netconfcentral logo

ietf-acl@2014-10-10



  module ietf-acl {

    yang-version 1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-acl";

    prefix acl;

    import ietf-yang-types {
      prefix ietf;
    }
    import packet-fields {
      prefix packet-fields;
    }

    organization
      "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

    contact
      "WG Web: http://tools.ietf.org/wg/netmod/
    WG List: netmod@ietf.org

    WG Chair: Juergen Schoenwaelder
    j.schoenwaelder@jacobs-university.de

    WG Chair: Tom Nadeau
    tnadeau@lucidvision.com

    Editor: Dean Bogdanovic
    deanb@juniper.net

    Editor: Kiran Agrahara Sreenivasa
    kkoushik@brocade.com

    Editor: Lisa Huang
    yihuan@cisco.com

    Editor: Dana Blair
    dblair@cisco.com";

    description
      "This YANG module defines a component that describing the
    configuration of Access Control Lists (ACLs).";

    revision "2014-10-10" {
      description
        "Creating base model for netmod.";
      reference
        "RFC 6020: YANG - A Data Modeling Language for the
        Network Configuration Protocol (NETCONF)";

    }


    identity acl-base {
      base 
      description
        "Base acl type for all ACL type identifiers.";
    }

    identity ip-acl {
      base acl:acl-base;
      description "layer 3 ACL type";
    }

    identity eth-acl {
      base acl:acl-base;
      description "layer 2 ACL type";
    }

    typedef acl-type {
      type identityref {
        base acl-base;
      }
      description
        "This type is used to refer to an Access Control List 
      (ACL) type";
    }

    typedef acl-ref {
      type leafref {
        path "/acl:access-lists/acl:access-list/acl:acl-name";
      }
      description
        "This type is used by data models that 
    need to referenced an acl";
    }

    container access-lists {
      description "Access control lists.";
      list access-list {
        key "acl-name";
        description
          "
        An access list (acl) is an ordered list of 
        access list entries (ace). Each ace has a 
        sequence number to define the order, list 
        of match criteria, and a list of actions.  
        Since there are several kinds of acls 
        implementeded with different attributes for 
        each and different for each vendor, this 
        model accomodates customizing acls for 
        each kind and for each vendor.
        ";
        leaf acl-name {
          type string;
          description
            "The name of access-list.
        A device MAY restrict the length and value of
        this name, possibly space and special 
        characters are not allowed.";
        }

        leaf acl-type {
          type acl-type;
          description "Type of ACL";
        }

        container acl-oper-data {
          config false;
          description
            "Overall ACL operational data";
          leaf match-counter {
            type ietf:counter64;
            description
              "Total match count for ACL";
          }

          leaf-list targets {
            type string;
            description
              "List of targets where ACL is applied";
          }
        }  // container acl-oper-data

        container access-list-entries {
          description
            "The access-list-entries container contains
          a list of access-list-entry(ACE).";
          list access-list-entry {
            key "rule-name";
            ordered-by user;
            description
              "List of access list entries(ACE)";
            leaf rule-name {
              type string;
              description "Entry name.";
            }

            container matches {
              description
                "Define match criteria";
              choice ace-type {
                description "Type of ace.";
                case ace-ip {
                  uses packet-fields:acl-ip-header-fields;

                  choice ace-ip-version {
                    description
                      "Choice of IP version.";
                    case ace-ipv4 {
                      uses packet-fields:acl-ipv4-header-fields;
                    }  // case ace-ipv4

                    case ace-ipv6 {
                      uses packet-fields:acl-ipv6-header-fields;
                    }  // case ace-ipv6
                  }  // choice ace-ip-version
                }  // case ace-ip

                case ace-eth {
                  uses packet-fields:acl-eth-header-fields;
                }  // case ace-eth
              }  // choice ace-type

              uses packet-fields:metadata;
            }  // container matches

            container actions {
              description
                "Define action criteria";
              choice packet-handling {
                default 'deny';
                description
                  "Packet handling action.";
                leaf deny {
                  type empty;
                  description "Deny action.";
                }
                leaf permit {
                  type empty;
                  description
                    "Permit action.";
                }
              }  // choice packet-handling
            }  // container actions

            container ace-oper-data {
              config false;
              description
                "Per ace operational data";
              leaf match-counter {
                type ietf:counter64;
                description
                  "Number of matches for an ace";
              }
            }  // container ace-oper-data
          }  // list access-list-entry
        }  // container access-list-entries
      }  // list access-list
    }  // container access-lists
  }  // module ietf-acl