module openconfig-acl {

  // NOTE(review): this is YANG 1.0 (RFC 6020). Some of the XPath `when`
  // expressions below compare identityref values against bare strings;
  // see the note on the match-field containers in access-list-entries-top.
  yang-version "1";

  // namespace
  namespace "http://openconfig.net/yang/acl";

  prefix "oc-acl";

  // Match-field containers (L2/IPv4/IPv6/transport) come from
  // openconfig-packet-match; interface references from openconfig-interfaces.
  import openconfig-packet-match { prefix oc-match; }
  import openconfig-interfaces { prefix oc-if; }
  import openconfig-yang-types { prefix oc-yang; }
  import openconfig-extensions { prefix oc-ext; }

  // meta
  organization "OpenConfig working group";

  contact
    "OpenConfig working group
    www.openconfig.net";

  description
    "This module defines configuration and operational state
    data for network access control lists (i.e., filters, rules,
    etc.). ACLs are organized into ACL sets, with each set
    containing one or more ACL entries. ACL sets are identified
    by a unique name, while each entry within a set is assigned
    a sequence-id that determines the order in which the ACL
    rules are applied to a packet.

    Individual ACL rules specify match criteria based on fields in
    the packet, along with an action that defines how matching
    packets should be handled. Entries have a type that indicates
    the type of match criteria, e.g., MAC layer, IPv4, IPv6, etc.";

  oc-ext:openconfig-version "1.0.0";

  revision "2017-05-26" {
    description
      "Separated ACL entries by type";
    reference "1.0.0";
  }

  revision "2016-08-08" {
    description
      "OpenConfig public release";
    reference "0.2.0";
  }

  revision "2016-01-22" {
    description
      "Initial revision";
    reference "TBD";
  }


  // ACL set types. The type of a set determines which match-field
  // containers are valid on its entries (see the `when` statements in
  // access-list-entries-top).
  identity ACL_TYPE {
    description
      "Base identity for types of ACL sets";
  }

  identity ACL_IPV4 {
    base ACL_TYPE;
    description
      "IP-layer ACLs with IPv4 addresses";
  }

  identity ACL_IPV6 {
    base ACL_TYPE;
    description
      "IP-layer ACLs with IPv6 addresses";
  }

  identity ACL_L2 {
    base ACL_TYPE;
    description
      "MAC-layer ACLs";
  }

  // NOTE(review): in this revision no match-field container in
  // access-list-entries-top is gated on ACL_MIXED (only ACL_L2, ACL_IPV4
  // and ACL_IPV6 are), so an entry in an ACL_MIXED set carries no match
  // criteria at all. Together with the mandatory forwarding-action such an
  // entry would behave as a match-everything rule. Treat ACL_MIXED as
  // unsupported here unless the target documents otherwise.
  identity ACL_MIXED {
    base ACL_TYPE;
    description
      "Mixed-mode ACL that specifies L2 and L3 protocol
      fields. This ACL type is not implemented by many
      routing/switching devices.";
  }

  // ACL action type

  // NOTE(review): the model has no leaf for the implicit action applied to
  // packets that match no entry in a set (end-of-list default). That
  // behaviour is platform-specific and is not discoverable through this
  // module; operators who need fail-closed semantics should add an explicit
  // final DROP entry rather than rely on an implicit deny.
  identity FORWARDING_ACTION {
    description
      "Base identity for actions in the forwarding category";
  }

  identity ACCEPT {
    base FORWARDING_ACTION;
    description
      "Accept the packet";
  }

  identity DROP {
    base FORWARDING_ACTION;
    description
      "Drop packet without sending any ICMP error message";
  }

  // NOTE(review): REJECT produces a control-plane response per matched
  // packet. Whether that response is rate-limited is not modeled; confirm
  // on the target before using REJECT on untrusted-facing interfaces.
  identity REJECT {
    base FORWARDING_ACTION;
    description
      "Drop the packet and send an ICMP error message to the source";
  }

  identity LOG_ACTION {
    description
      "Base identity for defining the destination for logging
      actions";
  }

  // NOTE(review): no sampling or rate-limit knob for logging is modeled;
  // per-packet syslog on a high-rate match can load the control plane.
  // Confirm the target's logging rate limits before enabling on busy rules.
  identity LOG_SYSLOG {
    base LOG_ACTION;
    description
      "Log the packet in Syslog";
  }

  identity LOG_NONE {
    base LOG_ACTION;
    description
      "No logging";
  }

  // How the system reports ACL hit counters. This is operational state
  // only (see acl-state); it cannot be configured.
  identity ACL_COUNTER_CAPABILITY {
    description
      "Base identity for system to indicate how it is able to report
      counters";
  }

  identity INTERFACE_ONLY {
    base ACL_COUNTER_CAPABILITY;
    description
      "ACL counters are available and reported only per interface";
  }

  identity AGGREGATE_ONLY {
    base ACL_COUNTER_CAPABILITY;
    description
      "ACL counters are aggregated over all interfaces, and reported
      only per ACL entry";
  }

  identity INTERFACE_AGGREGATE {
    base ACL_COUNTER_CAPABILITY;
    description
      "ACL counters are reported per interface, and also aggregated
      and reported per ACL entry.";
  }

  // grouping statements

  // input interface
  // The config/state groupings are intentionally empty in this revision;
  // the actual interface reference comes from oc-if:interface-ref in
  // input-interface-top.
  grouping input-interface-config {
    description
      "Config of interface";

  }

  grouping input-interface-state {
    description
      "State information of interface";
  }

  // Match criterion: the interface a packet arrived on. Available on every
  // entry regardless of ACL type (no `when` gate).
  grouping input-interface-top {
    description
      "Input interface top level container";

    container input-interface {
      description
        "Input interface container";

      container config {
        description
          "Config data";
        uses input-interface-config;
      }

      container state {
        config false;
        description
          "State information";
        uses input-interface-config;
        uses input-interface-state;
      }

      uses oc-if:interface-ref;

    }
  }

  // Action Type
  grouping action-config {
    description
      "Config of action type";


    // mandatory: the schema rejects an entry with no forwarding action,
    // so an entry can never silently have "no effect".
    leaf forwarding-action {
      type identityref {
        base FORWARDING_ACTION;
      }
      mandatory true;
      description
        "Specifies the forwarding action. One forwarding action
        must be specified for each ACL entry";
    }

    // Defaults to LOG_NONE: dropped/rejected traffic leaves no log record
    // unless the operator explicitly sets LOG_SYSLOG on the entry.
    leaf log-action {
      type identityref {
        base LOG_ACTION;
      }
      default LOG_NONE;
      description
        "Specifies the log action and destination for
        matched packets. The default is not to log the
        packet.";
    }


  }

  grouping action-state {
    description
      "State information of action type";

  }

  grouping action-top {
    description
      "ACL action type top level container";

    container actions {
      description
        "Enclosing container for list of ACL actions associated
        with an entry";

      container config {
        description
          "Config data for ACL actions";
        uses action-config;
      }

      container state {
        config false;
        description
          "State information for ACL actions";
        uses action-config;
        uses action-state;
      }
    }
  }

  // Hit counters, reused both under the ACL set's entries and under the
  // per-interface entry list. counter64 values wrap; there is no
  // discontinuity-time leaf in this revision, so consumers (e.g. detection
  // pipelines computing rates) cannot distinguish a wrap from a reset --
  // treat decreases as a reset of unknown cause.
  grouping acl-counters-state {
    description
      "Common grouping for ACL counters";

    leaf matched-packets {
      type oc-yang:counter64;
      description
        "Count of the number of packets matching the current ACL
        entry.

        An implementation should provide this counter on a
        per-interface per-ACL-entry if possible.

        If an implementation only supports ACL counters per entry
        (i.e., not broken out per interface), then the value
        should be equal to the aggregate count across all interfaces.

        An implementation that provides counters per entry per
        interface is not required to also provide an aggregate count,
        e.g., per entry -- the user is expected to be able to implement
        the required aggregation if such a count is needed.";
    }

    leaf matched-octets {
      type oc-yang:counter64;
      description
        "Count of the number of octets (bytes) matching the current
        ACL entry.

        An implementation should provide this counter on a
        per-interface per-ACL-entry if possible.

        If an implementation only supports ACL counters per entry
        (i.e., not broken out per interface), then the value
        should be equal to the aggregate count across all interfaces.

        An implementation that provides counters per entry per
        interface is not required to also provide an aggregate count,
        e.g., per entry -- the user is expected to be able to implement
        the required aggregation if such a count is needed.";
    }

  }

  // Access List Entries
  grouping access-list-entries-config {
    description
      "Access List Entries (ACE) config.";

    // Uniqueness is enforced by the list key in access-list-entries-top.
    // Evaluation order is numeric on this value; gaps are allowed. The
    // acl-entry list is ordered-by system (YANG default), so the order
    // entries appear on the wire carries no meaning.
    leaf sequence-id {
      type uint32;
      description
        "The sequence id determines the order in which ACL entries
        are applied. The sequence id must be unique for each entry
        in an ACL set. Target devices should apply the ACL entry
        rules in the order determined by sequence id, rather than
        relying only on order in the list.";
    }

    // Free-form operator text with no length restriction in the model;
    // deployments that surface it through other APIs may want a bound.
    leaf description {
      type string;
      description
        "A user-defined description, or comment, for this Access List
        Entry.";
    }

  }

  grouping access-list-entries-state {
    description
      "Access List Entries state.";

    uses acl-counters-state;

  }

  grouping access-list-entries-top {
    description
      "Access list entries top level container";

    container acl-entries {
      description
        "Access list entries container";

      list acl-entry {
        key "sequence-id";
        description
          "List of ACL entries comprising an ACL set";

        leaf sequence-id {
          type leafref {
            path "../config/sequence-id";
          }
          description
            "references the list key";
        }

        container config {
          description
            "Access list entries config";
          uses access-list-entries-config;
        }

        container state {
          config false;
          description
            "State information for ACL entries";
          uses access-list-entries-config;
          uses access-list-entries-state;
        }

        // Each match-field container is gated on the enclosing set's
        // config/type (../../ from acl-entry reaches acl-set).
        //
        // NOTE(review): two points to confirm on the target toolchain:
        //  (1) the comparisons are against the bare strings 'ACL_L2',
        //      'ACL_IPV4', 'ACL_IPV6'. How an identityref stringifies in
        //      XPath is not uniform across YANG 1.0 implementations (some
        //      expect the prefixed form 'oc-acl:ACL_L2'); if the gate never
        //      evaluates true, the match containers are rejected as invalid
        //      -- fail-closed, but configuration will not load.
        //  (2) no container is gated on ACL_MIXED, so entries in an
        //      ACL_MIXED set have no match criteria (see ACL_MIXED above).
        uses oc-match:ethernet-header-top {
          when "../../config/type='ACL_L2'" {
            description
              "MAC-layer fields are valid when the ACL type is L2";
          }
        }
        uses oc-match:ipv4-protocol-fields-top {
          when "../../config/type='ACL_IPV4'" {
            description
              "IPv4-layer fields are valid when the ACL type is
              IPv4";
          }
        }
        uses oc-match:ipv6-protocol-fields-top {
          when "../../config/type='ACL_IPV6'" {
            description
              "IPv6-layer fields are valid when the ACL type is
              IPv6";
          }
        }
        uses oc-match:transport-fields-top {
          when "../../config/type='ACL_IPV6' or " +
            "../../config/type='ACL_IPV4'" {
            description
              "Transport-layer fields are valid when specifying
              L3 ACL types";
          }
        }
        // Not gated: valid for every ACL type.
        uses input-interface-top;

        uses action-top;
      }
    }
  }

  grouping acl-set-config {
    description
      "Access Control List config";

    // name and type together form the acl-set key, so two sets may share
    // a name as long as their types differ; every reference to a set
    // elsewhere in this module therefore carries both (set-name, type).
    leaf name {
      type string;
      description
        "The name of the access-list set";
    }

    leaf type {
      type identityref {
        base ACL_TYPE;
      }
      description
        "The type determines the fields allowed in the ACL entries
        belonging to the ACL set (e.g., IPv4, IPv6, etc.)";
    }

    leaf description {
      type string;
      description
        "Description, or comment, for the ACL set";
    }

  }

  grouping acl-set-state {
    description
      "Access Control List state";
  }

  grouping acl-set-top {
    description
      "Access list entries variables top level container";

    container acl-sets {
      description
        "Access list entries variables enclosing container";

      list acl-set {
        key "name type";
        description
          "List of ACL sets, each comprising a list of ACL
          entries";

        leaf name {
          type leafref {
            path "../config/name";
          }
          description
            "Reference to the name list key";
        }

        leaf type {
          type leafref {
            path "../config/type";
          }
          description
            "Reference to the type list key";
        }

        container config {
          description
            "Access list config";
          uses acl-set-config;
        }

        container state {
          config false;
          description
            "Access list state information";
          uses acl-set-config;
          uses acl-set-state;
        }
        uses access-list-entries-top;
      }
    }
  }

  // Empty in this revision: the per-interface entry list is read-only
  // (see interface-acl-entries-top), so there is nothing to configure here.
  grouping interface-acl-entries-config {
    description
      "Configuration data for per-interface ACLs";

  }

  grouping interface-acl-entries-state {
    description
      "Operational state data for per-interface ACL entries";

    // Resolves to the entry in the bound ACL set. From state/sequence-id,
    // ../../../../ walks state -> acl-entry -> acl-entries -> the
    // ingress-acl-set / egress-acl-set list entry, whose set-name and type
    // keys select the acl-set.
    leaf sequence-id {
      type leafref {
        path "/acl/acl-sets/" +
          "acl-set[name=current()/../../../../set-name]" +
          "[type=current()/../../../../type]/" +
          "acl-entries/acl-entry/sequence-id";
      }
      description
        "Reference to an entry in the ACL set applied to an
        interface";
    }

    uses acl-counters-state;

  }

  // Read-only view of the entries of a set as applied on one interface,
  // mainly to expose per-interface hit counters.
  grouping interface-acl-entries-top {
    description
      "Top-level grouping for per-interface ACL entries";

    container acl-entries {
      config false;
      description
        "Enclosing container for list of references to ACLs";

      list acl-entry {
        key "sequence-id";
        description
          "List of ACL entries assigned to an interface";

        leaf sequence-id {
          type leafref {
            path "../state/sequence-id";
          }
          description
            "Reference to per-interface acl entry key";
        }

        // no config container since the enclosing container is
        // read-only

        container state {

          config false;

          description
            "Operational state data for per-interface ACL entries";

          uses interface-acl-entries-config;
          uses interface-acl-entries-state;
        }
      }
    }
  }

  grouping interface-ingress-acl-config {
    description
      "Configuration data for per-interface ingress ACLs";

    // ../../../../../../ from config/set-name walks config ->
    // ingress-acl-set -> ingress-acl-sets -> interface -> interfaces ->
    // acl, so the leafref is constrained to sets defined under /acl/acl-sets.
    leaf set-name {
      type leafref {
        path "../../../../../../acl-sets/acl-set/config/name";
      }
      description
        "Reference to the ACL set name applied on ingress";
    }

    // The predicate ties type to the chosen set-name, so a binding cannot
    // name a (name, type) pair that does not exist as an acl-set.
    leaf type {
      type leafref {
        path "../../../../../../acl-sets/acl-set[name=current()/../set-name]" +
          "/config/type";
      }
      description
        "Reference to the ACL set type applied on ingress";
    }
  }

  grouping interface-ingress-acl-state {
    description
      "Operational state data for the per-interface ingress ACL";
  }

  // NOTE(review): several sets (of different types) may be bound to one
  // interface in the same direction. The model does not specify the order
  // in which multiple bound sets are evaluated; confirm on the target.
  grouping interface-ingress-acl-top {
    description
      "Top-level grouping for per-interface ingress ACL data";

    container ingress-acl-sets {
      description
        "Enclosing container for the list of ingress ACLs on the
        interface";

      list ingress-acl-set {
        key "set-name type";
        description
          "List of ingress ACLs on the interface";

        leaf set-name {
          type leafref {
            path "../config/set-name";
          }
          description
            "Reference to set name list key";
        }

        leaf type {
          type leafref {
            path "../config/type";
          }
          description
            "Reference to type list key";
        }

        container config {
          description
            "Configuration data ";

          uses interface-ingress-acl-config;
        }

        container state {

          config false;

          description
            "Operational state data for interface ingress ACLs";

          uses interface-ingress-acl-config;
          uses interface-ingress-acl-state;
        }

        uses interface-acl-entries-top;
      }
    }
  }

  grouping interface-egress-acl-config {
    description
      "Configuration data for per-interface egress ACLs";

    // Same relative-path construction as the ingress grouping; see
    // interface-ingress-acl-config.
    leaf set-name {
      type leafref {
        path "../../../../../../acl-sets/acl-set/config/name";
      }
      description
        "Reference to the ACL set name applied on egress";
    }

    leaf type {
      type leafref {
        path "../../../../../../acl-sets/acl-set[name=current()/../set-name]" +
          "/config/type";
      }
      description
        "Reference to the ACL set type applied on egress.";
    }
  }

  grouping interface-egress-acl-state {
    description
      "Operational state data for the per-interface egress ACL";
  }

  grouping interface-egress-acl-top {
    description
      "Top-level grouping for per-interface egress ACL data";

    container egress-acl-sets {
      description
        "Enclosing container for the list of egress ACLs on the
        interface";

      list egress-acl-set {
        key "set-name type";
        description
          "List of egress ACLs on the interface";

        leaf set-name {
          type leafref {
            path "../config/set-name";
          }
          description
            "Reference to set name list key";
        }

        leaf type {
          type leafref {
            path "../config/type";
          }
          description
            "Reference to type list key";
        }

        container config {
          description
            "Configuration data ";

          uses interface-egress-acl-config;
        }

        container state {

          config false;

          description
            "Operational state data for interface egress ACLs";

          uses interface-egress-acl-config;
          uses interface-egress-acl-state;
        }

        uses interface-acl-entries-top;
      }
    }
  }

  grouping acl-interfaces-config {
    description
      "Configuration data for interface references";

    // `id` is only the list key / label chosen by the operator; nothing in
    // this module validates it against the interface list. The binding to
    // a real interface is the oc-if:interface-ref used in acl-interfaces-top,
    // so do not rely on `id` alone when auditing which ACL is on which port.
    leaf id {
      type oc-if:interface-id;
      description
        "User-defined identifier for the interface -- a common
        convention could be '<if name>.<subif index>'";
    }
  }

  grouping acl-interfaces-state {
    description
      "Operational state data for interface references";
  }

  grouping acl-interfaces-top {
    description
      "Top-level grouping for interface-specific ACL data";

    container interfaces {
      description
        "Enclosing container for the list of interfaces on which
        ACLs are set";

      list interface {
        key "id";
        description
          "List of interfaces on which ACLs are set";

        leaf id {
          type leafref {
            path "../config/id";
          }
          description
            "Reference to the interface id list key";
        }

        container config {
          description
            "Configuration for ACL per-interface data";

          uses acl-interfaces-config;
        }

        container state {

          config false;

          description
            "Operational state for ACL per-interface data";

          uses acl-interfaces-config;
          uses acl-interfaces-state;
        }

        // Authoritative link to the interface/subinterface being filtered.
        uses oc-if:interface-ref;
        uses interface-ingress-acl-top;
        uses interface-egress-acl-top;
      }
    }
  }

  // Empty in this revision: there is no global ACL configuration (e.g. no
  // global default action); see the note on FORWARDING_ACTION.
  grouping acl-config {
    description
      "Global configuration data for ACLs";
  }

  grouping acl-state {
    description
      "Global operational state data for ACLs";

    // Tells a consumer whether per-interface counters or only aggregate
    // counters can be expected from this target (see
    // ACL_COUNTER_CAPABILITY).
    leaf counter-capability {
      type identityref {
        base ACL_COUNTER_CAPABILITY;
      }
      description
        "System reported indication of how ACL counters are reported
        by the target";
    }
  }
  grouping acl-top {
    description
      "Top level grouping for ACL data and structure";

    container acl {
      description
        "Top level enclosing container for ACL model config
        and operational state data";

      container config {
        description
          "Global config data for ACLs";

        uses acl-config;
      }

      container state {

        config false;

        description
          "Global operational state data for ACLs";

        uses acl-config;
        uses acl-state;
      }

      uses acl-set-top;
      uses acl-interfaces-top;
    }
  }

  // data definition statements
  uses acl-top;

  // augment statements


}