File-based IPTables service provides a mechanism to configure ACL using a yaml file. This yaml file contains set of user-defined...
Version: 2018-04-12
module acl-config { yang-version 1; namespace "http://www.dellemc.com/networking/os10/dell-base-acl-config"; prefix acl-config; organization "Dell EMC"; contact "http://www.dell.com/support"; description "File-based IPTables service provides a mechanism to configure ACL using a yaml file. This yaml file contains set of user-defined ACL entries. This model implements these ACL entries and the associated operations. Copyright (c) 2015-2019 by Dell EMC, All rights reserved."; revision "2018-04-12" { description "Fixing pyang IETF errors and adding documentiation to the model."; reference "Network Platform Abstraction"; } list entry { key "name"; description "This element contains all of the created ACLs entry"; leaf name { type string; description "A user created field to identify the entry - if none provided one will be generated. "; } leaf rule { type string; description "This holds the Access Control List (ACL) entry. This field attempts to mimic the standard IP tables rules supporting the following switches: -prio, --priority value The rule priority -i, --in-interface name Input interface name - at this time must be a valid front panel port -o, --out-interface name The output interface name - at this time must be a valid front panel port -j, --jump target This can be one of the following two values. ACCEPT - the packet is accepted DROP - the packet will be dropped -I chain rule-number Insert the rule into the specified chain at the rule-number location (rules are numberd from 1>). The supported chains are: INPUT packets entering the switch OUTPUT packets exiting the switch --dport port The destination port --sport port The source port --tcp-flags Specify the TCP flags like SYNC,RST,ACK,FIN,SYN -p, --protocol protocol Filter based on a port or protocol. The protocols that are supported are included in the /etc/protocols in addition to tcp, udp, icmp or all -d, --destination address[/mask] The destination address which can be either IPv4/IPv6 or hostname -s, --source address[/mask] The source address/mask of the packet which can be IPv4/IPv6 or a hostname -m mac Load the MAC module. The following two options are available after loading the MAC module --mac-source source-mac This combination loads the MAC module and enables MAC filtering on source addresses in the ethernet packet --mac-destination destion-mac This combination loads the MAC module and enables MAC filtering on destination addresses in the ethernet packet Examples: -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m mac --mac-source 00:00:00:00:11:01 --dport 80 -j DROP -A INPUT -p tcp -m mac --mac-source 00:00:00:00:12:02 --dport 22 -j DROP "; } } // list entry rpc reload { description "This triggers a reload of the ACL configuration subsystem. The filename specified will be loaded and the differences applied"; input { leaf filename { type string; description "The name of the file containing the input."; } } output { leaf result { type string; description "The result of the request which may be successful or a failure response."; } } } // rpc reload } // module acl-config
© 2023 YumaWorks, Inc. All rights reserved.