The NAS ACL (Access Control Lists) layer provides the applications with a uniform interface to the TCAM based Policy Engine of t...
Version: 2018-11-30
module dell-base-acl { yang-version 1; namespace "http://www.dellemc.com/networking/os10/dell-base-acl"; prefix base-acl; import ietf-inet-types { prefix inet; } import dell-base-common { prefix base-cmn; } import ietf-yang-types { prefix yang; } import ietf-interfaces { prefix if; } organization "Dell EMC"; contact "http://www.dell.com/support"; description "The NAS ACL (Access Control Lists) layer provides the applications with a uniform interface to the TCAM based Policy Engine of the hardware. This YANG model defines various types of the ACL entries (match rules and actions) and various associated operations. Copyright (c) 2015-2019 by Dell EMC, All rights reserved."; revision "2018-11-30" { description "Support ACL logging and extend the user defined trap to obj id"; reference "Network Platform Abstraction"; } revision "2018-11-28" { description "Added new match type to support multicast lookup status and marking"; reference "Network Platform Abstraction"; } revision "2018-09-20" { description "Added support for new match type to filter packets based on type of bridge that is used to forward the packet. User could set the filtering bridge type as either 1Q or 1D."; reference "Network Platform Abstraction"; } revision "2018-08-10" { description "This revision adds the support for ACL table application profile configuration and retrieval, ACL table usage retrieval for the switch NPU."; reference "Network Platform Abstraction"; } revision "2018-06-15" { description "Fixing IETF error for enum value type."; reference "Network Platform Abstraction"; } revision "2018-04-12" { description "Fixing pyang IETF errors and adding documentiation to the model."; reference "Network Platform Abstraction"; } revision "2017-11-09" { description "Add method to clear acl entries for a next-hop group"; reference "Network Platform Abstraction"; } revision "2017-11-03" { description "Add matching qualifier of Drop-bit"; reference "Network Platform Abstraction"; } revision "2014-12-01" { description "Initial revision"; reference "Network Platform Abstraction"; } typedef udf-match-bytes { type binary { length "16"; } description "Sequence of bytes that matches an ACL rule"; } typedef counter-type { type enumeration { enum "PACKET" { value 1; } enum "BYTE" { value 2; } } description "The type of a counter, based on either the number of packets or bytes per second"; } typedef match-type { type enumeration { enum "SRC_IPV6" { value 1; description "Match based on Src IPv6 Address"; } enum "DST_IPV6" { value 2; description "Match based on Dst IPv6 Address"; } enum "SRC_MAC" { value 3; description "Match based on Src MAC Address"; } enum "DST_MAC" { value 4; description "Match based on Dst MAC Address"; } enum "SRC_IP" { value 5; description "Match based on Src IPv4 Address"; } enum "DST_IP" { value 6; description "Match based on Dst IPv4 Address"; } enum "IN_PORTS" { value 7; status obsolete; description "Match packets incoming on any of the specified list of Ports"; } enum "OUT_PORTS" { value 8; status obsolete; description "Match packets outgoing on any of the specified list of Ports"; } enum "IN_PORT" { value 9; status obsolete; description "Match packets incoming on specified Port"; } enum "OUT_PORT" { value 10; status obsolete; description "Match packets outgoing on specified Port"; } enum "OUTER_VLAN_ID" { value 11; description "Match based on Outer Vlan-Id"; } enum "OUTER_VLAN_PRI" { value 12; description "Match based on Outer Vlan-Priority"; } enum "OUTER_VLAN_CFI" { value 13; description "Match based on Outer Vlan CFI or DEI bit"; } enum "INNER_VLAN_ID" { value 14; description "Match based on Inner Vlan-Id"; } enum "INNER_VLAN_PRI" { value 15; description "Match based on Inner Vlan-Priority"; } enum "INNER_VLAN_CFI" { value 16; description "Match based on Inner Vlan CFI or DEI bit"; } enum "L4_SRC_PORT" { value 17; description "Match based on L4 Src Port"; } enum "L4_DST_PORT" { value 18; description "Match based on L4 Dst Port"; } enum "ETHER_TYPE" { value 19; description "Match based on EtherType"; } enum "IP_PROTOCOL" { value 20; description "Match based on IP Protocol"; } enum "DSCP" { value 21; description "Match based on Ip Dscp"; } enum "TTL" { value 22; description "Match based on Ip Ttl"; } enum "TOS" { value 23; description "Match based on Ip Tos"; } enum "IP_FLAGS" { value 24; description "Match based on Ip Flags"; } enum "TCP_FLAGS" { value 25; description "Match based on Tcp Flags"; } enum "IP_TYPE" { value 26; description "Match based on Packet type - IPv4 or IPv6 or ARP"; } enum "IP_FRAG" { value 27; description "Match based on IP Fragment"; } enum "IPV6_FLOW_LABEL" { value 28; description "Match based on IPv6 Flow label"; } enum "TC" { value 29; description "Match packets by the QoS Traffic Class assigned to them"; } enum "ECN" { value 30; description "Match based on IP ECN bits"; } enum "ICMP_TYPE" { value 31; description "Match based on ICMP Type field"; } enum "ICMP_CODE" { value 32; description "Match based on ICMP Code field"; } enum "SRC_PORT" { value 33; status obsolete; description "Match packets incoming on specified Port or LAG"; } enum "DST_PORT" { value 34; status obsolete; description "Match packets outgoing on specified Port or LAG"; } enum "NEIGHBOR_DST_HIT" { value 35; description "Packet destination IP address match in neighbor table"; } enum "ROUTE_DST_HIT" { value 36; description "Packet destination IP address match in routing table"; } enum "IN_INTFS" { value 37; description "Match packets incoming on any of the specified list of Interfaces"; } enum "OUT_INTFS" { value 38; description "Match packets outgoing on any of the specified list of Interfaces"; } enum "IN_INTF" { value 39; description "Match packets incoming on specified Interface"; } enum "OUT_INTF" { value 40; description "Match packets outgoing on specified Interface"; } enum "SRC_INTF" { value 41; description "Match packets incoming on specified Front-panel or LAG interface"; } enum "UDF" { value 42; description "Match packets based on UDF byte list"; } enum "IPV6_NEXT_HEADER" { value 43; description "Match IPv6 packets based on next header byte"; } enum "RANGE_CHECK" { value 44; description "Match based on range settings"; } enum "FDB_DST_HIT" { value 45; description "Match destination MAC address with that present in the FDB"; } enum "DROP_MARKED" { value 46; description "Match based on marked Drop-bit"; } enum "BRIDGE_TYPE" { value 47; description "Match packet based on forwarding bridge type"; } enum "MCAST_ROUTE_DST_HIT" { value 48; description "Multicast packet destination IP address match in IPMC routing table"; } enum "ROUTER_INTERFACE_USER_MARK" { value 49; description "Match packet from marked L3 interface with specific class ID"; } } description "Enumeration of all possible packet fields that can be used to match packets."; } typedef packet-action-type { type enumeration { enum "DROP" { value 1; description "Do NOT forward packet in the data path (does not affect CPU copy behavior)"; } enum "FORWARD" { value 2; description "Forward Packet in the data path - overrides lower priority DROP action (does not affect CPU copy behavior)"; } enum "COPY_TO_CPU" { value 3; description "Copy Packet to CPU (does not affect data path forwarding behavior)"; } enum "COPY_TO_CPU_CANCEL" { value 4; description "Overrides lower priority Copy Packet to CPU action (does not affect data path forwarding behavior)"; } enum "TRAP_TO_CPU" { value 5; description "Copy Packet to CPU + Drop"; } enum "COPY_TO_CPU_AND_FORWARD" { value 6; description "Copy Packet to CPU + Forward"; } enum "COPY_TO_CPU_CANCEL_AND_DROP" { value 7; description "Copy Packet to CPU Cancel + Drop"; } enum "COPY_TO_CPU_CANCEL_AND_FORWARD" { value 8; description "Copy Packet to CPU Cancel + Forward"; } } description "Enumeration of packet actions"; } typedef action-type { type enumeration { enum "REDIRECT_PORT" { value 1; status obsolete; description "Redirect Packet to Port or LAG (Link Aggregated Trunk)."; } enum "REDIRECT_IP_NEXTHOP" { value 2; description "Redirect Packet to NextHop"; } enum "PACKET_ACTION" { value 3; description "Drop, Forward and Trap or Copy to CPU"; } enum "FLOOD" { value 4; description "Flood Packet to all ports in Vlan"; } enum "MIRROR_INGRESS" { value 5; description "Ingress Mirror"; } enum "MIRROR_EGRESS" { value 6; description "Egress Mirror"; } enum "SET_COUNTER" { value 7; description "Associate Counter for ACL entry hit stats"; } enum "SET_POLICER" { value 8; description "Assosiate with policer"; } enum "DECREMENT_TTL" { value 9; description "Decrement TTL"; } enum "SET_TC" { value 10; description "Assign a new QoS Traffic class for the packet"; } enum "SET_INNER_VLAN_ID" { value 11; description "Set Packet Inner Vlan-Id"; } enum "SET_INNER_VLAN_PRI" { value 12; description "Set Packet Inner Vlan-Priority"; } enum "SET_OUTER_VLAN_ID" { value 13; description "Set Packet Outer Vlan-Id"; } enum "SET_OUTER_VLAN_PRI" { value 14; description "Set Packet Outer Vlan-Priority"; } enum "SET_SRC_MAC" { value 15; description "Set Packet Src MAC Address"; } enum "SET_DST_MAC" { value 16; description "Set Packet Dst MAC Address"; } enum "SET_SRC_IP" { value 17; description "Set Packet Src IPv4 Address"; } enum "SET_DST_IP" { value 18; description "Set Packet Src IPv4 Address"; } enum "SET_SRC_IPV6" { value 19; description "Set Packet Src IPv6 Address"; } enum "SET_DST_IPV6" { value 20; description "Set Packet Src IPv6 Address"; } enum "SET_DSCP" { value 21; description "Set Packet DSCP"; } enum "SET_L4_SRC_PORT" { value 22; description "Set Packet L4 Src Port"; } enum "SET_L4_DST_PORT" { value 23; description "Set Packet L4 Src Port"; } enum "SET_CPU_QUEUE" { value 24; description "Select the CPU queue for packets sent to CPU Port"; } enum "EGRESS_MASK" { value 25; status obsolete; description "Block packets that are destined to the given port list"; } enum "REDIRECT_PORT_LIST" { value 26; status obsolete; description "Redirect packets to the given port list"; } enum "REDIRECT_INTF" { value 27; description "Redirect Packet to Front panel or LAG (Link Aggregated Trunk)."; } enum "EGRESS_INTF_MASK" { value 28; description "Block packets that are destined to the given interface list"; } enum "REDIRECT_INTF_LIST" { value 29; description "Redirect packets to the given interface list"; } enum "SET_USER_TRAP_ID" { value 30; description "Set user defined trap id"; } enum "SET_PACKET_COLOR" { value 31; description "Set packet color"; } } description "Enumeration of all possible actions to be performed on the matched packets."; } typedef match-ip-frag { type enumeration { enum "ANY" { value 1; description "Any Fragment of Fragmented Packet"; } enum "NON_FRAG" { value 2; description "Non-Fragmented Packet"; } enum "NON_FRAG_OR_HEAD" { value 3; description "Non-Fragmented or First Fragment"; } enum "HEAD" { value 4; description "First Fragment of Fragmented Packet"; } enum "NON_HEAD" { value 5; description "Not the First Fragment"; } } description "Types of IP fragments that can be matched with an ACL entry."; } typedef match-ip-type { type enumeration { enum "ANY" { value 1; description "Don't care"; } enum "IP" { value 2; description "IPv4 and IPv6 packets"; } enum "NON_IP" { value 3; description "Non-Ip packet"; } enum "IPV4ANY" { value 4; description "Any IPv4 packet"; } enum "NON_IPV4" { value 5; description "Anything but IPv4 packets"; } enum "IPV6ANY" { value 6; description "IPv6 packet"; } enum "NON_IPV6" { value 7; description "Anything but IPv6 packets"; } enum "ARP" { value 8; description "ARP/RARP"; } enum "ARP_REQUEST" { value 9; description "ARP Request"; } enum "ARP_REPLY" { value 10; description "ARP Reply"; } } description "Enumeration of all possible IP headers of packets to be matched"; } typedef stage { type enumeration { enum "INGRESS" { value 1; description "Ingress Stage"; } enum "EGRESS" { value 2; description "Egress Stage"; } } description "Types of packet forwarding pipeline stages (ingress or egress)"; } typedef vlan-dot1p-field { type uint8 { range "0..7"; } description "Possible values of Class of Service"; } typedef vlan-cfi-field { type uint8 { range "0..1"; } description "Possible values of Canonical Form Indicator"; } typedef packet-color { type enumeration { enum "GREEN" { value 1; description "Green"; } enum "YELLOW" { value 2; description "Yellow"; } enum "RED" { value 3; description "Red"; } } description "Enumeration of packet color types based on RFC 2697"; } typedef bridge-type { type enumeration { enum "BRIDGE_1Q" { value 1; description "VLAN aware bridge"; } enum "BRIDGE_1D" { value 2; description "Not VLAN aware bridge"; } } description "Enumeration of bridge type by which packet is forwarded"; } list table { key "id"; description "An Acl-Table is an ordered list of Acl-Entries. A packet is evaluated against each Acl-Entry in the Acl-Table sequentially in order of descending Entry priority to look for a match. The evaluation within a table stops as soon as the first matching ACL entry is identified - the subsequent Acl-entries in the same Acl-Table are ignored for the packet. There can be multiple ACL Tables - the evaluation is then repeated for each ACL table. The ACL actions from all ACL tables are aggregated and then applied to the packet. Conflicting actions are resolved by using Table priority"; leaf switch-id { type base-cmn:logical-switch-id; status obsolete; description "Logical Switch to which this ACL Table belongs. The concept of logical switch is obsolete and this attribute is ignored."; } leaf id { type base-cmn:base-obj-id-type; description "Unique Id generated upon Create request. Subsequent Modify or Delete requests required the Table ID to be passed in."; } leaf priority { type uint32; mandatory true; description "Table priority - determines the Relative priority given to actions from an acl-entry matched in this table compared to conflicting actions from acl entries matched in other tables for the same packet. Numerically larger number indicates higher table priority. Actions from tables with higher priority override conflicting actions from lower priority tables."; } leaf size { type uint32; description "The maximum number entries allowed to be created in this table."; } leaf stage { type stage; mandatory true; description "Stage value - ingress,egress"; } leaf-list allowed-match-fields { type match-type; min-elements 1; description "restrict the allowed fields that can be used to match packets by acl-entries belonging to this table"; } leaf-list allowed-actions { type action-type; description "list of allowed actions that could be performed on matched packets by acl-entries belonging to this table. This attribute is optional and is only required by specific platforms. If it's not specified, by default all actions are allowed"; } leaf-list udf-group-list { type base-cmn:base-obj-id-type; description "List of UDF Group ID associated with this table"; } leaf-list npu-id-list { type base-cmn:npu-id; description "Optional subset of NPUs on which this ACL Table needs to be installed. If this attribute is not specified then the Table is installed on all NPUs to which the Table belongs."; } leaf name { type string { length "32"; } description "Optional user provided name for ACL table. User could use name as identity other than ID to retrieve table information if name is given when ACL table being created"; } } // list table list entry { key "table-id id"; description "Each Acl-Entry contains a rule and a set of actions. The rule is used to selectively apply the actions only on packets matching the rule. The rule defines the filters to match packets by specifying a list of packet fields and the expected values for each of them. The action defines the list of actions to be taken once a packet matches all the filters specified in the rule. Each Acl-Entry is uniquely identified by the Acl-Table to which it belongs and its entry id within this table. An existing ACL entry can be modified to add/remove/update match filters or actions in two ways - - Overwrite mode By forming CPS Object out of the top-level ACL Entry object using the Table ID and Entry ID as keys and providing the complete list of Match filters and/or Actions as embedded attributes of this object. The existing ACL entry will be overwritten with the new ACL entry defined by such an object. . -emental mode By forming CPS Object out of the inner Match filter or Action sub-object using the Table ID, Entry ID and Match-Type or Action-Type as keys and providing the values for a single Match Filter or single Action as direct attributes in this object. Only a single Match Filter or Action can be added/modified/ removed in this way. Only the inner level attributes defined within the Match or Action subobject below can be present in this incremental CPS Object."; leaf switch-id { type base-cmn:logical-switch-id; status obsolete; description "Logical Switch to which this ACL Entry belongs. The concept of logical switch is obsolete and this attribute is ignored."; } leaf table-id { type base-cmn:base-obj-id-type; description "ACL-Table to which this Entry belongs."; } leaf id { type base-cmn:base-obj-id-type; description "Unique Entry Id generated upon Create request. Scope of this ID is within the ACL Table. Subsequent Modify or Delete requests require the Entry ID to be passed in."; } leaf priority { type uint32; mandatory true; description "Entry Priority - Determines the order of evaluation of Entries within an Acl-Table. Entries with numerically larger number have higher priority and are evaluated first within the table."; } leaf-list npu-id-list { type base-cmn:npu-id; description "Optional subset of NPUs on which this ACL entry needs to be installed. If this attribute is not specified then the entry is installed on all NPUs on which the Table to which the Entry belongs is installed."; } list match { key "type"; min-elements 1; description "Match-filters are a list of packet field, value pairs. A packet is considered to match an Acl-Entry ONLY when the values specified for all the packet fields match those in the actual packet. Only those fields that are in the allowed-fields list of the Acl-Table to which this Acl-Entry belongs can be used here. An existing ACL entry can be incrementally modified to add, delete or modify a single Match filter by forming a CPS object out of this inner Match subobject using the Match Type as additional key element. Such a CPS Object should NOT contain any attributes defined outside this sub-object including the top level match attribute."; leaf type { type match-type; description "Attribute type to be matched"; } container SRC_IPV6_VALUE { when "../type = 'SRC_IPV6'"; description "Value for Src IPv6 Address"; leaf addr { type base-cmn:ipv6-address; mandatory true; description "IPv6 Address to be matched with the ACL entries"; } leaf mask { type base-cmn:ipv6-address; mandatory true; description "Netmask"; } } // container SRC_IPV6_VALUE container DST_IPV6_VALUE { when "../type = 'DST_IPV6'"; description "Value for Dest IPv6 Address"; leaf addr { type base-cmn:ipv6-address; mandatory true; description "IPv6 Address to be matched with the ACL entries"; } leaf mask { type base-cmn:ipv6-address; mandatory true; description "Netmask"; } } // container DST_IPV6_VALUE container SRC_MAC_VALUE { when "../type = 'SRC_MAC'"; description "Value for Src MAC Address"; leaf addr { type base-cmn:mac-address; mandatory true; description "MAC address to be matched with the ACL entries"; } leaf mask { type base-cmn:mac-address; mandatory true; description "MAC address mask"; } } // container SRC_MAC_VALUE container DST_MAC_VALUE { when "../type = 'DST_MAC'"; description "Value for Dst MAC Address"; leaf addr { type base-cmn:mac-address; mandatory true; description "MAC address to be matched with the ACL entries"; } leaf mask { type base-cmn:mac-address; mandatory true; description "MAC address mask"; } } // container DST_MAC_VALUE container SRC_IP_VALUE { when "../type = 'SRC_IP'"; description "Value for Src IPv4 Address"; leaf addr { type base-cmn:ipv4-address; mandatory true; description "IPv4 Address to be matched with the ACL entries"; } leaf mask { type base-cmn:ipv4-address; mandatory true; description "Netmask"; } } // container SRC_IP_VALUE container DST_IP_VALUE { when "../type = 'DST_IP'"; description "Value for Dst IPv4 Address"; leaf addr { type base-cmn:ipv4-address; mandatory true; description "IPv4 Address to be matched with the ACL entries"; } leaf mask { type base-cmn:ipv4-address; mandatory true; description "Netmask"; } } // container DST_IP_VALUE leaf-list IN_PORTS_VALUE { when "../type = 'IN_PORTS'"; type base-cmn:logical-ifindex; status obsolete; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that are received from any 1 of the ports specified in this list."; } leaf-list OUT_PORTS_VALUE { when "../type = 'OUT_PORTS'"; type base-cmn:logical-ifindex; status obsolete; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that will be transmitted out on any 1 of the ports specified in this list."; } leaf IN_PORT_VALUE { when "../type = 'IN_PORT'"; type base-cmn:logical-ifindex; status obsolete; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that are received from the port specified."; } leaf OUT_PORT_VALUE { when "../type = 'OUT_PORT'"; type base-cmn:logical-ifindex; status obsolete; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that will be transmitted out on the port specified."; } container OUTER_VLAN_ID_VALUE { when "../type = 'OUTER_VLAN_ID'"; description "This field should be matched against the 12 LSB bits of the IEEE 802.1Q Vlan tag in the packet. Valid range: 0-4095 inclusive"; leaf data { type uint16; mandatory true; description "16 Bits of data to be matched with the ACL entries"; } leaf mask { type uint16; description "Netmask"; } } // container OUTER_VLAN_ID_VALUE container OUTER_VLAN_PRI_VALUE { when "../type = 'OUTER_VLAN_PRI'"; description "This field should be matched against the 3 MSB bits of the IEEE 802.1Q Vlan tag in the packet. Valid range: 0-7 inclusive"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container OUTER_VLAN_PRI_VALUE leaf OUTER_VLAN_CFI_VALUE { when "../type = 'OUTER_VLAN_CFI'"; type vlan-cfi-field; description "This field should be matched against the 4th MSB bit of the IEEE 802.1Q Vlan tag in the packet."; } container INNER_VLAN_ID_VALUE { when "../type = 'INNER_VLAN_ID'"; description "This field should be matched against the 12 LSB bits of the inner IEEE 802.1Q Vlan tag in a double tagged packet. Valid range: 0-4095 inclusive"; leaf data { type uint16; mandatory true; description "16 Bits of data to be matched with the ACL entries"; } leaf mask { type uint16; description "Netmask"; } } // container INNER_VLAN_ID_VALUE container INNER_VLAN_PRI_VALUE { when "../type = 'INNER_VLAN_PRI'"; description "This field should be matched against the 3 MSB bits of the inner IEEE 802.1Q Vlan tag in a double tagged packet. Valid range: 0-7 inclusive"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container INNER_VLAN_PRI_VALUE leaf INNER_VLAN_CFI_VALUE { when "../type = 'INNER_VLAN_CFI'"; type vlan-cfi-field; description "This field should be matched against the 4th MSB bit of the inner IEEE 802.1Q Vlan tag in a double tagged packet."; } container L4_SRC_PORT_VALUE { when "../type = 'L4_SRC_PORT'"; description "Value of L4 Source Port to match"; leaf data { type uint16; mandatory true; description "16 Bits of data to be matched with the ACL entries"; } leaf mask { type uint16; description "Netmask"; } } // container L4_SRC_PORT_VALUE container L4_DST_PORT_VALUE { when "../type = 'L4_DST_PORT'"; description "Value of L4 Dest Port to match"; leaf data { type uint16; mandatory true; description "16 Bits of data to be matched with the ACL entries"; } leaf mask { type uint16; description "Netmask"; } } // container L4_DST_PORT_VALUE container ETHER_TYPE_VALUE { when "../type = 'ETHER_TYPE'"; description "Value for EtherType"; leaf data { type uint16; mandatory true; description "16 Bits of data to be matched with the ACL entries"; } leaf mask { type uint16; description "Netmask"; } } // container ETHER_TYPE_VALUE container IP_PROTOCOL_VALUE { when "../type = 'IP_PROTOCOL'"; description "Match packets with given value in IP Protocol field"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container IP_PROTOCOL_VALUE container DSCP_VALUE { when "../type = 'DSCP'"; description "Match packets with given dscp value. Valid range: 0-63 inclusive"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container DSCP_VALUE container TTL_VALUE { when "../type = 'TTL'"; description "Value for Ip Ttl"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container TTL_VALUE container TOS_VALUE { when "../type = 'TOS'"; description "Value for Ip Tos"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container TOS_VALUE container IP_FLAGS_VALUE { when "../type = 'IP_FLAGS'"; description "Value for Ip Flags. Valid range: 0-63 inclusive"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container IP_FLAGS_VALUE container TCP_FLAGS_VALUE { when "../type = 'TCP_FLAGS'"; description "Value for Tcp Flags"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container TCP_FLAGS_VALUE leaf IP_TYPE_VALUE { when "../type = 'IP_TYPE'"; type match-ip-type; description "Value for IP types"; } leaf IP_FRAG_VALUE { when "../type = 'IP_FRAG'"; type match-ip-frag; description "Value for Fragment position in the IP packet"; } container IPV6_FLOW_LABEL_VALUE { when "../type = 'IPV6_FLOW_LABEL'"; description "Value for Ipv6 Flow label. Valid range: 0x0-0xfffff inclusive"; leaf data { type uint32; mandatory true; description "32 Bits of data to be matched with the ACL entries"; } leaf mask { type uint32; description "Netmask"; } } // container IPV6_FLOW_LABEL_VALUE container TC_VALUE { when "../type = 'TC'"; description "Match packets based on the QoS Traffic class assigned to them"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container TC_VALUE container ECN_VALUE { when "../type = 'ECN'"; description "Value for ECN. Valid range: 0-3 inclusive"; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container ECN_VALUE container ICMP_TYPE_VALUE { when "../type = 'ICMP_TYPE'"; description "Value for ICMP Type."; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container ICMP_TYPE_VALUE container ICMP_CODE_VALUE { when "../type = 'ICMP_CODE'"; description "Value for ICMP Code."; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container ICMP_CODE_VALUE leaf SRC_PORT_VALUE { when "../type = 'SRC_PORT'"; type base-cmn:logical-ifindex; status obsolete; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that are received from the port specified."; } leaf DST_PORT_VALUE { when "../type = 'DST_PORT'"; type base-cmn:logical-ifindex; status obsolete; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that will be transmitted out on the port specified."; } leaf-list IN_INTFS_VALUE { when "../type = 'IN_INTFS'"; type if:interface-ref; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that are received from any 1 of the ports specified in this list."; } leaf-list OUT_INTFS_VALUE { when "../type = 'OUT_INTFS'"; type if:interface-ref; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that will be transmitted out on any 1 of the ports specified in this list."; } leaf IN_INTF_VALUE { when "../type = 'IN_INTF'"; type if:interface-ref; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that are received from the port specified."; } leaf OUT_INTF_VALUE { when "../type = 'OUT_INTF'"; type if:interface-ref; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that will be transmitted out on the port specified."; } leaf SRC_INTF_VALUE { when "../type = 'SRC_INTF'"; type if:interface-ref; description "This field does not refer to a packet field. Its presence means that this Acl-Entry should ONLY be applied to packets that are received from the port specified."; } container UDF_VALUE { when "../type = 'UDF'"; description "Value for UDF byte array."; leaf udf-group-id { type base-cmn:base-obj-id-type; mandatory true; description "Group ID"; } leaf match-data { type udf-match-bytes; mandatory true; description "Data"; } leaf match-mask { type udf-match-bytes; description "Mask"; } } // container UDF_VALUE container IPV6_NEXT_HEADER_VALUE { when "../type = 'IPV6_NEXT_HEADER'"; description "Value for IPv6 next header byte."; leaf data { type uint8; mandatory true; description "8 Bits of data to be matched with the ACL entries"; } leaf mask { type uint8; description "Netmask"; } } // container IPV6_NEXT_HEADER_VALUE leaf-list RANGE_CHECK_VALUE { when "../type = 'RANGE_CHECK'"; type base-cmn:base-obj-id-type; description "List of ACL range checker IDs."; } leaf NEIGHBOR_DST_HIT_VALUE { when "../type = 'NEIGHBOR_DST_HIT'"; type boolean; description "Value to specify packet destination IP address match or not match in neighbor table"; } leaf ROUTE_DST_HIT_VALUE { when "../type = 'ROUTE_DST_HIT'"; type boolean; description "Value to specify packet destination IP address match or not match in routing table"; } leaf FDB_DST_HIT_VALUE { when "../type = 'FDB_DST_HIT'"; type boolean; description "Value to specify packet destination MAC address match or not match FDB"; } leaf DROP_MARKED_VALUE { when "../type = 'DROP_MARKED'"; type boolean; description "Value to specify packet drop-bit match or not match"; } leaf BRIDGE_TYPE_VALUE { when "../type = 'BRIDGE_TYPE'"; type bridge-type; description "Value to specify packet forwarding bridge type to be matched"; } leaf MCAST_ROUTE_DST_HIT_VALUE { when "../type = 'MCAST_ROUTE_DST_HIT'"; type boolean; description "Value to specify multicast packet destination IP address match or not match in IPMC routing table"; } } // list match list action { key "type"; description "List of actions to be performed on packets matching this Acl-Entry. An existing ACL entry can be incrementally modified to add, delete or modify a single Action by forming a CPS object out of this inner Action subobject using the Action Type as additional key element. Such a CPS Object should NOT contain any attributes defined outside this sub-object including the top level action attribute."; leaf type { type action-type; description "Type of actions to be performed"; } leaf REDIRECT_PORT_VALUE { when "../type = 'REDIRECT_PORT'"; type base-cmn:logical-ifindex; status obsolete; description "Port or LAG trunk to Redirect Packet on"; } container IP_NEXTHOP_GROUP_VALUE { when "../type = 'REDIRECT_IP_NEXTHOP'"; description "This refers to the next-hop group id defined in the Routing data model. Packets will be redirected to the next-hop router referred by this group-id."; leaf id { type uint32; status obsolete; description "Refers to the Next-Hop group entry defined in the Routing data model. Multiple ACL entries can refer to the same next-hop group ID."; } leaf vrf_id { type uint32; mandatory true; description "VRF ID"; } leaf af { type base-cmn:af-type; mandatory true; description "Address Family"; } leaf dest-addr { type base-cmn:ip-address; mandatory true; description "Route/Nexthop address to be tracked"; } leaf data { type base-cmn:ip-nexthop-group-opaque-data; mandatory true; description "Opaque blob containing hardware specific data for the Next-Hop Group defined in the Routing data model."; } } // container IP_NEXTHOP_GROUP_VALUE leaf PACKET_ACTION_VALUE { when "../type = 'PACKET_ACTION'"; type packet-action-type; description "Drop or allow or copy packet to CPU"; } list MIRROR_INGRESS_VALUE { when "../type = 'MIRROR_INGRESS'"; key "index"; description "This refers to the mirroring session defined in the mirroring data model. It can take a list of ingress mirroring sessions. To add/remove sessions to an existing Mirroring action the entire modified list needs to be provided. The existing action will be overwritten with the new list of mirroring sessions."; leaf index { type uint32; mandatory true; description "Refers to the Mirror session entry defined in Mirroring data model. Yang Ref: dell-base-mirror/entry/id Multiple ACL entries can refer to the same mirroring session."; } leaf data { type base-cmn:mirror-opaque-data; mandatory true; description "Opaque blob containing hardware specific mirroring data. Yang Ref: dell-base-mirror/entry/opaque-data To get the opaque data, the Application needs to do a GET operation on the above Mirroring attribute only AFTER a successful Observed state change is published for the Mirroring configuration. NOTE: The Application has to perform this GET every time the Mirroring session is configured on a new NPU. It then needs to pass this blob as an attribute to the ACL Entry object."; } } // list MIRROR_INGRESS_VALUE list MIRROR_EGRESS_VALUE { when "../type = 'MIRROR_EGRESS'"; key "index"; description "This refers to the mirroring session defined in the mirroring data model. It can take a list of egress mirroring sessions. To add/remove sessions to an existing Mirroring action the entire modified list needs to be provided. The existing action will be overwritten with the new list of mirroring sessions."; leaf index { type uint32; mandatory true; description "Refers to the Mirror session entry defined in Mirroring data model. Yang Ref: dell-base-mirror/entry/id Multiple ACL entries can refer to the same mirroring session."; } leaf data { type base-cmn:mirror-opaque-data; mandatory true; description "Opaque blob containing hardware specific mirroring data. Yang Ref: dell-base-mirror/entry/opaque-data To get the opaque data, the Application needs to do a GET operation on the above Mirroring attribute only AFTER a successful Observed state change is published for the Mirroring configuration. NOTE: The Application has to perform this GET every time the Mirroring session is configured on a new NPU. It then needs to pass this blob as an attribute to the ACL Entry object."; } } // list MIRROR_EGRESS_VALUE leaf COUNTER_VALUE { when "../type = 'SET_COUNTER'"; type base-cmn:base-obj-id-type; description "This refers to the ACL counter object id Yang Ref: dell-base-acl/counter/id. This counter should belong to the same ACL Table as the Entry"; } container POLICER_VALUE { when "../type = 'SET_POLICER'"; description "QOS Policer profile to be applied on the packets"; leaf index { type base-cmn:base-obj-id-type; mandatory true; description "Refers to the policer entry defined in QoS data model. Yang Ref: dell-base-qos/meter/id. Multiple ACL entries can refer to the same policer in which case packets matching all those ACL entries are cumulatively metered to the specified rate."; } leaf data { type base-cmn:qos-meter-opaque-data; mandatory true; description "Opaque blob containing hardware specific meter data. Yang Ref: dell-base-qos/meter/data. To get the opaque data, the Application needs to do a GET operation on the above QoS Meter attribute only AFTER a successful Observed state change is published for the Meter configuration. The Application has to perform this GET every time the Meter is configured on a new NPU. It then needs to pass this blob as an attribute to the ACL Entry object. Dependency - The Meter should have been successfully configured on all the NPUs specified in the ACL entry"; } } // container POLICER_VALUE leaf NEW_TC_VALUE { when "../type = 'SET_TC'"; type base-cmn:traffic-class; description "New QoS Traffic Class value to be assigned to packets matching this ACL entry. This determines the type of Quality of Service this packet receives at egress"; } leaf NEW_INNER_VLAN_ID_VALUE { when "../type = 'SET_INNER_VLAN_ID'"; type base-cmn:vlan-id; description "Value for action Set Packet Inner Vlan-Id. Valid range: 1-4095 inclusive"; } leaf NEW_INNER_VLAN_PRI_VALUE { when "../type = 'SET_INNER_VLAN_PRI'"; type base-cmn:dot1p; description "Value for action Mark Inner Vlan Dot1p. Valid range: 0-7 inclusive"; } leaf NEW_OUTER_VLAN_ID_VALUE { when "../type = 'SET_OUTER_VLAN_ID'"; type base-cmn:vlan-id; description "Value for action Set Packet Outer Vlan-Id. Valid range: 1-4095 inclusive"; } leaf NEW_OUTER_VLAN_PRI_VALUE { when "../type = 'SET_OUTER_VLAN_PRI'"; type base-cmn:dot1p; description "Value for action Mark Dot1p. Valid range: 0-7 inclusive"; } leaf NEW_SRC_MAC_VALUE { when "../type = 'SET_SRC_MAC'"; type base-cmn:mac-address; description "Value for action Set Packet Src MAC Address"; } leaf NEW_DST_MAC_VALUE { when "../type = 'SET_DST_MAC'"; type base-cmn:mac-address; description "Value for action Set Packet Dst MAC Address"; } leaf NEW_SRC_IP_VALUE { when "../type = 'SET_SRC_IP'"; type base-cmn:ipv4-address; description "Value for action Set Packet Src IPv4 Address"; } leaf NEW_DST_IP_VALUE { when "../type = 'SET_DST_IP'"; type base-cmn:ipv4-address; description "Value for action Set Packet Src IPv4 Address"; } leaf NEW_SRC_IPV6_VALUE { when "../type = 'SET_SRC_IPV6'"; type base-cmn:ipv6-address; description "Value for action Set Packet Src IPv6 Address"; } leaf NEW_DST_IPV6_VALUE { when "../type = 'SET_DST_IPV6'"; type base-cmn:ipv6-address; description "Value for action Set Packet Src IPv6 Address"; } leaf NEW_DSCP_VALUE { when "../type = 'SET_DSCP'"; type inet:dscp; description "Value for action Set Packet DSCP. Valid range: 0-63 inclusive"; } leaf NEW_L4_SRC_PORT_VALUE { when "../type = 'SET_L4_SRC_PORT'"; type inet:port-number; description "Value for action Set Packet L4 Src Port"; } leaf NEW_L4_DST_PORT_VALUE { when "../type = 'SET_L4_DST_PORT'"; type inet:port-number; description "Value for action Set Packet L4 Src Port"; } container CPU_QUEUE_VALUE { when "../type = 'SET_CPU_QUEUE'"; description "Queue Data-Id"; leaf index { type base-cmn:base-obj-id-type; mandatory true; description "Refers to the Queue Id of the CPU Queue defined in QoS data model. Yang Ref: dell-base-qos/queue/id."; } leaf data { type base-cmn:qos-queue-opaque-data; mandatory true; description "Opaque blob containing hardware specific Qos queue data. Yang Ref: dell-base-qos/queue/data. To get the opaque data, the Application needs to do a GET operation on the above QoS QoS attribute only AFTER a successful Observed state change is published for the Queue configuration. The Application has to perform this GET every time the Meter is configured on a new NPU. It then needs to pass this blob as an attribute to the ACL Entry object. Dependency - The Queue should have been successfully configured on all the NPUs specified in the ACL entry"; } } // container CPU_QUEUE_VALUE leaf-list EGRESS_MASK_VALUE { when "../type = 'EGRESS_MASK'"; type base-cmn:logical-ifindex; status obsolete; description "List of ports to be blocked"; } leaf-list REDIRECT_PORT_LIST_VALUE { when "../type = 'REDIRECT_PORT_LIST'"; type base-cmn:logical-ifindex; status obsolete; description "List of port to be redirected"; } leaf REDIRECT_INTF_VALUE { when "../type = 'REDIRECT_INTF'"; type if:interface-ref; description "Port or LAG trunk to Redirect Packet on"; } leaf-list EGRESS_INTF_MASK_VALUE { when "../type = 'EGRESS_INTF_MASK'"; type if:interface-ref; description "List of ports to be blocked"; } leaf-list REDIRECT_INTF_LIST_VALUE { when "../type = 'REDIRECT_INTF_LIST'"; type if:interface-ref; description "List of port to be redirected"; } leaf SET_USER_TRAP_ID_VALUE { when "../type = 'SET_USER_TRAP_ID'"; type base-cmn:base-obj-id-type; description "User defined trap id value"; } leaf SET_PACKET_COLOR_VALUE { when "../type = 'SET_PACKET_COLOR'"; type packet-color; description "Packet color value"; } } // list action leaf table-name { type string { length "32"; } description "Optional attribute to specify name of ACL Table to which this Entry belongs"; } leaf name { type string { length "32"; } description "Optional user provided name for ACL entry. User could use name as identity other than ID to retrieve entry information if name is given when ACL entry being created"; } } // list entry list counter { key "table-id id"; description "Create and configure ACL counter parameters."; leaf switch-id { type base-cmn:logical-switch-id; status obsolete; description "Logical Switch to which this ACL Counter belongs. The concept of logical switch is obsolete and this attribute is ignored."; } leaf table-id { type base-cmn:base-obj-id-type; description "ACL-Table to which this Counter belongs."; } leaf id { type base-cmn:base-obj-id-type; description "Unique Counter Id generated upon Create request. Scope of this ID is within the ACL Table. Subsequent Modify or Delete requests require the Counter ID to be passed in."; } leaf-list types { type counter-type; min-elements 1; description "Packet, Byte counter - more than 1 type can be specified for the same counter."; } leaf-list npu-id-list { type base-cmn:npu-id; description "Optional NPU ID list attribute that allows application to configure the counter only on specific NPU(s). For a CREATE/SET/DELETE operation, if this optional attribute is not specified then the counter is installed/modified/deleted on all NPUs."; } leaf name { type string { length "32"; } description "Optional user provided name for ACL counter. User could use name as identity other than ID to retrieve counter information if name is given when ACL counter being created"; } leaf table-name { type string { length "32"; } description "Optional attribute to specify name of ACL Table to which this Counter belongs"; } } // list counter list stats { key "table-id counter-id"; description "NPU ACL entry hit stats. Stats objects cannot be Created or Deleted. Stats objects are indexed using the ACL counter object ID."; leaf switch-id { type base-cmn:logical-switch-id; status obsolete; description "Logical Switch to which this ACL Counter belongs. The concept of logical switch is obsolete and this attribute is ignored."; } leaf table-id { type base-cmn:base-obj-id-type; description "ACL-Table to which this Counter belongs."; } leaf counter-id { type base-cmn:base-obj-id-type; description "ACL-Counter whose stats needs to be set/retrieved."; } leaf table-name { type string { length "32"; } description "Name of ACL-Table to which this Counter belongs."; } leaf counter-name { type string { length "32"; } description "Name of ACL-Counter whose stats needs to be set/retrieved."; } leaf-list npu-id-list { type base-cmn:npu-id; description "Optional NPU ID list attribute that allows application to set/retrieve the counter value to/from specific NPU(s). For a GET operation, if more than 1 NPU is specified in the list, then the counter value returned is the sum of the counters from all the specified NPUs. If this optional attribute is not specified then the counter value returned is the sum of the counters on all NPUs where the ACL entry is installed. Similarly, for a SET operation, the counter value is reset on all NPUs specified in the list. If this optional attribute is not specified then the counter is reset on all NPUs in which the ACL entry is installed"; } leaf matched-packets { type yang:counter64; description "Number of packets that have matched the ACL entries associated with this counter on the given NPU. This is valid only if PACKET counter type is enabled for this counter."; } leaf matched-bytes { type yang:counter64; description "Number of bytes that have matched the ACL entries associated with this counter on the given NPU. This is valid only if BYTE counter type is enabled for this counter."; } } // list stats typedef range-type { type enumeration { enum "L4_SRC_PORT" { value 1; description "Checking source port field of TCP/UDP header."; } enum "L4_DST_PORT" { value 2; description "Checking destination port field of TCP/UDP header."; } enum "OUTER_VLAN" { value 3; description "Checking outer VLAN ID."; } enum "INNER_VLAN" { value 4; description "Checking inner VLAN ID."; } enum "PACKET_LENGTH" { value 5; description "Checking length in bytes of L3 payload plus L3 header."; } } description "Types of extended attribute for packet match"; } list range { key "id"; description "Each entry of this list defines a range."; leaf id { type base-cmn:base-obj-id-type; description "Unique ID generated upon Create request. Subsequent Modify and Delete request required this Range ID to be passed in."; } leaf type { type range-type; mandatory true; description "Specify parameter type to check."; } leaf limit_min { type uint32; mandatory true; description "Minimum limit of range"; } leaf limit_max { type uint32; mandatory true; description "Maximum limit of range"; } } // list range rpc clear-acl-entries-for-nh { description "This method is used to notify ACL component for removal of ACL entries associated with the opaque data. This method is triggered from routing component and the opaque data is associated with next-hop group"; input { leaf data { type base-cmn:ip-nexthop-group-opaque-data; mandatory true; description "Opaque blob containing hardware specific data for the Next-Hop Group for which the ACL entries are to be deleted."; } } } // rpc clear-acl-entries-for-nh list switching-entity { key "switch-id"; description "Switching entity ACL pool, application configuration parameters."; leaf switch-id { type base-cmn:logical-switch-id; description "Switch Identifier"; } leaf max-ingress-acl-pool-count { type uint32; config false; description "Maximum number of Ingress ACL pools available."; } leaf max-egress-acl-pool-count { type uint32; config false; description "Maximum number of Egress ACL pool available."; } list app-group { key "id"; description "List of applications mapped to this application group, one application should be part of one application group only."; leaf id { type string { length "1..32"; } description "ACL application group id for this group in this switch NPU."; } leaf stage { type stage; config false; description "Types of packet forwarding pipeline stages (ingress or egress)."; } leaf depth { type uint32; config false; description "Max number of normalized units available for this application group in a single pool. A normalized unit is the basic memory unit used for ACL rules created by applications; some ACL rules need 1 unit, others need 2 and so forth, depending on the ACL rule contents."; } leaf default-pool-count { type uint32; config false; description "Number of ACL pools assigned by default for this application group by switch NPU."; } leaf pool-count { type uint32; description "Configured number of ACL pools for this application group, that would take effect on next boot."; } list application { key "app-id"; leaf app-id { type string { length "1..32"; } description "ACL application id for this application in the application group."; } leaf num-units-per-entry { type uint32; config false; description "Number of normalized pool units required for one application acl entry. A normalized unit is the basic memory unit used for ACL rules created by applications; some ACL rules need 1 unit, others need 2 and so forth, depending on the ACL rule contents."; } } // list application } // list app-group } // list switching-entity list acl-table { key "npu-id id"; description "list of ACL table information."; leaf npu-id { type base-cmn:npu-id; description "NPU to which this acl-table belongs to."; } leaf id { type base-cmn:base-obj-id-type; description "This refers to the ACL table object id YANG Ref: dell-base-acl/table/id."; } list info { key "pipeline-id"; description "List of ACL table utilization information for all pipelines within the NPU."; leaf pipeline-id { type uint32; description "In multi pipeline systems, 0-based index of the pipeline where the pool is present."; } leaf used-count { type uint32; config false; description "Number of normalized units used in the ACL table in this pipeline. A normalized unit is the basic memory unit used for ACL rules created by applications; some ACL rules need 1 unit, others need 2 and so forth, depending on the ACL rule contents."; } leaf avail-count { type uint32; config false; description "Number of normalized units available for use in the ACL table in this pipeline. A normalized unit is the basic memory unit used for ACL rules created by applications; some ACL rules need 1 unit, others need 2 and so forth, depending on the ACL rule contents."; } } // list info } // list acl-table list acl-pool-info { key "npu-id pool-id"; description "List of ACL table pool for a NPU."; leaf npu-id { type base-cmn:npu-id; description "NPU to which this pool belongs to."; } leaf pool-id { type base-cmn:base-obj-id-type; description "Unique ACL Pool Id generated upon system initialization. Scope of this ID is within the NPU."; } leaf index { type uint32; config false; description "Index of the pool within a given pipeline and stage"; } leaf pipeline-id { type uint32; config false; description "In multi pipeline systems, 0-based index of the pipeline where the pool is present."; } leaf stage { type stage; config false; description "Types of packet forwarding pipeline stages (ingress or egress)."; } leaf used-count { type uint32; config false; description "Number of entries used in the pool."; } leaf avail-count { type uint32; config false; description "Number of entries available for use in the pool."; } leaf depth { type uint32; config false; description "Number of normalized units in this pool. This is initialized to avail-count at switch NPU init time."; } leaf-list acl-table { type base-cmn:base-obj-id-type; config false; description "List of ACL table ids for a given pool. This refers to the ACL table object id, YANG Ref: dell-base-acl/table/id."; } } // list acl-pool-info } // module dell-base-acl
© 2023 YumaWorks, Inc. All rights reserved.