Acl model improvements

Adds case to cover other protocol numbers
Adds constraint to not allow stateless mac-ip acl's

Change-Id: I9feeba5ac6b6480282cac62e5479c433c92c8d99
Signed-off-by: Jan Srnicek <[email protected]>

diff --git a/acl/acl-api/src/main/yang/vpp-acl.yang b/acl/acl-api/src/main/yang/vpp-acl.yang
index ff30d5e..a81516a 100644 (file)
--- a/acl/acl-api/src/main/yang/vpp-acl.yang
+++ b/acl/acl-api/src/main/yang/vpp-acl.yang
@@ -30,6 +30,7 @@ module vpp-acl {
 
   augment /acl:access-lists/acl:acl/acl:access-list-entries/acl:ace/acl:actions/acl:packet-handling {
     ext:augment-identifier "stateful-acl-action-augmentation";
+    when "../acl:matches/acl:ace-type = 'vpp-acl:vpp-acl'";
     case stateful {
       leaf permit {
         type empty;
@@ -105,6 +106,15 @@ module vpp-acl {
     }
   }
 
+  grouping acl-other-protocol-fields {
+    description "Used for any other protocol than TCP/UDP/ICMP/ICMPv6";
+      leaf protocol {
+        must "protocol != 1 and protocol != 6 and protocol != 17 and protocol != 58";
+        type uint8;
+        description "Internet Protocol number.";
+    }
+  }
+
   grouping acl-ip-protocol-header-fields {
     description
       "Defines header fields for TCP/UDP or ICMP protocols";
@@ -112,6 +122,9 @@ module vpp-acl {
       case icmp {
         uses acl-icmp-header-fields;
       }
+      case icmp-v6 {
+        uses acl-icmp-header-fields;
+      }
       case udp {
         uses packet-fields:acl-transport-header-fields;
       }
@@ -119,6 +132,9 @@ module vpp-acl {
         uses packet-fields:acl-transport-header-fields;
         uses acl-tcp-header-fields;
       }
+      case other {
+        uses acl-other-protocol-fields;
+      }
     }
   }
 
@@ -144,11 +160,6 @@ module vpp-acl {
           uses packet-fields:acl-ipv6-header-fields;
         }
       }
-      leaf protocol {
-        type uint8;
-        description
-          "Internet Protocol number.";
-      }
       uses acl-ip-protocol-header-fields;
     }
   }