3 namespace "urn:opendaylight:params:xml:ns:yang:vpp:acl";
6 revision "2016-12-14" {
8 "Initial revision of vpp-acl model.";
11 import ietf-access-control-list {
15 import vpp-classifier {
16 prefix "vpp-classifier";
23 import ietf-packet-fields {
30 "ACL that can match on any of L2/L3/L4 fields.";
33 typedef interface-mode {
40 grouping acl-base-attributes {
42 "Defines references to classify tables.
43 At least one table reference should be specified.";
46 type vpp-classifier:classify-table-ref;
53 type vpp-classifier:classify-table-ref;
60 type vpp-classifier:classify-table-ref;
67 grouping ietf-acl-base-attributes {
69 "Provides limited support for ietf-acl model.";
71 container access-lists {
73 "Defines references to ietf-acl lists.
74 ACLs are translated into classify tables and sessions when assigned to an interface.
76 In case of L2 interfaces, acls are translated into a chain of classify tables and assigned as L2 table.
77 In case of L3 interfaces, acls are translated into ip4 and ip6 chains (eth only rules go to both chains,
78 rest - depending on ip-version).
79 User ordering is preserved in both cases.
81 Assignment update/delete removes all created tables and sessions and repeats the process described above (note that the previous tables are removed before the new ones are installed, so re-translation may leave a brief window without enforcement).
82 Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
84 Read is supported only for acls that were created and assigned by Honeycomb agent
85 (corresponding metadata is present).
88 - mixing ACEs of different types in one list is permitted
89 - mixing L2/L3/L4 rules in one ACE is permitted
91 Limitations (due to vpp limitations):
92 - egress rules are currently ignored (HONEYCOMB-234), i.e. egress ACEs are accepted but provide no enforcement
93 - L4 rules support is limited (every <src,dst> port pair from the provided ranges is translated to a single classify
94 session, which can be very slow or even crash vpp if the ranges are big, see HONEYCOMB-260; treat wide port ranges as a potential denial-of-service vector and bound them before applying)
95 - ace-ip-version needs to be provided for all aces (consequence of the possibility to mix ACEs of different types,
96 and a vpp classifier api limitation: common header fields for IP4/IP6 have different offsets)
97 - L2 rules on L3 interfaces are applied only to IP traffic (vpp classifier limitation), so non-IP frames are not filtered by them
98 - vlan tags are supported only for sub-interfaces defined as exact-match";
109 type acl:access-control-list-ref;
113 leaf default-action {
120 "Default action applied to packets that do not match any of the rules defined in the assigned ACLs.
121 It is translated to single classify table and applied at the end of assigned chains.";
128 "The way ACLs are translated depends on the interface mode.
129 In case of L2 interfaces (bridge/interconnection)
130 classify tables are assigned as l2_table using input_acl_set_interface (ether type matching is automatically
131 added in case of L3 rules).
132 In case of L3 interfaces, classify tables are assigned as ip4/ip6 tables.
134 It is the user's responsibility to choose the mode that matches the target interface.
140 augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:matches/acl:ace-type {
141 ext:augment-identifier "vpp-acl-type-augmentation";
142 case ace-ip-and-eth {
144 "Access List entry that can define both ip and eth rules.";
145 choice ace-ip-version {
147 "IP version used in this Access List Entry.";
150 uses packet-fields:acl-ipv4-header-fields;
153 uses packet-fields:acl-ipv6-header-fields;
156 uses packet-fields:acl-ip-header-fields;
157 uses packet-fields:acl-eth-header-fields;