Gitiles
Code Review Sign In
gerrit.cesnet.cz / CzechLight / velia / b5fa10b532334f5070061a96a1c43fc849cf649c / . / yang / ietf-access-control-list@2019-03-04.yang
blob: 8bb0b626144bde08d3cfd421f83ab6f2e27268b4 [file] [log] [blame]
Václav Kubernát637fe802021-01-22 02:43:18 +0100[diff] [blame]1module ietf-access-control-list {
2 yang-version 1.1;
3 namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
4 prefix acl;
5
6 import ietf-yang-types {
7 prefix yang;
8 reference
9 "RFC 6991 - Common YANG Data Types.";
10 }
11
12 import ietf-packet-fields {
13 prefix pf;
14 reference
15 "RFC 8519 - YANG Data Model for Network Access Control
16 Lists (ACLs).";
17 }
18
19 import ietf-interfaces {
20 prefix if;
21 reference
22 "RFC 8343 - A YANG Data Model for Interface Management.";
23 }
24
25 organization
26 "IETF NETMOD (Network Modeling) Working Group.";
27
28 contact
29 "WG Web: <https://datatracker.ietf.org/wg/netmod/>
30 WG List: netmod@ietf.org
31
32 Editor: Mahesh Jethanandani
33 mjethanandani@gmail.com
34 Editor: Lisa Huang
35 huangyi_99@yahoo.com
36 Editor: Sonal Agarwal
37 sagarwal12@gmail.com
38 Editor: Dana Blair
39 dana@blairhome.com";
40
41 description
42 "This YANG module defines a component that describes the
43 configuration and monitoring of Access Control Lists (ACLs).
44
45 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
46 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
47 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
48 are to be interpreted as described in BCP 14 (RFC 2119)
49 (RFC 8174) when, and only when, they appear in all
50 capitals, as shown here.
51
52 Copyright (c) 2019 IETF Trust and the persons identified as
53 the document authors. All rights reserved.
54
55 Redistribution and use in source and binary forms, with or
56 without modification, is permitted pursuant to, and subject
57 to the license terms contained in, the Simplified BSD
58 License set forth in Section 4.c of the IETF Trust's Legal
59 Provisions Relating to IETF Documents
60 (http://trustee.ietf.org/license-info).
61
62 This version of this YANG module is part of RFC 8519; see
63 the RFC itself for full legal notices.";
64
65 revision 2019-03-04 {
66 description
67 "Initial version.";
68 reference
69 "RFC 8519: YANG Data Model for Network Access Control
70 Lists (ACLs).";
71 }
72
73 /*
74 * Identities
75 */
76 /*
77 * Forwarding actions for a packet
78 */
79
80 identity forwarding-action {
81 description
82 "Base identity for actions in the forwarding category.";
83 }
84
85 identity accept {
86 base forwarding-action;
87 description
88 "Accept the packet.";
89 }
90
91 identity drop {
92 base forwarding-action;
93 description
94 "Drop packet without sending any ICMP error message.";
95 }
96
97 identity reject {
98 base forwarding-action;
99 description
100 "Drop the packet and send an ICMP error message to the source.";
101 }
102
103 /*
104 * Logging actions for a packet
105 */
106
107 identity log-action {
108 description
109 "Base identity for defining the destination for logging
110 actions.";
111 }
112
113 identity log-syslog {
114 base log-action;
115 description
116 "System log (syslog) the information for the packet.";
117 }
118 identity log-none {
119 base log-action;
120 description
121 "No logging for the packet.";
122 }
123
124 /*
125 * ACL type identities
126 */
127
128 identity acl-base {
129 description
130 "Base Access Control List type for all Access Control List type
131 identifiers.";
132 }
133
134 identity ipv4-acl-type {
135 base acl:acl-base;
136 if-feature "ipv4";
137 description
138 "An ACL that matches on fields from the IPv4 header
139 (e.g., IPv4 destination address) and Layer 4 headers (e.g., TCP
140 destination port). An ACL of type ipv4 does not contain
141 matches on fields in the Ethernet header or the IPv6 header.";
142 }
143
144 identity ipv6-acl-type {
145 base acl:acl-base;
146 if-feature "ipv6";
147 description
148 "An ACL that matches on fields from the IPv6 header
149 (e.g., IPv6 destination address) and Layer 4 headers (e.g., TCP
150 destination port). An ACL of type ipv6 does not contain
151 matches on fields in the Ethernet header or the IPv4 header.";
152 }
153
154 identity eth-acl-type {
155 base acl:acl-base;
156 if-feature "eth";
157 description
158 "An ACL that matches on fields in the Ethernet header,
159 like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL
160 of type ethernet does not contain matches on fields in the
161 IPv4 header, the IPv6 header, or Layer 4 headers.";
162 }
163
164 identity mixed-eth-ipv4-acl-type {
165 base acl:eth-acl-type;
166 base acl:ipv4-acl-type;
167 if-feature "mixed-eth-ipv4";
168 description
169 "An ACL that contains a mix of entries that match
170 on fields in Ethernet headers and in IPv4 headers.
171 Matching on Layer 4 header fields may also exist in the
172 list.";
173 }
174
175 identity mixed-eth-ipv6-acl-type {
176 base acl:eth-acl-type;
177 base acl:ipv6-acl-type;
178 if-feature "mixed-eth-ipv6";
179 description
180 "An ACL that contains a mix of entries that match on fields
181 in Ethernet headers and in IPv6 headers. Matching
182 on Layer 4 header fields may also exist in the list.";
183 }
184
185 identity mixed-eth-ipv4-ipv6-acl-type {
186 base acl:eth-acl-type;
187 base acl:ipv4-acl-type;
188 base acl:ipv6-acl-type;
189 if-feature "mixed-eth-ipv4-ipv6";
190 description
191 "An ACL that contains a mix of entries that
192 match on fields in Ethernet headers, IPv4 headers, and IPv6
193 headers. Matching on Layer 4 header fields may also exist
194 in the list.";
195 }
196
197 /*
198 * Features
199 */
200
201 /*
202 * Features supported by device
203 */
204 feature match-on-eth {
205 description
206 "The device can support matching on Ethernet headers.";
207 }
208
209 feature match-on-ipv4 {
210 description
211 "The device can support matching on IPv4 headers.";
212 }
213
214 feature match-on-ipv6 {
215 description
216 "The device can support matching on IPv6 headers.";
217 }
218
219 feature match-on-tcp {
220 description
221 "The device can support matching on TCP headers.";
222 }
223
224 feature match-on-udp {
225 description
226 "The device can support matching on UDP headers.";
227 }
228
229 feature match-on-icmp {
230 description
231 "The device can support matching on ICMP (v4 and v6) headers.";
232 }
233
234 /*
235 * Header classifications combinations supported by
236 * device
237 */
238
239 feature eth {
240 if-feature "match-on-eth";
241 description
242 "Plain Ethernet ACL supported.";
243 }
244
245 feature ipv4 {
246 if-feature "match-on-ipv4";
247 description
248 "Plain IPv4 ACL supported.";
249 }
250
251 feature ipv6 {
252 if-feature "match-on-ipv6";
253 description
254 "Plain IPv6 ACL supported.";
255 }
256
257 feature mixed-eth-ipv4 {
258 if-feature "match-on-eth and match-on-ipv4";
259 description
260 "Ethernet and IPv4 ACL combinations supported.";
261 }
262 feature mixed-eth-ipv6 {
263 if-feature "match-on-eth and match-on-ipv6";
264 description
265 "Ethernet and IPv6 ACL combinations supported.";
266 }
267
268 feature mixed-eth-ipv4-ipv6 {
269 if-feature
270 "match-on-eth and match-on-ipv4
271 and match-on-ipv6";
272 description
273 "Ethernet, IPv4, and IPv6 ACL combinations supported.";
274 }
275
276 /*
277 * Stats Features
278 */
279 feature interface-stats {
280 description
281 "ACL counters are available and reported only per interface.";
282 }
283
284 feature acl-aggregate-stats {
285 description
286 "ACL counters are aggregated over all interfaces and reported
287 only per ACL entry.";
288 }
289
290 /*
291 * Attachment point features
292 */
293 feature interface-attachment {
294 description
295 "ACLs are set on interfaces.";
296 }
297
298 /*
299 * Typedefs
300 */
301 typedef acl-type {
302 type identityref {
303 base acl-base;
304 }
305 description
306 "This type is used to refer to an ACL type.";
307 }
308
309 /*
310 * Groupings
311 */
312 grouping acl-counters {
313 description
314 "Common grouping for ACL counters.";
315 leaf matched-packets {
316 type yang:counter64;
317 config false;
318 description
319 "Count of the number of packets matching the current ACL
320 entry.
321
322 An implementation should provide this counter on a
323 per-interface, per-ACL-entry basis if possible.
324
325 If an implementation only supports ACL counters on a per-
326 entry basis (i.e., not broken out per interface), then the
327 value should be equal to the aggregate count across all
328 interfaces.
329
330 An implementation that provides counters on a per-entry, per-
331 interface basis is not required to also provide an aggregate
332 count, e.g., per entry -- the user is expected to be able to
333 implement the required aggregation if such a count is
334 needed.";
335 }
336
337 leaf matched-octets {
338 type yang:counter64;
339 config false;
340 description
341 "Count of the number of octets (bytes) matching the current
342 ACL entry.
343
344 An implementation should provide this counter on a
345 per-interface, per-ACL-entry basis if possible.
346
347 If an implementation only supports ACL counters per entry
348 (i.e., not broken out per interface), then the value
349 should be equal to the aggregate count across all interfaces.
350
351 An implementation that provides counters per entry per
352 interface is not required to also provide an aggregate count,
353 e.g., per entry -- the user is expected to be able to
354 implement the required aggregation if such a count is needed.";
355 }
356 }
357
358 /*
359 * Configuration and monitoring data nodes
360 */
361
362 container acls {
363 description
364 "This is a top-level container for Access Control Lists.
365 It can have one or more acl nodes.";
366 list acl {
367 key "name";
368 description
369 "An ACL is an ordered list of ACEs. Each ACE has a
370 list of match criteria and a list of actions.
371 Since there are several kinds of ACLs implemented
372 with different attributes for different vendors,
373 this model accommodates customizing ACLs for
374 each kind and for each vendor.";
375 leaf name {
376 type string {
377 length "1..64";
378 }
379 description
380 "The name of the access list. A device MAY further
381 restrict the length of this name; space and special
382 characters are not allowed.";
383 }
384 leaf type {
385 type acl-type;
386 description
387 "Type of ACL. Indicates the primary intended
388 type of match criteria (e.g., Ethernet, IPv4, IPv6, mixed,
389 etc.) used in the list instance.";
390 }
391 container aces {
392 description
393 "The aces container contains one or more ACE nodes.";
394 list ace {
395 key "name";
396 ordered-by user;
397 description
398 "List of ACEs.";
399 leaf name {
400 type string {
401 length "1..64";
402 }
403 description
404 "A unique name identifying this ACE.";
405 }
406 container matches {
407 description
408 "The rules in this set determine what fields will be
409 matched upon before any action is taken on them.
410 The rules are selected based on the feature set
411 defined by the server and the acl-type defined.
412 If no matches are defined in a particular container,
413 then any packet will match that container. If no
414 matches are specified at all in an ACE, then any
415 packet will match the ACE.";
416
417 choice l2 {
418 container eth {
419 when "derived-from-or-self(/acls/acl/type, "
420 + "'acl:eth-acl-type')";
421 if-feature "match-on-eth";
422 uses pf:acl-eth-header-fields;
423 description
424 "Rule set that matches Ethernet headers.";
425 }
426 description
427 "Match Layer 2 headers, for example, Ethernet
428 header fields.";
429 }
430
431 choice l3 {
432 container ipv4 {
433 when "derived-from-or-self(/acls/acl/type, "
434 + "'acl:ipv4-acl-type')";
435 if-feature "match-on-ipv4";
436 uses pf:acl-ip-header-fields;
437 uses pf:acl-ipv4-header-fields;
438 description
439 "Rule set that matches IPv4 headers.";
440 }
441
442 container ipv6 {
443 when "derived-from-or-self(/acls/acl/type, "
444 + "'acl:ipv6-acl-type')";
445 if-feature "match-on-ipv6";
446 uses pf:acl-ip-header-fields;
447 uses pf:acl-ipv6-header-fields;
448 description
449 "Rule set that matches IPv6 headers.";
450 }
451 description
452 "Choice of either IPv4 or IPv6 headers";
453 }
454 choice l4 {
455 container tcp {
456 if-feature "match-on-tcp";
457 uses pf:acl-tcp-header-fields;
458 container source-port {
459 choice source-port {
460 case range-or-operator {
461 uses pf:port-range-or-operator;
462 description
463 "Source port definition from range or
464 operator.";
465 }
466 description
467 "Choice of source port definition using
468 range/operator or a choice to support future
469 'case' statements, such as one enabling a
470 group of source ports to be referenced.";
471 }
472 description
473 "Source port definition.";
474 }
475 container destination-port {
476 choice destination-port {
477 case range-or-operator {
478 uses pf:port-range-or-operator;
479 description
480 "Destination port definition from range or
481 operator.";
482 }
483 description
484 "Choice of destination port definition using
485 range/operator or a choice to support future
486 'case' statements, such as one enabling a
487 group of destination ports to be referenced.";
488 }
489 description
490 "Destination port definition.";
491 }
492 description
493 "Rule set that matches TCP headers.";
494 }
495
496 container udp {
497 if-feature "match-on-udp";
498 uses pf:acl-udp-header-fields;
499 container source-port {
500 choice source-port {
501 case range-or-operator {
502 uses pf:port-range-or-operator;
503 description
504 "Source port definition from range or
505 operator.";
506 }
507 description
508 "Choice of source port definition using
509 range/operator or a choice to support future
510 'case' statements, such as one enabling a
511 group of source ports to be referenced.";
512 }
513 description
514 "Source port definition.";
515 }
516 container destination-port {
517 choice destination-port {
518 case range-or-operator {
519 uses pf:port-range-or-operator;
520 description
521 "Destination port definition from range or
522 operator.";
523 }
524 description
525 "Choice of destination port definition using
526 range/operator or a choice to support future
527 'case' statements, such as one enabling a
528 group of destination ports to be referenced.";
529 }
530 description
531 "Destination port definition.";
532 }
533 description
534 "Rule set that matches UDP headers.";
535 }
536
537 container icmp {
538 if-feature "match-on-icmp";
539 uses pf:acl-icmp-header-fields;
540 description
541 "Rule set that matches ICMP headers.";
542 }
543 description
544 "Choice of TCP, UDP, or ICMP headers.";
545 }
546
547 leaf egress-interface {
548 type if:interface-ref;
549 description
550 "Egress interface. This should not be used if this ACL
551 is attached as an egress ACL (or the value should
552 equal the interface to which the ACL is attached).";
553 }
554
555 leaf ingress-interface {
556 type if:interface-ref;
557 description
558 "Ingress interface. This should not be used if this ACL
559 is attached as an ingress ACL (or the value should
560 equal the interface to which the ACL is attached).";
561 }
562 }
563
564 container actions {
565 description
566 "Definition of actions for this ace entry.";
567 leaf forwarding {
568 type identityref {
569 base forwarding-action;
570 }
571 mandatory true;
572 description
573 "Specifies the forwarding action per ace entry.";
574 }
575
576 leaf logging {
577 type identityref {
578 base log-action;
579 }
580 default "log-none";
581 description
582 "Specifies the log action and destination for
583 matched packets. Default value is not to log the
584 packet.";
585 }
586 }
587 container statistics {
588 if-feature "acl-aggregate-stats";
589 config false;
590 description
591 "Statistics gathered across all attachment points for the
592 given ACL.";
593 uses acl-counters;
594 }
595 }
596 }
597 }
598 container attachment-points {
599 description
600 "Enclosing container for the list of
601 attachment points on which ACLs are set.";
602 /*
603 * Groupings
604 */
605 grouping interface-acl {
606 description
607 "Grouping for per-interface ingress ACL data.";
608 container acl-sets {
609 description
610 "Enclosing container for the list of ingress ACLs on the
611 interface.";
612 list acl-set {
613 key "name";
614 ordered-by user;
615 description
616 "List of ingress ACLs on the interface.";
617 leaf name {
618 type leafref {
619 path "/acls/acl/name";
620 }
621 description
622 "Reference to the ACL name applied on the ingress.";
623 }
624 list ace-statistics {
625 if-feature "interface-stats";
626 key "name";
627 config false;
628 description
629 "List of ACEs.";
630 leaf name {
631 type leafref {
632 path "/acls/acl/aces/ace/name";
633 }
634 description
635 "Name of the ace entry.";
636 }
637 uses acl-counters;
638 }
639 }
640 }
641 }
642
643 list interface {
644 if-feature "interface-attachment";
645 key "interface-id";
646 description
647 "List of interfaces on which ACLs are set.";
648
649 leaf interface-id {
650 type if:interface-ref;
651 description
652 "Reference to the interface id list key.";
653 }
654
655 container ingress {
656 uses interface-acl;
657 description
658 "The ACLs applied to the ingress interface.";
659 }
660 container egress {
661 uses interface-acl;
662 description
663 "The ACLs applied to the egress interface.";
664 }
665 }
666 }
667 }
668}