draft-huang-netmod-acl-02.txt   draft-huang-netmod-acl-03.txt
Network Working Group L. Huang Network Working Group L. Huang
Internet-Draft A. Clemm Internet-Draft A. Clemm
Intended status: Informational Cisco Systems Intended status: Informational Cisco Systems
Expires: August 29, 2013 A. Bierman Expires: March 08, 2014 A. Bierman
YumaWorks YumaWorks
February 25, 2013 September 04, 2013
YANG Data Model for Access Control List Configuration YANG Data Model for Stateless Packet Filter Configuration
draft-huang-netmod-acl-02.txt draft-huang-netmod-acl-03.txt
Abstract Abstract
This document defines a YANG data model for the configuration of A Stateless Packet Filter (SPF) determines which packets are allowed
Access Control Lists (ACLs) on a device. to transit a system according to a set of rules, applying special
actions to packets as necessary. This document defines a YANG data
model for the configuration of Stateless Packet Filters on a device.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 29, 2013. This Internet-Draft will expire on March 08, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
[unchanged text skipped; resuming at page 3, line 7 (-02) / page 2, line 29 (-03)]
modifications of such material outside the IETF Standards Process. modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions and Acronyms . . . . . . . . . . . . . . . . . . . 4 2. Definitions and Acronyms . . . . . . . . . . . . . . . . . . 4
3. The Design of the ACL Data Model . . . . . . . . . . . . . . . 5 3. The Design of the Stateless Packet Filter Data Model . . . . 5
3.1. Overall Model Structure . . . . . . . . . . . . . . . . . 5 3.1. Overall Model Structure . . . . . . . . . . . . . . . . . 5
3.2. Data hierarchy . . . . . . . . . . . . . . . . . . . . . . 6 3.2. Data hierarchy . . . . . . . . . . . . . . . . . . . . . 6
3.3. Other Considerations . . . . . . . . . . . . . . . . . . . 9 3.3. Other Considerations . . . . . . . . . . . . . . . . . . 9
3.3.1. Extensibility . . . . . . . . . . . . . . . . . . . . 9 3.3.1. Extensibility . . . . . . . . . . . . . . . . . . . . 9
3.3.2. ACL Chain Support . . . . . . . . . . . . . . . . . . 10 3.3.2. SPF Chain Support . . . . . . . . . . . . . . . . . . 9
3.3.3. ACL Test Extensions . . . . . . . . . . . . . . . . . 10 3.3.3. SPF Test Extensions . . . . . . . . . . . . . . . . . 10
4. acl Module . . . . . . . . . . . . . . . . . . . . . . . . . . 11 3.3.4. Attaching SPFs to interfaces . . . . . . . . . . . . 11
4.1. Features . . . . . . . . . . . . . . . . . . . . . . . . . 11 4. stateless-pf Module . . . . . . . . . . . . . . . . . . . . . 11
4.2. Types . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.1. Features . . . . . . . . . . . . . . . . . . . . . . . . 11
4.3. Groupings . . . . . . . . . . . . . . . . . . . . . . . . 12 4.2. Types . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.4. Containers . . . . . . . . . . . . . . . . . . . . . . . . 13 4.3. Groupings . . . . . . . . . . . . . . . . . . . . . . . . 13
4.4.1. acls Container . . . . . . . . . . . . . . . . . . . . 13 4.4. Containers . . . . . . . . . . . . . . . . . . . . . . . 13
4.4.2. port-groups Container . . . . . . . . . . . . . . . . 13 4.4.1. spfs Container . . . . . . . . . . . . . . . . . . . 13
4.4.3. timerange-groups Container . . . . . . . . . . . . . . 14 4.4.2. port-groups Container . . . . . . . . . . . . . . . . 14
4.4.4. ip-address-groups Container . . . . . . . . . . . . . 15 4.4.3. timerange-groups Container . . . . . . . . . . . . . 14
5. acl-ip module . . . . . . . . . . . . . . . . . . . . . . . . 15 4.4.4. ip-address-groups Container . . . . . . . . . . . . . 15
5.1. Groupings . . . . . . . . . . . . . . . . . . . . . . . . 15 5. spf-ip module . . . . . . . . . . . . . . . . . . . . . . . . 16
5.1.1. IP-SOURCE-NETWORK grouping . . . . . . . . . . . . . . 16 5.1. Groupings . . . . . . . . . . . . . . . . . . . . . . . . 16
5.1.2. IP-DESTINATION-NETWORK grouping . . . . . . . . . . . 17 5.1.1. IP-SOURCE-NETWORK grouping . . . . . . . . . . . . . 16
5.1.3. DSCP-OR-TOS Grouping . . . . . . . . . . . . . . . . . 17 5.1.2. IP-DESTINATION-NETWORK grouping . . . . . . . . . . . 17
5.1.4. IP-ACE-FILTERS Grouping . . . . . . . . . . . . . . . 18 5.1.3. DSCP-OR-TOS Grouping . . . . . . . . . . . . . . . . 17
5.2. augment . . . . . . . . . . . . . . . . . . . . . . . . . 20 5.1.4. IP-PFE-FILTERS Grouping . . . . . . . . . . . . . . . 18
5.2.1. global-fragments leaf . . . . . . . . . . . . . . . . 20 5.2. augment . . . . . . . . . . . . . . . . . . . . . . . . . 20
6. acl-mac module . . . . . . . . . . . . . . . . . . . . . . . . 23 5.2.1. global-fragments leaf . . . . . . . . . . . . . . . . 21
6.1. MAC-SOURCE-NETWORK grouping . . . . . . . . . . . . . . . 23 6. spf-mac module . . . . . . . . . . . . . . . . . . . . . . . 23
6.2. MAC-DESTINATION-NETWORK grouping . . . . . . . . . . . . . 24 6.1. MAC-SOURCE-NETWORK grouping . . . . . . . . . . . . . . . 23
6.3. augment . . . . . . . . . . . . . . . . . . . . . . . . . 24 6.2. MAC-DESTINATION-NETWORK grouping . . . . . . . . . . . . 24
7. acl-arp module . . . . . . . . . . . . . . . . . . . . . . . . 24 6.3. augment . . . . . . . . . . . . . . . . . . . . . . . . . 25
7.1. augment . . . . . . . . . . . . . . . . . . . . . . . . . 24 7. spf-arp module . . . . . . . . . . . . . . . . . . . . . . . 25
8. Data Model Structure . . . . . . . . . . . . . . . . . . . . . 25 7.1. augment . . . . . . . . . . . . . . . . . . . . . . . . . 25
9. ACL Examples . . . . . . . . . . . . . . . . . . . . . . . . . 33 8. Data Model Structure . . . . . . . . . . . . . . . . . . . . 25
9.1. Configuration Example . . . . . . . . . . . . . . . . . . 33 9. SPF Examples . . . . . . . . . . . . . . . . . . . . . . . . 33
10. ACL YANG Module . . . . . . . . . . . . . . . . . . . . . . . 35 9.1. Configuration Example . . . . . . . . . . . . . . . . . . 33
11. ACL-IP YANG Module . . . . . . . . . . . . . . . . . . . . . . 48 10. Stateless-PF YANG Module . . . . . . . . . . . . . . . . . . 35
12. ACL-MAC Configuration YANG Module . . . . . . . . . . . . . . 62 11. SPF-IP YANG Module . . . . . . . . . . . . . . . . . . . . . 48
13. ACL-ARP Configuration YANG Module . . . . . . . . . . . . . . 68 12. SPF-MAC Configuration YANG Module . . . . . . . . . . . . . . 62
14. COMMON-TYPES YANG Module . . . . . . . . . . . . . . . . . . . 71 13. SPF-ARP Configuration YANG Module . . . . . . . . . . . . . . 68
15. Security Considerations . . . . . . . . . . . . . . . . . . . 79 14. COMMON-TYPES YANG Module . . . . . . . . . . . . . . . . . . 71
16. Open items from the previous revision . . . . . . . . . . . . 79 15. Security Considerations . . . . . . . . . . . . . . . . . . . 79
17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 80 16. Open items from the previous revision . . . . . . . . . . . . 79
18. Normative References . . . . . . . . . . . . . . . . . . . . . 80 17. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 80
18. References . . . . . . . . . . . . . . . . . . . . . . . . . 80
18.1. Normative References . . . . . . . . . . . . . . . . . . 80
18.2. Informative References . . . . . . . . . . . . . . . . . 80
1. Introduction 1. Introduction
This document defines a YANG [RFC6020] data model for the This document defines a YANG [RFC6020] data model for the
configuration of Access Control Lists (ACLs). configuration of Stateless Packet Filters (SPF).
An ACL is an ordered set of rules that is used to filter traffic on a
networking device, i.e. to define "firewall rules". Each rule is
represented by an Access Control Entry (ACE). An ACE consists of two
parts:
Filters with a set of matching criteria that a packet must satisfy A Stateless Packet Filter is a function that filters traffic on a
for the rule to be applied. network device according to an ordered set of rules that define which
packets are to be permitted and which are to be denied. Each rule is
represented by a Packet Filter Entry (PFE). The sets of rules are
sometimes also referred to as "Access Control Lists" (ACL), the rules
as "Access Control Entries" (ACE) or simply "firewall rules". For
the purposes of this document, we will use the terms SPF, stateless-
pf and ACL interchangeably, as well as the terms PFE and ACE.
Actions that specifies what to do with the packet when the matching A PFE consists of two parts:
criteria is met, for example, to drop the packet.
There are different types of ACL: MAC ACL, IP ACL, and ARP ACL. o A set of filters with a set of matching criteria that a packet
must satisfy for the rule to be applied.
MAC ACLs - MAC ACLs are used to filter traffic using the information o A set of actions (most commonly, a single action) that specifies
in the Layer 2 header of each packet. MAC ACLs are by default only what to do with the packet when the matching criteria is met, for
applied to non-IP traffic; however, Layer 2 interfaces can be example, to drop the packet.
configured to apply MAC ACLs to all traffic.
IP ACLs: IP ACLs are ordered sets of rules that can use to filter There are different types of SPF, depending on which types of packets
traffic based on IP information in the Layer 3 header of packets. they filter. Three of the most common types are covered in this
The device applies IP ACLs only to IP traffic. IP ACL can be IPv4 or specification: MAC SPF, IP SPF, and ARP SPF.
IPv6.
ARP ACLs - The device applies ARP ACLs to IP traffic. o MAC SPFs: MAC SPFs are used to filter traffic using the
information in the Layer 2 header of each packet. MAC SPFs are by
default only applied to non-IP traffic; however, Layer 2
interfaces can be configured to apply MAC SPFs to all traffic.
Not every device implements every type of ACL. In addition, device o IP SPFs: IP SPFs are ordered sets of rules that can use to filter
implementations may vary greatly in terms of the filter constructs traffic based on IP information in the Layer 3 header of packets.
that they support. Therefore, acl YANG Module makes extensive use of The device applies IP SPFs only to IP traffic. IP SPF can be IPv4
the "feature" construct which allows implementations to support those or IPv6.
ACL configuration features that lie within their capabilities.
How ACLs are applied in device configuration to interfaces and other o ARP SPFs: ARP SPFs are used to filter Address Resolution Protocol
components is outside the scope of this model. (ARP) traffic.
2. Definitions and Acronyms Not every device implements every type of SPF. The model for each
SPF type is therefore specified in its own YANG module. A device
will implement only the modules for the SPF types that it supports.
In addition, device implementations may vary greatly in terms of the
filter constructs that they support for any given SPF type.
Therefore, SPF YANG Module makes extensive use of the "feature"
construct which allows implementations to support those SPF
configuration features that lie within their capabilities.
ACE: Access Control Entry The model can accommodate other SPF types beyond the ones that are
defined in this document. For this purpose, new SPF types can be
defined in their own modules which extend and augment the generic
portion of the model according to the same design pattern. This way,
the model serves as a framework that can be applied for any type of
Stateless Packet Filter.
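Review bot: the -03 text still carries the grammatical slip from -02 in the IP SPF bullet, "IP SPFs are ordered sets of rules that can use to filter traffic"; it should read "that can be used to filter traffic". In the same region, "Therefore, SPF YANG Module makes extensive use of the "feature" construct" needs an article ("the SPF YANG module"), and "when the matching criteria is met" should agree in number ("when the matching criteria are met"). The rewording of the ARP bullet to "filter Address Resolution Protocol (ARP) traffic" corrects the -02 statement that ARP ACLs apply to IP traffic; that is a semantic fix rather than an editorial one and deserves a mention in the change summary.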
ACL: Access Control List 2. Definitions and Acronyms
AFI: Address Field Identifier AFI: Address Field Identifier
ARP: Address Resolution Protocol ARP: Address Resolution Protocol
CoS: Class of Service CoS: Class of Service
DSCP: Differentiated Services Code Point DSCP: Differentiated Services Code Point
ICMP: Internet Control Message Protocol ICMP: Internet Control Message Protocol
IGMP: Internet Group Management Protocol IGMP: Internet Group Management Protocol
IP: Internet Protocol IP: Internet Protocol
IPv4: Internet Protocol version 4 IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6 IPv6: Internet Protocol version 6
MAC: Media Access Control MAC: Media Access Control
PFE: Packet Filter Entry
QoS: Quality of Service QoS: Quality of Service
SPF: Stateless Packet Filter
TCP: Transmission Control Protocol TCP: Transmission Control Protocol
ToS: Type of Service ToS: Type of Service
TTL: Time To Live TTL: Time To Live
UDP: User Datagram Protocol UDP: User Datagram Protocol
VLAN: Virtual Local Area Network VLAN: Virtual Local Area Network
VRF: Virtual Routing and Forwarding VRF: Virtual Routing and Forwarding
3. The Design of the ACL Data Model 3. The Design of the Stateless Packet Filter Data Model
3.1. Overall Model Structure 3.1. Overall Model Structure
The ACL data model consists of five YANG modules. The first module, The stateless-pf data model consists of five YANG modules. The first
"acl", defines generic ACL aspects which are common to all ACLs module, "stateless-pf", defines generic SPF aspects which are common
regardless of their type, as well as a set of auxiliary definitions. to all SPFs regardless of their type, as well as a set of auxiliary
In effect, the module can be viewed as providing a generic ACL definitions. In effect, the module can be viewed as providing a
"superclass". generic SPF "superclass".
Three other modules, "acl-ip", "acl-mac", and "acl-arp" , augment the Three other modules, "spf-ip", "spf-mac", and "spf-arp" , augment the
"acl" module with definitions that are specific to different types of "stateless-pf" module with definitions that are specific to different
ACLs, specifically, ACLs for IP, MAC, and ARP, respectively. These types of SPFs, specifically, SPFs for IP, MAC, and ARP, respectively.
specifics are for the largest part reflected in the Access Control These specifics are for the largest part reflected in the Packet
Entries, that is, the rules which specify the filter criteria that a Filter Entries, that is, the rules which specify the filter criteria
packet must meet for the rule to be applied, and the actions that are that a packet must meet for the rule to be applied, and the actions
to be taken in case the filter matches. Keeping the modules separate that are to be taken in case the filter matches. Keeping the modules
provides for a more modular data model than would be the case if all separate provides for a more modular data model than would be the
types were combined into a single monolithic module. case if all types were combined into a single monolithic module.
Finally, module "common-types" defines types that are used in the ACL To extend the model with other SPF types, additional modules that
data model but are not really specific to ACLs. These definitions augment the "stateless-pf" module can be defined, thus reflecting the
could potentially be of interest to other models as well; keeping same model structure and following the same design pattern.
them in a separate module allows to import these definitions
independent of the support for ACLs. Finally, module "common-types" defines types that are used in the
stateless-pf data model but are not really specific to SPFs. These
definitions could potentially be of interest to other models as well;
keeping them in a separate module allows to import these definitions
independent of the support for SPFs.
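Review bot: the module list "spf-ip", "spf-mac", and "spf-arp" , augment has a stray space before the comma (carried over from -02), and "keeping them in a separate module allows to import these definitions independent of the support for SPFs" is not idiomatic; suggest "allows these definitions to be imported independently of SPF support".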
3.2. Data hierarchy 3.2. Data hierarchy
The data hierarchy that is defined by the acl module is depicted in The data hierarchy that is defined by the spf module is depicted in
the following Figure 1, where brackets enclose list keys, "rw" means the following Figure "SPF Model Structure", where brackets enclose
configuration, "ro" means operational state data, and "?" means list keys, "rw" means configuration, "ro" means operational state
optional node. Parentheses enclose choice and case nodes. The data, and "?" means optional node. Parentheses enclose choice and
structure is a collapsed structure and does not depict all case nodes. The structure is a collapsed structure and does not
definitions; it is intended to illustrate the overall structure. A depict all definitions; it is intended to illustrate the overall
fully expanded structure can be found in Data Model Structure Section structure. A fully expanded structure can be found in Data Model
(Section 8). Structure Section (Section 8).
module: acl module: stateless-pf
+--rw acls +--rw spfs
+--rw acl [name] +--rw spf [name]
| +--rw name | +--rw name
| +--rw acl-type | +--rw spf-type
| +--rw enable-capture-global? | +--rw enable-capture-global?
| +--rw capture-session-id-global? | +--rw capture-session-id-global?
| +--rw (enable-match-counter-choices)? | +--rw (enable-match-counter-choices)?
| +--ro match? | +--ro match?
| |
| |
+--rw port-groups +--rw port-groups
| +--rw port-group [name] | +--rw port-group [name]
| +--rw name | +--rw name
| +--rw port-group-entry | +--rw port-group-entry
+--rw timerange-groups +--rw timerange-groups
| +--rw timerange-group [name] | +--rw timerange-group [name]
| +--rw name | +--rw name
| +--rw time-range | +--rw time-range
+--rw ip-address-groups +--rw ip-address-groups
| +--rw ip-address-group [name] | +--rw ip-address-group [name]
| +--rw name | +--rw name
| +--rw afi? | +--rw afi?
| +--rw ip-address | +--rw ip-address
Figure 1 SPF Model Structure
Data nodes in the acl module are contained under a single container Data nodes in the stateless-spf module are contained under a single
node, "acls". This node contains a list, "acl". Each ACL is container node, "spfs". This node contains a list, "spf". Each SPF
represented by an element in that list and identified by a name that is represented by an element in that list and identified by a name
serves as key to the list. Interfaces (which are not part of the that serves as key to the list. Interfaces (which are not part of
model) to which an ACL is applied can then refer to the ACL using the model, but for example defined per [if-config]) to which an SPF
that name. Each acl list element has furthermore a type, as is applied can then refer to the SPF using that name, respectively a
indicated through "acl-type". The acl-type determines which types of data type "spf-ref" introduced for that purpose. Each spf list
ACEs can be can be contained in an ACL. The ACE definitions element has furthermore a type, as indicated through "spf-type". The
themselves are provided by the acl-ip, acl-mac, and acl-arp modules, spf-type determines which types of PFEs can be can be contained in an
which augment the acl definition in the acl module accordingly. The SPF. The PFE definitions themselves are provided by the spf-ip, spf-
subsequent data nodes in the acl list allow to configure whether mac, and spf-arp modules, which augment the spf definition in the spf
packets that match an ACL should be captured for further analysis. module accordingly. The subsequent data nodes in the spf list allow
Finally, the list contains an object that maintains a counter of the to configure whether packets that match an SPF should be captured for
number of ACL matches. further analysis. Finally, the list contains an object that
maintains a counter of the number of SPF matches.
Auxiliary objects "port-groups", "ip-address-groups", "timerange- Auxiliary objects "port-groups", "ip-address-groups", "timerange-
groups" are used to define groupings of ports and of IP-addresses as groups" are used to define groupings of ports and of IP-addresses as
well as schedule information, respectively. They are in effect well as schedule information, respectively. They are in effect
convenience objects which allow ACEs to refer to groupings and convenience objects which allow PFEs to refer to groupings and
schedules by name, rather than needing to re-specify them in each ACE schedules by name, rather than needing to re-specify them in each PFE
where they apply. where they apply.
The following figure depicts how different types of ACEs are inserted The following figure depicts how different types of PFEs are inserted
into that structure. As indicated earlier, the corresponding into that structure. As indicated earlier, the corresponding
definitions are provided in separate modules that augment the acl definitions are provided in separate modules that augment the spf
module. In the data structure, the augmenting module is indicated by module. In the data structure, the augmenting module is indicated by
the prefix of the corresponding data nodes: "acl-ip", "acl-mac", and the prefix of the corresponding data nodes: "spf-ip", "spf-mac", and
"acl-arp", respectively. ACEs for IPv4 and for IPv6 are both defined "spf-arp", respectively. PFEs for IPv4 and for IPv6 are both defined
in the same module, acl-ip. While it would have been possible to in the same module, spf-ip. While it would have been possible to
define each in its own separate module, it was a design decision to define each in its own separate module, it was a design decision to
combine them, as they share enough commonality that a separation combine them, as they share enough commonality that a separation
would have resulted in a considerable amount of definition would have resulted in a considerable amount of definition
redundancy. redundancy.
The figure does not depict objects not pertinent to that structure, The figure does not depict objects not pertinent to that structure,
such as objects intended to make the definition of port groups such as objects intended to make the definition of port groups
("port-groups"), timeranges ("time-range-groups"), and IP address ("port-groups"), timeranges ("time-range-groups"), and IP address
groups ("ip-address-groups") reusable, as well as objects that are groups ("ip-address-groups") reusable, as well as objects that are
contained in acl list elements, such as "name" and "enable-capture- contained in spf list elements, such as "name" and "enable-capture-
global". global".
module: acl module: stateless-pf
+--rw acls +--rw spfs
+--rw acl [name] +--rw spf [name]
| +--rw acl-ip:afi | +--rw spf-ip:afi
| +--rw acl-ip:ipv6-aces | +--rw spf-ip:ipv6-pfes
| | +--rw acl-ip:ipv6-ace [name] | | +--rw spf-ip:ipv6-pfe [name]
| | +--rw acl-ip:name | | +--rw spf-ip:name
| | +--rw (remark-or-ipv6-case)? | | +--rw (remark-or-ipv6-case)?
| | +--:(remark) | | +--:(remark)
| | | +--rw acl-ip:remark | | | +--rw spf-ip:remark
| | +--:(ipv6-ace) | | +--:(ipv6-pfe)
| | | +--rw acl-ip:filters | | | +--rw spf-ip:filters
| | | +-- filter parameters | | | +-- filter parameters
| | | +--rw acl-ip:actions | | | +--rw spf-ip:actions
| | | +-- action parameters | | | +-- action parameters
| | +-- ro acl-ip:match | | +-- ro spf-ip:match
module: acl module: stateless-pf
+--rw acls +--rw spfs
+--rw acl [name] +--rw spf [name]
| +--rw acl-ip:afi | +--rw spf-ip:afi
| +--rw acl-ip:ipv4-aces | +--rw spf-ip:ipv4-pfes
| | +--rw acl-ip:ipv4-ace [name] | | +--rw spf-ip:ipv4-pfe [name]
| | +--rw acl-ip:name | | +--rw spf-ip:name
| | +--rw (remark-or-ipv4-ace)? | | +--rw (remark-or-ipv4-pfe)?
| | +--:(remark) | | +--:(remark)
| | | +--rw acl-ip:remark | | | +--rw spf-ip:remark
| | +--:(ipv4-ace) | | +--:(ipv4-pfe)
| | | +--rw acl-ip:filters | | | +--rw spf-ip:filters
| | | +-- filter parameters | | | +-- filter parameters
| | | +--rw acl-ip:actions | | | +--rw spf-ip:actions
| | | +-- action parameters | | | +-- action parameters
| | +-- ro acl-ip:match | | +-- ro spf-ip:match
module: acl module: stateless-pf
+--rw acls +--rw spfs
+--rw acl [name] +--rw spf [name]
| +--rw acl-mac:mac-aces | +--rw spf-mac:mac-pfes
| | +--rw acl-mac:mac-ace [name] | | +--rw spf-mac:mac-pfe [name]
| | +--rw acl-mac:name | | +--rw spf-mac:name
| | +--rw (remark-or-mac-ace)? | | +--rw (remark-or-mac-pfe)?
| | +--:(remark) | | +--:(remark)
| | | +--rw acl-mac:remark | | | +--rw spf-mac:remark
| | +--:(mac-ace) | | +--:(mac-pfe)
| | | +--rw acl-mac:filters | | | +--rw spf-mac:filters
| | | +-- filter parameters | | | +-- filter parameters
| | | +--rw acl-mac:actions | | | +--rw spf-mac:actions
| | | +-- action parameters | | | +-- action parameters
| | +-- ro acl-mac:match | | +-- ro spf-mac:match
module: acl module: stateless-pf
+--rw acls +--rw spfs
+--rw acl [name] +--rw spf [name]
| +--rw acl-arp:arp-aces | +--rw spf-arp:arp-pfes
| | +--rw acl-arp:arp-ace [name] | | +--rw spf-arp:arp-pfe [name]
| | +--rw acl-arp:name | | +--rw spf-arp:name
| | +--rw (remark-or-arp-ace)? | | +--rw (remark-or-arp-pfe)?
| | +--:(remark) | | +--:(remark)
| | | +--rw acl-arp:remark | | | +--rw spf-arp:remark
| | +--:(arp-ace) | | +--:(arp-pfe)
| | | +--rw acl-arp:filters | | | +--rw spf-arp:filters
| | | +-- filter parameters | | | +-- filter parameters
| | | +--rw acl-arp:actions | | | +--rw spf-arp:actions
| | | +-- action parameters | | | +-- action parameters
| | +-- ro acl-arp:match | | +-- ro spf-arp:match
Figure 2 Model structure - different SPF types
As is evident from Figure 2, the same generic design pattern is As is evident from Figure "Model structure - different SPF types",
reflected in every ACL type. Each ACL contains a list of ACEs, the same generic design pattern is reflected in every SPF type. Each
identified by a name by which ACEs in the list are ordered. Each ACE SPF contains a list of PFEs, identified by a name by which PFEs in
consists either of a remark or of an actual access control rule. the list are ordered. Each PFE consists either of a remark or of an
Remarks are in effect comment lines inside an ACL that are intended actual access control rule. Remarks are in effect comment lines
for human or administrator consumption. They are included in the inside an SPF that are intended for human or administrator
YANG module to maintain consistency with CLI. Access control rules, consumption. They are included in the YANG module to maintain
on the other hand, consist of a left hand side ("filters") that consistency with CLI. Access control rules, on the other hand,
specifies a set of matching criteria and a right hand side consist of a left hand side ("filters") that specifies a set of
("actions") that specifies the action to take when matching criteria matching criteria and a right hand side ("actions") that specifies
are met. An overview of the full list of filter and parameters is the action to take when matching criteria are met. An overview of
given in Section 8. the full list of filter and parameters is given in Section 8.
Since the design pattern for each ACL type is the same, an Since the design pattern for each SPF type is the same, an
alternative design to the YANG modules would have been to extend the alternative design to the YANG modules would have been to extend the
"acl" module to include the data nodes up to the level depicted in "spf" module to include the data nodes up to the level depicted in
Figure 2, as the real distinction occurs in the filter and action Figure "Model structure - different SPF types", as the real
parameters that occur below it. In that case, however, the distinction occurs in the filter and action parameters that occur
corresponding data nodes would have had to contend with more complex below it. In that case, however, the corresponding data nodes would
conditions. The modules defined here aim at keeping complexity of have had to contend with more complex conditions. The modules
definitions within the modules as low as possible, at the price of defined here aim at keeping complexity of definitions within the
repeating a few data nodes that provide the overall top level modules as low as possible, at the price of repeating a few data
structure. nodes that provide the overall top level structure.
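Review bot: the module is named inconsistently in this section: the tree shows "module: stateless-pf", but the paragraph below it says "Data nodes in the stateless-spf module", and the section opener says "the data hierarchy that is defined by the spf module"; use "stateless-pf" for the module and reserve "spf" for the prefix. The duplicated words in "which types of PFEs can be can be contained in an SPF" survive from -02. The new citation "[if-config]" needs a matching entry in the new Section 18.2 (Informative References), and "refer to the SPF using that name, respectively a data type "spf-ref" introduced for that purpose" would read better as "refer to the SPF by name, using the "spf-ref" type introduced for that purpose". Also, "timeranges ("time-range-groups")" does not match the container actually named "timerange-groups" in the tree.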
3.3. Other Considerations 3.3. Other Considerations
3.3.1. Extensibility 3.3.1. Extensibility
If needed, the model can be extended for other types of ACLs in If needed, the model can be extended for other types of SPFs in
straightforward manner. New types of ACLs can be defined in straightforward manner. New types of SPFs can be defined in
additional YANG modules that apply the same design patterns much in additional YANG modules that apply the same design patterns much in
the same way as in the case of IP, MAC, and ARP ACLs. the same way as in the case of IP, MAC, and ARP SPFs.
3.3.2. SPF Chain Support

SPF chains are used in some application domains. SPF chains are not
included in the data model, but could be accommodated in the model
through extensions in a straightforward way.

SPF chains work roughly as follows. In an SPF chain, as an
alternative to an action, a PFE can point to another SPF. If a
packet matches the filter condition, it is subjected to the other
SPF. If the other SPF contains a PFE that matches, that action is
executed. If there is no match, processing is returned to the first
SPF and processing continues with the subsequent PFEs until a match
is found. This way, chained SPFs can be considered as a special form
of "SPF subroutine".

An example of an SPF chain might be a rule that contains a filter for
a specific destination port number in an IP packet, then invokes
another SPF that contains a specific set of firewall rules for
traffic directed at that particular port. Even though the data model
for SPF presented in this document uses a flat list of PFEs in each
SPF, the actions in the model can be augmented to support SPF chains.
The model can be extended with SPF chains roughly as follows: A new
spf-chaining action is introduced, represented as a leaf whose value
contains a reference to an SPF as a parameter. Below is an example
of how the spf-ip model could be extended to support SPF chains for
ip-v4:

    augment "/spf:spfs/spf:spf/spf-ip:ipv4-pfes" +
            "/spf-ip:ipv4-pfe/spf-ip:actions" {
      leaf chain {
        type spf-ref;
        description "Reference to another SPF name to chain the PFEs";
      }
    }
For SPFs that are expected to not terminate when no PFE matches, but
return processing to the invoking SPF, an optional SPF parameter can
be introduced that indicates for chained SPFs which chaining behavior
should apply.

3.3.3. SPF Test Extensions

Given the complexity of SPFs in many deployments, debugging SPFs and
assessing whether an SPF has the actual desired effect can be a
challenge. In order to facilitate those tasks and allow checking
whether an SPF indeed has the intended effect, an additional
administrative function that allows applications and users to test a
packet against the SPF can be introduced. The function can take the
form of an RPC which takes as input parameters a leaf with the
reference to the SPF that is to be tested, and a leaf with a packet.
The output parameters include a leaf indicating the action that is
taken as a result, as well as a leaf with the reference to the
matching PFE.
3.3.4. Attaching SPFs to interfaces

SPFs typically do not exist in isolation. Instead, they are
associated with a certain scope in which they are applied, for
example, an interface or a set of interfaces. How to attach an SPF
to an interface (or other system artifact) is outside the scope of
this model, as it depends on the specifics of the system model that
is being applied. However, in general, the design pattern will
involve adding a data node with a reference, or set of references, to
SPFs that are to be applied to the interface. For this purpose, the
type definition "spf-ref" can be used.

For example, to attach an SPF to an interface as defined per the data
model [if-config], the following steps can be applied:

o  Introduce a new YANG module to extend the interface configuration
   YANG module.

o  Import modules "interfaces" [if-config] (prefix: "if") and
   "stateless-pf" (prefix: "spf").

o  Augment list "interface" (/if:interfaces/if:interface) with a
   leaf-list of type "spf:spf-ref".

4. stateless-pf Module

Module "stateless-pf" is a top container module for all SPFs. It
contains a container "spfs" with a list "spf" of named SPFs. Modules
"spf-ip", "spf-mac", and "spf-arp" augment this list with the objects
that are specific to each respective type of SPF. In addition,
module "stateless-pf" also defines a set of features, reusable types,
and reusable groupings.
4.1. Features

When it comes to SPF implementations, a wide range of different
capabilities exists across devices. For example, not every device
implements every type of SPF. Some devices may support time-based
SPFs that are only in effect during specified times, others may not.
In order to accommodate this wide range of capabilities, this data
model makes extensive use of the "feature" construct. The defined
features allow implementations to declare which capabilities they
support, and only support the corresponding portions of the data
model.

4.2. Types

The definition of SPFs requires a number of new data types introduced
in this data model. Table 1 depicts data types that are unique to
SPFs. Table 2 depicts data types that are required by SPFs, but not
specific to them, and that may hence be reused by other models.
Those data types are defined in module "common-types". For details
of each type, please refer to the corresponding typedef descriptions
and references in the model.
    +----------------------+------------------------------+
    | YANG type            | base type                    |
    +----------------------+------------------------------+
    | spf-comparator       | enumeration                  |
    | spf-action           | enumeration                  |
    | spf-remark           | string                       |
    | spf-type-ref         | identityref                  |
    | spf-ref              | leafref                      |
    | port-group-ref       | leafref                      |
    | ip-address-group-ref | leafref                      |
    | time-range-Ref       | leafref                      |
    | weekdays             | bits                         |
    | spf-name-string      | string                       |
    +----------------------+------------------------------+

                            Table 1

    +----------------------+------------------------------+
    | YANG type            | base type                    |
    +----------------------+------------------------------+
    | cos                  | uint8                        |
    | tos                  | uint8                        |
    | precedence           | uint8                        |
skipping to change at page 13, line 10
    | icmp-type            | uint32                       |
    | icmp-code            | uint32                       |
    | vlan-identifier      | uint16                       |
    | time-to-live         | uint32                       |
    +----------------------+------------------------------+

                            Table 2
4.3. Groupings

The data model defines two groupings, PFE-COMMON and FILTER-COMMON.

o  PFE-COMMON is a collection of nodes that should be added to every
   PFE list entry. PFE-COMMON contains the actions container and a
   read-only match leaf. The actions container contains two leaves.

   *  An "action" leaf that specifies what to do with the packet when
      the matching criteria are met, for example, to drop the packet.

   *  A "log" leaf that indicates whether to create a log entry when
      a PFE filter matches. (Some devices may not support a log
      capability. Hence support of this leaf is conditional on
      declaration of a corresponding feature, as indicated by use of
      the "if-feature" construct.)

o  FILTER-COMMON is a collection of nodes that should be added to
   every 'filters' container within each PFE list entry.

4.4. Containers

4.4.1. spfs Container

Container "spfs" contains a list "spf" of named SPFs. Each list
element "spf" contains the following global leaves. The list
elements are augmented with additional data nodes defined in modules
"spf-arp", "spf-mac", and "spf-ip".

o  name

o  spf-type

o  enable-capture-global

o  capture-session-id-global

o  enable-match-counter-choices: The difference between these two
   choices is that "enable-match-counter" indicates to collect total
   match statistics for all PFEs, whereas
   "enable-per-entry-match-counter" indicates to collect match
   statistics for each PFE.

o  match
4.4.2. port-groups Container

Container "port-groups" allows classifying protocol ports into
groups. It contains a sequence of "port-group" data nodes. Each
"port-group" defines a range of ports and can be referred to by name.
Multiple PFEs can refer to the same port group. The following is a
Netconf XML example of port-groups and how it is referred to from a
PFE.

    <src-port-group-name>
      <port-group-name>port-tunnel1</port-group-name>
    </src-port-group-name>

    <port-groups>
      <port-group>
        <name>port-tunnel1</name>
        <port-group-entry>
          <name>http-proxy</name>
skipping to change at page 14, line 38
4.4.3. timerange-groups Container

Container "timerange-groups" contains a list, "timerange-group".
Each of its elements defines a sequence of time ranges,
"time-range". Each time-range object consists of either a remark
(comments for the time range), or of an absolute time for start or
end (or both) of the time range, or a periodic time for start or end
or both. Object "remark" contains administrator-provided comments
for the time-range that will be kept in the device. Like with port
groups, the same time-range can be reused by different PFEs. The
following is a Netconf XML example of a timerange group that contains
a remark and a single time range.

    <timerange-groups>
      <timerange-group>
        <name>weekday</name>
        <time-range>
          <name>10</name>
          <remark> email server maintenance</remark>
        </time-range>
skipping to change at page 15, line 20
          </periodic>
        </time-range>
      </timerange-group>
    </timerange-groups>
4.4.4. ip-address-groups Container

Container "ip-address-groups" contains a list "ip-address-group" of
named IP address groups. Each IP address group is a sequence of
pairs "ip-address" and "mask", or a pair of "host" and
"host-address". Each IP address group can be referred to from a PFE
by name. The following is a Netconf XML example of an IP address
group and how it is referred to from a PFE.

    <ip-address-groups>
      <ip-address-group>
        <name>Email-Server-IPV4</name>
        <ip-addresses>
          <ip-address>
            <name>10</name>
            <ip-address>128.107.0.0</ip-address>
            <ip-mask>255.255.0.0</ip-mask>
          </ip-address>
          <ip-address>
            <name>20</name>
            <ip-address>139.207.0.0</ip-address>
            <ip-mask>255.255.0.0</ip-mask>
          </ip-address>
        </ip-addresses>
      </ip-address-group>
    </ip-address-groups>

    <ip-pfe>
      <name>100</name>
      <afi>ipv4</afi>
      <actions>
        <action>permit</action>
      </actions>
      <filters>
        <ip-source-group>Email-Server-IPV4</ip-source-group>
        <ip-dest-any/>
      </filters>
    </ip-pfe>
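Resolving an "ip-address-group-ref" is where a configuration-level mistake turns into a filtering mistake, so it is worth showing the lookup end to end. The Python below is an added illustration, not code from this draft: it parses a NETCONF-style instance of "ip-address-groups" and an "ip-pfe" modelled on the example above (the XML is constructed here, with the address typo of the original corrected), resolves the group reference by name, applies each address/mask pair to a packet source, and rejects a reference to a group that does not exist, which is the integrity a YANG leafref is supposed to guarantee.

```python
"""Resolve an ip-source-group reference and match a source address against
the group's address/mask pairs (Section 4.4.4).  Added illustration, not the
draft's code; the XML below is constructed after the draft's example."""
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed instance data modelled on the example above.
ADDRESS_GROUPS_XML = """<ip-address-groups>
  <ip-address-group>
    <name>Email-Server-IPV4</name>
    <ip-addresses>
      <ip-address>
        <name>10</name>
        <ip-address>128.107.0.0</ip-address>
        <ip-mask>255.255.0.0</ip-mask>
      </ip-address>
      <ip-address>
        <name>20</name>
        <ip-address>139.207.0.0</ip-address>
        <ip-mask>255.255.0.0</ip-mask>
      </ip-address>
    </ip-addresses>
  </ip-address-group>
</ip-address-groups>"""

PFE_XML = """<ip-pfe>
  <name>100</name>
  <afi>ipv4</afi>
  <actions><action>permit</action></actions>
  <filters>
    <ip-source-group>Email-Server-IPV4</ip-source-group>
    <ip-dest-any/>
  </filters>
</ip-pfe>"""

Groups = Dict[str, List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]]


def load_address_groups(xml_text: str) -> Groups:
    """Map each ip-address-group name to its list of (address, mask) pairs."""
    root = ET.fromstring(xml_text)
    groups: Groups = {}
    for grp in root.findall("ip-address-group"):
        name = grp.findtext("name")
        pairs = []
        # list entries are <ip-address> elements holding an <ip-address> leaf
        for entry in grp.findall("ip-addresses/ip-address"):
            addr = ipaddress.IPv4Address(entry.findtext("ip-address"))
            mask = ipaddress.IPv4Address(entry.findtext("ip-mask"))
            pairs.append((addr, mask))
        groups[name] = pairs
    return groups


def in_group(groups: Groups, name: str, ip: str) -> bool:
    """True if `ip` falls in any address/mask pair of the named group."""
    addr_int = int(ipaddress.IPv4Address(ip))
    for addr, mask in groups[name]:
        if addr_int & int(mask) == int(addr) & int(mask):
            return True
    return False


def pfe_source_matches(groups: Groups, pfe_xml: str, src_ip: str) -> bool:
    """Resolve the PFE's ip-source-group reference and test a source address.
    A dangling reference is a configuration error and is reported, not
    silently treated as 'no match'."""
    pfe = ET.fromstring(pfe_xml)
    ref = pfe.findtext("filters/ip-source-group")
    if ref is None:
        raise ValueError("this example only handles the ip-source-group case")
    if ref not in groups:
        raise LookupError(f"dangling ip-address-group-ref: {ref!r}")
    return in_group(groups, ref, src_ip)


if __name__ == "__main__":
    groups = load_address_groups(ADDRESS_GROUPS_XML)
    for src in ("128.107.5.6", "139.207.255.1", "128.108.0.1"):
        print(src, pfe_source_matches(groups, PFE_XML, src))
```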
5. spf-ip module

spf-ip is the module that defines IP-SPF. It augments the spf list
in the spf module.

5.1. Groupings

5.1.1. IP-SOURCE-NETWORK grouping

    IP-SOURCE-NETWORK
      +--rw (source-address-host-group)?
         +--:(source-ip)
         |  +--rw ip-source-address            inet:ip-address
         |  +--rw ip-source-mask               inet:ip-address
         +--:(ip-source-any)
         |  +--rw ip-source-any                empty
         +--:(source-host)
         |  +--:(ip-src-host-address-or-name)
         |     +--:(ip-source-host-address)
         |     |  +--rw ip-source-host-address inet:ip-address
         |     +--:(ip-source-host-name)
         |        +--rw ip-source-host-name    inet:domain-name
         +--:(source-group)
            +--rw ip-source-group?             ip-address-group-ref

IP-SOURCE-NETWORK is a reusable grouping. It allows five ways to
specify a network: ip with mask, any network, host-name or host
address, and a reference to a predefined ip address group. Here are
valid example instances:

o  ip with mask:

      <ip-source-address>192.168.1.0</ip-source-address>
      <ip-source-mask>255.255.255.0</ip-source-mask>

o  any network:

      <ip-source-any/>

o  host-name:

      <ip-source-host-name>switch1</ip-source-host-name>

o  host-address:

      <ip-source-host-address>192.168.1.2</ip-source-host-address>

o  reference to a predefined ip address group (Email-Server-IPV4 is
   defined in Section 4.4.4):

      <ip-source-group>Email-Server-IPV4</ip-source-group>
5.1.2. IP-DESTINATION-NETWORK grouping

    IP-DESTINATION-NETWORK
      +--rw (dest-address-host-group)?
         +--:(dest-ip)
         |  +--rw ip-dest-address              inet:ip-address
         |  +--rw ip-dest-mask?                inet:ip-address
         +--:(ip-dest-any)
         |  +--rw ip-dest-any                  empty
         +--:(dest-host)
         |  +--:(ip-dest-host-address-or-name)
         |     +--:(ip-dest-host-address)
         |     |  +--rw ip-dest-host-address   inet:ip-address
         |     +--:(ip-dest-host-name)
         |        +--rw ip-dest-host-name      inet:domain-name
         +--:(group)
            +--rw ip-dest-group?               ip-address-group-ref

IP-DESTINATION-NETWORK is a reusable grouping. Its structure is
similar to IP-SOURCE-NETWORK. The reason to have both
IP-SOURCE-NETWORK and IP-DESTINATION-NETWORK groupings is to allow
"ip-source-address" and "ip-destination-address" leaves to appear in
the same container. For example:

    <filters>
      <ip-source-address>192.168.1.0</ip-source-address>
      <ip-source-mask>255.255.255.0</ip-source-mask>
      <ip-dest-address>any</ip-dest-address>
    </filters>

5.1.3. DSCP-OR-TOS Grouping

DSCP-OR-TOS grouping defines a choice, "dscp-or-tos". It allows two
ways to filter for a QoS packet:

o  dscp: Match packet on DSCP value.

o  tos: Match packet on TOS and precedence value.

The typedefs for "tos" and "precedence" are defined in module
"common-types", which could be deprecated should the IETF define a
separate set of definitions.
5.1.4. IP-PFE-FILTERS Grouping

    IP-PFE-FILTERS
      +--rw protocol?                         c-types:ip-protocol
      +--spf:FILTER-COMMON
      +--rw fragments?                        empty
      +--rw time-range?                       spf:Time-Range-Ref
      +--rw (src-ports)?
      |  +--rw (port-number-or-range)?
      |     +--:(port-number-range)
      |     |  +--rw src-port-lower?          inet:port-number
      |     |  +--rw src-port-upper?          inet:port-number
      |     +--:(port-number)
      |     |  +--rw src-comparator           comparator
      |     |  +--rw src-port?                inet:port-number
      |     +--:(port-group-ref)
      |        +--rw src-port-group-name
skipping to change at page 18, line 46
      |     |  +--rw des-port-upper?          inet:port-number
      |     +--:(port-number)
      |     |  +--rw des-comparator           comparator
      |     |  +--rw des-port?                inet:port-number
      |     +--:(by-name)
      |        +--rw des-port-group-name
      +--rw icmp-type?                        c-types:icmp-type
      +--rw icmp-code?                        c-types:icmp-code
      +--rw (packet-length-or-range)?
      |  +--:(length)
      |  |  +--rw packet-length-comparator    spf:Comparator
      |  |  +--rw packet-length               uint32
      |  +--:(range)
      |     +--rw packet-length-upper         uint32
      |     +--rw packet-length-lower         uint32
      +--rw tcp-flag-value?                   c-types:tcp-flag-type
      +--rw tcp-flag-mask?                    c-types:tcp-flag-type
      +--rw tcp-flag-operation?               enumeration
      +--rw (ttl-value-or-range)?
         +--:(value)
         |  +--rw ttl-comparator?             spf:spf-comparator
         |  +--rw ttl-value?                  c-types:Time-to-Live
         +--:(range)
            +--rw ttl-value-lower?            c-types:Time-to-Live
            +--rw ttl-value-upper?            c-types:Time-to-Live
IP-PFE-FILTERS defines the following leaves that are used by both
IPv4 and IPv6 PFEs:

o  protocol

o  spf:FILTER-COMMON: see Section 4.3

o  fragments: When present, it matches the non-initial fragment.

o  time-range: Enable packet capture on this filter for a
   timerange-group by name. time-range is of type Time-Range-Ref,
   which is a leafref.

o  src-ports choice: Allows the following three ways to define a
   group of ports.
skipping to change at page 19, line 41
      leaves to specify a port range. The value of "src-port-lower"
      has to be less than or equal to the value of "src-port-upper".

   *  port-number: Use "comparator" and "src-port" leaves to specify
      a port range. See the Comparator typedef in the model for the
      possible values of the "comparator" leaf.

   *  port range ref: Refer to a named port group that is defined
      using port-groups. For example:

         <port-group-name>port-tunnel1</port-group-name>

o  dest-ports choice: Analogous to "src-ports".

o  packet-length-or-range: Allows two ways to specify a packet
   length range.

   *  case length: Use comparator and a single packet-length to
      specify the range.

   *  case range: Use packet-length-lower and packet-length-upper to
      specify a range. The value of packet-length-lower must be
      lower than or equal to the value of packet-length-upper.

o  icmp-type

o  icmp-code

o  packet-length-or-range choice

o  tcp-flag-value: tcp-flag-value, tcp-flag-mask and
   tcp-flag-operation allow matching any combination of packet tcp
   flag values. The following example matches packets with tcp
   flags ack=1, syn=1, and fin=0:

      <tcp-flag-value>ack syn</tcp-flag-value>
      <tcp-flag-mask>ack syn fin</tcp-flag-mask>
      <tcp-flag-operation>match-all</tcp-flag-operation>

o  tcp-flag-mask

o  tcp-flag-operation

o  ttl-value-or-range
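The tcp-flag triple above is the part of IP-PFE-FILTERS most often misread: the mask decides which flags are examined at all, and the value decides what each examined flag must be. The Python below is an added illustration, not code from this draft: it applies value/mask/operation to a packet's flag byte (only "match-all", the operation the draft shows, is handled), rejects a value that names a flag the mask does not select, and enforces the lower <= upper constraint the text states for the port and packet-length ranges. The flag names and bit positions follow the TCP header; the helper and parameter names are assumptions made here.

```python
"""tcp-flag-value / tcp-flag-mask / tcp-flag-operation matching and the
lower <= upper range constraint of Section 5.1.4.  Added illustration, not
the draft's code; helper names and parameter names are assumptions."""

# TCP header flag bits (RFC 793 and RFC 3168 names).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}


def flags_to_bits(names: str) -> int:
    """Turn a YANG 'bits' value such as "ack syn fin" into a bitmask."""
    bits = 0
    for name in names.split():
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown tcp flag {name!r}")
        bits |= TCP_FLAGS[name]
    return bits


def tcp_flags_match(packet_flags: int, value: str, mask: str,
                    operation: str = "match-all") -> bool:
    """Apply the value/mask/operation triple to a packet's flag byte.

    The mask selects which flags are examined; the value gives the setting
    each selected flag must have.  With match-all every selected flag must
    agree, so value "ack syn" with mask "ack syn fin" means ack=1, syn=1,
    fin=0 and leaves psh, rst and urg unconstrained.
    """
    v, m = flags_to_bits(value), flags_to_bits(mask)
    if v & ~m:
        raise ValueError("tcp-flag-value names a flag that tcp-flag-mask does not select")
    if operation == "match-all":
        return (packet_flags & m) == v
    raise ValueError(f"tcp-flag-operation {operation!r} is not handled in this example")


def check_range(lower: int, upper: int, leaf: str) -> range:
    """The draft requires <leaf>-lower <= <leaf>-upper for src-port, des-port
    and packet-length ranges; reject configurations that violate it."""
    if lower > upper:
        raise ValueError(f"{leaf}-lower ({lower}) exceeds {leaf}-upper ({upper})")
    return range(lower, upper + 1)


def port_in_range(port: int, lower: int, upper: int, leaf: str = "src-port") -> bool:
    """Port-number-range case: is `port` within [lower, upper]?"""
    return port in check_range(lower, upper, leaf)


def packet_length_in_range(length: int, lower: int, upper: int) -> bool:
    """packet-length-or-range, case range."""
    return length in check_range(lower, upper, "packet-length")


if __name__ == "__main__":
    # 0x12 = SYN|ACK, 0x13 = SYN|ACK|FIN, 0x1A = SYN|ACK|PSH
    for flags in (0x12, 0x13, 0x1A, 0x02):
        print(hex(flags), tcp_flags_match(flags, "ack syn", "ack syn fin"))
```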
5.2. augment

The module "spf-ip" augments the definition of data node
"/spf:spfs/spf:spf" with additional leaves and subcomponents.

o  afi

o  ipv6-pfes: It contains a list of ipv6-pfe. Each ipv6-pfe is
   either a remark or a real access control filter. The case
   ipv6-pfe defines the filters and actions for ipv6-pfe. The pfe
   uses filters defined in groupings IP-SOURCE-NETWORK,
   IP-DESTINATION-NETWORK, IP-PFE-FILTERS, and DSCP-OR-TOS. In
   addition, it also allows filtering on igmp-type and flow-label.

o  ipv4-pfes: ipv4-pfe has a similar structure to ipv6-pfes.

o  global-fragments

5.2.1. global-fragments leaf

global-fragments is an optional leaf. It has an enumeration value of
not-set, permit-all, or deny-all. not-set is the default value.
When global-fragments is permit-all or deny-all, it is to permit or
deny the implicit pfe fragment filter. Here is an example of an
implicit pfe and how the implicit pfe is affected when
global-fragments is set.

Example 1: The spf configuration from the management interface with
global-fragments absent.

YANG instance of this cli configuration:
    <spfs>
      <spf>
        <name>fragment_test1</name>
        <afi>ipv4</afi>
        <spf-type>ip-spf</spf-type>
        <ip-pfes>
          <name>10</name>
          <actions>
            <action>permit</action>
          </actions>
          <filters>
            <ip-source-address>192.168.5.0</ip-source-address>
            <ip-source-mask>255.255.255.0</ip-source-mask>
            <ip-dest-address>any</ip-dest-address>
          </filters>
        </ip-pfes>
        <ip-pfes>
          <name>20</name>
          <actions>
            <action>permit</action>
          </actions>
          <filters>
            <ip-source-address>189.168.0.0</ip-source-address>
            <ip-source-mask>255.255.0.0</ip-source-mask>
            <ip-dest-address>any</ip-dest-address>
            <fragments/>
          </filters>
        </ip-pfes>
      </spf>
    </spfs>

By taking all the tags out, the above yang can be expressed in a
summary cli format like the following:

    fragment_test1 ip-spf ipv4
      10 permit ip 192.168.5.0 255.255.255.0 any
      20 permit ip 189.168.0.0 255.255.0.0 any fragment

The spf configuration together with the implicit pfes in the device
will be:

    fragment_test1 ip-spf ipv4
      10 permit ip 192.168.5.0 255.255.255.0 any
      11 permit ip 192.168.5.0 255.255.255.0 any fragment
      20 permit ip 189.168.0.0 255.255.0.0 any fragment
      100 deny any any
      110 deny any any fragment

Notice that three lines of configuration, 11, 100 and 110, are
implicit.
Example 2: The acl configuration from the management interface with Example 2: The spf configuration from the management interface with
global-fragments set to deny-all: global-fragments set to deny-all:
<acls> <spfs>
<acl> <spf>
<name>fragment_test2</name> <name>fragment_test2</name>
<acl-type>ip-acl</acl-type> <spf-type>ip-spf</spf-type>
<global-fragments>deny-all</global-fragments> <global-fragments>deny-all</global-fragments>
<afi>ipv4</afi> <afi>ipv4</afi>
<ip-aces> <ip-pfes>
<name>10</name> <name>10</name>
<actions> <actions>
<action>permit</action> <action>permit</action>
</actions> </actions>
<filters> <filters>
<ip-source-address>192.168.5.0</ip-source-address> <ip-source-address>192.168.5.0</ip-source-address>
<ip-source-mask>255.255.255.0</ip-source-mask> <ip-source-mask>255.255.255.0</ip-source-mask>
<ip-dest-address>any</ip-dest-address> <ip-dest-address>any</ip-dest-address>
</filters> </filters>
</ip-aces> </ip-pfes>
<ip-aces> <ip-pfes>
<name>20</name> <name>20</name>
<actions> <actions>
<action>permit</action> <action>permit</action>
</actions> </actions>
<filters> <filters>
<ip-source-address>189.168.0.0</ip-source-address> <ip-source-address>189.168.0.0</ip-source-address>
<ip-source-mask>255.255.0.0</ip-source-mask> <ip-source-mask>255.255.0.0</ip-source-mask>
<ip-dest-address>any</ip-dest-address> <ip-dest-address>any</ip-dest-address>
<fragments/> <fragments/>
</filters> </filters>
</ip-aces> </ip-pfes>
</acl> </spf>
</acls> </spfs>
The acl configuration in the device with implicit aces: the deny-all The spf configuration in the device with implicit pfes: the deny-all
setting voids the implicit "11 permit ip 192.168.5.0 255.255.255.0 setting voids the implicit "11 permit ip 192.168.5.0 255.255.255.0
any fragment" ace from the previous example. any fragment" pfe from the previous example.
With the tags removed, the above YANG instance can be expressed in With the tags removed, the above YANG instance can be expressed in
a summary CLI format like the following: a summary CLI format like the following:
fragment_test2 ip-acl ipv4 deny-all fragment_test2 ip-spf ipv4 deny-all
10 permit ip 192.168.5.0 255.255.255.0 any 10 permit ip 192.168.5.0 255.255.255.0 any
20 permit ip 189.168.0.0 255.255.0.0 any fragment 20 permit ip 189.168.0.0 255.255.0.0 any fragment
The acl configuration together with the implicit aces in the device The spf configuration together with the implicit pfes in the device
will be: will be:
fragment_test2 ip-acl ipv4 fragment_test2 ip-spf ipv4
10 permit ip 192.168.5.0 255.255.255.0 any 10 permit ip 192.168.5.0 255.255.255.0 any
20 permit ip 189.168.0.0 255.255.0.0 any fragment 20 permit ip 189.168.0.0 255.255.0.0 any fragment
100 deny any any 100 deny any any
110 deny any any fragment 110 deny any any fragment
Non-initial fragments from 192.168.5.0/24 now fall through to the Non-initial fragments from 192.168.5.0/24 now fall through to the
implicit entry 110 and are denied. implicit entry 110 and are denied.
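The following Python model reproduces the expansion shown in Examples 1 and 2 and evaluates sample packets against the effective list. It is an added example, not code from the draft: it assumes that an entry without the fragment keyword matches only non-fragment packets, that the device numbers the implicit companion seq + 1 (entry 11 above), and that the trailing implicit denies are numbered 100 and 110 as in the examples; the packet addresses are constructed for illustration.

```python
"""Model of the implicit fragment entries described in Examples 1 and 2.

Added example, not the draft's own code. Assumes: an entry without the
fragment keyword matches only non-fragment packets; the implicit companion
is numbered seq + 1; the final denies are numbered 100 and 110.
"""
from dataclasses import dataclass
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr, mask="255.255.255.255"):
    """Build a network from an address and subnet mask; 'any' is 0.0.0.0/0."""
    if addr == "any":
        return ANY
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Pfe:
    seq: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fragments: bool = False      # True: matches only non-initial fragments
    implicit: bool = False       # added by the device, not by the operator


def expand(configured, global_fragments=None):
    """Return the effective list: operator entries plus the device's implicit ones."""
    effective = []
    for e in configured:
        effective.append(e)
        # Without global-fragments, an entry that lacks the fragment keyword
        # gets a companion (assumed numbered seq + 1, as in the draft's
        # example) that applies the same action to non-initial fragments.
        if not e.fragments and global_fragments is None:
            effective.append(Pfe(e.seq + 1, e.action, e.src, e.dst,
                                 fragments=True, implicit=True))
    # Implicit final deny for non-fragments and for fragments (numbered 100
    # and 110 here only to mirror the draft's example).
    effective.append(Pfe(100, "deny", ANY, ANY, implicit=True))
    effective.append(Pfe(110, "deny", ANY, ANY, fragments=True, implicit=True))
    return effective


def evaluate(effective, src_ip, dst_ip, is_fragment):
    """First-match evaluation; returns (seq, action) of the deciding entry."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in effective:
        if e.fragments == is_fragment and s in e.src and d in e.dst:
            return e.seq, e.action
    raise AssertionError("the implicit deny entries guarantee a match")


def render(effective):
    """Format the effective list in the draft's summary CLI form."""
    def fmt(n):
        return "any" if n == ANY else f"{n.network_address} {n.netmask}"
    return [f"{e.seq} {e.action} ip {fmt(e.src)} {fmt(e.dst)}"
            + (" fragment" if e.fragments else "") for e in effective]


# The two operator-configured entries of fragment_test1 / fragment_test2.
CONFIGURED = [
    Pfe(10, "permit", net("192.168.5.0", "255.255.255.0"), ANY),
    Pfe(20, "permit", net("189.168.0.0", "255.255.0.0"), ANY, fragments=True),
]

if __name__ == "__main__":
    for gf in (None, "deny-all"):
        print(f"global-fragments = {gf}")
        for line in render(expand(CONFIGURED, gf)):
            print("   " + line)
        # A non-initial fragment from 192.168.5.0/24 (constructed packet) is
        # permitted by implicit entry 11 without deny-all, dropped by 110 with it.
        print("   fragment from 192.168.5.7 ->",
              evaluate(expand(CONFIGURED, gf), "192.168.5.7", "10.0.0.1", True))
```

The practical point is the last line of output: a filter written purely in terms of initial packets silently permits non-initial fragments through the implicit companions, whereas deny-all makes every fragment that is not explicitly permitted hit entry 110.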
6. acl-mac module 6. spf-mac module
6.1. MAC-SOURCE-NETWORK grouping 6.1. MAC-SOURCE-NETWORK grouping
MAC-SOURCE-NETWORK MAC-SOURCE-NETWORK
+--rw (source-network)? +--rw (source-network)?
+--:(source-mac) +--:(source-mac)
| +--rw source-address yang:mac-address | +--rw source-address yang:mac-address
| +--rw source-address-mask yang:mac-address | +--rw source-address-mask yang:mac-address
+--:(source-any) +--:(source-any)
| +--rw source-any empty | +--rw source-any empty
+--:(source-host) +--:(source-host)
+--rw acl-mac:source-host-name inet:host +--rw spf-mac:source-host-name inet:host
MAC-SOURCE-NETWORK is a reusable grouping. It allows to express MAC-SOURCE-NETWORK is a reusable grouping. It allows to express
three kinds of network. Note that the address leaves are typed three kinds of network. Note that the address leaves are typed
yang:mac-address, whose canonical form is colon-separated. yang:mac-address, whose canonical form is colon-separated.
any network: use source-any to express any network. any network: use source-any to express any network.
<source-any/> <source-any/>
single host network: single host network:
<source-host-name>my-host</source-host-name> <source-host-name>my-host</source-host-name>
an address with a mask: an address with a mask:
<source-address>01:80:c2:00:00:00</source-address> <source-address>01:80:c2:00:00:00</source-address>
<source-address-mask>00:00:00:00:00:00</source-address-mask> <source-address-mask>00:00:00:00:00:00</source-address-mask>
6.2. MAC-DESTINATION-NETWORK grouping 6.2. MAC-DESTINATION-NETWORK grouping
MAC-DESTINATION-NETWORK MAC-DESTINATION-NETWORK
+--rw (dest-network)? +--rw (dest-network)?
+--:(address) +--:(address)
| +--rw dest-address yang:mac-address | +--rw dest-address yang:mac-address
| +--rw dest-address-mask yang:mac-address | +--rw dest-address-mask yang:mac-address
+--:(dest-any) +--:(dest-any)
| +--rw dest-any empty | +--rw dest-any empty
+--:(host) +--:(host)
+--rw acl-mac:dest-host-name inet:host +--rw spf-mac:dest-host-name inet:host
MAC-DESTINATION-NETWORK is a reusable grouping similar to MAC- MAC-DESTINATION-NETWORK is a reusable grouping similar to MAC-
SOURCE-NETWORK. The reason to have both MAC-SOURCE-NETWORK and MAC- SOURCE-NETWORK. The reason to have both MAC-SOURCE-NETWORK and MAC-
DESTINATION-NETWORK groupings is that their leaf names differ, so DESTINATION-NETWORK groupings is that their leaf names differ, so
the source and destination leaves can appear in the same container. the source and destination leaves can appear in the same container.
For example: For example:
<filters> <filters>
<source-address>01:80:c2:00:00:00</source-address> <source-address>01:80:c2:00:00:00</source-address>
<source-address-mask>00:00:00:00:00:00</source-address-mask> <source-address-mask>00:00:00:00:00:00</source-address-mask>
<dest-any/> <dest-any/>
</filters> </filters>
6.3. augment 6.3. augment
The module "acl-mac" augments the definition of data node "/acl:acls/ The module "spf-mac" augments the definition of data node "/spf:spfs/
acl:acl" with additional leaves and subcomponents. acl-mac has a spf:spf" with additional leaves and subcomponents. spf-mac has a
structure similar to acl-ipv4 and acl-ipv6, except that the filters structure similar to spf-ipv4 and spf-ipv6, except that the filters
are different. mac-ace has filters defined in grouping MAC-SOURCE- are different. mac-pfe has filters defined in grouping MAC-SOURCE-
NETWORK, MAC-DESTINATION-NETWORK, acl:FILTER-COMMON, ethertype-mask, NETWORK, MAC-DESTINATION-NETWORK, spf:FILTER-COMMON, ethertype-mask,
cos, time-range, and vlan. cos, time-range, and vlan.
7. acl-arp module 7. spf-arp module
7.1. augment 7.1. augment
The module "acl-arp" augments the definition of data node "/acl:acls/ The module "spf-arp" augments the definition of data node "/spf:spfs/
acl:acl" with additional leaves and subcomponents. spf:spf" with additional leaves and subcomponents.
augment "/acl:acls/acl:acl" augment "/spf:spfs/spf:spf"
+--rw acl-arp:arp-aces +--rw spf-arp:arp-pfes
+--rw acl-arp:arp-ace [name] +--rw spf-arp:arp-pfe [name]
+--rw acl-arp:name acl:acl-name-string +--rw spf-arp:name spf:spf-name-string
+--rw (remark-or-arp-ace)? +--rw (remark-or-arp-pfe)?
+--:(remark) +--:(remark)
| +--rw acl-arp:remark? acl:acl-remark | +--rw spf-arp:remark? spf:spf-remark
+--:(arp-ace) +--:(arp-pfe)
+--rw filters +--rw filters
| +--rw direction? enumeration | +--rw direction? enumeration
| +--acl-ip:IP-SOURCE-NETWORK | +--spf-ip:IP-SOURCE-NETWORK
| +--acl-ip:IP-DESTINATION-NETWORK | +--spf-ip:IP-DESTINATION-NETWORK
| +--acl-mac:MAC-SOURCE-NETWORK | +--spf-mac:MAC-SOURCE-NETWORK
| +--acl-mac:MAC-DESTINATION-NETWORK | +--spf-mac:MAC-DESTINATION-NETWORK
| +--acl:FILTER-COMMON | +--spf:FILTER-COMMON
+acl:ACE-COMMON +spf:PFE-COMMON
8. Data Model Structure 8. Data Model Structure
The combined data model for ACL configuration is structured as The combined data model for SPF configuration is structured as
follows. "acl" defines the generic components of an ACL system. follows. "spf" defines the generic components of an SPF system.
"acl-ip", "acl-mac", "acl-arp" augment the "acl" module with "spf-ip", "spf-mac", "spf-arp" augment the "spf" module with
additional data nodes that are needed for IP, MAC, and ARP ACLs additional data nodes that are needed for IP, MAC, and ARP SPFs
respectively. respectively.
module: acl
+--rw acls
+--rw acl [name]
| +--rw name
| +--rw acl-type
| +--rw enable-capture-global?
| +--rw capture-session-id-global?
| +--rw (enable-match-counter-choices)?
| | +--:(match)
| | | +--rw enable-match-counter?
| | +--:(per-entry-match)
| | +--rw enable-per-entry-match-counter?
| +--ro match?
| +--rw acl-ip:afi?
| +--rw acl-ip:ipv6-aces
| | +--rw acl-ip:ipv6-ace [name]
| | +--rw acl-ip:name acl:acl-name-string
| | +--rw (remark-or-ipv6-case)?
| | +--:(remark)
| | | +--rw acl-ip:remark? acl:acl-remark
| | +--:(ipv6-ace)
| | +--rw acl-ip:filters
| | | +--rw (source-address-host-group)
| | | | +--:(source-ip)
| | | | | +--rw acl-ip:ip-source-address
| | | | | +--rw acl-ip:ip-source-mask
| | | | +--:(ip-source-any)
| | | | | +--rw acl-ip:ip-source-any?
| | | | +--:(source-host)
| | | | | +--rw (ip-src-address-or-name)
| | | | | +--:(ip-source-host-address)
| | | | | | +--rw acl-ip:ip-source-host-address?
| | | | | +--:(ip-source-host-name)
| | | | | +--rw acl-ip:ip-source-host-name?
| | | | +--:(source-group)
| | | | +--rw acl-ip:ip-source-group?
| | | +--rw (dest-address-host-group)
| | | | +--:(dest-ip)
| | | | | +--rw acl-ip:ip-dest-address
| | | | | +--rw acl-ip:ip-dest-mask
| | | | +--:(ip-dest-any)
| | | | | +--rw acl-ip:ip-dest-any?
| | | | +--:(dest-host)
| | | | | +--rw (ip-dest-address-or-name)
| | | | | +--:(ip-dest-host-address)
| | | | | | +--rw acl-ip:ip-dest-host-address?
| | | | | +--:(ip-dest-host-name)
| | | | | +--rw acl-ip:ip-dest-host-name?
| | | | +--:(dest-group)
| | | | +--rw acl-ip:ip-dest-group?
| | | +--rw acl-ip:protocol?
| | | +--rw acl-ip:enable-capture?
| | | +--rw acl-ip:capture-session-id?
| | | +--rw acl-ip:fragments?
| | | +--rw acl-ip:time-range?
| | | +--rw (src-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw acl-ip:src-port-lower
| | | | | +--rw acl-ip:src-port-upper
| | | | +--:(port-number)
| | | | | +--rw acl-ip:src-comparator
| | | | | +--rw acl-ip:src-port
| | | | +--:(port-group-ref)
| | | | +--rw acl-ip:src-port-group-name
| | | +--rw (dest-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw acl-ip:des-port-lower
| | | | | +--rw acl-ip:des-port-upper
| | | | +--:(port-number)
| | | | | +--rw acl-ip:des-comparator
| | | | | +--rw acl-ip:des-port
| | | | +--:(port-group-ref)
| | | | +--rw acl-ip:des-port-group-name
| | | +--rw acl-ip:icmp-type?
| | | +--rw acl-ip:icmp-code?
| | | +--rw (packet-length-or-range)?
| | | | +--:(length)
| | | | | +--rw acl-ip:packet-length-comparator
| | | | | +--rw acl-ip:packet-length
| | | | +--:(range)
| | | | +--rw acl-ip:packet-length-upper
| | | | +--rw acl-ip:packet-length-lower
| | | +--rw acl-ip:tcp-flag-value?
| | | +--rw acl-ip:tcp-flag-mask?
| | | +--rw acl-ip:tcp-flag-operation?
| | | +--rw (ttl-value-or-range)?
| | | | +--:(value)
| | | | | +--rw acl-ip:ttl-comparator?
| | | | | +--rw acl-ip:ttl-value?
| | | | +--:(range)
| | | | +--rw acl-ip:ttl-value-lower?
| | | | +--rw acl-ip:ttl-value--upper?
| | | +--rw (dscp-or-tos)?
| | | | +--:(dscp)
| | | | | +--rw acl-ip:dscp?
| | | | +--:(tos)
| | | | +--rw acl-ip:tos?
| | | | +--rw acl-ip:precedence?
| | | +--rw acl-ip:igmp-type?
| | | +--rw acl-ip:flow-label?
| | +--rw acl-ip:actions
| | | +--rw acl-ip:action
| | | +--rw acl-ip:log?
| | +--ro acl-ip:match?
| +--rw acl-ip:ipv4-aces
| | +--rw acl-ip:ipv4-ace [name]
| | +--rw acl-ip:name acl:acl-name-string
| | +--rw (remark-or-ipv4-ace)?
| | +--:(remark)
| | | +--rw acl-ip:remark? acl:acl-remark
| | +--:(ipv4-ace)
| | +--rw acl-ip:filters
| | | +--rw (source-address-host-group)
| | | | +--:(source-ip)
| | | | | +--rw acl-ip:ip-source-address
| | | | | +--rw acl-ip:ip-source-mask
| | | | +--:(ip-source-any)
| | | | | +--rw acl-ip:ip-source-any?
| | | | +--:(source-host)
| | | | | +--rw (ip-src-address-or-name)
| | | | | +--:(ip-source-host-address)
| | | | | | +--rw acl-ip:ip-source-host-address?
| | | | | +--:(ip-source-host-name)
| | | | | +--rw acl-ip:ip-source-host-name?
| | | | +--:(source-group)
| | | | +--rw acl-ip:ip-source-group?
| | | +--rw (dest-address-host-group)
| | | | +--:(dest-ip)
| | | | | +--rw acl-ip:ip-dest-address
| | | | | +--rw acl-ip:ip-dest-mask
| | | | +--:(ip-dest-any)
| | | | | +--rw acl-ip:ip-dest-any?
| | | | +--:(dest-host)
| | | | | +--rw (ip-dest-address-or-name)
| | | | | +--:(ip-dest-host-address)
| | | | | | +--rw acl-ip:ip-dest-host-address?
| | | | | +--:(ip-dest-host-name)
| | | | | +--rw acl-ip:ip-dest-host-name?
| | | | +--:(dest-group)
| | | | +--rw acl-ip:ip-dest-group?
| | | +--rw acl-ip:protocol?
| | | +--rw acl-ip:enable-capture?
| | | +--rw acl-ip:capture-session-id?
| | | +--rw acl-ip:fragments?
| | | +--rw acl-ip:time-range?
| | | +--rw (src-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw acl-ip:src-port-lower
| | | | | +--rw acl-ip:src-port-upper
| | | | +--:(port-number)
| | | | | +--rw acl-ip:src-comparator
| | | | | +--rw acl-ip:src-port
| | | | +--:(port-group-ref)
| | | | +--rw acl-ip:src-port-group-name
| | | +--rw (dest-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw acl-ip:des-port-lower
| | | | | +--rw acl-ip:des-port-upper
| | | | +--:(port-number)
| | | | | +--rw acl-ip:des-comparator
| | | | | +--rw acl-ip:des-port
| | | | +--:(port-group-ref)
| | | | +--rw acl-ip:des-port-group-name
| | | +--rw acl-ip:icmp-type?
| | | +--rw acl-ip:icmp-code?
| | | +--rw (packet-length-or-range)?
| | | | +--:(length)
| | | | | +--rw acl-ip:packet-length-comparator
| | | | | +--rw acl-ip:packet-length
| | | | +--:(range)
| | | | +--rw acl-ip:packet-length-upper
| | | | +--rw acl-ip:packet-length-lower
| | | +--rw acl-ip:tcp-flag-value?
| | | +--rw acl-ip:tcp-flag-mask?
| | | +--rw acl-ip:tcp-flag-operation?
| | | +--rw (ttl-value-or-range)?
| | | | +--:(value)
| | | | | +--rw acl-ip:ttl-comparator?
| | | | | +--rw acl-ip:ttl-value?
| | | | +--:(range)
| | | | +--rw acl-ip:ttl-value-lower?
| | | | +--rw acl-ip:ttl-value--upper?
| | | +--rw (dscp-or-tos)?
| | | +--:(dscp)
| | | | +--rw acl-ip:dscp?
| | | +--:(tos)
| | | +--rw acl-ip:tos?
| | | +--rw acl-ip:precedence?
| | +--rw acl-ip:actions
| | | +--rw acl-ip:action acl:acl-action
| | | +--rw acl-ip:log? empty
| | +--ro acl-ip:match? yang:counter64
| +--rw acl-ip:global-fragments? enumeration
| +--rw acl-mac:mac-aces
| | +--rw acl-mac:mac-ace [name]
| | +--rw acl-mac:name acl:acl-name-string
| | +--rw (remark-or-mac-ace)?
| | +--:(remark)
| | | +--rw acl-mac:remark? acl:acl-remark
| | +--:(mac-ace)
| | +--rw acl-mac:filters
| | | +--rw (source-network)
| | | | +--:(source-mac)
| | | | | +--rw acl-mac:source-address
| | | | | +--rw acl-mac:source-address-mask
| | | | +--:(source-any)
| | | | | +--rw acl-mac:source-any?
| | | | +--:(source-host)
| | | | +--rw (src-address-or-name)
| | | | +--:(source-host-address)
| | | | | +--rw acl-mac:source-host-address?
| | | | +--:(source-host-name)
| | | | +--rw acl-mac:source-host-name?
| | | +--rw (dest-network)
| | | | +--:(dest-mac)
| | | | | +--rw acl-mac:dest-address
| | | | | +--rw acl-mac:dest-address-mask
| | | | +--:(dest-any)
| | | | | +--rw acl-mac:dest-any?
| | | | +--:(dest-host)
| | | | +--rw (dest-address-or-name)
| | | | +--:(dest-host-address)
| | | | | +--rw acl-mac:dest-host-address?
| | | | +--:(dest-host-name)
| | | | +--rw acl-mac:dest-host-name?
| | | +--rw acl-mac:ethertype?
| | | +--rw acl-mac:ethertype-mask?
| | | +--rw acl-mac:cos?
| | | +--rw acl-mac:time-range?
| | | +--rw acl-mac:vlan?
| | | +--rw acl-mac:enable-capture?
| | | +--rw acl-mac:capture-session-id?
| | +--rw acl-mac:actions
| | | +--rw acl-mac:action
| | | +--rw acl-mac:log?
| | +--ro acl-mac:match?
| +--rw acl-arp:arp-aces
| +--rw acl-arp:arp-ace [name]
| +--rw acl-arp:name
| +--rw (remark-or-arp-ace)?
| +--:(remark)
| | +--rw acl-arp:remark?
| +--:(arp-ace)
| +--rw acl-arp:filters
| | +--rw acl-arp:direction?
| | +--rw (source-address-host-group)
| | | +--:(source-ip)
| | | | +--rw acl-arp:ip-source-address
| | | | +--rw acl-arp:ip-source-mask
| | | +--:(ip-source-any)
| | | | +--rw acl-arp:ip-source-any?
| | | +--:(source-host)
| | | | +--rw (ip-src-address-or-name)
| | | | +--:(ip-source-host-address)
| | | | | +--rw acl-arp:ip-source-host-address?
| | | | +--:(ip-source-host-name)
| | | | +--rw acl-arp:ip-source-host-name?
| | | +--:(source-group)
| | | +--rw acl-arp:ip-source-group?
| | +--rw (dest-address-host-group)
| | | +--:(dest-ip)
| | | | +--rw acl-arp:ip-dest-address
| | | | +--rw acl-arp:ip-dest-mask
| | | +--:(ip-dest-any)
| | | | +--rw acl-arp:ip-dest-any?
| | | +--:(dest-host)
| | | | +--rw (ip-dest-address-or-name)
| | | | +--:(ip-dest-host-address)
| | | | | +--rw acl-arp:ip-dest-host-address?
| | | | +--:(ip-dest-host-name)
| | | | +--rw acl-arp:ip-dest-host-name?
| | | +--:(dest-group)
| | | +--rw acl-arp:ip-dest-group?
| | +--rw (source-network)
| | | +--:(source-mac)
| | | | +--rw acl-arp:source-address
| | | | +--rw acl-arp:source-address-mask
| | | +--:(source-any)
| | | | +--rw acl-arp:source-any?
| | | +--:(source-host)
| | | +--rw (src-address-or-name)
| | | +--:(source-host-address)
| | | | +--rw acl-arp:source-host-address?
| | | +--:(source-host-name)
| | | +--rw acl-arp:source-host-name?
| | +--rw (dest-network)
| | | +--:(dest-mac)
| | | | +--rw acl-arp:dest-address
| | | | +--rw acl-arp:dest-address-mask
| | | +--:(dest-any)
| | | | +--rw acl-arp:dest-any?
| | | +--:(dest-host)
| | | +--rw (dest-address-or-name)
| | | +--:(dest-host-address)
| | | | +--rw acl-arp:dest-host-address?
| | | +--:(dest-host-name)
| | | +--rw acl-arp:dest-host-name?
| | +--rw acl-arp:enable-capture?
| | +--rw acl-arp:capture-session-id?
| +--rw acl-arp:actions
| | +--rw acl-arp:action
| | +--rw acl-arp:log?
| +--ro acl-arp:match?
+--rw port-groups
| +--rw port-group [name]
| +--rw name
| +--rw port-group-entry [name]
| +--rw name
| +--rw (port-number-or-range)?
| +--:(port-number-range)
| | +--rw port-lower
| | +--rw port-upper
| +--:(port-number)
| +--rw comparator
| +--rw port
+--rw timerange-groups
| +--rw timerange-group [name]
| +--rw name
| +--rw time-range [name]
| +--rw name
| +--rw remark?
| +--rw (range-type)?
| +--:(absolute)
| | +--rw absolute
| | +--rw start?
| | +--rw end?
| +--:(periodic)
| +--rw periodic
| +--rw weekdays?
| +--rw start?
| +--rw end?
+--rw ip-address-groups
+--rw ip-address-group [name]
+--rw name
+--rw afi?
+--rw ip-address [name]
+--rw name
+--rw (ip-network-kind)
+--:(ip)
| +--rw ip-address?
| +--rw ip-mask
+--:(ip-any)
| +--rw ip-any?
+--:(host)
+--rw (address-or-name)
+--:(ip-host-address)
| +--rw ip-host-address?
+--:(ip-host-name)
+--rw ip-host-name?
module: acl-ip
module: acl-mac
module: acl-arp
Figure 3
module: stateless-pf
+--rw spfs
+--rw spf [name]
| +--rw name
| +--rw spf-type
| +--rw enable-capture-global?
| +--rw capture-session-id-global?
| +--rw (enable-match-counter-choices)?
| | +--:(match)
| | | +--rw enable-match-counter?
| | +--:(per-entry-match)
| | +--rw enable-per-entry-match-counter?
| +--ro match?
| +--rw spf-ip:afi?
| +--rw spf-ip:ipv6-pfes
| | +--rw spf-ip:ipv6-pfe [name]
| | +--rw spf-ip:name spf:spf-name-string
| | +--rw (remark-or-ipv6-case)?
| | +--:(remark)
| | | +--rw spf-ip:remark? spf:spf-remark
| | +--:(ipv6-pfe)
| | +--rw spf-ip:filters
| | | +--rw (source-address-host-group)
| | | | +--:(source-ip)
| | | | | +--rw spf-ip:ip-source-address
| | | | | +--rw spf-ip:ip-source-mask
| | | | +--:(ip-source-any)
| | | | | +--rw spf-ip:ip-source-any?
| | | | +--:(source-host)
| | | | | +--rw (ip-src-address-or-name)
| | | | | +--:(ip-source-host-address)
| | | | | | +--rw spf-ip:ip-source-host-address?
| | | | | +--:(ip-source-host-name)
| | | | | +--rw spf-ip:ip-source-host-name?
| | | | +--:(source-group)
| | | | +--rw spf-ip:ip-source-group?
| | | +--rw (dest-address-host-group)
| | | | +--:(dest-ip)
| | | | | +--rw spf-ip:ip-dest-address
| | | | | +--rw spf-ip:ip-dest-mask
| | | | +--:(ip-dest-any)
| | | | | +--rw spf-ip:ip-dest-any?
| | | | +--:(dest-host)
| | | | | +--rw (ip-dest-address-or-name)
| | | | | +--:(ip-dest-host-address)
| | | | | | +--rw spf-ip:ip-dest-host-address?
| | | | | +--:(ip-dest-host-name)
| | | | | +--rw spf-ip:ip-dest-host-name?
| | | | +--:(dest-group)
| | | | +--rw spf-ip:ip-dest-group?
| | | +--rw spf-ip:protocol?
| | | +--rw spf-ip:enable-capture?
| | | +--rw spf-ip:capture-session-id?
| | | +--rw spf-ip:fragments?
| | | +--rw spf-ip:time-range?
| | | +--rw (src-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw spf-ip:src-port-lower
| | | | | +--rw spf-ip:src-port-upper
| | | | +--:(port-number)
| | | | | +--rw spf-ip:src-comparator
| | | | | +--rw spf-ip:src-port
| | | | +--:(port-group-ref)
| | | | +--rw spf-ip:src-port-group-name
| | | +--rw (dest-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw spf-ip:des-port-lower
| | | | | +--rw spf-ip:des-port-upper
| | | | +--:(port-number)
| | | | | +--rw spf-ip:des-comparator
| | | | | +--rw spf-ip:des-port
| | | | +--:(port-group-ref)
| | | | +--rw spf-ip:des-port-group-name
| | | +--rw spf-ip:icmp-type?
| | | +--rw spf-ip:icmp-code?
| | | +--rw (packet-length-or-range)?
| | | | +--:(length)
| | | | | +--rw spf-ip:packet-length-comparator
| | | | | +--rw spf-ip:packet-length
| | | | +--:(range)
| | | | +--rw spf-ip:packet-length-upper
| | | | +--rw spf-ip:packet-length-lower
| | | +--rw spf-ip:tcp-flag-value?
| | | +--rw spf-ip:tcp-flag-mask?
| | | +--rw spf-ip:tcp-flag-operation?
| | | +--rw (ttl-value-or-range)?
| | | | +--:(value)
| | | | | +--rw spf-ip:ttl-comparator?
| | | | | +--rw spf-ip:ttl-value?
| | | | +--:(range)
| | | | +--rw spf-ip:ttl-value-lower?
| | | | +--rw spf-ip:ttl-value--upper?
| | | +--rw (dscp-or-tos)?
| | | | +--:(dscp)
| | | | | +--rw spf-ip:dscp?
| | | | +--:(tos)
| | | | +--rw spf-ip:tos?
| | | | +--rw spf-ip:precedence?
| | | +--rw spf-ip:igmp-type?
| | | +--rw spf-ip:flow-label?
| | +--rw spf-ip:actions
| | | +--rw spf-ip:action
| | | +--rw spf-ip:log?
| | +--ro spf-ip:match?
| +--rw spf-ip:ipv4-pfes
| | +--rw spf-ip:ipv4-pfe [name]
| | +--rw spf-ip:name spf:spf-name-string
| | +--rw (remark-or-ipv4-pfe)?
| | +--:(remark)
| | | +--rw spf-ip:remark? spf:spf-remark
| | +--:(ipv4-pfe)
| | +--rw spf-ip:filters
| | | +--rw (source-address-host-group)
| | | | +--:(source-ip)
| | | | | +--rw spf-ip:ip-source-address
| | | | | +--rw spf-ip:ip-source-mask
| | | | +--:(ip-source-any)
| | | | | +--rw spf-ip:ip-source-any?
| | | | +--:(source-host)
| | | | | +--rw (ip-src-address-or-name)
| | | | | +--:(ip-source-host-address)
| | | | | | +--rw spf-ip:ip-source-host-address?
| | | | | +--:(ip-source-host-name)
| | | | | +--rw spf-ip:ip-source-host-name?
| | | | +--:(source-group)
| | | | +--rw spf-ip:ip-source-group?
| | | +--rw (dest-address-host-group)
| | | | +--:(dest-ip)
| | | | | +--rw spf-ip:ip-dest-address
| | | | | +--rw spf-ip:ip-dest-mask
| | | | +--:(ip-dest-any)
| | | | | +--rw spf-ip:ip-dest-any?
| | | | +--:(dest-host)
| | | | | +--rw (ip-dest-address-or-name)
| | | | | +--:(ip-dest-host-address)
| | | | | | +--rw spf-ip:ip-dest-host-address?
| | | | | +--:(ip-dest-host-name)
| | | | | +--rw spf-ip:ip-dest-host-name?
| | | | +--:(dest-group)
| | | | +--rw spf-ip:ip-dest-group?
| | | +--rw spf-ip:protocol?
| | | +--rw spf-ip:enable-capture?
| | | +--rw spf-ip:capture-session-id?
| | | +--rw spf-ip:fragments?
| | | +--rw spf-ip:time-range?
| | | +--rw (src-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw spf-ip:src-port-lower
| | | | | +--rw spf-ip:src-port-upper
| | | | +--:(port-number)
| | | | | +--rw spf-ip:src-comparator
| | | | | +--rw spf-ip:src-port
| | | | +--:(port-group-ref)
| | | | +--rw spf-ip:src-port-group-name
| | | +--rw (dest-ports)?
| | | | +--:(port-number-range)
| | | | | +--rw spf-ip:des-port-lower
| | | | | +--rw spf-ip:des-port-upper
| | | | +--:(port-number)
| | | | | +--rw spf-ip:des-comparator
| | | | | +--rw spf-ip:des-port
| | | | +--:(port-group-ref)
| | | | +--rw spf-ip:des-port-group-name
| | | +--rw spf-ip:icmp-type?
| | | +--rw spf-ip:icmp-code?
| | | +--rw (packet-length-or-range)?
| | | | +--:(length)
| | | | | +--rw spf-ip:packet-length-comparator
| | | | | +--rw spf-ip:packet-length
| | | | +--:(range)
| | | | +--rw spf-ip:packet-length-upper
| | | | +--rw spf-ip:packet-length-lower
| | | +--rw spf-ip:tcp-flag-value?
| | | +--rw spf-ip:tcp-flag-mask?
| | | +--rw spf-ip:tcp-flag-operation?
| | | +--rw (ttl-value-or-range)?
| | | | +--:(value)
| | | | | +--rw spf-ip:ttl-comparator?
| | | | | +--rw spf-ip:ttl-value?
| | | | +--:(range)
| | | | +--rw spf-ip:ttl-value-lower?
| | | | +--rw spf-ip:ttl-value--upper?
| | | +--rw (dscp-or-tos)?
| | | +--:(dscp)
| | | | +--rw spf-ip:dscp?
| | | +--:(tos)
| | | +--rw spf-ip:tos?
| | | +--rw spf-ip:precedence?
| | +--rw spf-ip:actions
| | | +--rw spf-ip:action spf:spf-action
| | | +--rw spf-ip:log? empty
| | +--ro spf-ip:match? yang:counter64
| +--rw spf-ip:global-fragments? enumeration
| +--rw spf-mac:mac-pfes
| | +--rw spf-mac:mac-pfe [name]
| | +--rw spf-mac:name spf:spf-name-string
| | +--rw (remark-or-mac-pfe)?
| | +--:(remark)
| | | +--rw spf-mac:remark? spf:spf-remark
| | +--:(mac-pfe)
| | +--rw spf-mac:filters
| | | +--rw (source-network)
| | | | +--:(source-mac)
| | | | | +--rw spf-mac:source-address
| | | | | +--rw spf-mac:source-address-mask
| | | | +--:(source-any)
| | | | | +--rw spf-mac:source-any?
| | | | +--:(source-host)
| | | | +--rw (src-address-or-name)
| | | | +--:(source-host-address)
| | | | | +--rw spf-mac:source-host-address?
| | | | +--:(source-host-name)
| | | | +--rw spf-mac:source-host-name?
| | | +--rw (dest-network)
| | | | +--:(dest-mac)
| | | | | +--rw spf-mac:dest-address
| | | | | +--rw spf-mac:dest-address-mask
| | | | +--:(dest-any)
| | | | | +--rw spf-mac:dest-any?
| | | | +--:(dest-host)
| | | | +--rw (dest-address-or-name)
| | | | +--:(dest-host-address)
| | | | | +--rw spf-mac:dest-host-address?
| | | | +--:(dest-host-name)
| | | | +--rw spf-mac:dest-host-name?
| | | +--rw spf-mac:ethertype?
| | | +--rw spf-mac:ethertype-mask?
| | | +--rw spf-mac:cos?
| | | +--rw spf-mac:time-range?
| | | +--rw spf-mac:vlan?
| | | +--rw spf-mac:enable-capture?
| | | +--rw spf-mac:capture-session-id?
| | +--rw spf-mac:actions
| | | +--rw spf-mac:action
| | | +--rw spf-mac:log?
| | +--ro spf-mac:match?
| +--rw spf-arp:arp-pfes
| +--rw spf-arp:arp-pfe [name]
| +--rw spf-arp:name
| +--rw (remark-or-arp-pfe)?
| +--:(remark)
| | +--rw spf-arp:remark?
| +--:(arp-pfe)
| +--rw spf-arp:filters
| | +--rw spf-arp:direction?
| | +--rw (source-address-host-group)
| | | +--:(source-ip)
| | | | +--rw spf-arp:ip-source-address
| | | | +--rw spf-arp:ip-source-mask
| | | +--:(ip-source-any)
| | | | +--rw spf-arp:ip-source-any?
| | | +--:(source-host)
| | | | +--rw (ip-src-address-or-name)
| | | | +--:(ip-source-host-address)
| | | | | +--rw spf-arp:ip-source-host-address?
| | | | +--:(ip-source-host-name)
| | | | +--rw spf-arp:ip-source-host-name?
| | | +--:(source-group)
| | | +--rw spf-arp:ip-source-group?
| | +--rw (dest-address-host-group)
| | | +--:(dest-ip)
| | | | +--rw spf-arp:ip-dest-address
| | | | +--rw spf-arp:ip-dest-mask
| | | +--:(ip-dest-any)
| | | | +--rw spf-arp:ip-dest-any?
| | | +--:(dest-host)
| | | | +--rw (ip-dest-address-or-name)
| | | | +--:(ip-dest-host-address)
| | | | | +--rw spf-arp:ip-dest-host-address?
| | | | +--:(ip-dest-host-name)
| | | | +--rw spf-arp:ip-dest-host-name?
| | | +--:(dest-group)
| | | +--rw spf-arp:ip-dest-group?
| | +--rw (source-network)
| | | +--:(source-mac)
| | | | +--rw spf-arp:source-address
| | | | +--rw spf-arp:source-address-mask
| | | +--:(source-any)
| | | | +--rw spf-arp:source-any?
| | | +--:(source-host)
| | | +--rw (src-address-or-name)
| | | +--:(source-host-address)
| | | | +--rw spf-arp:source-host-address?
| | | +--:(source-host-name)
| | | +--rw spf-arp:source-host-name?
| | +--rw (dest-network)
| | | +--:(dest-mac)
| | | | +--rw spf-arp:dest-address
| | | | +--rw spf-arp:dest-address-mask
| | | +--:(dest-any)
| | | | +--rw spf-arp:dest-any?
| | | +--:(dest-host)
| | | +--rw (dest-address-or-name)
| | | +--:(dest-host-address)
| | | | +--rw spf-arp:dest-host-address?
| | | +--:(dest-host-name)
| | | +--rw spf-arp:dest-host-name?
| | +--rw spf-arp:enable-capture?
| | +--rw spf-arp:capture-session-id?
| +--rw spf-arp:actions
| | +--rw spf-arp:action
| | +--rw spf-arp:log?
| +--ro spf-arp:match?
+--rw port-groups
| +--rw port-group [name]
| +--rw name
| +--rw port-group-entry [name]
| +--rw name
| +--rw (port-number-or-range)?
| +--:(port-number-range)
| | +--rw port-lower
| | +--rw port-upper
| +--:(port-number)
| +--rw comparator
| +--rw port
+--rw timerange-groups
| +--rw timerange-group [name]
| +--rw name
| +--rw time-range [name]
| +--rw name
| +--rw remark?
| +--rw (range-type)?
| +--:(absolute)
| | +--rw absolute
| | +--rw start?
| | +--rw end?
| +--:(periodic)
| +--rw periodic
| +--rw weekdays?
| +--rw start?
| +--rw end?
+--rw ip-address-groups
+--rw ip-address-group [name]
+--rw name
+--rw afi?
+--rw ip-address [name]
+--rw name
+--rw (ip-network-kind)
+--:(ip)
| +--rw ip-address?
| +--rw ip-mask
+--:(ip-any)
| +--rw ip-any?
+--:(host)
+--rw (address-or-name)
+--:(ip-host-address)
| +--rw ip-host-address?
+--:(ip-host-name)
+--rw ip-host-name?
module: spf-ip
module: spf-mac
module: spf-arp
9. ACL Examples 9. SPF Examples
9.1. Configuration Example 9.1. Configuration Example
Requirement: Deny TELNET traffic from 14.3.6.234 bound for host Requirement: Deny TELNET traffic from 14.3.6.234 bound for host
6.5.4.1 from leaving. Deny all TFTP traffic bound for TFTP 6.5.4.1 from leaving. Deny all TFTP traffic bound for TFTP
servers. Permit all other IP traffic. servers. Permit all other IP traffic.
To meet the requirement, a named access control list is needed. To meet the requirement, a named access control list is needed.
The acl needs three aces, evaluated in order, which can be The spf needs three pfes, evaluated in order, which can be
described in CLI as follows: described in CLI as follows:
access-list ip iacl access-list ip ispf
deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23 deny tcp 14.3.6.234 0.0.0.0 host 6.5.4.1 eq 23
deny udp any any eq tftp deny udp any any eq tftp
permit ip any any permit ip any any
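The mapping from those three CLI lines onto the spf-ip data nodes (protocol numbers, the address/host/any choice, des-comparator and des-port) is mechanical, so here is an added Python example that builds the NETCONF edit-config payload from a rule list, renders it back to the CLI form as a round-trip check, and flags entries that a preceding "ip any any" makes unreachable under first-match evaluation. This is not code from the draft; it reuses the draft's placeholder namespaces for spf and spf-ip (the draft says these are to be replaced with IANA-assigned ones), and the rule list and pfe names are constructed for illustration.

```python
"""Build the NETCONF <edit-config> payload for the three-entry filter above.

Added example, not code from the draft. The spf / spf-ip namespaces are the
placeholders used in the draft's XML; a deployment would use the assigned URIs.
"""
import xml.etree.ElementTree as ET

NS_NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_SPF = "urn:cisco:params:xml:ns:yang:spf"        # placeholder used by the draft
NS_SPF_IP = "urn:cisco:params:xml:ns:yang:spf-ip"  # placeholder used by the draft
PROTO_NUMBER = {"tcp": "6", "udp": "17", "ip": None}
PROTO_NAME = {"6": "tcp", "17": "udp", None: "ip"}
PORT_NUMBER = {"telnet": "23", "tftp": "69"}


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return f"{{{ns}}}{tag}"


def add(parent, ns, tag, text=None):
    el = ET.SubElement(parent, q(ns, tag))
    if text is not None:
        el.text = text
    return el


def _address(filters, side, spec):
    """Map a CLI address spec onto the IP-SOURCE/DESTINATION-NETWORK choice."""
    if spec == "any":
        add(filters, NS_SPF_IP, f"ip-{side}-any")
    elif spec.startswith("host "):
        add(filters, NS_SPF_IP, f"ip-{side}-host-address", spec.split()[1])
    else:
        addr, mask = spec.split()
        add(filters, NS_SPF_IP, f"ip-{side}-address", addr)
        add(filters, NS_SPF_IP, f"ip-{side}-mask", mask)


def build_edit_config(spf_name, rules):
    """Return an <rpc> element carrying the spf as an <edit-config> on running."""
    rpc = ET.Element(q(NS_NC, "rpc"), {"message-id": "101"})
    edit = ET.SubElement(rpc, q(NS_NC, "edit-config"))
    add(add(edit, NS_NC, "target"), NS_NC, "running")
    config = add(edit, NS_NC, "config")
    spf = add(add(config, NS_SPF, "spfs"), NS_SPF, "spf")
    add(spf, NS_SPF, "name", spf_name)
    add(spf, NS_SPF, "spf-type", "ip-spf")
    add(spf, NS_SPF, "enable-match-counter", "false")
    add(spf, NS_SPF_IP, "afi", "ipv4")
    pfes = add(spf, NS_SPF_IP, "ipv4-pfes")
    for i, r in enumerate(rules, start=1):
        pfe = add(pfes, NS_SPF_IP, "ipv4-pfe")
        add(pfe, NS_SPF_IP, "name", f"pfe{10 * i}")  # pfe10, pfe20, ... (assumed)
        f = add(pfe, NS_SPF_IP, "filters")
        if PROTO_NUMBER[r["proto"]] is not None:      # plain "ip": no protocol leaf
            add(f, NS_SPF_IP, "protocol", PROTO_NUMBER[r["proto"]])
        _address(f, "source", r["src"])
        _address(f, "dest", r["dst"])
        if "dport" in r:
            add(f, NS_SPF_IP, "des-comparator", "eq")
            add(f, NS_SPF_IP, "des-port", PORT_NUMBER.get(r["dport"], r["dport"]))
        add(add(pfe, NS_SPF_IP, "actions"), NS_SPF_IP, "action", r["action"])
    return rpc


def to_cli(rpc):
    """Render every ipv4-pfe back into the draft's one-line CLI form."""
    lines = []
    for pfe in rpc.iter(q(NS_SPF_IP, "ipv4-pfe")):
        f = pfe.find(q(NS_SPF_IP, "filters"))
        action = pfe.find(q(NS_SPF_IP, "actions")).findtext(q(NS_SPF_IP, "action"))
        words = [action, PROTO_NAME[f.findtext(q(NS_SPF_IP, "protocol"))]]
        for side in ("source", "dest"):
            if f.find(q(NS_SPF_IP, f"ip-{side}-any")) is not None:
                words.append("any")
            elif f.find(q(NS_SPF_IP, f"ip-{side}-host-address")) is not None:
                words.append("host " + f.findtext(q(NS_SPF_IP, f"ip-{side}-host-address")))
            else:
                words += [f.findtext(q(NS_SPF_IP, f"ip-{side}-address")),
                          f.findtext(q(NS_SPF_IP, f"ip-{side}-mask"))]
        if f.find(q(NS_SPF_IP, "des-port")) is not None:
            words += [f.findtext(q(NS_SPF_IP, "des-comparator")),
                      f.findtext(q(NS_SPF_IP, "des-port"))]
        lines.append(" ".join(words))
    return lines


def dead_entries(rules):
    """Indexes of entries that can never match: under first-match evaluation,
    anything after an 'ip any any' entry without ports is unreachable."""
    for i, r in enumerate(rules):
        if r["proto"] == "ip" and r["src"] == r["dst"] == "any" and "dport" not in r:
            return list(range(i + 1, len(rules)))
    return []


# The three entries of the requirement above, in CLI vocabulary (constructed).
RULES = [
    {"action": "deny", "proto": "tcp", "src": "14.3.6.234 0.0.0.0",
     "dst": "host 6.5.4.1", "dport": "telnet"},
    {"action": "deny", "proto": "udp", "src": "any", "dst": "any", "dport": "tftp"},
    {"action": "permit", "proto": "ip", "src": "any", "dst": "any"},
]

if __name__ == "__main__":
    rpc = build_edit_config("sample-ip-spf", RULES)
    print(ET.tostring(rpc, encoding="unicode"))
    print("\n".join(to_cli(rpc)))
    print("dead entries:", dead_entries(RULES))
```

Run it to see the generated payload followed by the three reconstructed CLI lines; reordering RULES so that the permit-any entry comes first makes dead_entries report the two denies as unreachable, which is the ordering mistake worth catching before pushing the edit-config.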
Here is the example acl configuration XML: Here is the example spf configuration XML:
<rpc message-id="101"
xmlns:nc="urn:cisco:params:xml:ns:yang:acl:1.0"
xmlns:acl-ip="urn:cisco:params:xml:ns:yang:acl-ip"
// replace with IANA namespace when assigned
<edit-config>
<target>
<running/>
</target>
<config>
<top xmlns="http://example.com/schema/1.2/config">
<acls>
<acl >
<name>sample-ip-acl</name>
<acl-type>ip-acl</acl-type>
<enable-match-counter>false</enable-match-counter>
<acl-ip:afi>ipv4</acl-ip:afi>
<acl-ip:ipv4-aces>
<acl-ip:ipv4-ace> <rpc message-id="101"
<acl-ip:name>ace10</acl-ip:name> xmlns:nc="urn:cisco:params:xml:ns:yang:spf:1.0"
<acl-ip:filters> xmlns:spf-ip="urn:cisco:params:xml:ns:yang:spf-ip"
<acl-ip:protocol>6</acl-ip:protocol> // replace with IANA namespace when assigned
<acl-ip:ip-source-address> <edit-config>
14.3.6.234 <target>
</acl-ip:ip-source-address> <running/>
<acl-ip:ip-source-mask>0.0.0.0</acl-ip:ip-source-mask> </target>
<acl-ip:ip-dest-host-address> <config>
6.5.4.1 <top xmlns="http://example.com/schema/1.2/config">
</acl-ip:ip-dest-host-address>
<acl-ip:des-comparator>eq</acl-ip:des-comparator>
<acl-ip:des-port>23</acl-ip:des-port>
</acl-ip:filters>
<acl-ip:actions>
<acl-ip:action>deny</acl-ip:action>
</acl-ip:actions>
</acl-ip:ipv4-ace>
<acl-ip:ipv4-ace> <spfs>
<acl-ip:name>ace20</acl-ip:name> <spf >
<acl-ip:filters> <name>sample-ip-spf</name>
<acl-ip:protocol>17</acl-ip:protocol> <spf-type>ip-spf</spf-type>
<acl-ip:ip-source-any/> <enable-match-counter>false</enable-match-counter>
<acl-ip:ip-dest-any/> <spf-ip:afi>ipv4</spf-ip:afi>
<acl-ip:des-comparator>eq</acl-ip:des-comparator> <spf-ip:ipv4-pfes>
<acl-ip:des-port>69</acl-ip:des-port>
</acl-ip:filters>
<acl-ip:actions>
<acl-ip:action>deny</acl-ip:action>
</acl-ip:actions>
</acl-ip:ipv4-ace>
<acl-ip:ipv4-ace> <spf-ip:ipv4-pfe>
<acl-ip:name>ace30</acl-ip:name> <spf-ip:name>pfe10</spf-ip:name>
<acl-ip:filters> <spf-ip:filters>
<acl-ip:ip-source-any/> <spf-ip:protocol>6</spf-ip:protocol>
<acl-ip:ip-dest-any/> <spf-ip:ip-source-address>
</acl-ip:filters> 14.3.6.234
<acl-ip:actions> </spf-ip:ip-source-address>
<acl-ip:action>permit</acl-ip:action> <spf-ip:ip-source-mask>0.0.0.0</spf-ip:ip-source-mask>
</acl-ip:actions> <spf-ip:ip-dest-host-address>
</acl-ip:ipv4-ace> 6.5.4.1
</acl-ip:ipv4-aces> </spf-ip:ip-dest-host-address>
<spf-ip:des-comparator>eq</spf-ip:des-comparator>
<spf-ip:des-port>23</spf-ip:des-port>
</spf-ip:filters>
<spf-ip:actions>
<spf-ip:action>deny</spf-ip:action>
</spf-ip:actions>
</spf-ip:ipv4-pfe>
</acl> <spf-ip:ipv4-pfe>
</acls> <spf-ip:name>pfe20</spf-ip:name>
<spf-ip:filters>
<spf-ip:protocol>17</spf-ip:protocol>
<spf-ip:ip-source-any/>
<spf-ip:ip-dest-any/>
<spf-ip:des-comparator>eq</spf-ip:des-comparator>
<spf-ip:des-port>69</spf-ip:des-port>
</spf-ip:filters>
<spf-ip:actions>
<spf-ip:action>deny</spf-ip:action>
</spf-ip:actions>
</spf-ip:ipv4-pfe>
</top> <spf-ip:ipv4-pfe>
</config> <spf-ip:name>pfe30</spf-ip:name>
</edit-config> <spf-ip:filters>
</rpc> <spf-ip:ip-source-any/>
10. ACL YANG Module <spf-ip:ip-dest-any/>
</spf-ip:filters>
<spf-ip:actions>
<spf-ip:action>permit</spf-ip:action>
</spf-ip:actions>
</spf-ip:ipv4-pfe>
This module imports type definitions from [RFC6021]. </spf-ip:ipv4-pfes>
<CODE BEGINS> file "acl@2012-10-12.yang" </spf>
module acl { </spfs>
namespace "urn:cisco:params:xml:ns:yang:acl";
// replace with IANA namespace when assigned
prefix acl;
import ietf-inet-types { </top>
prefix "inet"; </config>
} </edit-config>
</rpc>
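As an added example that is not part of the draft, the following Python evaluator walks the three entries from the edit-config above (pfe10/pfe20/pfe30, i.e. the three CLI lines) in order, applying the semantics of the spf-ip leaves they use: ip-source-address with a wildcard ip-source-mask, ip-dest-host-address, des-comparator (the eq/gt/lt/neq enumeration) with des-port, the permit/deny action, and the per-entry match counter. The entry list and the packets are constructed here; the implicit action when no entry matches is assumed to be deny, which the page does not state.

```python
"""Sequential first-match evaluation of a stateless packet filter, modelled
on the leaves of the spf-ip YANG module (example code, not the draft's)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

TCP, UDP = 6, 17  # protocol numbers carried in the example's <protocol> leaves

# spf-comparator enumeration from the module: eq=0, gt=1, lt=2, neq=3
COMPARATORS = {
    "eq": lambda actual, ref: actual == ref,
    "gt": lambda actual, ref: actual > ref,
    "lt": lambda actual, ref: actual < ref,
    "neq": lambda actual, ref: actual != ref,
}


@dataclass
class Pfe:
    """One ipv4-pfe list entry; None means the leaf is absent (matches any)."""
    name: str
    action: str                           # spf-action: "permit" or "deny"
    protocol: Optional[int] = None        # None mirrors 'ip' (any protocol)
    src_address: Optional[str] = None     # ip-source-address
    src_mask: Optional[str] = None        # ip-source-mask (wildcard mask)
    dst_host: Optional[str] = None        # ip-dest-host-address (exact host)
    des_comparator: Optional[str] = None  # des-comparator
    des_port: Optional[int] = None        # des-port
    match: int = 0                        # the config-false 'match' counter64


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None        # None for protocols without ports


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 0 bit in the mask means that bit must
    match, so mask 0.0.0.0 is an exact host and 255.255.255.255 is 'any'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = (~w) & 0xFFFFFFFF
    return (a & care) == (b & care)


def pfe_matches(pfe: Pfe, pkt: Packet) -> bool:
    """All present filter leaves must match (they are ANDed together)."""
    if pfe.protocol is not None and pkt.protocol != pfe.protocol:
        return False
    if pfe.src_address is not None and not wildcard_match(
            pkt.src, pfe.src_address, pfe.src_mask):
        return False
    if pfe.dst_host is not None and pkt.dst != pfe.dst_host:
        return False
    if pfe.des_comparator is not None:
        if pkt.dst_port is None:
            return False
        if not COMPARATORS[pfe.des_comparator](pkt.dst_port, pfe.des_port):
            return False
    return True


def evaluate(pfes: List[Pfe], pkt: Packet, implicit: str = "deny") -> str:
    """Walk the ordered list; the first matching entry decides and its
    match counter is incremented. 'implicit' is an assumption of this
    example: the draft does not say what happens when nothing matches."""
    for pfe in pfes:
        if pfe_matches(pfe, pkt):
            pfe.match += 1
            return pfe.action
    return implicit


def sample_spf() -> List[Pfe]:
    """Constructed to mirror pfe10/pfe20/pfe30 in the edit-config example."""
    return [
        Pfe("pfe10", "deny", protocol=TCP, src_address="14.3.6.234",
            src_mask="0.0.0.0", dst_host="6.5.4.1",
            des_comparator="eq", des_port=23),
        Pfe("pfe20", "deny", protocol=UDP, des_comparator="eq", des_port=69),
        Pfe("pfe30", "permit"),
    ]


if __name__ == "__main__":
    spf = sample_spf()
    for pkt in (Packet("14.3.6.234", "6.5.4.1", TCP, 23),   # telnet, denied
                Packet("14.3.6.235", "6.5.4.1", TCP, 23),   # other source, permitted
                Packet("10.0.0.1", "6.5.4.1", UDP, 69)):    # tftp, denied
        print(pkt, "->", evaluate(spf, pkt))
    # Order matters: with pfe30 first, everything is permitted.
    print(evaluate(list(reversed(sample_spf())),
                   Packet("14.3.6.234", "6.5.4.1", TCP, 23)))  # permit
    print([(p.name, p.match) for p in spf])
```

The reversed-list call shows why the ordered-by-user entry order is security relevant: moving the catch-all permit ahead of the deny entries silently disables them.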
import ietf-yang-types { 10. Stateless-PF YANG Module
prefix "yang";
}
organization This module imports type definitions from [RFC6021].
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact <CODE BEGINS> file "stateless-pf@2013-09-03.yang"
"WG Web: http://tools.ietf.org/wg/netmod/ module stateless-pf {
WG List: netmod@ietf.org namespace "urn:cisco:params:xml:ns:yang:spf";
// replace with IANA namespace when assigned
prefix spf;
WG Chair: David Kessens import ietf-inet-types {
david.kessens@nsn.com prefix "inet";
}
WG Chair: Juergen Schoenwaelder import ietf-yang-types {
j.schoenwaelder@jacobs-university.de prefix "yang";
}
Editor: Lisa Huang organization
yihuan@cisco.com "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
Editor: Alexander Clemm contact
alex@cisco.com "WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
Editor: Andy Bierman WG Chair: David Kessens
andy@yumaworks.com"; david.kessens@nsn.com
description WG Chair: Juergen Schoenwaelder
"This YANG module defines a component that describes the j.schoenwaelder@jacobs-university.de
configuration of Access Control Lists (ACLs).
An ACL is an ordered set of rules and actions used to filter Editor: Lisa Huang
traffic. Each set of rules and actions is represented yihuan@cisco.com
as an Access Control Entry (ACE). Each ACE is evaluated
sequentially. When a rule matches, the action for that
rule is applied to the packet.
There are three types of ACL. Editor: Alexander Clemm
alex@cisco.com
Editor: Andy Bierman
andy@yumaworks.com";
IP ACLs - IP ACLs are ordered sets of rules that can be used to description
filter traffic based on IP information in the Layer 3 "This YANG module defines a component that describes the
header of packets. configuration of Stateless Packet Filters (SPF), also known as
The device applies IP ACLs only to IP traffic. IP ACL Access Control Lists (ACLs).
can be IPv4 or IPv6.
MAC ACLs - MAC ACLs are used to filter traffic using the
information in the Layer 2 header of each packet.
MAC ACLs are by default only applied to non-IP
traffic; however, Layer 2 interfaces can be configured
to apply MAC ACLs to all traffic.
ARP ACLs - The device applies ARP ACLs to IP traffic.
This module should be used with acl-ip, acl-arp, or acl-mac An SPF is an ordered set of rules and actions used to filter
depending on which features the device supports. traffic. Each set of rules and actions is represented
as a Packet Filter Entry (PFE), also known as an Access
Control Entry (ACE). Each PFE is evaluated
sequentially. When a rule matches, the action for that
rule is applied to the packet.
This YANG module also includes auxiliary definitions that There are three types of SPF.
are needed in conjunction with configuration of ACLs, such as
reusable containers and references for ports and IP.
Terms and Acronyms IP SPFs - IP SPFs are ordered sets of rules that can be used to
ACE (ace): Access Control Entry filter traffic based on IP information in the Layer 3
header of packets.
The device applies IP SPFs only to IP traffic. IP SPF
can be IPv4 or IPv6.
MAC SPFs - MAC SPFs are used to filter traffic using the
information in the Layer 2 header of each packet.
MAC SPFs are by default only applied to non-IP
traffic; however, Layer 2 interfaces can be configured
to apply MAC SPFs to all traffic.
ARP SPFs - The device applies ARP SPFs to IP traffic.
ACL (acl): Access Control List This module should be used with spf-ip, spf-arp, or spf-mac
depending on which features the device supports.
AFI (afi): Authority and Format Identifier (Address This YANG module also includes auxiliary definitions that
Field Identifier) are needed in conjunction with configuration of SPFs, such as
reusable containers and references for ports and IP.
ARP (arp): Address Resolution Protocol Terms and Acronyms
PFE (pfe): Packet Filter Entry
IP (ip): Internet Protocol SPF (spf): Stateless Packet Filter
IPv4 (ipv4):Internet Protocol Version 4 AFI (afi): Authority and Format Identifier (Address
Field Identifier)
IPv6 (ipv6): Internet Protocol Version 6 ARP (arp): Address Resolution Protocol
MAC: Media Access Control IP (ip): Internet Protocol
IPv4 (ipv4):Internet Protocol Version 4
TCP (tcp): Transmission Control Protocol IPv6 (ipv6): Internet Protocol Version 6
TTL (ttl): Time to Live MAC: Media Access Control
VLAN (vlan): Virtual Local Area Network TCP (tcp): Transmission Control Protocol
";
reference TTL (ttl): Time to Live
"Access List Commands on Cisco IOS XR Software,
Cisco Nexus 7000 Series NX-OS Security Configuration Guide,
Catalyst 6500 Release 12.2SX Software Configuration Guide,
ACL TCP Flags Filtering";
revision 2012-10-12 { VLAN (vlan): Virtual Local Area Network
description "Initial revision. "; ";
}
/* Features */ revision 2013-09-03 {
description "Initial revision. ";
}
feature capture-session-id { /* Features */
if-feature packet-capture;
description
"The ability to configure ACL capture in order to
selectively monitor traffic on an interface or VLAN.
When the capture option for an ACL rule
is enabled, packets that match this rule are
either forwarded or dropped based on the specified permit
or deny action and may also be copied to an alternate
destination port for further analysis.
An ACL rule with the capture option can be applied
as follows:
On a VLAN
In the ingress direction on all interfaces
In the egress direction on all Layer 3 interfaces
The statistics data for the capture-session are captured
on the device where the ACL rule is applied.";
}
feature host-by-name { feature capture-session-id {
description if-feature packet-capture;
"The capability to reference a host by DNS name."; description
} "The ability to configure SPF capture in order to
selectively monitor traffic on an interface or VLAN.
When the capture option for an SPF rule
is enabled, packets that match this rule are
either forwarded or dropped based on the specified permit
or deny action and may also be copied to an alternate
destination port for further analysis.
An SPF rule with the capture option can be applied
as follows:
On a VLAN
In the ingress direction on all interfaces
In the egress direction on all Layer 3 interfaces
The statistics data for the capture-session are captured
on the device where the SPF rule is applied.";
}
feature ip-address-groups { feature host-by-name {
description description
"The ability to define named groups for lists of "The capability to reference a host by DNS name.";
ip addresses. "; }
}
feature logging { feature ip-address-groups {
description description
"The ability to log messages upon the matching of ACLs."; "The ability to define named groups for lists of
} ip addresses. ";
}
feature logging {
description
"The ability to log messages upon the matching of SPFs.";
}
feature match-counter { feature match-counter {
description description
"The ability to maintain global or local match statistics "The ability to maintain global or local match statistics
for each ACL rule."; for each SPF rule.";
} }
feature packet-capture { feature packet-capture {
description "The ability to capture packets that description "The ability to capture packets that
match the filter."; match the filter.";
} }
feature packet-length { feature packet-length {
description "The ability to filter packets by packet length"; description "The ability to filter packets by packet length";
} }
feature port-groups { feature port-groups {
description description
"The ability to define named groups for lists of ports. "; "The ability to define named groups for lists of ports. ";
} }
/* Identities */ /* Identities */
identity acl-type { identity spf-type {
description "Base acl type for all ACL type identifiers."; description "Base spf type for all SPF type identifiers.";
} }
/* Types */ /* Types */
typedef acl-comparator { typedef spf-comparator {
description "A data type used to express comparator string"; description "A data type used to express comparator string";
type enumeration { type enumeration {
enum "eq" { enum "eq" {
value 0; value 0;
description "match only equal to the given number."; description "match only equal to the given number.";
} }
enum "gt" { enum "gt" {
value 1; value 1;
description description
"match only greater than the given number."; "match only greater than the given number.";
} }
enum "lt" { enum "lt" {
value 2; value 2;
description description
"match only lower than the given number."; "match only lower than the given number.";
} }
enum "neq" { enum "neq" {
value 3; value 3;
description description
"match only not equal to the given number"; "match only not equal to the given number";
} }
} }
} }
typedef acl-action { typedef spf-action {
description "An enumeration data type to express the ACL description "An enumeration data type to express the SPF
action to apply on a match."; action to apply on a match.";
type enumeration { type enumeration {
enum deny { enum deny {
description "Apply deny action to the traffic"; description "Apply deny action to the traffic";
} }
enum permit { enum permit {
description "Apply permit action to the traffic"; description "Apply permit action to the traffic";
} }
} }
} }
typedef acl-remark { typedef spf-remark {
type string { type string {
length "0..100"; length "0..100";
} }
description description
"A remark is a comment that can be "A remark is a comment that can be
associated with an ACE in order to make associated with a PFE in order to make
the access list easier for the network the access list easier for the network
administrator to understand. administrator to understand.
It is retained to facilitate It is retained to facilitate
co-existence with CLI."; co-existence with CLI.";
} }
typedef acl-type-ref { typedef spf-type-ref {
description description
"This type is used to refer to an Access Control List "This type is used to refer to a Stateless Packet Filter
(ACL) type"; (SPF) type";
type identityref { type identityref {
base "acl-type"; base "spf-type";
} }
} }
typedef spf-ref {
description "This type refers to an SPF.";
type leafref {
path "/spf:spfs/spf:spf/spf:name";
}
}
typedef acl-ref { typedef port-group-ref {
description "This type refers to an ACL."; description
type leafref { "This type is used to refer to a Portgroup object.";
path "/acl:acls/acl:acl/acl:name"; type leafref {
} path "/spfs/port-groups/port-group/name";
}
} }
typedef port-group-ref { typedef ip-address-group-ref {
description description
"This type is used to refer to a Portgroup object."; "This type is used to refer to an IP address group object.";
type leafref { type leafref {
path "/acls/port-groups/port-group/name"; path "/spfs/ip-address-groups/ip-address-group/name";
} }
}
} typedef time-range-ref {
description
"This type is used to refer to a time range object.";
type leafref {
path "/spfs/timerange-groups/timerange-group/name";
}
typedef ip-address-group-ref { }
description
"This type is used to refer to an IP address group object.";
type leafref {
path "/acls/ip-address-groups/ip-address-group/name";
}
}
typedef time-range-ref { typedef weekdays {
description type bits {
"This type is used to refer to a time range object."; bit Sunday {
type leafref { position 0;
path "/acls/timerange-groups/timerange-group/name"; }
bit Monday {
position 1;
}
bit Tuesday {
position 2;
}
bit Wednesday {
position 3;
}
bit Thursday {
position 4;
}
bit Friday {
position 5;
}
bit Saturday {
position 6;
}
} }
}
} typedef spf-name-string {
type string {
typedef weekdays { length "1 .. 64";
type bits {
bit Sunday {
position 0;
}
bit Monday {
position 1;
}
bit Tuesday {
position 2;
}
bit Wednesday {
position 3;
}
bit Thursday {
position 4;
}
bit Friday {
position 5;
}
bit Saturday {
position 6;
} }
} }
}
typedef acl-name-string { /* Groupings */
type string {
length "1 .. 64";
}
}
/* Groupings */ grouping PFE-COMMON {
description
"A collection of nodes that should be added to
every PFE list entry";
grouping ACE-COMMON { container actions {
description leaf action {
"A collection of nodes that should be added to type spf:spf-action;
every ACE list entry"; mandatory true;
description "Permit/deny action.";
}
container actions { leaf log {
leaf action { if-feature spf:logging;
type acl:acl-action; type empty;
mandatory true; description
description "Permit/deny action."; "Causes an informational logging message about the
packet that matches the entry to be sent to the
console.";
}
} }
leaf log { leaf match {
if-feature acl:logging; if-feature spf:match-counter;
type empty; config false;
description type yang:counter64;
"Causes an informational logging message about the description
packet that matches the entry to be sent to the "The total number of packets that have matched the
console."; particular PFE";
} }
} }
leaf match { grouping FILTER-COMMON {
if-feature acl:match-counter;
config false;
type yang:counter64;
description description
"The total number of packets that have matched the "A collection of nodes that should be added to
particular ACE"; every 'filters' container within each
} PFE list entry";
}
grouping FILTER-COMMON {
description
"A collection of nodes that should be added to
every 'filters' container within each
ACE list entry";
leaf enable-capture {
if-feature acl:packet-capture;
type boolean;
description
"Enable packet capture on this filter
for this session.";
}
leaf capture-session-id { leaf enable-capture {
if-feature acl:capture-session-id; if-feature spf:packet-capture;
when "../enable-capture = 'true'"; type boolean;
type uint32 { description
range "1..48";
}
description
"Enable packet capture on this filter "Enable packet capture on this filter
for this session id."; for this session.";
} }
}
/* Data Nodes */ leaf capture-session-id {
if-feature spf:capture-session-id;
when "../enable-capture = 'true'";
type uint32 {
range "1..48";
}
description
"Enable packet capture on this filter
for this session id.";
}
}
container acls { /* Data Nodes */
description
"This is the top container that contains a list of
named ACL and reusable acl object groups.";
list acl {
key name;
leaf name {
description "ACL/access group name.";
type acl-name-string;
}
leaf acl-type { container spfs {
type acl-type-ref; description
description "Type of ACL"; "This is the top container that contains a list of
mandatory true; named SPF and reusable spf object groups.";
} list spf {
leaf enable-capture-global { key name;
if-feature packet-capture; leaf name {
type boolean; description "spf/access group name.";
description "Enable packet capture on this filter type spf-name-string;
for this session. Session ID range is 1 to 48"; }
default "false";
} leaf spf-type {
leaf capture-session-id-global { type spf-type-ref;
if-feature capture-session-id; description "Type of SPF";
when "../enable-capture-global = 'true'"; mandatory true;
type uint32 { }
range "1..48"; leaf enable-capture-global {
} if-feature packet-capture;
description "Enable packet capture on this filter type boolean;
for this session. Session ID range is 1 to 48"; description "Enable packet capture on this filter
} for this session. Session ID range is 1 to 48";
choice enable-match-counter-choices { default "false";
if-feature match-counter; }
case match { leaf capture-session-id-global {
leaf enable-match-counter { if-feature capture-session-id;
type boolean; when "../enable-capture-global = 'true'";
description type uint32 {
"Enable to collect statistics for the ACL"; range "1..48";
default false; }
} description "Enable packet capture on this filter
} for this session. Session ID range is 1 to 48";
case per-entry-match { }
leaf enable-per-entry-match-counter { choice enable-match-counter-choices {
type boolean; if-feature match-counter;
description "Enable to collect match case match {
statistics for each ACL entry (ACE)."; leaf enable-match-counter {
default false; type boolean;
} description
} "Enable to collect statistics for the SPF";
} default false;
}
}
case per-entry-match {
leaf enable-per-entry-match-counter {
type boolean;
description "Enable to collect match
statistics for each SPF entry (PFE).";
default false;
}
}
}
leaf match { leaf match {
if-feature match-counter; if-feature match-counter;
config false; config false;
type yang:counter64; type yang:counter64;
description description
"The total number of packets that have matched the "The total number of packets that have matched the
particular access list"; particular access list";
} }
} }
container port-groups { container port-groups {
if-feature port-groups; if-feature port-groups;
list port-group { list port-group {
key "name"; key "name";
leaf name { leaf name {
type acl-name-string; type spf-name-string;
} }
list port-group-entry { list port-group-entry {
key "name"; key "name";
ordered-by user; ordered-by user;
leaf name { leaf name {
type acl-name-string; type spf-name-string;
} }
//unique "comparator port-number //unique "comparator port-number
//port-lower port-upper"; //port-lower port-upper";
choice port-number-or-range { choice port-number-or-range {
case port-number-range { case port-number-range {
description description
"Port group includes all ports between "Port group includes all ports between
port-lower and port-upper (including those)"; port-lower and port-upper (including those)";
leaf port-lower { leaf port-lower {
type inet:port-number; type inet:port-number;
description "Lower Port number."; description "Lower Port number.";
mandatory true; mandatory true;
} }
leaf port-upper { leaf port-upper {
type inet:port-number; type inet:port-number;
description "Upper Port number."; description "Upper Port number.";
mandatory true; mandatory true;
must "../port-lower <= ../port-upper"; must "../port-lower <= ../port-upper";
}
} }
} case port-number {
case port-number { description
description "Port group includes all ports that are greater
"Port group includes all ports that are greater than, greater or equal, less than, less or
than, greater or equal, less than, less or equal, or not equal the port, per the
equal, or not equal the port, per the indicated comparator.
indicated comparator. It is possible for the port group to be empty
It is possible for the port group to be empty (for example, in case a port group that
(for example, in case a port group that is less than the minimum port number is
is less than the minimum port number is specified).";
specified)."; leaf comparator {
leaf comparator { type spf-comparator;
type acl-comparator; mandatory true;
mandatory true; }
} leaf port {
leaf port { type inet:port-number;
type inet:port-number; description "Port number.";
description "Port number."; mandatory true;
mandatory true; }
} }
} } // choice port-number-or-range
} // choice port-number-or-range } // list port-group-entry
} // list port-group-entry } // list port-group
} // container port-groups
} // list port-group
} // container port-groups
container timerange-groups { container timerange-groups {
description "Define time range entries to restrict description "Define time range entries to restrict
the access. The time range is identified by a name the access. The time range is identified by a name
and then referenced by a function, so that those and then referenced by a function, so that those
time restrictions are imposed on the function itself."; time restrictions are imposed on the function itself.";
list timerange-group { list timerange-group {
key "name";
leaf name {
type acl-name-string;
}
list time-range {
key "name"; key "name";
ordered-by user;
leaf name { leaf name {
type acl-name-string; type spf-name-string;
} }
list time-range {
key "name";
ordered-by user;
leaf name {
type spf-name-string;
}
leaf remark { leaf remark {
type acl-remark; type spf-remark;
} }
choice range-type { choice range-type {
// absolute or periodic time range // absolute or periodic time range
container absolute { container absolute {
description
"Absolute time and date that
the associated function starts
going into effect.";
leaf start {
type yang:date-and-time;
description description
"Absolute start time and date"; "Absolute time and date that
} the associated function starts
leaf end { going into effect.";
type yang:date-and-time; leaf start {
description "Absolute end time and date"; type yang:date-and-time;
} description
} "Absolute start time and date";
container periodic { }
description leaf end {
"To specify a periodic time and date."; type yang:date-and-time;
leaf weekdays { description "Absolute end time and date";
type weekdays; }
}
leaf start {
type yang:timestamp;
description "Start time";
} }
leaf end { container periodic {
type yang:timestamp; description
description "End time"; "To specify a periodic time and date.";
leaf weekdays {
type weekdays;
}
leaf start {
type yang:timestamp;
description "Start time";
}
leaf end {
type yang:timestamp;
description "End time";
}
} }
} } // choice range-type
} // choice range-type } // list time-range
} // list time-range } // list timerange-group
} // list timerange-group } // container timerange-groups
} // container timerange-groups
container ip-address-groups { container ip-address-groups {
if-feature ip-address-groups; if-feature ip-address-groups;
description description
"This contains a list of named IP address groups. Each "This contains a list of named IP address groups. Each
group defines a range of address and mask pairs."; group defines a range of address and mask pairs.";
list ip-address-group { list ip-address-group {
key "name";
leaf name {
type acl-name-string;
}
leaf afi {
default "ipv4";
type inet:ip-version;
description "Address Field Identifier (AFI).";
}
list ip-address {
key "name"; key "name";
ordered-by user;
leaf name { leaf name {
type acl-name-string; type spf-name-string;
} }
//unique "ip-address ip-mask"; leaf afi {
//unique "ip-host-address"; default "ipv4";
type inet:ip-version;
description "Address Field Identifier (AFI).";
}
list ip-address {
key "name";
ordered-by user;
leaf name {
type spf-name-string;
}
//unique "ip-address ip-mask";
//unique "ip-host-address";
grouping IP-HOST { grouping IP-HOST {
description description
"Choice within a case not allowed so need "Choice within a case not allowed so need
this grouping."; this grouping.";
choice address-or-name { choice address-or-name {
mandatory true; mandatory true;
leaf ip-host-address { leaf ip-host-address {
type inet:ip-address; type inet:ip-address;
} }
leaf ip-host-name { leaf ip-host-name {
if-feature acl:host-by-name; if-feature spf:host-by-name;
type inet:domain-name; type inet:domain-name;
}
} }
} }
}
choice ip-network-kind { choice ip-network-kind {
mandatory true; mandatory true;
case ip { case ip {
leaf ip-address { leaf ip-address {
type inet:ip-address; type inet:ip-address;
}
leaf ip-mask {
type inet:ip-prefix;
mandatory true;
}
} }
leaf ip-mask { leaf ip-any {
type inet:ip-prefix; type empty;
mandatory true; description "To express Any network or address.
Use the any keyword as an abbreviation
for an address and a mask of 0.0.0.0
255.255.255.255. For example:
0.0.0.0/255.255.255.255 means 'any'";
} }
} case host {
leaf ip-any { description
type empty; "Use the host address combination as an
description "To express Any network or address. abbreviation for an address and wildcard
Use the any keyword as an abbreviation of address 0.0.0.0";
for an address and a mask of 0.0.0.0
255.255.255.255. For example:
0.0.0.0/255.255.255.255 means 'any'";
}
case host {
description
"Use the host address combination as an
abbreviation for an address and wildcard
of address 0.0.0.0";
uses IP-HOST; uses IP-HOST;
}
// case group not allowed here!
} }
// case group not allowed here!
}
} // list ip-address } // list ip-address
} // list ip-address-group } // list ip-address-group
} // container ip-address-groups } // container ip-address-groups
} // container acls } // container spfs
} }
<CODE ENDS> <CODE ENDS>
11. ACL-IP YANG Module 11. SPF-IP YANG Module
This module imports type definitions from [RFC6021] and the common-types This module imports type definitions from [RFC6021] and the common-types
YANG module defined alongside the acl model. YANG module defined alongside the stateless-pf model.
<CODE BEGINS> file "acl-ip@2012-10-12.yang"
module acl-ip {
namespace "urn:cisco:params:xml:ns:yang:acl-ip";
// replace with IANA namespace when assigned
prefix acl-ip;
import acl {
prefix acl;
}
import ietf-inet-types {
prefix "inet";
}
import common-types {
prefix "c-types";
}
organization <CODE BEGINS> file "spf-ip@2013-09-03.yang"
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; module spf-ip {
namespace "urn:cisco:params:xml:ns:yang:spf-ip";
// replace with IANA namespace when assigned
prefix spf-ip;
contact import stateless-pf {
"WG Web: http://tools.ietf.org/wg/netmod/ prefix spf;
WG List: netmod@ietf.org }
import ietf-inet-types {
prefix "inet";
}
import common-types {
prefix "c-types";
}
WG Chair: David Kessens organization
david.kessens@nsn.com "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
WG Chair: Juergen Schoenwaelder contact
j.schoenwaelder@jacobs-university.de "WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
Editor: Lisa Huang WG Chair: David Kessens
yihuan@cisco.com david.kessens@nsn.com
Editor: Alexander Clemm WG Chair: Juergen Schoenwaelder
alex@cisco.com j.schoenwaelder@jacobs-university.de
Editor: Andy Bierman Editor: Lisa Huang
andy@yumaworks.com"; yihuan@cisco.com
description Editor: Alexander Clemm
"This YANG module augments the 'acl' module with configuration alex@cisco.com
and operational data for IPv4 and IPv6 access control list.
An ACL is an ordered set of rules and actions used to filter Editor: Andy Bierman
traffic. andy@yumaworks.com";
Each set of rules and actions is represented as an Access
Control Entry (ACE). Each ACE is evaluated sequentially.
When a rule matches, the action for that rule is applied
to the packet.
IP ACLs are ordered sets of rules that can be used to description
filter traffic based on IP information in the Layer 3 header "This YANG module augments the 'stateless-pf' module with configuration
of packets. and operational data for IPv4 and IPv6 stateless
The device applies IP ACLs only to IP traffic. IP ACL packet filter.
can be IPv4 or IPv6.
Terms and Acronyms A Stateless Packet Filter (SPF), also known as an Access
ACE (ace): Access Control Entry Control List (ACL), is an ordered set of rules and
actions used to filter traffic.
Each set of rules and actions is represented as a Packet Filter
Entry (PFE), also known as an Access
Control Entry (ACE). Each PFE is evaluated sequentially.
When a rule matches, the action for that rule is applied
to the packet.
ACL (acl): Access Control List IP SPFs are ordered sets of rules that can be used to
filter traffic based on IP information in the Layer 3 header
of packets.
The device applies IP SPFs only to IP traffic. IP SPF
can be IPv4 or IPv6.
AFI (afi): Authority and Format Identifier (Address Field Terms and Acronyms
Identifier) PFE (pfe): Packet Filter Entry
DSCP (dscp): Differentiated Services Code Point SPF (spf): Stateless Packet Filter
ICMP (icmp): Internet Control Message Protocol AFI (afi): Authority and Format Identifier (Address Field
Identifier)
IGMP (igmp): Internet Group Management Protocol DSCP (dscp): Differentiated Services Code Point
IP (ip): Internet Protocol ICMP (icmp): Internet Control Message Protocol
IPv4 (ipv4):Internet Protocol Version 4 IGMP (igmp): Internet Group Management Protocol
IPv6 (ipv6): Internet Protocol Version 6 IP (ip): Internet Protocol
QoS: Quality of Service IPv4 (ipv4):Internet Protocol Version 4
TCP (tcp): Transmission Control Protocol IPv6 (ipv6): Internet Protocol Version 6
ToS (tos): Type of Service QoS: Quality of Service
TTL (ttl): Time to Live TCP (tcp): Transmission Control Protocol
UDP (udp): User Datagram Protocol ToS (tos): Type of Service
VLAN (vlan): Virtual Local Area Network TTL (ttl): Time to Live
VRF(vrf) : Virtual Routing and Forwarding UDP (udp): User Datagram Protocol
"; VLAN (vlan): Virtual Local Area Network
reference
"Access List Commands on Cisco IOS XR Software,
Cisco Nexus 7000 Series NX-OS Security Configuration Guide,
Catalyst 6500 Release 12.2SX Software Configuration Guide,
ACL TCP Flags Filtering";
revision 2012-10-12 { VRF(vrf) : Virtual Routing and Forwarding
description "Initial revision. "; ";
}
/* Features */ revision 2013-09-03 {
description "Initial revision. ";
}
feature time-to-live { /* Features */
description "The ability to filter packets based on their
time-to-live (TTL) value (0 to 255)";
reference "ACL Support for Filtering on TTL Value";
}
feature flow-label { feature time-to-live {
description description "The ability to filter packets based on their
"The ability to filter packets based on flow label. time-to-live (TTL) value (0 to 255)";
The 20-bit Flow Label field in the IPv6 header reference "SPF Support for Filtering on TTL Value";
is used by a source to label packets }
of a flow. This is an IPv6 ACEs option.";
reference "RFC 3697 IPv6 Flow Label Specification";
}
/* Identities */ feature flow-label {
description
"The ability to filter packets based on flow label.
The 20-bit Flow Label field in the IPv6 header
is used by a source to label packets
of a flow. This is an IPv6 PFEs option.";
reference "RFC 3697 IPv6 Flow Label Specification";
}
identity ip-acl { /* Identities */
base "acl:acl-type";
description "layer 3 ACL type";
}
/* Groupings */ identity ip-spf {
base "spf:spf-type";
description "layer 3 SPF type";
}
grouping IP-SOURCE-NETWORK { /* Groupings */
description "Reusable IP address and mask pair.";
grouping IP-SOURCE-HOST { grouping IP-SOURCE-NETWORK {
description description "Reusable IP address and mask pair.";
"Choice within a case not allowed so need
this grouping.";
choice ip-src-address-or-name {
mandatory true;
leaf ip-source-host-address {
type inet:ip-address;
}
leaf ip-source-host-name {
if-feature acl:host-by-name;
type inet:domain-name;
}
}
}
choice source-address-host-group { grouping IP-SOURCE-HOST {
mandatory true; description
case source-ip { "Choice within a case not allowed so need
description "Used with an address and mask pair this grouping.";
to express a network."; choice ip-src-address-or-name {
mandatory true;
leaf ip-source-host-address {
type inet:ip-address;
}
leaf ip-source-host-name {
if-feature spf:host-by-name;
type inet:domain-name;
}
}
}
leaf ip-source-address { choice source-address-host-group {
type inet:ip-address; mandatory true;
mandatory true; case source-ip {
} description "Used with address and mask couple
leaf ip-source-mask { to express network.";
type inet:ip-address;
mandatory true;
}
}
leaf ip-source-any {
type empty;
description "To express Any network or address.
Use the any keyword as an abbreviation
for an address and a mask of 0.0.0.0
255.255.255.255. For example:
0.0.0.0/255.255.255.255 means 'any'";
}
case source-host {
description "Used with host address to express a
single host
Use the host address(or name)
combination is the same as an address
and mask of address 0.0.0.0.
For example: '10.1.1.2/0.0.0.0' is the same
as 'host 10.1.1.2'";
uses IP-SOURCE-HOST;
}
case source-group {
if-feature acl:ip-address-groups;
leaf ip-source-group {
type acl:ip-address-group-ref;
}
}
}
}
grouping IP-DESTINATION-NETWORK {
description
"Reusable IP address and mask pair for destination.";
grouping IP-DESTINATION-HOST { leaf ip-source-address {
description type inet:ip-address;
"Choice within a case not allowed so need mandatory true;
this grouping."; }
choice ip-dest-address-or-name { leaf ip-source-mask {
mandatory true; type inet:ip-address;
leaf ip-dest-host-address { mandatory true;
type inet:ip-address; }
} }
leaf ip-dest-host-name { leaf ip-source-any {
if-feature acl:host-by-name; type empty;
type inet:domain-name; description "To express Any network or address.
} Use the any keyword as an abbreviation
} for an address and a mask of 0.0.0.0
} 255.255.255.255. For example:
0.0.0.0/255.255.255.255 means 'any'";
}
case source-host {
description "Used with host address to express a
single host
Use the host address(or name)
combination is the same as an address
and mask of address 0.0.0.0.
For example: '10.1.1.2/0.0.0.0' is the same
as 'host 10.1.1.2'";
uses IP-SOURCE-HOST;
}
case source-group {
if-feature spf:ip-address-groups;
leaf ip-source-group {
type spf:ip-address-group-ref;
}
}
}
}
grouping IP-DESTINATION-NETWORK {
description
"Reusable IP address and mask pair for destination.";
choice dest-address-host-group { grouping IP-DESTINATION-HOST {
mandatory true; description
case dest-ip { "Choice within a case not allowed so need
description "Used with address and mask couple this grouping.";
to express network."; choice ip-dest-address-or-name {
leaf ip-dest-address { mandatory true;
type inet:ip-address; leaf ip-dest-host-address {
mandatory true; type inet:ip-address;
} }
leaf ip-dest-mask { leaf ip-dest-host-name {
type inet:ip-address; if-feature spf:host-by-name;
mandatory true; type inet:domain-name;
} }
} }
leaf ip-dest-any { }
type empty;
description "To express Any network or address.
Use the any keyword as an abbreviation
for an address and a mask of 0.0.0.0
255.255.255.255. For example:
0.0.0.0/255.255.255.255 means 'any'";
}
case dest-host {
description "Used with host address to express a
single host
Use the host address(or name)
combination is the same as an address
and mask of address 0.0.0.0.
For example: '10.1.1.2/0.0.0.0' is the same choice dest-address-host-group {
as 'host 10.1.1.2'"; mandatory true;
case dest-ip {
description "Used with address and mask couple
to express network.";
leaf ip-dest-address {
type inet:ip-address;
mandatory true;
}
leaf ip-dest-mask {
type inet:ip-address;
mandatory true;
}
}
leaf ip-dest-any {
type empty;
description "To express Any network or address.
Use the any keyword as an abbreviation
for an address and a mask of 0.0.0.0
255.255.255.255. For example:
0.0.0.0/255.255.255.255 means 'any'";
}
case dest-host {
description "Used with host address to express a
single host
Use the host address(or name)
combination is the same as an address
and mask of address 0.0.0.0.
uses IP-DESTINATION-HOST; For example: '10.1.1.2/0.0.0.0' is the same
} as 'host 10.1.1.2'";
case dest-group {
if-feature acl:ip-address-groups;
description "Use the group keyword and group name
to refer to a pre-defined address object group
which is a list of address and mask.";
leaf ip-dest-group { uses IP-DESTINATION-HOST;
type acl:ip-address-group-ref; }
} case dest-group {
} if-feature spf:ip-address-groups;
} description "Use the group keyword and group name
} to refer to a pre-defined address object group
which is a list of address and mask.";
grouping DSCP-OR-TOS { leaf ip-dest-group {
choice dscp-or-tos { type spf:ip-address-group-ref;
leaf dscp { }
type inet:dscp; }
description }
"Match packets with given dscp value"; }
}
case tos { grouping DSCP-OR-TOS {
leaf tos { choice dscp-or-tos {
type c-types:tos; leaf dscp {
type inet:dscp;
description description
"Match packets with given TOS value"; "Match packets with given dscp value";
} }
leaf precedence {
when "boolean(../tos)" ; case tos {
type c-types:precedence; leaf tos {
description type c-types:tos;
"Match packets with given precedence value"; description
"Match packets with given TOS value";
}
leaf precedence {
when "boolean(../tos)" ;
type c-types:precedence;
description
"Match packets with given precedence value";
}
} }
} }
} }
}
grouping IP-ACE-FILTERS { grouping IP-PFE-FILTERS {
leaf protocol { leaf protocol {
type c-types:ip-protocol; type c-types:ip-protocol;
description "IP protocol number."; description "IP protocol number.";
} }
uses acl:FILTER-COMMON; uses spf:FILTER-COMMON;
leaf fragments {
type empty;
description "Check non-initial fragments";
}
leaf time-range {
type acl:time-range-ref;
description
"Refer a time range object by
name (Max Size 64).";
}
choice src-ports { leaf fragments {
when "protocol = '6' or protocol = '17' or " + type empty;
"protocol = '132'"; description "Check non-initial fragments";
}
description leaf time-range {
"Apply only when the protocol is TCP, type spf:time-range-ref;
UDP or SCTP."; description
"Refer a time range object by
name (Max Size 64).";
}
case port-number-range { choice src-ports {
description when "protocol = '6' or protocol = '17' or " +
"Port group includes all ports between port-lower "protocol = '132'";
and port-upper (including those)";
leaf src-port-lower {
type inet:port-number;
description "Lower Port number.";
mandatory true;
}
leaf src-port-upper {
type inet:port-number;
description "Upper Port number.";
mandatory true;
must "../src-port-lower <= ../src-port-upper";
}
}
case port-number {
description
"Port group includes all ports that are greater
than, greater or equal, less than, less or equal,
or not equal the port, per the indicated
comparator. It is possible for the port group
to be empty (for example, in case a port group
that is less than the minimum port number is
specified).";
leaf src-comparator {
type acl:acl-comparator;
mandatory true;
}
leaf src-port {
type inet:port-number;
description "Port number.";
mandatory true;
}
}
case port-group-ref {
if-feature acl:port-groups;
leaf src-port-group-name {
type acl:port-group-ref;
mandatory true;
description
"Reference a port group by the Port
Group name.";
}
}
} // choice src-ports
choice dest-ports { description
when "protocol = '6' or protocol = '17' or " +
"protocol = '132'";
description
"Apply only when the protocol is TCP, "Apply only when the protocol is TCP,
UDP or SCTP."; UDP or SCTP.";
case port-number-range { case port-number-range {
description "Port group includes all ports between description
port-lower and port-upper (including those)"; "Port group includes all ports between port-lower
leaf des-port-lower { and port-upper (including those)";
type inet:port-number; leaf src-port-lower {
description "Lower Port number."; type inet:port-number;
mandatory true; description "Lower Port number.";
} mandatory true;
leaf des-port-upper { }
type inet:port-number; leaf src-port-upper {
description "Upper Port number."; type inet:port-number;
mandatory true; description "Upper Port number.";
must "../des-port-lower <= ../des-port-upper"; mandatory true;
} must "../src-port-lower <= ../src-port-upper";
} }
case port-number { }
description "Port group includes all ports that case port-number {
are greater than, greater or equal, less than, description
less or equal, or not equal the port, per the "Port group includes all ports that are greater
indicated comparator. It is possible for the than, greater or equal, less than, less or equal,
port group to be empty (for example, in case a or not equal the port, per the indicated
port group that is less than the minimum port comparator. It is possible for the port group
number is specified)."; to be empty (for example, in case a port group
leaf des-comparator { that is less than the minimum port number is
type acl:acl-comparator; specified).";
mandatory true; leaf src-comparator {
} type spf:spf-comparator;
leaf des-port { mandatory true;
type inet:port-number; }
description "Port number."; leaf src-port {
mandatory true; type inet:port-number;
} description "Port number.";
} mandatory true;
case port-group-ref { }
if-feature acl:port-groups; }
leaf des-port-group-name { case port-group-ref {
type acl:port-group-ref; if-feature spf:port-groups;
mandatory true; leaf src-port-group-name {
description type spf:port-group-ref;
"Reference a port group by the Port Group name."; mandatory true;
} description
} "Reference a port group by the Port
} // choice dest-ports Group name.";
}
}
} // choice src-ports
leaf icmp-type { choice dest-ports {
when "../protocol = '1'"; when "protocol = '6' or protocol = '17' or " +
type c-types:icmp-type; "protocol = '132'";
description description
"ICMP message type number. "Apply only when the protocol is TCP,
Apply only when the protocol is icmp"; UDP or SCTP.";
}
leaf icmp-code { case port-number-range {
when "boolean(../icmp-type) "; description "Port group includes all ports between
type c-types:icmp-code; port-lower and port-upper (including those)";
description leaf des-port-lower {
"ICMP subtype for a given icmp type."; type inet:port-number;
} description "Lower Port number.";
mandatory true;
}
leaf des-port-upper {
type inet:port-number;
description "Upper Port number.";
mandatory true;
must "../des-port-lower <= ../des-port-upper";
}
}
case port-number {
description "Port group includes all ports that
are greater than, greater or equal, less than,
less or equal, or not equal the port, per the
indicated comparator. It is possible for the
port group to be empty (for example, in case a
port group that is less than the minimum port
number is specified).";
leaf des-comparator {
type spf:spf-comparator;
mandatory true;
}
leaf des-port {
type inet:port-number;
description "Port number.";
mandatory true;
}
}
case port-group-ref {
if-feature spf:port-groups;
leaf des-port-group-name {
type spf:port-group-ref;
mandatory true;
description
"Reference a port group by the Port Group name.";
}
}
} // choice dest-ports
choice packet-length-or-range { leaf icmp-type {
if-feature acl:packet-length; when "../protocol = '1'";
case length { type c-types:icmp-type;
leaf packet-length-comparator { description
type acl:acl-comparator; "ICMP message type number.
description Apply only when the protocol is icmp";
"Operant that compare the packet }
length. Operands are lt (less than),
gt (greater than), eq (equal), and neq
(not equal).";
mandatory true;
}
leaf packet-length {
type uint32 {
range "20..9210";
}
description
"Packet length value for
operation gt, eq, etc, other
than range";
//TODO need to find out why package is
// less than 9210
mandatory true;
}
}
case range {
description
"Packet operator 'range' takes
both lower and upper value.";
leaf packet-length-upper { leaf icmp-code {
type uint32 { when "boolean(../icmp-type) ";
range "20..9210"; type c-types:icmp-code;
} description
mandatory true; "ICMP subtype for a given icmp type.";
description "Upper Packet length"; }
}
leaf packet-length-lower { choice packet-length-or-range {
type uint32 { if-feature spf:packet-length;
range "20..9210"; case length {
} leaf packet-length-comparator {
must "number(../packet-length-lower) <= " + type spf:spf-comparator;
"number(../packet-length-upper)"; description
mandatory true; "Operant that compare the packet
description "Lower packet length"; length. Operands are lt (less than),
} gt (greater than), eq (equal), and neq
} (not equal).";
} mandatory true;
}
leaf packet-length {
type uint32 {
range "20..9210";
}
description
"Packet length value for
operation gt, eq, etc, other
than range";
//TODO need to find out why package is
// less than 9210
mandatory true;
}
}
case range {
description
"Packet operator 'range' takes
both lower and upper value.";
leaf tcp-flag-value { leaf packet-length-upper {
type c-types:tcp-flag-type ; type uint32 {
description "TCP flag bits that needs to be checked"; range "20..9210";
} }
mandatory true;
description "Upper Packet length";
}
leaf tcp-flag-mask { leaf packet-length-lower {
when "boolean(../tcp-flag-value)" ; type uint32 {
type c-types:tcp-flag-type ; range "20..9210";
description "TCP flag bit that needs to be checked"; }
} must "number(../packet-length-lower) <= " +
"number(../packet-length-upper)";
mandatory true;
description "Lower packet length";
}
}
}
leaf tcp-flag-operation { leaf tcp-flag-value {
when "boolean(../tcp-flag-value)" ; type c-types:tcp-flag-type ;
description description "TCP flag bits that needs to be checked";
"TCP flag Match option. }
A match occurs if the TCP
datagram has certain TCP flags
set or not set. You use the
match-any keyword to allow a match
to occur if any of the specified
TCP flags are present, or you can
use the match-all keyword to allow
a match to occur only if all of
the specified TCP flags are
present. You must follow the
match-any and match-all keywords
with the + or - keyword and the
flag-name argument to match on
one or more TCP flags. ";
default match-any;
type enumeration {
enum match-any {
description "match any";
}
enum match-all {
description "match all";
}
}
}
choice ttl-value-or-range { leaf tcp-flag-mask {
if-feature time-to-live; when "boolean(../tcp-flag-value)" ;
case value { type c-types:tcp-flag-type ;
leaf ttl-comparator { description "TCP flag bit that needs to be checked";
type acl:acl-comparator; }
description leaf tcp-flag-operation {
"Compares the TTL value in the packet when "boolean(../tcp-flag-value)" ;
to the TTL value specified in this description
ACE statement. Operands are lt (less "TCP flag Match option.
than), gt (greater than), and eq A match occurs if the TCP
(equal), neq (not equal)."; datagram has certain TCP flags
} set or not set. You use the
leaf ttl-value { match-any keyword to allow a match
type c-types:time-to-live; to occur if any of the specified
TCP flags are present, or you can
use the match-all keyword to allow
a match to occur only if all of
the specified TCP flags are
present. You must follow the
match-any and match-all keywords
with the + or - keyword and the
flag-name argument to match on
one or more TCP flags. ";
default match-any;
type enumeration {
enum match-any {
description "match any";
}
enum match-all {
description "match all";
}
}
}
} choice ttl-value-or-range {
} if-feature time-to-live;
case range { case value {
leaf ttl-value-lower { leaf ttl-comparator {
type c-types:time-to-live; type spf:spf-comparator;
description "Lower ttl number.";
}
leaf ttl-value--upper {
type c-types:time-to-live;
description "Upper ttl number.";
} description
} "Compares the TTL value in the packet
} to the TTL value specified in this
} PFE statement. Operands are lt (less
than), gt (greater than), and eq
(equal), neq (not equal).";
}
leaf ttl-value {
type c-types:time-to-live;
/* Data Nodes */ }
}
case range {
leaf ttl-value-lower {
type c-types:time-to-live;
description "Lower ttl number.";
}
leaf ttl-value--upper {
type c-types:time-to-live;
description "Upper ttl number.";
augment "/acl:acls/acl:acl" { }
when "acl:acl-type = 'ip-acl'"; }
}
}
leaf afi { /* Data Nodes */
type inet:ip-version ;
default "ipv4";
}
container ipv6-aces { augment "/spf:spfs/spf:spf" {
when "../afi = 'ipv6'" ; when "spf:spf-type = 'ip-spf'";
description leaf afi {
" The ip-aces container contains a list of ip-ace. type inet:ip-version ;
Each ip-ace is made of a unique ID, an optional default "ipv4";
remark (comment), and a filter. The filter }
requires a mandatory action (permit/deny) and one or
more options such as source-address with mask,ttl etc";
list ipv6-ace { container ipv6-pfes {
key "name"; when "../afi = 'ipv6'" ;
ordered-by user;
description "Layer 3 Access Control Element (ACE)";
leaf name { description
type acl:acl-name-string; " The ip-pfes container contains a list of ip-pfe.
description "Unique ACE identifier."; Each ip-pfe is made of a unique ID, an optional
} remark (comment), and a filter. The filter
requires a mandatory action (permit/deny) and one or
more options such as source-address with mask,ttl etc";
choice remark-or-ipv6-case { list ipv6-pfe {
leaf remark { key "name";
type acl:acl-remark; ordered-by user;
// mandatory true; description "Layer 3 Packet Filter Entry (PFE)";
leaf name {
type spf:spf-name-string;
description "Unique PFE identifier.";
} }
case ipv6-ace {
container filters {
uses IP-SOURCE-NETWORK; choice remark-or-ipv6-case {
uses IP-DESTINATION-NETWORK; leaf remark {
uses IP-ACE-FILTERS; type spf:spf-remark;
uses DSCP-OR-TOS; // mandatory true;
}
case ipv6-pfe {
container filters {
leaf igmp-type { uses IP-SOURCE-NETWORK;
when "../protocol = '2' "; uses IP-DESTINATION-NETWORK;
type c-types:igmp-code; uses IP-PFE-FILTERS;
description uses DSCP-OR-TOS;
"IGMP message type (0 to 15) for
filtering IGMP packets. Apply only
when the protocol is igmp in ipv4";
}
leaf flow-label { leaf igmp-type {
if-feature flow-label; when "../protocol = '2' ";
when "../protocol = '17'"; type c-types:igmp-code;
type uint64 { description
range "0..1048575"; "IGMP message type (0 to 15) for
filtering IGMP packets. Apply only
when the protocol is igmp in ipv4";
} }
description
"Flow label value. Apply only when
the protocol is UDP in ipv6.";
reference
"RFC3697 IPv6 Flow Label Specification";
}
} // container filters
uses acl:ACE-COMMON; leaf flow-label {
} // case ipv6-ace if-feature flow-label;
} // choice remark-or-ipv6-ace when "../protocol = '17'";
} // list ipv6-ace type uint64 {
} // container ipv6-aces range "0..1048575";
}
description
"Flow label value. Apply only when
the protocol is UDP in ipv6.";
reference
"RFC3697 IPv6 Flow Label Specification";
}
} // container filters
container ipv4-aces { uses spf:PFE-COMMON;
when "../afi = 'ipv4'" ; } // case ipv6-pfe
} // choice remark-or-ipv6-pfe
} // list ipv6-pfe
} // container ipv6-pfes
description container ipv4-pfes {
"The ip-aces container contains a list of ip-ace. when "../afi = 'ipv4'" ;
Each ip-ace is made of a unique ID, an optional
remark (comment), and a filter. The filter requires a
mandatory action (permit/deny) and one or more options
such as source-address with mask,ttl etc";
list ipv4-ace { description
key "name"; "The ip-pfes container contains a list of ip-pfe.
ordered-by user; Each ip-pfe is made of a unique ID, an optional
description "Layer 3 Access Control Element (ACE)"; remark (comment), and a filter. The filter requires a
mandatory action (permit/deny) and one or more options
such as source-address with mask,ttl etc";
leaf name { list ipv4-pfe {
type acl:acl-name-string; key "name";
description "Unique ACE identifier"; ordered-by user;
} description "Layer 3 Packet Filter Entry (PFE)";
choice remark-or-ipv4-ace { leaf name {
leaf remark { type spf:spf-name-string;
type acl:acl-remark; description "Unique PFE identifier";
// mandatory true; }
}
case ipv4-ace {
container filters {
uses IP-SOURCE-NETWORK;
uses IP-DESTINATION-NETWORK;
uses IP-ACE-FILTERS;
uses DSCP-OR-TOS;
}
uses acl:ACE-COMMON;
} // case ipv4-ace
} // choice remark-or-ipv4-ace
} // list ipv4-ace
} // container ipv4-aces
leaf global-fragments { choice remark-or-ipv4-pfe {
default "not-set"; leaf remark {
type enumeration { type spf:spf-remark;
enum not-set; // mandatory true;
enum permit-all { }
description "Allow all fragments"; case ipv4-pfe {
} container filters {
enum deny-all { uses IP-SOURCE-NETWORK;
description "Drop all fragments"; uses IP-DESTINATION-NETWORK;
} uses IP-PFE-FILTERS;
} uses DSCP-OR-TOS;
description }
"Optimizes fragment handling for noninitial fragments. uses spf:PFE-COMMON;
When this leaf is set to 'permit-all', noninitial } // case ipv4-pfe
fragments will be permitted unless explicitly denied. } // choice remark-or-ipv4-pfe
When this leaf is set to 'deny-all', noninitial } // list ipv4-pfe
fragments will be denied unless explicitly } // container ipv4-pfes
permitted. ";
} leaf global-fragments {
} default "not-set";
type enumeration {
enum not-set;
enum permit-all {
description "Allow all fragments";
}
enum deny-all {
description "Drop all fragments";
}
}
description
"Optimizes fragment handling for noninitial fragments.
When this leaf is set to 'permit-all', noninitial
fragments will be permitted unless explicitly denied.
When this leaf is set to 'deny-all', noninitial
fragments will be denied unless explicitly
permitted. ";
} }
}
</CODE ENDS> }
12. ACL-MAC Configuration YANG Module <CODE ENDS>
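   The following Python is an added illustration of the matching
   semantics the spf-ip module above describes; it is not part of the
   draft or of any implementation of it. It evaluates constructed
   packets against an ordered list of entries using the wildcard-mask
   meaning given in the leaf descriptions (a mask of 0.0.0.0 is a single
   host, 255.255.255.255 is 'any'), the src-ports/dest-ports cases
   including the must-constraint on port ranges, the tcp-flag-value /
   tcp-flag-mask / tcp-flag-operation leaves, and the global-fragments
   leaf. The comparator names (spf-comparator is defined in the base
   module, not shown here), the documentation-prefix addresses and the
   exact fragment handling are assumptions; the fragment case shows the
   reason the global-fragments leaf exists: a port-based deny cannot see
   the port of a non-initial fragment, so without it the fragment falls
   through to a later Layer-3-only permit.

```python
"""IPv4 Packet Filter Entry evaluation shaped like the spf-ip module above.
Added example, not the draft's code: wildcard-mask semantics follow the leaf
descriptions; comparator names and the fragment handling are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP = 6
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
ANY = ("0.0.0.0", "255.255.255.255")   # ip-source-any / ip-dest-any, per the module text
PortSpec = Optional[tuple]             # None, ("range", lo, hi) or (comparator, port)

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None     # None on non-initial fragments: no L4 header
    dst_port: Optional[int] = None
    tcp_flags: int = 0
    non_initial_fragment: bool = False

@dataclass
class IpPfe:
    name: str
    action: str                        # permit or deny (spf:PFE-COMMON, not shown)
    src: tuple = ANY                   # (ip-source-address, ip-source-mask)
    dst: tuple = ANY                   # (ip-dest-address, ip-dest-mask)
    protocol: Optional[int] = None
    src_ports: PortSpec = None
    dest_ports: PortSpec = None
    tcp_flag_value: Optional[int] = None
    tcp_flag_mask: Optional[int] = None
    tcp_flag_operation: str = "match-any"   # the module's default
    fragments: bool = False            # leaf fragments: non-initial fragments only

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard mask means 'don't care': 10.1.1.2/0.0.0.0 is the
    single host 10.1.1.2, 0.0.0.0/255.255.255.255 is 'any'. Writing a subnet
    mask here by habit silently inverts the rule."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def port_match(port: Optional[int], spec: PortSpec) -> bool:
    if spec is None:
        return True
    if spec[0] == "range":
        _, lo, hi = spec
        if lo > hi:                    # the module's must-statement on port-upper
            raise ValueError("port-lower must be <= port-upper")
        return lo <= port <= hi
    op, n = spec                       # comparator names assumed (spf-comparator is in the base module)
    return {"eq": port == n, "neq": port != n, "lt": port < n,
            "gt": port > n, "le": port <= n, "ge": port >= n}[op]

def tcp_flags_match(flags: int, value: Optional[int], mask: Optional[int], op: str) -> bool:
    """tcp-flag-mask selects the bits compared, tcp-flag-value their required
    state; match-all needs every selected bit to agree, match-any at least one."""
    if value is None:
        return True
    mask = value if mask is None else mask
    agreeing = ~(flags ^ value) & mask
    return agreeing == mask if op == "match-all" else agreeing != 0

def pfe_matches(pfe: IpPfe, pkt: Packet) -> bool:
    if pfe.fragments and not pkt.non_initial_fragment:
        return False
    if not (wildcard_match(pkt.src, *pfe.src) and wildcard_match(pkt.dst, *pfe.dst)):
        return False
    if pfe.protocol is not None and pfe.protocol != pkt.protocol:
        return False
    needs_l4 = (pfe.src_ports is not None or pfe.dest_ports is not None
                or pfe.tcp_flag_value is not None)
    if pkt.non_initial_fragment:       # no L4 header: port/flag entries cannot match it
        return not needs_l4
    return (port_match(pkt.src_port, pfe.src_ports) and port_match(pkt.dst_port, pfe.dest_ports)
            and tcp_flags_match(pkt.tcp_flags, pfe.tcp_flag_value, pfe.tcp_flag_mask,
                                pfe.tcp_flag_operation))

def evaluate(pfes, pkt: Packet, global_fragments: str = "not-set") -> str:
    """ordered-by user: first match wins, implicit deny at the end. With
    global-fragments set, a non-initial fragment is decided by that leaf unless
    an entry carrying 'fragments' explicitly matches it (one reading of the text)."""
    if pkt.non_initial_fragment and global_fragments != "not-set":
        for pfe in pfes:
            if pfe.fragments and pfe_matches(pfe, pkt):
                return pfe.action
        return "permit" if global_fragments == "permit-all" else "deny"
    for pfe in pfes:
        if pfe_matches(pfe, pkt):
            return pfe.action
    return "deny"

# Constructed policy on documentation prefixes: deny SSH to the server, permit
# high ports from one prefix, permit established TCP (ACK set, SYN clear) into
# the subnet, then a broad Layer-3-only permit to the server.
POLICY = [
    IpPfe("10", "deny", dst=("192.0.2.10", "0.0.0.0"), protocol=TCP, dest_ports=("eq", 22)),
    IpPfe("20", "permit", src=("198.51.100.0", "0.0.0.255"), dst=("192.0.2.10", "0.0.0.0"),
          protocol=TCP, dest_ports=("range", 1024, 65535)),
    IpPfe("30", "permit", dst=("192.0.2.0", "0.0.0.255"), protocol=TCP, tcp_flag_value=TCP_FLAGS["ack"],
          tcp_flag_mask=TCP_FLAGS["ack"] | TCP_FLAGS["syn"], tcp_flag_operation="match-all"),
    IpPfe("40", "permit", dst=("192.0.2.10", "0.0.0.0")),
]

def decisions(global_fragments: str = "not-set") -> dict:
    """Constructed packets; 'fragment' is a non-initial fragment of the SSH flow
    that entry 10 denies. With global-fragments not set it reaches entry 40."""
    pkts = {
        "ssh": Packet("198.51.100.7", "192.0.2.10", TCP, 40000, 22, TCP_FLAGS["syn"]),
        "web": Packet("198.51.100.7", "192.0.2.10", TCP, 40001, 8080, TCP_FLAGS["syn"]),
        "reply": Packet("203.0.113.5", "192.0.2.20", TCP, 443, 50000, TCP_FLAGS["ack"]),
        "handshake": Packet("203.0.113.5", "192.0.2.20", TCP, 443, 50000, TCP_FLAGS["syn"] | TCP_FLAGS["ack"]),
        "fragment": Packet("198.51.100.7", "192.0.2.10", TCP, non_initial_fragment=True),
    }
    return {name: evaluate(POLICY, p, global_fragments) for name, p in pkts.items()}
```

   With global-fragments left at not-set, decisions() permits the
   non-initial fragment of the denied SSH flow because entries 10, 20 and
   30 all need Layer 4 fields that the fragment does not carry; setting
   global-fragments to deny-all, or adding an explicit deny entry with the
   fragments leaf, closes that gap.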
12. SPF-MAC Configuration YANG Module

   This module imports type definitions from the common-types YANG
   module defined in this document.

   <CODE BEGINS> file "spf-mac@2013-09-03.yang"

   module spf-mac {
     namespace "urn:cisco:params:xml:ns:yang:spf-mac";
     // replace with IANA namespace when assigned
     prefix spf-mac;

     import stateless-pf { prefix spf; }
     import common-types {
       prefix "c-types";
     }
     import ietf-inet-types {
       prefix "inet";
     }
     import ietf-yang-types {
       prefix "yang";
     }

     organization
       "IETF NETMOD (NETCONF Data Modeling Language) Working Group";

     contact
       "WG Web:   http://tools.ietf.org/wg/netmod/
        WG List:  netmod@ietf.org

        WG Chair: David Kessens
                  david.kessens@nsn.com

        WG Chair: Juergen Schoenwaelder
                  j.schoenwaelder@jacobs-university.de

        Editor:   Lisa Huang
                  yihuan@cisco.com

        Editor:   Alexander Clemm
                  alex@cisco.com

        Editor:   Andy Bierman
                  andy@yumaworks.com";

     description
       "This YANG module augments the 'stateless-pf' module with
        configuration and operational data for MAC stateless packet
        filters.

        A Stateless Packet Filter (SPF), also known as an Access
        Control List (ACL), is an ordered set of rules and actions
        used to filter traffic. Each rule and its action is
        represented as a Packet Filter Entry (PFE), also known as an
        Access Control Entry (ACE). PFEs are evaluated sequentially;
        when a rule matches, the action for that rule is applied to
        the packet.

        MAC SPFs - MAC SPFs are used to filter traffic using the
        information in the Layer 2 header of each packet.
        MAC SPFs are by default only applied to non-IP
        traffic; however, Layer 2 interfaces can be configured to
        apply MAC SPFs to all traffic.

        Terms and Acronyms

        PFE (pfe): Packet Filter Entry
        SPF (spf): Stateless Packet Filter
        AFI (afi): Authority and Format Identifier (Address Field
                   Identifier)
        CoS (cos): Class of Service
        MAC: Media Access Control
        TTL (ttl): Time to Live
        VLAN (vlan): Virtual Local Area Network
        VRF (vrf): Virtual Routing and Forwarding
       ";

     revision 2013-09-03 {
       description "Initial revision.";
     }

     /* Features */

     feature ethertype-mask {
       description
         "The ability to filter packets based on an Ethertype mask
          in hex 0x0-0xFFFF.";
     }

     /* Identities */

     identity mac-spf {
       base spf:spf-type;
       description "Layer 2 SPF type";
     }

     /* Groupings */

     grouping MAC-SOURCE-NETWORK {
       description "MAC address and mask pair for source.";

       grouping MAC-SOURCE-HOST {
         description
           "Wrapper grouping for the host address-or-name choice
            so that it can be used inside a case.";
         choice src-address-or-name {
           mandatory true;
           leaf source-host-address {
             type yang:mac-address;
             description
               "A single host; equivalent to this address with an
                all-zero mask.";
           }
           leaf source-host-name {
             if-feature spf:host-by-name;
             type inet:domain-name;
           }
         }
       }

       choice source-network {
         mandatory true;
         case source-mac {
           description
             "Address and mask pair expressing a set of addresses.";
           leaf source-address {
             type yang:mac-address;
             mandatory true;
             description "A source MAC address.";
           }
           leaf source-address-mask {
             type yang:mac-address;
             mandatory true;
             description "A source MAC address mask.";
           }
         }
         leaf source-any {
           type empty;
           description "Any source address.";
         }
         case source-host {
           description
             "A single host, given by address or name.";
           uses MAC-SOURCE-HOST;
         }
       }
     }

     grouping MAC-DESTINATION-NETWORK {
       description
         "MAC address and mask pair for destination.";

       grouping MAC-DESTINATION-HOST {
         description
           "Wrapper grouping for the host address-or-name choice
            so that it can be used inside a case.";
         choice dest-address-or-name {
           mandatory true;
           leaf dest-host-address {
             type yang:mac-address;
             description
               "A single host; equivalent to this address with an
                all-zero mask.";
           }
           leaf dest-host-name {
             if-feature spf:host-by-name;
             type inet:domain-name;
           }
         }
       }

       choice dest-network {
         mandatory true;
         case dest-mac {
           description
             "Address and mask pair expressing a set of addresses.";
           leaf dest-address {
             type yang:mac-address;
             mandatory true;
             description "A destination MAC address.";
           }
           leaf dest-address-mask {
             type yang:mac-address;
             mandatory true;
             description "A destination MAC address mask.";
           }
         }
         leaf dest-any {
           type empty;
           description "Any destination address.";
         }
         case dest-host {
           description
             "A single host, given by address or name.";
           uses MAC-DESTINATION-HOST;
         }
       }
     }

     /* Layer 2 SPF */

     augment "/spf:spfs/spf:spf" {
       when "spf:spf-type = 'mac-spf'";
       description
         "Layer 2 Packet Filter Entry (PFE). The mac-pfes
          container contains a list of mac-pfe. Each mac-pfe is
          comprised of a name, an optional remark and a rule.
          A rule is referred to as 'packet-filter', although it
          contains both a filter and an action.
          The packet-filter requires a mandatory action (permit/deny)
          and one or more options such as source address with mask,
          Ethertype, VLAN etc.";

       container mac-pfes {
         list mac-pfe {
           key name;
           ordered-by user;

           leaf name {
             type spf:spf-name-string;
             description "Unique PFE identifier.";
           }

           choice remark-or-mac-pfe {
             leaf remark {
               type spf:spf-remark;
               // mandatory true;
             }
             case mac-pfe {
               container filters {
                 uses MAC-SOURCE-NETWORK;
                 uses MAC-DESTINATION-NETWORK;

                 leaf ethertype {
                   type c-types:ether-type;
                   description
                     "Ethertype (also known as protocol) in hex
                      0x0-0xffff.";
                 }
                 leaf ethertype-mask {
                   if-feature ethertype-mask;
                   when "boolean(../ethertype)";
                   type c-types:ether-type;
                   default "0x0000";
                   description
                     "Ethertype mask in hex 0x0-0xFFFF. A set bit
                      marks a bit of the Ethertype that is not
                      compared; the default 0x0 is an exact match.";
                 }
                 leaf cos {
                   type c-types:cos;
                   description "CoS value <0-7>";
                 }
                 leaf time-range {
                   type spf:time-range-ref;
                   description
                     "Refer to a time range object by name; the
                      entry applies only within that range.";
                 }
                 leaf vlan {
                   type c-types:vlan-identifier;
                   description "VLAN number";
                 }
                 uses spf:FILTER-COMMON;
               } // container filters
               uses spf:PFE-COMMON;
             } // case mac-pfe
           } // choice remark-or-mac-pfe
         } // list mac-pfe
       } // container mac-pfes
     } // augment
   }

   <CODE ENDS>
<CODE BEGINS> file "acl-arp@2012-10-12.yang" 13. SPF-ARP Configuration YANG Module
module acl-arp { <CODE BEGINS> file "spf-arp@2013-09-03.yang"
namespace "urn:cisco:params:xml:ns:yang:acl-arp";
// replace with IANA namespace when assigned
prefix acl-arp;
import acl { prefix acl; } module spf-arp {
import acl-ip { prefix acl-ip; } namespace "urn:cisco:params:xml:ns:yang:spf-arp";
import acl-mac { prefix acl-mac; } // replace with IANA namespace when assigned
prefix spf-arp;
organization import stateless-pf { prefix spf; }
"IETF NETMOD (NETCONF Data Modeling Language) Working Group"; import spf-ip { prefix spf-ip; }
import spf-mac { prefix spf-mac; }
contact organization
"WG Web: http://tools.ietf.org/wg/netmod/ "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
WG List: netmod@ietf.org
WG Chair: David Kessens contact
david.kessens@nsn.com "WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
WG Chair: Juergen Schoenwaelder WG Chair: David Kessens
j.schoenwaelder@jacobs-university.de david.kessens@nsn.com
Editor: Lisa Huang WG Chair: Juergen Schoenwaelder
yihuan@cisco.com j.schoenwaelder@jacobs-university.de
Editor: Alexander Clemm
alex@cisco.com
Editor: Andy Bierman Editor: Lisa Huang
andy@yumaworks.com"; yihuan@cisco.com
description
"This YANG module augments the 'acl' module with
configuration and operational data for ARP access control list
An ACL is an ordered set of rules and actions used to filter Editor: Alexander Clemm
traffic. alex@cisco.com
Each set of rules and actions is represented as an Access
Control Entries (ACE). Each ACE is evaluated sequentially.
When the rule matches then action for that rule is applied
to the packet.
ARP ACLs - The device applies ARP ACLs to IP traffic. Editor: Andy Bierman
andy@yumaworks.com";
description
"This YANG module augments the 'stateless-pf' module with
configuration and operational data for ARP stateless
packet filter.
Terms and Acronyms An Stateless Packet Filter (SPF), also know as an Access
ACE (ace): Access Control Entry Control List (SPF), is an ordered set of rules and
actions used to filter traffic.
Each set of rules and actions is represented as a Packet Filter
Entry (PFE), also know as an Access
Control Entries (PFE). Each PFE is evaluated sequentially.
When the rule matches then action for that rule is applied
to the packet.
ACL (acl): Access Control List ARP SPFs - The device applies ARP SPFs to IP traffic.
ARP (arp): Address Resolution Protocol Terms and Acronyms
PFE (pfe): Packet Filter Entry
IP (ip): Internet Protocol SPF (spf): Stateless Packet Filter
MAC: Media Access Control ARP (arp): Address Resolution Protocol
VLAN (vlan): Virtual Local Area Network IP (ip): Internet Protocol
";
reference
"Access List Commands on Cisco IOS XR Software,
Cisco Nexus 7000 Series NX-OS Security Configuration Guide,
Catalyst 6500 Release 12.2SX Software Configuration Guide,
ACL TCP Flags Filtering";
revision 2012-10-12 { MAC: Media Access Control
description "Initial revision. ";
}
/* Identities */ VLAN (vlan): Virtual Local Area Network
";
identity arp-acl { revision 2013-09-03 {
base "acl:acl-type"; description "Initial revision. ";
description "ARP ACL type"; }
}
/* Data Nodes */
augment "/acl:acls/acl:acl" { /* Identities */
when "acl:acl-type = 'arp-acl'";
description "ARP Access Control Entry (ACE)."; identity arp-spf {
container arp-aces { base "spf:spf-type";
list arp-ace { description "ARP SPF type";
key "name"; }
ordered-by user;
leaf name { /* Data Nodes */
type acl:acl-name-string;
}
choice remark-or-arp-ace { augment "/spf:spfs/spf:spf" {
leaf remark { when "spf:spf-type = 'arp-spf'";
type acl:acl-remark;
// mandatory true;
}
case arp-ace {
container filters {
leaf direction {
default "bi-direction";
type enumeration {
enum bi-direction;
enum request;
enum response;
}
description "ARP request/response.";
}
uses acl-ip:IP-SOURCE-NETWORK; description "ARP Packet FIlter Entry (PFE).";
uses acl-ip:IP-DESTINATION-NETWORK { container arp-pfes {
when "../direction = 'response'"; list arp-pfe {
} key "name";
ordered-by user;
uses acl-mac:MAC-SOURCE-NETWORK; leaf name {
uses acl-mac:MAC-DESTINATION-NETWORK { type spf:spf-name-string;
when "../direction = 'response'"; }
}
uses acl:FILTER-COMMON; choice remark-or-arp-pfe {
leaf remark {
type spf:spf-remark;
// mandatory true;
}
case arp-pfe {
container filters {
leaf direction {
default "bi-direction";
type enumeration {
enum bi-direction;
enum request;
enum response;
}
description "ARP request/response.";
}
} // container filters uses spf-ip:IP-SOURCE-NETWORK;
uses spf-ip:IP-DESTINATION-NETWORK {
when "../direction = 'response'";
}
uses acl:ACE-COMMON; uses spf-mac:MAC-SOURCE-NETWORK;
uses spf-mac:MAC-DESTINATION-NETWORK {
when "../direction = 'response'";
}
} // case arp-ace uses spf:FILTER-COMMON;
} // choice remark-or-arp-ace
} // list arp-ace
} // container arp-aces
} // augment
} } // container filters
uses spf:PFE-COMMON;
</CODE ENDS> } // case arp-pfe
} // choice remark-or-arp-pfe
} // list arp-pfe
} // container arp-pfes
} // augment
14. COMMON-TYPES YANG Module }
<CODE BEGINS> file "common-types@2012-10-12.yang" <CODE ENDS>
module common-types { 14. COMMON-TYPES YANG Module
namespace "urn:cisco:params:xml:ns:yang:common-types";
// replace with IANA namespace when assigned
prefix c-types;
organization <CODE BEGINS> file "common-types@2012-10-12.yang"
"IETF NETMOD (NETCONF Data Modeling Language) Working Group";
contact module common-types {
"WG Web: http://tools.ietf.org/wg/netmod/ namespace "urn:cisco:params:xml:ns:yang:common-types";
WG List: netmod@ietf.org // replace with IANA namespace when assigned
prefix c-types;
WG Chair: David Kessens organization
david.kessens@nsn.com "IETF NETMOD (NETCONF Data Modeling Language) Working Group";
WG Chair: Juergen Schoenwaelder contact
j.schoenwaelder@jacobs-university.de "WG Web: http://tools.ietf.org/wg/netmod/
WG List: netmod@ietf.org
Editor: Lisa Huang WG Chair: David Kessens
yihuan@cisco.com david.kessens@nsn.com
Editor: Alexander Clemm WG Chair: Juergen Schoenwaelder
alex@cisco.com j.schoenwaelder@jacobs-university.de
Editor: Andy Bierman Editor: Lisa Huang
andy@yumaworks.com"; yihuan@cisco.com
description Editor: Alexander Clemm
"This module contains a collection of generally useful alex@cisco.com
YANG types could be referred from multiple speciality
components.
Terms and Acronyms Editor: Andy Bierman
CoS (cos): Class of Service andy@yumaworks.com";
ICMP (icmp): Internet Control Message Protocol description
"This module contains a collection of generally useful
YANG types could be referred from multiple speciality
components.
IGMP (igmp): Internet Group Management Protocol Terms and Acronyms
IP (ip): Internet Protocol CoS (cos): Class of Service
IPv4 (ipv4):Internet Protocol Version 4 ICMP (icmp): Internet Control Message Protocol
IPv6 (ipv6): Internet Protocol Version 6 IGMP (igmp): Internet Group Management Protocol
TCP (tcp): Transmission Control Protocol IP (ip): Internet Protocol
ToS (tos): Type of Service IPv4 (ipv4):Internet Protocol Version 4
TTL (ttl): Time to Live IPv6 (ipv6): Internet Protocol Version 6
UDP (udp): User Datagram Protocol TCP (tcp): Transmission Control Protocol
VLAN (vlan): Virtual Local Area Network ToS (tos): Type of Service
";
revision 2012-10-12 {
description "Initial revision. ";
}
/* Typedefs */ TTL (ttl): Time to Live
typedef cos { UDP (udp): User Datagram Protocol
type uint8 {
range "0..7";
}
description
"Class of Service.
An integer that is in the range of the layer 2 CoS values.
This corresponds to the 802.1p and ISL CoS values.";
reference "IEEE 802.1p";
}
typedef tos { VLAN (vlan): Virtual Local Area Network
type uint8 { ";
range "0..15"; revision 2012-10-12 {
} description "Initial revision. ";
description }
"tos stands for Type of service .
The tos field are five bits in the IPv4 header.
It could specify a datagrams priority and
request a route for low-delay, high-throughput,
or highly-reliable service.
Based on these TOS values, a packet would be placed in /* Typedefs */
an prioritized outgoing queue, or take a route with
appropriate latency, throughput, or reliability.
The following are TOS field values (expressed as
binary numbers):
1000 -- minimize delay typedef cos {
0100 -- maximize throughput type uint8 {
0010 -- maximize reliability range "0..7";
0001 -- minimize monetary cost }
0000 -- normal service description
"Class of Service.
An integer that is in the range of the layer 2 CoS values.
This corresponds to the 802.1p and ISL CoS values.";
reference "IEEE 802.1p";
}
."; typedef tos {
type uint8 {
range "0..15";
}
description
"tos stands for Type of service .
The tos field are five bits in the IPv4 header.
It could specify a datagrams priority and
request a route for low-delay, high-throughput,
or highly-reliable service.
reference Based on these TOS values, a packet would be placed in
"RFC 791 Internet Protocol an prioritized outgoing queue, or take a route with
Protocol Specification appropriate latency, throughput, or reliability.
RFC 1122 Requirements for Internet Hosts -- The following are TOS field values (expressed as
Communication Layers binary numbers):
RFC 1349 Type of Service in the Internet Protocol
Suite
RFC 2474 Definition of the Differentiated Services
Field (DS Field)
in the IPv4 and IPv6 Headers
RFC 3168 The Addition of Explicit Congestion
Notification (ECN) to IP
";
}
typedef precedence { 1000 -- minimize delay
type uint8 { 0100 -- maximize throughput
range "0..7"; 0010 -- maximize reliability
} 0001 -- minimize monetary cost
description 0000 -- normal service
"Indicates the IP precedence.
Precedence is three bits in IP header.
Value Description .";
-------------------
000 (0) Routine or Best Effort
001 (1) Priority
010 (2) Immediate
011 (3) Flash - mainly used for Voice Signaling
or for Video.
100 (4) Flash Override
101 (5) Critical -mainly used for Voice RTP.
110 (6) Internet reference
111 (7) Network"; "RFC 791 Internet Protocol
Protocol Specification
RFC 1122 Requirements for Internet Hosts --
Communication Layers
RFC 1349 Type of Service in the Internet Protocol
Suite
RFC 2474 Definition of the Differentiated Services
Field (DS Field)
in the IPv4 and IPv6 Headers
RFC 3168 The Addition of Explicit Congestion
Notification (ECN) to IP
";
}
reference typedef precedence {
"RFC 791 Internet Protocol Chapter 3.1 type uint8 {
Protocol Specification"; range "0..7";
} }
description
"Indicates the IP precedence.
Precedence is three bits in IP header.
typedef tcp-flag-type { Value Description
type bits { -------------------
bit fin { 000 (0) Routine or Best Effort
position 0; 001 (1) Priority
description "No more data from sender"; 010 (2) Immediate
} 011 (3) Flash - mainly used for Voice Signaling
bit syn { or for Video.
position 1; 100 (4) Flash Override
description "Synchronize sequence numbers"; 101 (5) Critical -mainly used for Voice RTP.
} 110 (6) Internet
bit rst { 111 (7) Network";
position 2;
description "Reset the connection";
}
bit psh {
position 3;
description "Push Function";
}
bit ack {
position 4;
description "Acknowledgment field significant";
}
bit urg {
position 5;
description "Urgent Pointer field significant";
}
}
description "TCP flag type";
reference "RFC 793 TRANSMISSION CONTROL PROTOCOL";
}
typedef ether-type { reference
type string { "RFC 791 Internet Protocol Chapter 3.1
pattern '0x[0-9a-fA-F]{4}'; Protocol Specification";
} }
description
"ether-type is 0x0-0xffff. The protocol number
is a four-byte hexadecimal number prefixed with 0x.
Valid protocol numbers are from 0x0 to 0xffff.
This list shows the EtherType values and their typedef tcp-flag-type {
corresponding protocol keywords: type bits {
bit fin {
position 0;
description "No more data from sender";
}
bit syn {
position 1;
description "Synchronize sequence numbers";
}
bit rst {
position 2;
description "Reset the connection";
}
bit psh {
position 3;
description "Push Function";
}
bit ack {
position 4;
description "Acknowledgment field significant";
}
bit urg {
position 5;
description "Urgent Pointer field significant";
}
}
description "TCP flag type";
reference "RFC 793 TRANSMISSION CONTROL PROTOCOL";
}
0x0600 xns-idp Xerox XNS IDP typedef ether-type {
type string {
pattern '0x[0-9a-fA-F]{4}';
}
description
"ether-type is 0x0-0xffff. The protocol number
is a four-byte hexadecimal number prefixed with 0x.
Valid protocol numbers are from 0x0 to 0xffff.
0x0BAD vines-ip Banyan VINES IP This list shows the EtherType values and their
corresponding protocol keywords:
0x0baf vines-echo Banyan VINES Echo 0x0600 xns-idp Xerox XNS IDP
0x6000 etype-6000 DEC unassigned, experimental 0x0BAD vines-ip Banyan VINES IP
0x6001 mop-dump DEC Maintenance Operation Protocol 0x0baf vines-echo Banyan VINES Echo
(MOP) Dump/Load Assistance
0x6002 mop-console DEC MOP Remote Console 0x6000 etype-6000 DEC unassigned, experimental
0x6003 decnet-iv DEC DECnet Phase IV Route 0x6001 mop-dump DEC Maintenance Operation Protocol
(MOP) Dump/Load Assistance
0x6004 lat DEC Local Area Transport (LAT) 0x6002 mop-console DEC MOP Remote Console
0x6005 diagnostic DEC DECnet Diagnostics 0x6003 decnet-iv DEC DECnet Phase IV Route
0x6007 lavc-sca DEC Local-Area VAX Cluster (LAVC), SCA 0x6004 lat DEC Local Area Transport (LAT)
0x6008 amber DEC AMBER 0x6005 diagnostic DEC DECnet Diagnostics
0x6009 mumps DEC MUMPS 0x6007 lavc-sca DEC Local-Area VAX Cluster (LAVC), SCA
0x0800 ip Malformed, invalid, or deliberately corrupt 0x6008 amber DEC AMBER
IP frames
0x8038 dec-spanning DEC LANBridge Management 0x6009 mumps DEC MUMPS
0x8039 dsm DEC DSM/DDP 0x0800 ip Malformed, invalid, or deliberately corrupt
IP frames
0x8040 netbios DEC PATHWORKS DECnet NETBIOS Emulation 0x8038 dec-spanning DEC LANBridge Management
0x8041 msdos DEC Local Area System Transport 0x8039 dsm DEC DSM/DDP
0x8042 etype-8042 DEC unassigned 0x8040 netbios DEC PATHWORKS DECnet NETBIOS Emulation
0x809B appletalk Kinetics EtherTalk (AppleTalk over 0x8041 msdos DEC Local Area System Transport
Ethernet)
0x80F3 aarp Kinetics AppleTalk Address Resolution 0x8042 etype-8042 DEC unassigned
Protocol (AARP)
bpdu-sap BPDU SAP encapsulated packets 0x809B appletalk Kinetics EtherTalk (AppleTalk over
bpdu-snap BPDU SNAP encapsulated packets Ethernet)
ipx-arpa IPX Advanced Research Projects Agency
(ARPA)
ipx-non-arpa IPX non arpa
lacp Link Aggregation Control Protocol(LACP)
encapsulated packets
pagp Port Aggregation Protocol(PAGP)
encapsulated packets
vtp VTP packets
";
}
typedef ip-protocol { 0x80F3 aarp Kinetics AppleTalk Address Resolution
type uint8{ Protocol (AARP)
range "0..255";
}
description
"The Internet Protocol (IP) is the principal communications
protocol used for relaying datagrams (also known as network
packets) across an internetwork using the Internet Protocol
Suite.
IP protocol number value is 0 to 255. It is an 8 bit field bpdu-sap BPDU SAP encapsulated packets
in the packet header"; bpdu-snap BPDU SNAP encapsulated packets
reference ipx-arpa IPX Advanced Research Projects Agency
"IANA Protocol Numbers (ARPA)
RFC5237 IANA Allocation Guidelines for the Protocol Field"; ipx-non-arpa IPX non arpa
} lacp Link Aggregation Control Protocol(LACP)
encapsulated packets
pagp Port Aggregation Protocol(PAGP)
encapsulated packets
vtp VTP packets
";
}
typedef igmp-code { typedef ip-protocol {
//TODO: need more work. In NxOs, range is 0..15. type uint8{
// Could not match the IGMP with 0..15 range "0..255";
type uint8 ;/* { }
range "0..15"; description
}*/ "The Internet Protocol (IP) is the principal communications
//IGMP v1 4 bits 0-15 protocol used for relaying datagrams (also known as network
//IGMP v2 8bits. 0- packets) across an internetwork using the Internet Protocol
//NXOS only support v1, but XR support v2. Suite.
//
description IP protocol number value is 0 to 255. It is an 8 bit field
"Many of these IGMP types have a 'code' field. Here is in the packet header";
the list of the types again with their assigned reference
code fields. "IANA Protocol Numbers
RFC5237 IANA Allocation Guidelines for the Protocol Field";
}
Type Name Reference typedef igmp-code {
--------- ------------------------------------ --------- //TODO: need more work. In NxOs, range is 0..15.
0x11 IGMP Membership Query [RFC1112] // Could not match the IGMP with 0..15
0x12 IGMPv1 Membership Report [RFC1112] type uint8 ;/* {
0x13 DVMRP [RFCDVMRP] range "0..15";
0x14 PIM version 1 [PIMv1] }*/
0x15 Cisco Trace Messages //IGMP v1 4 bits 0-15
0x16 IGMPv2 Membership Report [RFC2236] //IGMP v2 8bits. 0-
0x17 IGMPv2 Leave Group [RFC2236] //NXOS only support v1, but XR support v2.
0x1e Multicast Traceroute Response [Fenner] //
0x1f Multicast Traceroute [Fenner]
0x22 IGMPv3 Membership Report [RFC3376]
";
reference
"IANA Internet Group Management Protocol (IGMP) Type
Numbers";
}
typedef icmp-type { description
type uint32 { "Many of these IGMP types have a 'code' field. Here is
range "0..255"; the list of the types again with their assigned
} code fields.
description
"icmp-type is the Internet Control Message Protocol (ICMP)
'type' field.
The ICMP header starts after the IPv4 header. All ICMP
packets will have an 8-byte header and variable-sized
data section.
The first 4 bytes of the header will be consistent.
The first byte is for the ICMP type. The second byte is
for the ICMP code.
ICMP type is specified below
Type Name Reference Type Name Reference
---- ------------------------- --------- --------- ------------------------------------ ---------
0 Echo Reply [RFC792] 0x11 IGMP Membership Query [RFC1112]
1 Unassigned [JBP] 0x12 IGMPv1 Membership Report [RFC1112]
2 Unassigned [JBP] 0x13 DVMRP [RFCDVMRP]
3 Destination Unreachable [RFC792] 0x14 PIM version 1 [PIMv1]
4 Source Quench [RFC792] 0x15 Cisco Trace Messages
5 Redirect [RFC792] 0x16 IGMPv2 Membership Report [RFC2236]
6 Alternate Host Address [JBP] 0x17 IGMPv2 Leave Group [RFC2236]
7 Unassigned [JBP] 0x1e Multicast Traceroute Response [Fenner]
8 Echo [RFC792] 0x1f Multicast Traceroute [Fenner]
9 Router Advertisement [RFC1256] 0x22 IGMPv3 Membership Report [RFC3376]
10 Router Selection [RFC1256] ";
11 Time Exceeded [RFC792] reference
12 Parameter Problem [RFC792] "IANA Internet Group Management Protocol (IGMP) Type
13 Timestamp [RFC792] Numbers";
14 Timestamp Reply [RFC792] }
15 Information Request [RFC792]
16 Information Reply [RFC792]
17 Address Mask Request [RFC950]
18 Address Mask Reply [RFC950]
19 Reserved (for Security) [Solo]
20-29 Reserved (for Robustness Experiment) [ZSu]
30 Traceroute [RFC1393]
31 Datagram Conversion Error [RFC1475]
32 Mobile Host Redirect [David Johnson]
33 IPv6 Where-Are-You [Bill Simpson]
34 IPv6 I-Am-Here [Bill Simpson]
35 Mobile Registration Request [Bill Simpson]
36 Mobile Registration Reply [Bill Simpson]
37-255 Reserved [JBP]";
reference
"RFC1700 ASSIGNED NUMBERS
RFC792 Internet Control Message Protocol
RFC4443 Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification
RFC2780 IANA Allocation Guidelines For Values In
the Internet Protocol and Related Headers";
}
typedef icmp-code { typedef icmp-type {
type uint32 { type uint32 {
range "0..255"; range "0..255";
} }
description description
"ICMP subtype to the given type. "icmp-type is the Internet Control Message Protocol (ICMP)
The ICMP header starts after the IPv4 header. All ICMP 'type' field.
packets will have an 8-byte header and variable-sized The ICMP header starts after the IPv4 header. All ICMP
data section. packets will have an 8-byte header and variable-sized
The first 4 bytes of the header will be consistent. data section.
The first byte is for the ICMP type. The second byte The first 4 bytes of the header will be consistent.
is for the ICMP code. "; The first byte is for the ICMP type. The second byte is
reference "RFC2 INTERNET CONTROL MESSAGE PROTOCOL"; for the ICMP code.
} ICMP type is specified below
typedef vlan-identifier { Type Name Reference
type uint16 { ---- ------------------------- ---------
range "1 .. 4095"; 0 Echo Reply [RFC792]
} 1 Unassigned [JBP]
description 2 Unassigned [JBP]
"This type denotes a VLAN tag. "; 3 Destination Unreachable [RFC792]
reference 4 Source Quench [RFC792]
"RFC3069 VLAN Aggregation for Efficient IP Address 5 Redirect [RFC792]
Allocation 6 Alternate Host Address [JBP]
IEEE 802.1Q"; 7 Unassigned [JBP]
8 Echo [RFC792]
9 Router Advertisement [RFC1256]
10 Router Selection [RFC1256]
11 Time Exceeded [RFC792]
12 Parameter Problem [RFC792]
13 Timestamp [RFC792]
14 Timestamp Reply [RFC792]
15 Information Request [RFC792]
16 Information Reply [RFC792]
17 Address Mask Request [RFC950]
18 Address Mask Reply [RFC950]
19 Reserved (for Security) [Solo]
20-29 Reserved (for Robustness Experiment) [ZSu]
30 Traceroute [RFC1393]
31 Datagram Conversion Error [RFC1475]
32 Mobile Host Redirect [David Johnson]
33 IPv6 Where-Are-You [Bill Simpson]
34 IPv6 I-Am-Here [Bill Simpson]
35 Mobile Registration Request [Bill Simpson]
36 Mobile Registration Reply [Bill Simpson]
37-255 Reserved [JBP]";
reference
"RFC1700 ASSIGNED NUMBERS
RFC792 Internet Control Message Protocol
RFC4443 Internet Control Message Protocol (ICMPv6)
for the Internet Protocol Version 6 (IPv6)
Specification
RFC2780 IANA Allocation Guidelines For Values In
the Internet Protocol and Related Headers";
}
} typedef icmp-code {
type uint32 {
range "0..255";
}
description
"ICMP subtype to the given type.
The ICMP header starts after the IPv4 header. All ICMP
packets will have an 8-byte header and variable-sized
data section.
The first 4 bytes of the header will be consistent.
The first byte is for the ICMP type. The second byte
is for the ICMP code. ";
reference "RFC2 INTERNET CONTROL MESSAGE PROTOCOL";
}
typedef time-to-live { typedef vlan-identifier {
type uint8 { type uint16 {
range "0..255"; range "1 .. 4095";
} }
description "The TTL is an 8-bit field in IP header. description
The maximum TTL value is 255."; "This type denotes a VLAN tag. ";
} reference
} "RFC3069 VLAN Aggregation for Efficient IP Address
Allocation
IEEE 802.1Q";
}
</CODE ENDS> typedef time-to-live {
type uint8 {
range "0..255";
}
description "The TTL is an 8-bit field in IP header.
The maximum TTL value is 255.";
}
}
<CODE ENDS>
15. Security Considerations

.

16. Open items from the previous revision

[draft-huang-netmod-acl-02.txt]

1. Are there any compatibility issues related to ACE ordering because a YANG user-order list is used instead of sequence IDs? This item is closely related to bullet item 3, see below.

2. Is an administrative function to test a packet against a specified ACL needed? The server would return an indication of permit or deny, and a leaf-list of the ACE entries that were evaluated. We believe that this addition would be valuable and have incorporated this suggestion into the "Additional Considerations" section. We expect to move it into the data model in the next revision.

3. Is the model applicable to multiple implementations - can other ACL models be accommodated? We have followed up with Juniper Yang experts, Kent Watsen and Phil Shafer, to review and check for applicability to Junos implementation. The initial feedback from Phil indicates that there do not seem to be any showstoppers and that the model does seem to be applicable. However, he suggested further scrutiny should occur. Kent identified additional Juniper experts to scrutinize the model more closely; so far no further comments have been received. We also followed up regarding whether there are other standardized models of ACLs, for example in conjunction with the Desktop Management Task Force's (DMTF) CIM (Common Information Model). ACL is not covered by the standardized portion of CIM, but there are vendor-specific extensions by vendors. We inspected one such vendor specific model and found that in essence the same design patterns were used as in the model specified in this Internet Draft, with an ACL corresponding to an ordered list of rules with filters or matching criteria, and actions to be taken in response. It appears that mappings between the models can be accommodated in a straightforward manner.

[draft-huang-netmod-acl-03.txt]

1. Are there any compatibility issues related to PFE ordering because a YANG user-order list is used instead of sequence IDs? This item is closely related to bullet item 3, see below.

2. Is an administrative function to test a packet against a specified SPF needed? The server would return an indication of permit or deny, and a leaf-list of the PFE entries that were evaluated. We believe that this addition would be valuable and have incorporated this suggestion into the "Additional Considerations" section. We expect to move it into the data model in the next revision.

3. Is the model applicable to multiple implementations - can other SPF models be accommodated? We have followed up with Juniper Yang experts, Kent Watsen and Phil Shafer, to review and check for applicability to Junos implementation. The initial feedback from Phil indicates that there do not seem to be any showstoppers and that the model does seem to be applicable. However, he suggested further scrutiny should occur. Kent identified additional Juniper experts to scrutinize the model more closely; so far no further comments have been received. We also followed up regarding whether there are other standardized models of SPFs, for example in conjunction with the Desktop Management Task Force's (DMTF) CIM (Common Information Model). SPF is not covered by the standardized portion of CIM, but there are vendor-specific extensions by vendors. We inspected one such vendor specific model and found that in essence the same design patterns were used as in the model specified in this Internet Draft, with an SPF corresponding to an ordered list of rules with filters or matching criteria, and actions to be taken in response. It appears that mappings between the models can be accommodated in a straightforward manner.
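The evaluation rule stated in the module descriptions (PFEs are evaluated sequentially, the first matching rule's action applies) and the test function sketched in open item 2 above can be exercised against the mac-pfe list of the spf-mac augment. The following is an added example, not code from the draft or its YANG modules; the dataclass layout, the wildcard reading of ethertype-mask (a set mask bit is "don't care", which makes the model's default 0x0000 an exact match as its description says), the sample entries and the implicit deny when nothing matches are all assumptions.

```python
"""Sequential evaluation of a user-ordered MAC packet-filter list.

Added example, not part of the draft. It models the mac-pfe list from
the spf-mac augment (ordered-by user; a remark entry carries no filter;
a filter may give ethertype, ethertype-mask, vlan and cos and has a
permit/deny action) and the function asked for in open item 2: test a
frame against a specified SPF and return permit or deny plus the names
of the PFEs that were evaluated.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Pattern of c-types:ether-type from the common-types module.
ETHER_TYPE_RE = re.compile(r"^0x[0-9a-fA-F]{4}$")


def parse_ether_type(text: str) -> int:
    """Validate a c-types:ether-type string and return its integer value."""
    if not ETHER_TYPE_RE.match(text):
        raise ValueError(f"not a c-types:ether-type: {text!r}")
    return int(text, 16)


@dataclass
class Frame:
    """Constructed layer-2 header fields a mac-pfe filter can match on."""
    ethertype: int
    vlan: Optional[int] = None
    cos: Optional[int] = None


@dataclass
class MacPfe:
    """One mac-pfe list entry: a remark, or a filter with its action."""
    name: str
    remark: Optional[str] = None
    action: Optional[str] = None       # "permit" or "deny"
    ethertype: Optional[str] = None    # c-types:ether-type string
    ethertype_mask: str = "0x0000"     # default from the model
    vlan: Optional[int] = None
    cos: Optional[int] = None


def ethertype_matches(frame_et: int, filt_et: str, mask: str) -> bool:
    """Assumed wildcard semantics: bits set in the mask are ignored,
    so the default mask 0x0000 requires an exact EtherType match."""
    want = parse_ether_type(filt_et)
    dont_care = parse_ether_type(mask)
    return ((frame_et ^ want) & ~dont_care & 0xFFFF) == 0


def pfe_matches(pfe: MacPfe, frame: Frame) -> bool:
    """A filter matches when every option it specifies matches the frame."""
    if pfe.ethertype is not None and not ethertype_matches(
            frame.ethertype, pfe.ethertype, pfe.ethertype_mask):
        return False
    if pfe.vlan is not None and pfe.vlan != frame.vlan:
        return False
    if pfe.cos is not None and pfe.cos != frame.cos:
        return False
    return True


def evaluate_spf(pfes: List[MacPfe], frame: Frame,
                 default_action: str = "deny") -> Tuple[str, List[str]]:
    """Walk the user-ordered list; the first matching filter decides.

    Returns (action, names of the PFEs evaluated), the shape described
    in open item 2. Remarks are skipped because they carry no filter.
    A frame matching nothing falls through to default_action (the
    implicit deny is an assumption, not model text).
    """
    evaluated: List[str] = []
    for pfe in pfes:
        if pfe.remark is not None:
            continue
        evaluated.append(pfe.name)
        if pfe_matches(pfe, frame):
            return pfe.action, evaluated
    return default_action, evaluated


# Constructed sample SPF; entry names and values are illustrative only.
SAMPLE_PFES = [
    MacPfe("note", remark="Layer-2 policy for the management VLAN"),
    MacPfe("drop-arp-v200", action="deny", ethertype="0x0806", vlan=200),
    MacPfe("allow-dec-range", action="permit", ethertype="0x6000",
           ethertype_mask="0x000F"),   # covers 0x6000..0x600F
    MacPfe("allow-ip", action="permit", ethertype="0x0800"),
]

if __name__ == "__main__":
    for f in (Frame(0x0806, vlan=200), Frame(0x6003), Frame(0x0806, vlan=10)):
        print(f, "->", evaluate_spf(SAMPLE_PFES, f))
```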
17. Acknowledgements

We wish to acknowledge the helpful contributions, comments, and suggestions that were received from Louis Fourie, Dana Blair, Tula Kraiser, Patrick Gili, George Serpa, Martin Bjorklund, Kent Watsen, and Phil Shafer.

[draft-huang-netmod-acl-02.txt]

18. Normative References

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

[RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, October 2010.

[draft-huang-netmod-acl-03.txt]

18. References

18.1. Normative References

[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, October 2010.

[RFC6021] Schoenwaelder, J., "Common YANG Data Types", RFC 6021, October 2010.

18.2. Informative References

[if-config] Bjorklund, M., "A YANG Data Model for Interface Management", I-D draft-ietf-netmod-interfaces-cfg-12, July 2013.

Authors' Addresses

Lisa Huang
Cisco Systems
EMail: yihuan@cisco.com

Alexander Clemm
Cisco Systems