
File-based IPTables service provides a mechanism to configure ACL using a yaml file. This yaml file contains set of user-defined...

  • Version: 2018-04-12


      module acl-config {
        yang-version 1;
        prefix acl-config;
        organization "Dell EMC";
        contact "";
        description
          "File-based IPTables service provides a mechanism to configure
           ACL using a yaml file. This yaml file contains set of user-defined ACL entries.
           This model implements these ACL entries and the associated operations.
           Copyright (c) 2015-2019 by Dell EMC, All rights reserved.";
        revision "2018-04-12" {
          description
            "Fixing pyang IETF errors and adding documentation to the model.";
          reference
            "Network Platform Abstraction";
        }
        list entry {
          key "name";
          description
            "This element contains all of the created ACL entries";
          leaf name {
            type string;
            description
              "A user created field to identify the entry - if none provided one will be generated.";
          }
          leaf rule {
            type string;
            description
              "This holds the Access Control List (ACL) entry.  This field attempts to mimic the standard
               IP tables rules supporting the following switches:
               -prio, --priority value
                   The rule priority
               -i, --in-interface name
                   Input interface name - at this time must be a valid front panel port
               -o, --out-interface name
                   The output interface name - at this time must be a valid front panel port
               -j, --jump target
                   This can be one of the following two values.
                   ACCEPT - the packet is accepted
                   DROP - the packet will be dropped
               -I chain rule-number
                   Insert the rule into the specified chain at the rule-number location (rules are numbered from 1).
                   The supported chains are:
                       INPUT packets entering the switch
                       OUTPUT packets exiting the switch
               --dport port
                   The destination port
               --sport port
                   The source port
                   Specify the TCP flags like SYN,RST,ACK,FIN
               -p, --protocol protocol
                   Filter based on a port or protocol.  The protocols that are supported are included in
                   the /etc/protocols in addition to tcp, udp, icmp or all
               -d, --destination address[/mask]
                   The destination address which can be either IPv4/IPv6 or hostname
               -s, --source address[/mask]
                   The source address/mask of the packet which can be IPv4/IPv6 or a hostname
               -m mac
                   Load the MAC module.  The following two options are available after loading the MAC module
                   --mac-source source-mac
                       This combination loads the MAC module and enables MAC filtering on source addresses in the
                       ethernet packet
                   --mac-destination destination-mac
                       This combination loads the MAC module and enables MAC filtering on destination addresses in the
                       ethernet packet
                    -A INPUT -p tcp --dport 80 -j ACCEPT
                    -A INPUT -p tcp -m mac --mac-source 00:00:00:00:11:01 --dport 80 -j DROP
                    -A INPUT -p tcp -m mac --mac-source 00:00:00:00:12:02 --dport 22 -j DROP";
          }
        }  // list entry
        rpc reload {
          description
            "This triggers a reload of the ACL configuration subsystem.  The filename specified will be loaded
             and the differences applied";
          input {
            leaf filename {
              type string;
              description
                "The name of the file containing the input.";
            }
          }
          output {
            leaf result {
              type string;
              description
                "The result of the request which may be successful or a failure response.";
            }
          }
        }  // rpc reload
      }  // module acl-config
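The `rule` leaf only constrains its content to a string, so a malformed or unsupported rule (a chain other than INPUT/OUTPUT, a target other than ACCEPT/DROP, a MAC match without `-m mac`) would not be caught until the `reload` RPC applies the file. The validator below is an added example, not part of the acl-config model or the Dell EMC service: it parses a rule string against the switches the description lists and reports every deviation before the file is reloaded. It assumes the YAML file loads into a list of `{name, rule}` mappings (the model's own file layout is not shown), checks protocols only against the four names the description spells out rather than reading `/etc/protocols`, and takes the three rules from the model's description as sample input (the two failing entries are constructed).

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Values taken from the rule description in the acl-config model
SUPPORTED_CHAINS = {"INPUT", "OUTPUT"}
SUPPORTED_TARGETS = {"ACCEPT", "DROP"}
# The model also accepts names from /etc/protocols; this subset is an assumption of the example
KNOWN_PROTOCOLS = {"tcp", "udp", "icmp", "all"}
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")

# Switches that take exactly one argument, mapped to the AclRule field they set
ONE_ARG = {
    "-prio": "priority", "--priority": "priority",
    "-i": "in_iface", "--in-interface": "in_iface",
    "-o": "out_iface", "--out-interface": "out_iface",
    "-j": "target", "--jump": "target",
    "-p": "protocol", "--protocol": "protocol",
    "-d": "destination", "--destination": "destination",
    "-s": "source", "--source": "source",
    "--dport": "dport", "--sport": "sport",
    "--mac-source": "mac_source", "--mac-destination": "mac_destination",
}


@dataclass
class AclRule:
    name: str
    chain: Optional[str] = None
    rule_number: Optional[int] = None  # only set for -I
    priority: Optional[str] = None
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    target: Optional[str] = None
    protocol: Optional[str] = None
    source: Optional[str] = None
    destination: Optional[str] = None
    sport: Optional[str] = None
    dport: Optional[str] = None
    mac_module: bool = False
    mac_source: Optional[str] = None
    mac_destination: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def parse_rule(name: str, rule: str) -> AclRule:
    """Parse one entry's rule string and record every violation of the documented syntax."""
    r = AclRule(name=name)
    tokens = shlex.split(rule)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I"):
            if i + 1 >= len(tokens):
                r.errors.append(f"{tok} requires a chain name")
                break
            r.chain = tokens[i + 1]
            i += 2
            # -I may be followed by the 1-based position to insert at
            if tok == "-I" and i < len(tokens) and tokens[i].isdigit():
                r.rule_number = int(tokens[i])
                if r.rule_number < 1:
                    r.errors.append("rule-number must be 1 or greater")
                i += 1
            continue
        if tok == "-m":
            if i + 1 < len(tokens) and tokens[i + 1] == "mac":
                r.mac_module = True
            else:
                r.errors.append("only '-m mac' is supported")
            i += 2
            continue
        if tok in ONE_ARG:
            if i + 1 >= len(tokens):
                r.errors.append(f"{tok} requires a value")
                break
            # The MAC options are documented as available only after '-m mac'
            if tok.startswith("--mac-") and not r.mac_module:
                r.errors.append(f"{tok} used before '-m mac' loaded the MAC module")
            setattr(r, ONE_ARG[tok], tokens[i + 1])
            i += 2
            continue
        r.errors.append(f"unsupported switch {tok!r}")
        i += 1
    # Semantic checks on the collected values
    if r.chain is None:
        r.errors.append("no chain given (-A or -I)")
    elif r.chain not in SUPPORTED_CHAINS:
        r.errors.append(f"unsupported chain {r.chain!r}")
    if r.target is None:
        r.errors.append("no target given (-j)")
    elif r.target not in SUPPORTED_TARGETS:
        r.errors.append(f"unsupported target {r.target!r}")
    if r.protocol is not None and r.protocol not in KNOWN_PROTOCOLS:
        r.errors.append(f"protocol {r.protocol!r} not in the known list")
    for label in ("sport", "dport"):
        val = getattr(r, label)
        if val is not None and not (val.isdigit() and 0 <= int(val) <= 65535):
            r.errors.append(f"{label} {val!r} is not a valid port number")
    for label in ("mac_source", "mac_destination"):
        val = getattr(r, label)
        if val is not None and not MAC_RE.match(val):
            r.errors.append(f"{label} {val!r} is not a valid MAC address")
    return r


def validate_entries(entries):
    """entries: list of {'name': ..., 'rule': ...} mappings, i.e. what a YAML loader would
    produce from the ACL file (assumed layout). Returns entry name -> list of errors."""
    return {e["name"]: parse_rule(e["name"], e["rule"]).errors for e in entries}


# Constructed sample: the three rules from the model's description plus two deliberately bad ones
SAMPLE_ENTRIES = [
    {"name": "allow-http", "rule": "-A INPUT -p tcp --dport 80 -j ACCEPT"},
    {"name": "block-host1-http", "rule": "-A INPUT -p tcp -m mac --mac-source 00:00:00:00:11:01 --dport 80 -j DROP"},
    {"name": "block-host2-ssh", "rule": "-A INPUT -p tcp -m mac --mac-source 00:00:00:00:12:02 --dport 22 -j DROP"},
    {"name": "bad-target", "rule": "-I FORWARD 1 -p tcp --dport 443 -j REJECT"},
    {"name": "bad-mac", "rule": "-A OUTPUT --mac-source zz:00:00:00:00:01 -j DROP"},
]

if __name__ == "__main__":
    for entry_name, errs in validate_entries(SAMPLE_ENTRIES).items():
        print(entry_name, "OK" if not errs else errs)
```

Running the validator over the file before calling `reload` turns a failed or partially applied reload into a clear per-entry report; the `errors` list is kept on each `AclRule` so a caller can also reject only the offending entries and still load the rest.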

© 2024 YumaWorks, Inc. All rights reserved.