blob: 9e2a08a514a8d27496935c0d4d6fd5ae608a7a16 [file] [log] [blame]
Thomas Vachuska6655bee2017-08-24 16:12:59 -07001module openconfig-routing-policy {
2
3 yang-version "1";
4
5 // namespace
6 namespace "http://openconfig.net/yang/routing-policy";
7
8 prefix "oc-rpol";
9
10 // import some basic types
11 import openconfig-inet-types { prefix oc-inet; }
12 import openconfig-interfaces { prefix oc-if; }
13 import openconfig-policy-types { prefix oc-pol-types; }
14 import openconfig-extensions { prefix oc-ext; }
15
16 // meta
17 organization
18 "OpenConfig working group";
19
20 contact
21 "OpenConfig working group
22 netopenconfig@googlegroups.com";
23
24 description
25 "This module describes a YANG model for routing policy
26 configuration. It is a limited subset of all of the policy
27 configuration parameters available in the variety of vendor
28 implementations, but supports widely used constructs for managing
29 how routes are imported, exported, and modified across different
30 routing protocols. This module is intended to be used in
31 conjunction with routing protocol configuration models (e.g.,
32 BGP) defined in other modules.
33
34 Route policy expression:
35
36 Policies are expressed as a set of top-level policy definitions,
37 each of which consists of a sequence of policy statements. Policy
38 statements consist of simple condition-action tuples. Conditions
39 may include mutiple match or comparison operations, and similarly
40 actions may be multitude of changes to route attributes or a
41 final disposition of accepting or rejecting the route.
42
43 Route policy evaluation:
44
45 Policy definitions are referenced in routing protocol
46 configurations using import and export configuration statements.
47 The arguments are members of an ordered list of named policy
48 definitions which comprise a policy chain, and optionally, an
49 explicit default policy action (i.e., reject or accept).
50
51 Evaluation of each policy definition proceeds by evaluating its
52 corresponding individual policy statements in order. When a
53 condition statement in a policy statement is satisfied, the
54 corresponding action statement is executed. If the action
55 statement has either accept-route or reject-route actions, policy
56 evaluation of the current policy definition stops, and no further
57 policy definitions in the chain are evaluated.
58
59 If the condition is not satisfied, then evaluation proceeds to
60 the next policy statement. If none of the policy statement
61 conditions are satisfied, then evaluation of the current policy
62 definition stops, and the next policy definition in the chain is
63 evaluated. When the end of the policy chain is reached, the
64 default route disposition action is performed (i.e., reject-route
65 unless an an alternate default action is specified for the
66 chain).
67
68 Policy 'subroutines' (or nested policies) are supported by
69 allowing policy statement conditions to reference another policy
70 definition which applies conditions and actions from the
71 referenced policy before returning to the calling policy
72 statement and resuming evaluation. If the called policy
73 results in an accept-route (either explicit or by default), then
74 the subroutine returns an effective true value to the calling
75 policy. Similarly, a reject-route action returns false. If the
76 subroutine returns true, the calling policy continues to evaluate
77 the remaining conditions (using a modified route if the
78 subroutine performed any changes to the route).";
79
80 oc-ext:openconfig-version "3.0.0";
81
82 revision "2017-07-14" {
83 description
84 "Replace policy choice node/type with policy-result
85 enumeration;simplified defined set naming;removed generic
86 IGP actions; migrate to OpenConfig types; added mode for
87 prefix sets";
88 reference "3.0.0";
89 }
90
91 revision "2016-05-12" {
92 description
93 "OpenConfig public release";
94 reference "2.0.1";
95 }
96
97
98 // typedef statements
99
100 typedef default-policy-type {
101 // this typedef retained for name compatibiity with default
102 // import and export policy
103 type enumeration {
104 enum ACCEPT_ROUTE {
105 description
106 "Default policy to accept the route";
107 }
108 enum REJECT_ROUTE {
109 description
110 "Default policy to reject the route";
111 }
112 }
113 description
114 "Type used to specify route disposition in
115 a policy chain";
116 }
117
118 typedef policy-result-type {
119 type enumeration {
120 enum ACCEPT_ROUTE {
121 description "Policy accepts the route";
122 }
123 enum REJECT_ROUTE {
124 description "Policy rejects the route";
125 }
126 }
127 description
128 "Type used to specify route disposition in
129 a policy chain";
130 }
131
132
133 // grouping statements
134
135 grouping prefix-set-config {
136 description
137 "Configuration data for prefix sets used in policy
138 definitions.";
139
140 leaf name {
141 type string;
142 description
143 "name / label of the prefix set -- this is used to
144 reference the set in match conditions";
145 }
146
147 leaf mode {
148 type enumeration {
149 enum IPV4 {
150 description
151 "Prefix set contains IPv4 prefixes only";
152 }
153 enum IPV6 {
154 description
155 "Prefix set contains IPv6 prefixes only";
156 }
157 enum MIXED {
158 description
159 "Prefix set contains mixed IPv4 and IPv6 prefixes";
160 }
161 }
162 description
163 "Indicates the mode of the prefix set, in terms of which
164 address families (IPv4, IPv6, or both) are present. The
165 mode provides a hint, but the device must validate that all
166 prefixes are of the indicated type, and is expected to
167 reject the configuration if there is a discrepancy. The
168 MIXED mode may not be supported on devices that require
169 prefix sets to be of only one address family.";
170 }
171
172 }
173
174 grouping prefix-set-state {
175 description
176 "Operational state data for prefix sets";
177 }
178
179 grouping prefix-set-top {
180 description
181 "Top-level data definitions for a list of IPv4 or IPv6
182 prefixes which are matched as part of a policy";
183
184 container prefix-sets {
185 description
186 "Enclosing container ";
187
188 list prefix-set {
189 key "name";
190 description
191 "List of the defined prefix sets";
192
193 leaf name {
194 type leafref {
195 path "../config/name";
196 }
197 description
198 "Reference to prefix name list key";
199 }
200
201 container config {
202 description
203 "Configuration data for prefix sets";
204
205 uses prefix-set-config;
206 }
207
208 container state {
209
210 config false;
211
212 description
213 "Operational state data ";
214
215 uses prefix-set-config;
216 uses prefix-set-state;
217 }
218
219 uses prefix-top;
220 }
221 }
222 }
223
224 grouping prefix-config {
225 description
226 "Configuration data for a prefix definition";
227
228 leaf ip-prefix {
229 type oc-inet:ip-prefix;
230 mandatory true;
231 description
232 "The prefix member in CIDR notation -- while the
233 prefix may be either IPv4 or IPv6, most
234 implementations require all members of the prefix set
235 to be the same address family. Mixing address types in
236 the same prefix set is likely to cause an error.";
237 }
238
239 leaf masklength-range {
240 type string {
241 pattern '^([0-9]+\.\.[0-9]+)|exact$';
242 }
243 description
244 "Defines a range for the masklength, or 'exact' if
245 the prefix has an exact length.
246
247 Example: 10.3.192.0/21 through 10.3.192.0/24 would be
248 expressed as prefix: 10.3.192.0/21,
249 masklength-range: 21..24.
250
251 Example: 10.3.192.0/21 would be expressed as
252 prefix: 10.3.192.0/21,
253 masklength-range: exact";
254 }
255 }
256
257 grouping prefix-state {
258 description
259 "Operational state data for prefix definitions";
260 }
261
262 grouping prefix-top {
263 description
264 "Top-level grouping for prefixes in a prefix list";
265
266 container prefixes {
267 description
268 "Enclosing container for the list of prefixes in a policy
269 prefix list";
270
271 list prefix {
272 key "ip-prefix masklength-range";
273 description
274 "List of prefixes in the prefix set";
275
276 leaf ip-prefix {
277 type leafref {
278 path "../config/ip-prefix";
279 }
280 description
281 "Reference to the ip-prefix list key.";
282 }
283
284 leaf masklength-range {
285 type leafref {
286 path "../config/masklength-range";
287 }
288 description
289 "Reference to the masklength-range list key";
290 }
291
292 container config {
293 description
294 "Configuration data for prefix definition";
295
296 uses prefix-config;
297 }
298
299 container state {
300
301 config false;
302
303 description
304 "Operational state data for prefix definition";
305
306 uses prefix-config;
307 uses prefix-state;
308 }
309 }
310 }
311 }
312
313 grouping neighbor-set-config {
314 description
315 "Configuration data for neighbor set definitions";
316
317 leaf name {
318 type string;
319 description
320 "name / label of the neighbor set -- this is used to
321 reference the set in match conditions";
322 }
323
324 leaf-list address {
325 type oc-inet:ip-address;
326 description
327 "List of IP addresses in the neighbor set";
328 }
329 }
330
331 grouping neighbor-set-state {
332 description
333 "Operational state data for neighbor set definitions";
334 }
335
336 grouping neighbor-set-top {
337 description
338 "Top-level data definition for a list of IPv4 or IPv6
339 neighbors which can be matched in a routing policy";
340
341 container neighbor-sets {
342 description
343 "Enclosing container for the list of neighbor set
344 definitions";
345
346 list neighbor-set {
347 key "name";
348 description
349 "List of defined neighbor sets for use in policies.";
350
351 leaf name {
352 type leafref {
353 path "../config/name";
354 }
355 description
356 "Reference to the neighbor set name list key.";
357 }
358
359 container config {
360 description
361 "Configuration data for neighbor sets.";
362
363 uses neighbor-set-config;
364 }
365
366 container state {
367
368 config false;
369
370 description
371 "Operational state data for neighbor sets.";
372
373 uses neighbor-set-config;
374 uses neighbor-set-state;
375 }
376 }
377 }
378 }
379
380 grouping tag-set-config {
381 description
382 "Configuration data for tag set definitions.";
383
384 leaf name {
385 type string;
386 description
387 "name / label of the tag set -- this is used to reference
388 the set in match conditions";
389 }
390
391 leaf-list tag-value {
392 type oc-pol-types:tag-type;
393 description
394 "Value of the tag set member";
395 }
396 }
397
398 grouping tag-set-state {
399 description
400 "Operational state data for tag set definitions.";
401 }
402
403 grouping tag-set-top {
404 description
405 "Top-level data definitions for a list of tags which can
406 be matched in policies";
407
408 container tag-sets {
409 description
410 "Enclosing container for the list of tag sets.";
411
412 list tag-set {
413 key "name";
414 description
415 "List of tag set definitions.";
416
417 leaf name {
418 type leafref {
419 path "../config/name";
420 }
421 description
422 "Reference to the tag set name list key";
423 }
424
425 container config {
426 description
427 "Configuration data for tag sets";
428
429 uses tag-set-config;
430 }
431
432 container state {
433
434 config false;
435
436 description
437 "Operational state data for tag sets";
438
439 uses tag-set-config;
440 uses tag-set-state;
441 }
442 }
443 }
444 }
445
446 grouping generic-defined-sets {
447 description
448 "Data definitions for pre-defined sets of attributes used in
449 policy match conditions. These sets are generic and can
450 be used in matching conditions in different routing
451 protocols.";
452
453 uses prefix-set-top;
454 uses neighbor-set-top;
455 uses tag-set-top;
456 }
457
458 grouping match-set-options-group {
459 description
460 "Grouping containing options relating to how a particular set
461 should be matched";
462
463 leaf match-set-options {
464 type oc-pol-types:match-set-options-type;
465 description
466 "Optional parameter that governs the behaviour of the
467 match operation";
468 }
469 }
470
471 grouping match-set-options-restricted-group {
472 description
473 "Grouping for a restricted set of match operation modifiers";
474
475 leaf match-set-options {
476 type oc-pol-types:match-set-options-restricted-type;
477 description
478 "Optional parameter that governs the behaviour of the
479 match operation. This leaf only supports matching on ANY
480 member of the set or inverting the match. Matching on ALL is
481 not supported";
482 }
483 }
484
485 grouping match-interface-condition-config {
486 description
487 "Configuration data for interface match condition";
488
489 uses oc-if:interface-ref-common;
490 }
491
492 grouping match-interface-condition-state {
493 description
494 "Operational state data for interface match condition";
495 }
496
497 grouping match-interface-condition-top {
498 description
499 "Top-level grouping for the interface match condition";
500
501 container match-interface {
502 description
503 "Top-level container for interface match conditions";
504
505 container config {
506 description
507 "Configuration data for interface match conditions";
508
509 uses match-interface-condition-config;
510 }
511
512 container state {
513
514 config false;
515
516 description
517 "Operational state data for interface match conditions";
518
519 uses match-interface-condition-config;
520 uses match-interface-condition-state;
521 }
522
523 }
524 }
525
526 grouping prefix-set-condition-config {
527 description
528 "Configuration data for prefix-set conditions";
529
530 leaf prefix-set {
531 type leafref {
532 path "../../../../../../../../defined-sets/" +
533 "prefix-sets/prefix-set/config/name";
534 }
535 description "References a defined prefix set";
536 }
537 uses match-set-options-restricted-group;
538 }
539
540
541 grouping prefix-set-condition-state {
542 description
543 "Operational state data for prefix-set conditions";
544 }
545
546 grouping prefix-set-condition-top {
547 description
548 "Top-level grouping for prefix-set conditions";
549
550 container match-prefix-set {
551 description
552 "Match a referenced prefix-set according to the logic
553 defined in the match-set-options leaf";
554
555 container config {
556 description
557 "Configuration data for a prefix-set condition";
558
559 uses prefix-set-condition-config;
560 }
561
562 container state {
563
564 config false;
565
566 description
567 "Operational state data for a prefix-set condition";
568
569 uses prefix-set-condition-config;
570 uses prefix-set-condition-state;
571 }
572 }
573 }
574
575 grouping neighbor-set-condition-config {
576 description
577 "Configuration data for neighbor-set conditions";
578
579 leaf neighbor-set {
580 type leafref {
581 path "../../../../../../../../defined-sets/neighbor-sets/" +
582 "neighbor-set/name";
583 //TODO: require-instance should be added when it's
584 //supported in YANG 1.1
585 //require-instance true;
586 }
587 description "References a defined neighbor set";
588 }
589
590 uses match-set-options-restricted-group;
591 }
592
593 grouping neighbor-set-condition-state {
594 description
595 "Operational state data for neighbor-set conditions";
596 }
597
598 grouping neighbor-set-condition-top {
599 description
600 "Top-level grouping for neighbor-set conditions";
601
602 container match-neighbor-set {
603 description
604 "Match a referenced neighbor set according to the logic
605 defined in the match-set-options-leaf";
606
607 container config {
608 description
609 "Configuration data ";
610
611 uses neighbor-set-condition-config;
612 }
613
614 container state {
615
616 config false;
617
618 description
619 "Operational state data ";
620
621 uses neighbor-set-condition-config;
622 uses neighbor-set-condition-state;
623 }
624 }
625 }
626
627 grouping tag-set-condition-config {
628 description
629 "Configuration data for tag-set condition statements";
630
631 leaf tag-set {
632 type leafref {
633 path "../../../../../../../../defined-sets/tag-sets/tag-set" +
634 "/name";
635 //TODO: require-instance should be added when it's
636 //supported in YANG 1.1
637 //require-instance true;
638 }
639 description "References a defined tag set";
640 }
641 uses match-set-options-restricted-group;
642 }
643
644 grouping tag-set-condition-state {
645 description
646 "Operational state data for tag-set condition statements";
647 }
648
649 grouping tag-set-condition-top {
650 description
651 "Top-level grouping for tag-set conditions";
652
653 container match-tag-set {
654 description
655 "Match a referenced tag set according to the logic defined
656 in the match-options-set leaf";
657
658 container config {
659 description
660 "Configuration data for tag-set conditions";
661
662 uses tag-set-condition-config;
663 }
664
665 container state {
666
667 config false;
668
669 description
670 "Operational state data tag-set conditions";
671
672 uses tag-set-condition-config;
673 uses tag-set-condition-state;
674 }
675 }
676 }
677
678 grouping generic-conditions {
679 description "Condition statement definitions for checking
680 membership in a generic defined set";
681
682 uses match-interface-condition-top;
683 uses prefix-set-condition-top;
684 uses neighbor-set-condition-top;
685 uses tag-set-condition-top;
686
687 }
688
689 grouping generic-actions {
690 description
691 "Definitions for common set of policy action statements that
692 manage the disposition or control flow of the policy";
693
694 leaf policy-result {
695 type policy-result-type;
696 description
697 "Select the final disposition for the route, either
698 accept or reject.";
699 }
700 }
701
702
703 grouping policy-conditions-config {
704 description
705 "Configuration data for general policy conditions, i.e., those
706 not related to match-sets";
707
708 leaf call-policy {
709 type leafref {
710 path "../../../../../../../" +
711 "oc-rpol:policy-definitions/" +
712 "oc-rpol:policy-definition/oc-rpol:name";
713 //TODO: require-instance should be added when
714 //it is supported in YANG 1.1
715 //require-instance true;
716 }
717 description
718 "Applies the statements from the specified policy
719 definition and then returns control the current
720 policy statement. Note that the called policy may
721 itself call other policies (subject to
722 implementation limitations). This is intended to
723 provide a policy 'subroutine' capability. The
724 called policy should contain an explicit or a
725 default route disposition that returns an
726 effective true (accept-route) or false
727 (reject-route), otherwise the behavior may be
728 ambiguous and implementation dependent";
729 }
730
731 leaf install-protocol-eq {
732 type identityref {
733 base oc-pol-types:INSTALL_PROTOCOL_TYPE;
734 }
735 description
736 "Condition to check the protocol / method used to install
737 the route into the local routing table";
738 }
739 }
740
741 grouping policy-conditions-state {
742 description
743 "Operational state data for policy conditions";
744 }
745
746 grouping policy-conditions-top {
747 description
748 "Top-level grouping for policy conditions";
749
750 container conditions {
751 description
752 "Condition statements for the current policy statement";
753
754 container config {
755 description
756 "Configuration data for policy conditions";
757
758 uses policy-conditions-config;
759 }
760
761 container state {
762
763 config false;
764
765 description
766 "Operational state data for policy conditions";
767
768 uses policy-conditions-config;
769 uses policy-conditions-state;
770 }
771 uses generic-conditions;
772 }
773 }
774
775 grouping policy-statements-config {
776 description
777 "Configuration data for policy statements";
778
779 leaf name {
780 type string;
781 description
782 "name of the policy statement";
783 }
784 }
785
786 grouping policy-statements-state {
787 description
788 "Operational state data for policy statements";
789 }
790
791
792
793 grouping policy-actions-config {
794 description
795 "Configuration data for policy actions";
796
797 uses generic-actions;
798 }
799
800 grouping policy-actions-state {
801 description
802 "Operational state data for policy actions";
803 }
804
805 grouping policy-actions-top {
806 description
807 "Top-level grouping for policy actions";
808
809 container actions {
810 description
811 "Top-level container for policy action statements";
812
813 container config {
814 description
815 "Configuration data for policy actions";
816
817 uses policy-actions-config;
818 }
819
820 container state {
821
822 config false;
823
824 description
825 "Operational state data for policy actions";
826
827 uses policy-actions-config;
828 uses policy-actions-state;
829 }
830 }
831 }
832
833 grouping policy-statements-top {
834 description
835 "Top-level grouping for the policy statements list";
836
837 container statements {
838 description
839 "Enclosing container for policy statements";
840
841 list statement {
842 key "name";
843 // TODO: names of policy statements within a policy
844 // definition should probably be optional, however, YANG
845 // requires a unique id for lists
846 ordered-by user;
847 description
848 "Policy statements group conditions and actions
849 within a policy definition. They are evaluated in
850 the order specified (see the description of policy
851 evaluation at the top of this module.";
852
853 leaf name {
854 type leafref {
855 path "../config/name";
856 }
857 description
858 "Reference to list key";
859 }
860
861 container config {
862 description
863 "Configuration data for policy statements";
864
865 uses policy-statements-config;
866 }
867
868 container state {
869
870 config false;
871
872 description
873 "Operational state data for policy statements";
874
875 uses policy-statements-config;
876 uses policy-statements-state;
877 }
878
879 uses policy-conditions-top;
880 uses policy-actions-top;
881 }
882 }
883 }
884
885 grouping defined-sets-top {
886 description
887 "Top-level grouping for defined set definitions";
888
889 container defined-sets {
890 description
891 "Predefined sets of attributes used in policy match
892 statements";
893
894 uses generic-defined-sets;
895 }
896 }
897
898 grouping policy-definitions-config {
899 description
900 "Configuration data for policy definitions";
901
902 leaf name {
903 type string;
904 description
905 "Name of the top-level policy definition -- this name
906 is used in references to the current policy";
907 }
908 }
909
910 grouping policy-definitions-state {
911 description
912 "Operational state data for policy definitions";
913 }
914
915 grouping policy-definitions-top {
916 description
917 "Top-level grouping for the policy definition list";
918
919 container policy-definitions {
920 description
921 "Enclosing container for the list of top-level policy
922 definitions";
923
924 list policy-definition {
925 key "name";
926 description
927 "List of top-level policy definitions, keyed by unique
928 name. These policy definitions are expected to be
929 referenced (by name) in policy chains specified in import
930 or export configuration statements.";
931
932 leaf name {
933 type leafref {
934 path "../config/name";
935 }
936 description
937 "Reference to the list key";
938 }
939
940 container config {
941 description
942 "Configuration data for policy defintions";
943
944 uses policy-definitions-config;
945 }
946
947 container state {
948
949 config false;
950
951 description
952 "Operational state data for policy definitions";
953
954 uses policy-definitions-config;
955 uses policy-definitions-state;
956 }
957
958 uses policy-statements-top;
959 }
960 }
961 }
962
963 grouping routing-policy-top {
964 description
965 "Top level container for OpenConfig routing policy";
966
967 container routing-policy {
968 description
969 "Top-level container for all routing policy configuration";
970
971
972 uses defined-sets-top;
973
974 uses policy-definitions-top;
975 }
976 }
977
978 grouping apply-policy-import-config {
979 description
980 "Configuration data for applying import policies";
981
982 leaf-list import-policy {
983 type leafref {
984 path "/oc-rpol:routing-policy/oc-rpol:policy-definitions/" +
985 "oc-rpol:policy-definition/oc-rpol:name";
986 //TODO: require-instance should be added when it's
987 //supported in YANG 1.1
988 //require-instance true;
989 }
990 ordered-by user;
991 description
992 "list of policy names in sequence to be applied on
993 receiving a routing update in the current context, e.g.,
994 for the current peer group, neighbor, address family,
995 etc.";
996 }
997
998 leaf default-import-policy {
999 type default-policy-type;
1000 default REJECT_ROUTE;
1001 description
1002 "explicitly set a default policy if no policy definition
1003 in the import policy chain is satisfied.";
1004 }
1005
1006 }
1007
1008 grouping apply-policy-export-config {
1009 description
1010 "Configuration data for applying export policies";
1011
1012 leaf-list export-policy {
1013 type leafref {
1014 path "/oc-rpol:routing-policy/oc-rpol:policy-definitions/" +
1015 "oc-rpol:policy-definition/oc-rpol:name";
1016 //TODO: require-instance should be added when it's
1017 //supported in YANG 1.1
1018 //require-instance true;
1019 }
1020 ordered-by user;
1021 description
1022 "list of policy names in sequence to be applied on
1023 sending a routing update in the current context, e.g.,
1024 for the current peer group, neighbor, address family,
1025 etc.";
1026 }
1027
1028 leaf default-export-policy {
1029 type default-policy-type;
1030 default REJECT_ROUTE;
1031 description
1032 "explicitly set a default policy if no policy definition
1033 in the export policy chain is satisfied.";
1034 }
1035 }
1036
1037
1038 grouping apply-policy-config {
1039 description
1040 "Configuration data for routing policies";
1041
1042 uses apply-policy-import-config;
1043 uses apply-policy-export-config;
1044
1045 }
1046
1047
1048
1049 grouping apply-policy-state {
1050 description
1051 "Operational state associated with routing policy";
1052
1053 //TODO: identify additional state data beyond the intended
1054 //policy configuration.
1055 }
1056
1057 grouping apply-policy-group {
1058 description
1059 "Top level container for routing policy applications. This
1060 grouping is intended to be used in routing models where
1061 needed.";
1062
1063 container apply-policy {
1064 description
1065 "Anchor point for routing policies in the model.
1066 Import and export policies are with respect to the local
1067 routing table, i.e., export (send) and import (receive),
1068 depending on the context.";
1069
1070 container config {
1071 description
1072 "Policy configuration data.";
1073
1074 uses apply-policy-config;
1075 }
1076
1077 container state {
1078
1079 config false;
1080 description
1081 "Operational state for routing policy";
1082
1083 uses apply-policy-config;
1084 uses apply-policy-state;
1085 }
1086 }
1087 }
1088
1089 uses routing-policy-top;
1090
1091}