |
| actions."; |
| } |
| |
| identity log-syslog { |
| base log-action; |
| description |
| "System log (syslog) the information for the packet."; |
| } |
| identity log-none { |
| base log-action; |
| description |
| "No logging for the packet."; |
| } |
| |
| /* |
| * ACL type identities |
| */ |
| |
| identity acl-base { |
| description |
| "Base Access Control List type for all Access Control List type |
| identifiers."; |
| } |
| |
| identity ipv4-acl-type { |
| base acl:acl-base; |
| if-feature "ipv4"; |
| description |
| "An ACL that matches on fields from the IPv4 header |
| (e.g., IPv4 destination address) and Layer 4 headers (e.g., TCP |
| destination port). An ACL of type ipv4 does not contain |
| matches on fields in the Ethernet header or the IPv6 header."; |
| } |
| |
| identity ipv6-acl-type { |
| base acl:acl-base; |
| if-feature "ipv6"; |
| description |
| "An ACL that matches on fields from the IPv6 header |
| (e.g., IPv6 destination address) and Layer 4 headers (e.g., TCP |
| destination port). An ACL of type ipv6 does not contain |
| matches on fields in the Ethernet header or the IPv4 header."; |
| } |
| |
| identity eth-acl-type { |
| base acl:acl-base; |
| if-feature "eth"; |
| description |
| "An ACL that matches on fields in the Ethernet header, |
| like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL |
| of type ethernet does not contain matches on fields in the |
| IPv4 header, the IPv6 header, or Layer 4 headers."; |
| } |
| |
| identity mixed-eth-ipv4-acl-type { |
| base acl:eth-acl-type; |
| base acl:ipv4-acl-type; |
| if-feature "mixed-eth-ipv4"; |
| description |
| "An ACL that contains a mix of entries that match |
| on fields in Ethernet headers and in IPv4 headers. |
| Matching on Layer 4 header fields may also exist in the |
| list."; |
| } |
| |
| identity mixed-eth-ipv6-acl-type { |
| base acl:eth-acl-type; |
| base acl:ipv6-acl-type; |
| if-feature "mixed-eth-ipv6"; |
| description |
| "An ACL that contains a mix of entries that match on fields |
| in Ethernet headers and in IPv6 headers. Matching |
| on Layer 4 header fields may also exist in the list."; |
| } |
| |
| identity mixed-eth-ipv4-ipv6-acl-type { |
| base acl:eth-acl-type; |
| base acl:ipv4-acl-type; |
| base acl:ipv6-acl-type; |
| if-feature "mixed-eth-ipv4-ipv6"; |
| description |
| "An ACL that contains a mix of entries that |
| match on fields in Ethernet headers, IPv4 headers, and IPv6 |
| headers. Matching on Layer 4 header fields may also exist |
| in the list."; |
| } |
| |
| /* |
| * Features |
| */ |
| |
| /* |
| * Features supported by device |
| */ |
| feature match-on-eth { |
| description |
| "The device can support matching on Ethernet headers."; |
| } |
| |
| feature match-on-ipv4 { |
| description |
| "The device can support matching on IPv4 headers."; |
| } |
| |
| feature match-on-ipv6 { |
| description |
| "The device can support matching on IPv6 headers."; |
| } |
| |
| feature match-on-tcp { |
| description |
| "The device can support matching on TCP headers."; |
| } |
| |
| feature match-on-udp { |
| description |
| "The device can support matching on UDP headers."; |
| } |
| |
| feature match-on-icmp { |
| description |
| "The device can support matching on ICMP (v4 and v6) headers."; |
| } |
| |
| /* |
| * Header classifications combinations supported by |
| * device |
| */ |
| |
| feature eth { |
| if-feature "match-on-eth"; |
| description |
| "Plain Ethernet ACL supported."; |
| } |
| |
| feature ipv4 { |
| if-feature "match-on-ipv4"; |
| description |
| "Plain IPv4 ACL supported."; |
| } |
| |
| feature ipv6 { |
| if-feature "match-on-ipv6"; |
| description |
| "Plain IPv6 ACL supported."; |
| } |
| |
| feature mixed-eth-ipv4 { |
| if-feature "match-on-eth and match-on-ipv4"; |
| description |
| "Ethernet and IPv4 ACL combinations supported."; |
| } |
| feature mixed-eth-ipv6 { |
| if-feature "match-on-eth and match-on-ipv6"; |
| description |
| "Ethernet and IPv6 ACL combinations supported."; |
| } |
| |
| feature mixed-eth-ipv4-ipv6 { |
| if-feature |
| "match-on-eth and match-on-ipv4 |
| and match-on-ipv6"; |
| description |
| "Ethernet, IPv4, and IPv6 ACL combinations supported."; |
| } |
| |
| /* |
| * Stats Features |
| */ |
| feature interface-stats { |
| description |
| "ACL counters are available and reported only per interface."; |
| } |
| |
| feature acl-aggregate-stats { |
| description |
| "ACL counters are aggregated over all interfaces and reported |
| only per ACL entry."; |
| } |
| |
| /* |
| * Attachment point features |
| */ |
| feature interface-attachment { |
| description |
| "ACLs are set on interfaces."; |
| } |
| |
| /* |
| * Typedefs |
| */ |
| typedef acl-type { |
| type identityref { |
| base acl-base; |
| } |
| description |
| "This type is used to refer to an ACL type."; |
| } |
| |
| /* |
| * Groupings |
| */ |
| grouping acl-counters { |
| description |
| "Common grouping for ACL counters."; |
| leaf matched-packets { |
| type yang:counter64; |
| config false; |
| description |
| "Count of the number of packets matching the current ACL |
| entry. |
| |
| An implementation should provide this counter on a |
| per-interface, per-ACL-entry basis if possible. |
| |
| If an implementation only supports ACL counters on a per- |
| entry basis (i.e., not broken out per interface), then the |
| value should be equal to the aggregate count across all |
| interfaces. |
| |
| An implementation that provides counters on a per-entry, per- |
| interface basis is not required to also provide an aggregate |
| count, e.g., per entry -- the user is expected to be able to |
| implement the required aggregation if such a count is |
| needed."; |
| } |
| |
| leaf matched-octets { |
| type yang:counter64; |
| config false; |
| description |
| "Count of the number of octets (bytes) matching the current |
| ACL entry. |
| |
| An implementation should provide this counter on a |
| per-interface, per-ACL-entry basis if possible. |
| |
| If an implementation only supports ACL counters per entry |
| (i.e., not broken out per interface), then the value |
| should be equal to the aggregate count across all interfaces. |
| |
| An implementation that provides counters per entry per |
| interface is not required to also provide an aggregate count, |
| e.g., per entry -- the user is expected to be able to |
| implement the required aggregation if such a count is needed."; |
| } |
| } |
| |
| /* |
| * Configuration and monitoring data nodes |
| */ |
| |
| container acls { |
| description |
| "This is a top-level container for Access Control Lists. |
| It can have one or more acl nodes."; |
| list acl { |
| key "name"; |
| description |
| "An ACL is an ordered list of ACEs. Each ACE has a |
| list of match criteria and a list of actions. |
| Since there are several kinds of ACLs implemented |
| with different attributes for different vendors, |
| this model accommodates customizing ACLs for |
| each kind and for each vendor."; |
| leaf name { |
| type string { |
| length "1..64"; |
| } |
| description |
| "The name of the access list. A device MAY further |
| restrict the length of this name; space and special |
| characters are not allowed."; |
| } |
| leaf type { |
| type acl-type; |
| description |
| "Type of ACL. Indicates the primary intended |
| type of match criteria (e.g., Ethernet, IPv4, IPv6, mixed, |
| etc.) used in the list instance."; |
| } |
| container aces { |
| description |
| "The aces container contains one or more ACE nodes."; |
| list ace { |
| key "name"; |
| ordered-by user; |
| description |
| "List of ACEs."; |
| leaf name { |
| type string { |
| length "1..64"; |
| } |
| description |
| "A unique name identifying this ACE."; |
| } |
| container matches { |
| description |
| "The rules in this set determine what fields will be |
| matched upon before any action is taken on them. |
| The rules are selected based on the feature set |
| defined by the server and the acl-type defined. |
| If no matches are defined in a particular container, |
| then any packet will match that container. If no |
| matches are specified at all in an ACE, then any |
| packet will match the ACE."; |
| |
| choice l2 { |
| container eth { |
| when "derived-from-or-self(/acls/acl/type, " |
| + "'acl:eth-acl-type')"; |
| if-feature "match-on-eth"; |
| uses pf:acl-eth-header-fields; |
| description |
| "Rule set that matches Ethernet headers."; |
| } |
| description |
| "Match Layer 2 headers, for example, Ethernet |
| header fields."; |
| } |
| |
| choice l3 { |
| container ipv4 { |
| when "derived-from-or-self(/acls/acl/type, " |
| + "'acl:ipv4-acl-type')"; |
| if-feature "match-on-ipv4"; |
| uses pf:acl-ip-header-fields; |
| uses pf:acl-ipv4-header-fields; |
| description |
| "Rule set that matches IPv4 headers."; |
| } |
| |
| container ipv6 { |
| when "derived-from-or-self(/acls/acl/type, " |
| + "'acl:ipv6-acl-type')"; |
| if-feature "match-on-ipv6"; |
| uses pf:acl-ip-header-fields; |
| uses pf:acl-ipv6-header-fields; |
| description |
| "Rule set that matches IPv6 headers."; |
| } |
| description |
| "Choice of either IPv4 or IPv6 headers"; |
| } |
| choice l4 { |
| container tcp { |
| if-feature "match-on-tcp"; |
| uses pf:acl-tcp-header-fields; |
| container source-port { |
| choice source-port { |
| case range-or-operator { |
| uses pf:port-range-or-operator; |
| description |
| "Source port definition from range or |
| operator."; |
| } |
| description |
| "Choice of source port definition using |
| range/operator or a choice to support future |
| 'case' statements, such as one enabling a |
| group of source ports to be referenced."; |
| } |
| description |
| "Source port definition."; |
| } |
| container destination-port { |
| choice destination-port { |
| case range-or-operator { |
| uses pf:port-range-or-operator; |
| description |
| "Destination port definition from range or |
| operator."; |
| } |
| description |
| "Choice of destination port definition using |
| range/operator or a choice to support future |
| 'case' statements, such as one enabling a |
| group of destination ports to be referenced."; |
| } |
| description |
| "Destination port definition."; |
| } |
| description |
| "Rule set that matches TCP headers."; |
| } |
| |
| container udp { |
| if-feature "match-on-udp"; |
| uses pf:acl-udp-header-fields; |
| container source-port { |
| choice source-port { |
| case range-or-operator { |
| uses pf:port-range-or-operator; |
| description |
| "Source port definition from range or |
| operator."; |
| } |
| description |
| "Choice of source port definition using |
| range/operator or a choice to support future |
| 'case' statements, such as one enabling a |
| group of source ports to be referenced."; |
| } |
| description |
| "Source port definition."; |
| } |
| container destination-port { |
| choice destination-port { |
| case range-or-operator { |
| uses pf:port-range-or-operator; |
| description |
| "Destination port definition from range or |
| operator."; |
| } |
| description |
| "Choice of destination port definition using |
| range/operator or a choice to support future |
| 'case' statements, such as one enabling a |
| group of destination ports to be referenced."; |
| } |
| description |
| "Destination port definition."; |
| } |
| description |
| "Rule set that matches UDP headers."; |
| } |
| |
| container icmp { |
| if-feature "match-on-icmp"; |
| uses pf:acl-icmp-header-fields; |
| description |
| "Rule set that matches ICMP headers."; |
| } |
| description |
| "Choice of TCP, UDP, or ICMP headers."; |
| } |
| |
| leaf egress-interface { |
| type if:interface-ref; |
| description |
| "Egress interface. This should not be used if this ACL |
| is attached as an egress ACL (or the value should |
| equal the interface to which the ACL is attached)."; |
| } |
| |
| leaf ingress-interface { |
| type if:interface-ref; |
| description |
| "Ingress interface. This should not be used if this ACL |
| is attached as an ingress ACL (or the value should |
| equal the interface to which the ACL is attached)."; |
| } |
| } |
| |
| container actions { |
| description |
| "Definition of actions for this ace entry."; |
| leaf forwarding { |
| type identityref { |
| base forwarding-action; |
| } |
| mandatory true; |
| description |
| "Specifies the forwarding action per ace entry."; |
| } |
| |
| leaf logging { |
| type identityref { |
| base log-action; |
| } |
| default "log-none"; |
| description |
| "Specifies the log action and destination for |
| matched packets. Default value is not to log the |
| packet."; |
| } |
| } |
| container statistics { |
| if-feature "acl-aggregate-stats"; |
| config false; |
| description |
| "Statistics gathered across all attachment points for the |
| given ACL."; |
| uses acl-counters; |
| } |
| } |
| } |
| } |
| container attachment-points { |
| description |
| "Enclosing container for the list of |
| attachment points on which ACLs are set."; |
| /* |
| * Groupings |
| */ |
| grouping interface-acl { |
| description |
| "Grouping for per-interface ingress ACL data."; |
| container acl-sets { |
| description |
| "Enclosing container for the list of ingress ACLs on the |
| interface."; |
| list acl-set { |
| key "name"; |
| ordered-by user; |
| description |
| "List of ingress ACLs on the interface."; |
| leaf name { |
| type leafref { |
| path "/acls/acl/name"; |
| } |
| description |
| "Reference to the ACL name applied on the ingress."; |
| } |
| list ace-statistics { |
| if-feature "interface-stats"; |
| key "name"; |
| config false; |
| description |
| "List of ACEs."; |
| leaf name { |
| type leafref { |
| path "/acls/acl/aces/ace/name"; |
| } |
| description |
| "Name of the ace entry."; |
| } |
| uses acl-counters; |
| } |
| } |
| } |
| } |
| |
| list interface { |
| if-feature "interface-attachment"; |
| key "interface-id"; |
| description |
| "List of interfaces on which ACLs are set."; |
| |
| leaf interface-id { |
| type if:interface-ref; |
| description |
| "Reference to the interface id list key."; |
| } |
| |
| container ingress { |
| uses interface-acl; |
| description |
| "The ACLs applied to the ingress interface."; |
| } |
| container egress { |
| uses interface-acl; |
| description |
| "The ACLs applied to the egress interface."; |
| } |
| } |
| } |
| } |
| } |