This YANG module defines a component that describing the configuration of Access Control Lists (ACLs). Redistribution and use in...
Version: 2015-03-17
module ietf-access-control-list { yang-version 1; namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list"; prefix acl; import ietf-yang-types { prefix yang; } import ietf-packet-fields { prefix packet-fields; } organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: http://tools.ietf.org/wg/netmod/ WG List: netmod@ietf.org WG Chair: Juergen Schoenwaelder j.schoenwaelder@jacobs-university.de WG Chair: Tom Nadeau tnadeau@lucidvision.com Editor: Dean Bogdanovic deanb@juniper.net Editor: Kiran Agrahara Sreenivasa kkoushik@brocade.com Editor: Lisa Huang lyihuang@juniper.net Editor: Dana Blair dblair@cisco.com"; description "This YANG module defines a component that describing the configuration of Access Control Lists (ACLs). Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see the RFC itself for full legal notices."; revision "2015-03-17" { description "Base model for Network Access Control List (ACL)."; reference "RFC XXXX: Network Access Control List (ACL) YANG Data Model"; } identity acl-base { description "Base Access Control List type for all Access Control List type identifiers."; } identity ip-acl { base acl:acl-base; description "IP Access Control List is a common name for lists that contain layer 3 and/or layer 4 match conditions."; } identity eth-acl { base acl:acl-base; description "Ethernet Access Control List is name for layer 2 Ethernet technology Access Control List types, like 10/100/1000baseT or WiFi Access Control List"; } typedef acl-type { type identityref { base acl-base; } description "This type is used to refer to an Access Control List (ACL) type"; } typedef access-control-list-ref { type leafref { path "/access-lists/acl/acl-name"; } description "This type is used by data models that need to reference an Access Control List"; } container access-lists { description "This is a top level container for Access Control Lists. It can have one or more Access Control Lists."; list acl { key "acl-name"; description "An Access Control List(ACL) is an ordered list of Access List Entries (ACE). Each Access Control Entry has a list of match criteria and a list of actions. Since there are several kinds of Access Control Lists implemented with different attributes for different vendors, this model accommodates customizing Access Control Lists for each kind and for each vendor."; container acl-oper-data { config false; description "Overall Access Control List operational data"; } // container acl-oper-data container access-list-entries { description "The access-list-entries container contains a list of access-list-entries(ACE)."; list ace { key "rule-name"; ordered-by user; description "List of access list entries(ACE)"; container matches { description "Definitions for match criteria for this Access List Entry."; choice ace-type { description "Type of access list entry."; case ace-ip { description "IP Access List Entry."; choice ace-ip-version { description "IP version used in this Acess List Entry."; case ace-ipv4 { leaf destination-ipv4-network { type inet:ipv4-prefix; description "Destination IPv4 address prefix."; } leaf source-ipv4-network { type inet:ipv4-prefix; description "Source IPv4 address prefix."; } } // case ace-ipv4 case ace-ipv6 { leaf destination-ipv6-network { type inet:ipv6-prefix; description "Destination IPv6 address prefix."; } leaf source-ipv6-network { type inet:ipv6-prefix; description "Source IPv6 address prefix."; } leaf flow-label { type inet:ipv6-flow-label; description "IPv6 Flow label."; } } // case ace-ipv6 } // choice ace-ip-version leaf dscp { type inet:dscp; description "Value of dscp."; } leaf protocol { type uint8; description "Internet Protocol number."; } container source-port-range { description "Inclusive range representing source ports to be used. When only lower-port is present, it represents a single port."; leaf lower-port { type inet:port-number; mandatory true; description "Lower boundary for port."; } leaf upper-port { type inet:port-number; must ". >= ../lower-port" { error-message "The upper-port must be greater than or equal to lower-port"; } description "Upper boundary for port . If existing, the upper port must be greater or equal to lower-port."; } } // container source-port-range container destination-port-range { description "Inclusive range representing destination ports to be used. When only lower-port is present, it represents a single port."; leaf lower-port { type inet:port-number; mandatory true; description "Lower boundary for port."; } leaf upper-port { type inet:port-number; must ". >= ../lower-port" { error-message "The upper-port must be greater than or equal to lower-port"; } description "Upper boundary for port. If existing, the upper port must be greater or equal to lower-port"; } } // container destination-port-range container source-port { when "../acl:protocol = 6 or ../acl:protocol = 17"; description "Source port definition."; choice port-range-or-operator { description "Choice of specifying a port range or a single port along with an operator."; case range { leaf lower-port { type inet:port-number { range "1..65535"; } mandatory true; description "Lower boundary for a port."; } leaf upper-port { type inet:port-number { range "1..65535"; } must ". >= ../lower-port" { error-message "The upper-port must be greater than or equal to lower-port."; } mandatory true; description "Upper boundry for port."; } } // case range case operator { leaf operator { type operator; default "eq"; description "Operator to be applied on the port below."; } leaf port { type inet:port-number { range "1..65535"; } mandatory true; description "Port number on which to match."; } } // case operator } // choice port-range-or-operator } // container source-port container destination-port { when "../acl:protocol = 6 or ../acl:protocol = 17"; description "Destination port definition."; choice port-range-or-operator { description "Choice of specifying a port range or a single port along with an operator."; case range { leaf lower-port { type inet:port-number { range "1..65535"; } mandatory true; description "Lower boundary for a port."; } leaf upper-port { type inet:port-number { range "1..65535"; } must ". >= ../lower-port" { error-message "The upper-port must be greater than or equal to lower-port."; } mandatory true; description "Upper boundry for port."; } } // case range case operator { leaf operator { type operator; default "eq"; description "Operator to be applied on the port below."; } leaf port { type inet:port-number { range "1..65535"; } mandatory true; description "Port number on which to match."; } } // case operator } // choice port-range-or-operator } // container destination-port leaf-list flags { when "../acl:protocol = 6"; type string; description "Control Bits(URG/ACK/PSH/RST/FIN/SYN)"; } } // case ace-ip case ace-eth { description "Ethernet Access List entry."; leaf destination-mac-address { type yang:mac-address; description "Destination IEEE 802 MAC address."; } leaf destination-mac-address-mask { type yang:mac-address; description "Destination IEEE 802 MAC address mask."; } leaf source-mac-address { type yang:mac-address; description "Source IEEE 802 MAC address."; } leaf source-mac-address-mask { type yang:mac-address; description "Source IEEE 802 MAC address mask."; } } // case ace-eth } // choice ace-type leaf input-interface { type string; description "Packet was received on this interface."; } container absolute-time { description "Absolute time and date that the associated function starts going into effect."; leaf start { type yang:date-and-time; description "Absolute start time and date"; } leaf end { type yang:date-and-time; description "Absolute end time and date"; } leaf active { type boolean; default "true"; description "This object indicates whether the the ACL will be active(true) or inactive(false) during this time range."; } } // container absolute-time } // container matches container actions { description "Definitions of action criteria for this Access List Entry."; choice packet-handling { default "deny"; description "Packet handling action."; leaf deny { type empty; description "Deny action."; } leaf permit { type empty; description "Permit action."; } } // choice packet-handling } // container actions container ace-oper-data { config false; description "Operational data for this Access List Entry."; leaf match-counter { type yang:counter64; description "Number of matches for this Access List Entry"; } } // container ace-oper-data leaf rule-name { type string; description "A unique name identifying this Access List Entry(ACE)."; } } // list ace } // container access-list-entries leaf acl-name { type string; description "The name of access-list. A device MAY restrict the length and value of this name, possibly space and special characters are not allowed."; } leaf acl-type { type acl-type; description "It is recommended to have an Access Control List with uniform access list entries, all of the same type. When this type is not explicitly specified, if vendor implementation permits, the access control entries in the list can be mixed, by containing L2, L3 and L4 entries"; } } // list acl leaf-list auto-permitted-protocols { type fprot:auto-permitted-protocol; description "Auto permit protocols."; } } // container access-lists } // module ietf-access-control-list
© 2023 YumaWorks, Inc. All rights reserved.