
ietf-acl


ietf-acl@2014-10-10



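  // ietf-acl (revision 2014-10-10): data model for configuring Access
  // Control Lists. Each access-list holds a user-ordered list of entries
  // (ACEs); every entry pairs match criteria with a permit/deny action.
  // The match fields come from groupings in the imported packet-fields
  // module, which is not part of this file.
  module ietf-acl {

    yang-version 1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-acl";

    prefix acl;

    // ietf-yang-types supplies counter64, used by the match counters below.
    import ietf-yang-types {
      prefix ietf;
    }
    // packet-fields supplies every header-field grouping used under
    // 'matches'; the match semantics are defined there, not here.
    import packet-fields {
      prefix packet-fields;
    }

    organization
      "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

    contact
      "WG Web: http://tools.ietf.org/wg/netmod/
    WG List: netmod@ietf.org

    WG Chair: Juergen Schoenwaelder
    j.schoenwaelder@jacobs-university.de

    WG Chair: Tom Nadeau
    tnadeau@lucidvision.com

    Editor: Dean Bogdanovic
    deanb@juniper.net

    Editor: Kiran Agrahara Sreenivasa
    kkoushik@brocade.com

    Editor: Lisa Huang
    yihuan@cisco.com

    Editor: Dana Blair
    dblair@cisco.com";

    description
      "This YANG module defines a component that describes the
    configuration of Access Control Lists (ACLs).";

    revision "2014-10-10" {
      description
        "Creating base model for netmod.";
      reference
        "RFC 6020: YANG - A Data Modeling Language for the
        Network Configuration Protocol (NETCONF)";

    }


    // Root of the ACL type hierarchy. A root identity carries no 'base'
    // substatement: 'base' requires an identity name as its argument, so
    // an argument-less 'base' does not parse.
    identity acl-base {
      description
        "Base acl type for all ACL type identifiers.";
    }

    identity ip-acl {
      base acl:acl-base;
      description "layer 3 ACL type";
    }

    identity eth-acl {
      base acl:acl-base;
      description "layer 2 ACL type";
    }

    // Accepts any identity derived from acl-base (ip-acl and eth-acl in
    // this module; other modules may derive more).
    typedef acl-type {
      type identityref {
        base acl-base;
      }
      description
        "This type is used to refer to an Access Control List
      (ACL) type";
    }

    // Reference type for other models: the value must be the acl-name of
    // an access-list that exists under /access-lists.
    typedef acl-ref {
      type leafref {
        path "/acl:access-lists/acl:access-list/acl:acl-name";
      }
      description
        "This type is used by data models that
    need to reference an acl";
    }

    // NOTE(review): everything configurable under this container changes
    // packet filtering, yet no access-control extension (for example
    // nacm:default-deny-write from ietf-netconf-acm) is applied in this
    // module. Write access to the subtree therefore has to be restricted
    // by the server's own access-control rules.
    container access-lists {
      description "Access control lists.";
      list access-list {
        key "acl-name";
        // NOTE(review): the description mentions a per-ACE sequence
        // number, but no such leaf is defined in this module. Evaluation
        // order comes from 'ordered-by user' on access-list-entry, so
        // inserting or moving an entry changes which rule matches first.
        description
          "
        An access list (acl) is an ordered list of
        access list entries (ace). Each ace has a
        sequence number to define the order, list
        of match criteria, and a list of actions.
        Since there are several kinds of acls
        implemented with different attributes for
        each and different for each vendor, this
        model accommodates customizing acls for
        each kind and for each vendor.
        ";
        // NOTE(review): the list key is an unconstrained string; no
        // 'length' or 'pattern' statement bounds it, so validation of
        // the name is left to each device (see the description).
        leaf acl-name {
          type string;
          description
            "The name of access-list.
        A device MAY restrict the length and value of
        this name, possibly space and special
        characters are not allowed.";
        }

        // NOTE(review): not marked mandatory, and no 'must' or 'when'
        // statement in this module ties the ace-type choice below to
        // this value, so the model itself accepts an ip-acl that holds
        // ace-eth entries (or the reverse).
        leaf acl-type {
          type acl-type;
          description "Type of ACL";
        }

        // Read-only state (config false): clients cannot write it.
        container acl-oper-data {
          config false;
          description
            "Overall ACL operational data";
          leaf match-counter {
            type ietf:counter64;
            description
              "Total match count for ACL";
          }

          // Free-form strings; this module does not say what a target
          // is or how it is named.
          leaf-list targets {
            type string;
            description
              "List of targets where ACL is applied";
          }
        }  // container acl-oper-data

        container access-list-entries {
          description
            "The access-list-entries container contains
          a list of access-list-entry(ACE).";
          list access-list-entry {
            key "rule-name";
            // Entry order is chosen by the client and is kept by the
            // server; it is not derived from rule-name.
            ordered-by user;
            description
              "List of access list entries(ACE)";
            leaf rule-name {
              type string;
              description "Entry name.";
            }

            container matches {
              description
                "Define match criteria";
              // An entry matches on either IP header fields or Ethernet
              // header fields, never both. No case is mandatory.
              choice ace-type {
                description "Type of ace.";
                case ace-ip {
                  uses packet-fields:acl-ip-header-fields;

                  choice ace-ip-version {
                    description
                      "Choice of IP version.";
                    case ace-ipv4 {
                      uses packet-fields:acl-ipv4-header-fields;
                    }  // case ace-ipv4

                    case ace-ipv6 {
                      uses packet-fields:acl-ipv6-header-fields;
                    }  // case ace-ipv6
                  }  // choice ace-ip-version
                }  // case ace-ip

                case ace-eth {
                  uses packet-fields:acl-eth-header-fields;
                }  // case ace-eth
              }  // choice ace-type

              uses packet-fields:metadata;
            }  // container matches

            container actions {
              description
                "Define action criteria";
              // 'deny' is declared as the default case, which reads as a
              // fail-closed default.
              // NOTE(review): 'deny' is a type-empty leaf with no default
              // value, and under RFC 6020 a choice default only supplies
              // the default values of nodes in that case. An entry with
              // no action configured therefore has no 'deny' leaf in the
              // data; confirm that the implementation treats a missing
              // action as deny rather than permit.
              choice packet-handling {
                default 'deny';
                description
                  "Packet handling action.";
                leaf deny {
                  type empty;
                  description "Deny action.";
                }
                leaf permit {
                  type empty;
                  description
                    "Permit action.";
                }
              }  // choice packet-handling
            }  // container actions

            // Read-only per-entry state (config false).
            container ace-oper-data {
              config false;
              description
                "Per ace operational data";
              leaf match-counter {
                type ietf:counter64;
                description
                  "Number of matches for an ace";
              }
            }  // container ace-oper-data
          }  // list access-list-entry
        }  // container access-list-entries
      }  // list access-list
    }  // container access-lists
  }  // module ietf-acl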

Summary

  
  
Organization IETF NETMOD (NETCONF Data Modeling Language) Working Group
  
Module ietf-acl
Version 2014-10-10
File ietf-acl.yang
  
Prefix acl
Namespace urn:ietf:params:xml:ns:yang:ietf-acl
  
Cooked /cookedmodules/ietf-acl/2014-10-10
YANG /src/ietf-acl@2014-10-10.yang
XSD /xsd/ietf-acl@2014-10-10.xsd
  
Abstract This YANG module defines a component that describes the configuration of Access Control Lists (ACLs).
  
Contact
WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org

WG Chair: Juergen Schoenwaelder
j.schoenwaelder@jacobs-university.de

WG Chair: Tom Nadeau
tnadeau@lucidvision.com

Editor: Dean Bogdanovic
deanb@juniper.net

Editor: Kiran Agrahara Sreenivasa
kkoushik@brocade.com

Editor: Lisa Huang
yihuan@cisco.com

Editor: Dana Blair
dblair@cisco.com

Description

 
This YANG module defines a component that describes the
configuration of Access Control Lists (ACLs).

Typedefs

Typedef Base type Abstract
acl-ref leafref This type is used by data models that need to reference an acl
acl-type identityref This type is used to refer to an Access Control List (ACL) type

Objects

Type Key
Mandatory config
Optional config
Not config
Object Type Abstract
access-lists container Access control lists.
   access-list list An access list (acl) is an ordered list of access list entries (ace). Each ace has a sequence number to define the order, list of match criteria, and a list of actions. Since there are several kinds of acls implemented with different attributes for eac...
      access-list-entries container The access-list-entries container contains a list of access-list-entry(ACE).
         access-list-entry list List of access list entries(ACE)
            ace-oper-data container Per ace operational data
               match-counter leaf Number of matches for an ace
            actions container Define action criteria
               packet-handling choice Packet handling action.
                  deny case deny
                     deny leaf Deny action.
                  permit case permit
                     permit leaf Permit action.
            matches container Define match criteria
               absolute container Absolute time and date that the associated function starts going into effect.
                  active leaf Specify the associated function active or inactive state when starts going into effect
                  end leaf Absolute end time and date
                  start leaf Start time and date
               ace-type choice Type of ace.
                  ace-eth case destination-mac-address destination-mac-address-mask source-mac-address source-mac-address-mask
                     destination-mac-address leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-eth/destination-mac-address
                     destination-mac-address-mask leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-eth/destination-mac-address-mask
                     source-mac-address leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-eth/source-mac-address
                     source-mac-address-mask leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-eth/source-mac-address-mask
                  ace-ip case source-port-range destination-port-range dscp ip-protocol ace-ip-version
                     ace-ip-version choice Choice of IP version.
                        ace-ipv4 case destination-ipv4-address source-ipv4-address
                           destination-ipv4-address leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/ace-ip-version/ace-ipv4/destination-ipv4-address
                           source-ipv4-address leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/ace-ip-version/ace-ipv4/source-ipv4-address
                        ace-ipv6 case destination-ipv6-address source-ipv6-address flow-label
                           destination-ipv6-address leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/ace-ip-version/ace-ipv6/destination-ipv6-address
                           flow-label leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/ace-ip-version/ace-ipv6/flow-label
                           source-ipv6-address leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/ace-ip-version/ace-ipv6/source-ipv6-address
                     destination-port-range container inclusive range of destination ports
                        lower-port leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/destination-port-range/lower-port
                        upper-port leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/destination-port-range/upper-port
                     dscp leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/dscp
                     ip-protocol leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/ip-protocol
                     source-port-range container inclusive range of source ports
                        lower-port leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/source-port-range/lower-port
                        upper-port leaf OID: /access-lists/access-list/access-list-entries/access-list-entry/matches/ace-type/ace-ip/source-port-range/upper-port
               input-interface leaf Packet was received on this interface
            rule-name leaf Entry name.
      acl-name leaf The name of access-list. A device MAY restrict the length and value of this name, possibly space and special characters are not allowed.
      acl-oper-data container Overall ACL operational data
         match-counter leaf Total match count for ACL
         targets leaf-list List of targets where ACL is applied
      acl-type leaf Type of ACL