1 module ietf-access-control-list {
3 namespace "urn:ietf:params:xml:ns:yang:ietf-access-control-list";
6 import ietf-yang-types {
9 "RFC 6991 - Common YANG Data Types.";
12 import ietf-packet-fields {
15 "RFC 8519 - YANG Data Model for Network Access Control
19 import ietf-interfaces {
22 "RFC 8343 - A YANG Data Model for Interface Management.";
26 "IETF NETMOD (Network Modeling) Working Group.";
29 "WG Web: <https://datatracker.ietf.org/wg/netmod/>
30 WG List: netmod@ietf.org
32 Editor: Mahesh Jethanandani
33 mjethanandani@gmail.com
42 "This YANG module defines a component that describes the
43 configuration and monitoring of Access Control Lists (ACLs).
45 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
46 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
47 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
48 are to be interpreted as described in BCP 14 (RFC 2119)
49 (RFC 8174) when, and only when, they appear in all
50 capitals, as shown here.
52 Copyright (c) 2019 IETF Trust and the persons identified as
53 the document authors. All rights reserved.
55 Redistribution and use in source and binary forms, with or
56 without modification, is permitted pursuant to, and subject
57 to the license terms contained in, the Simplified BSD
58 License set forth in Section 4.c of the IETF Trust's Legal
59 Provisions Relating to IETF Documents
60 (http://trustee.ietf.org/license-info).
62 This version of this YANG module is part of RFC 8519; see
63 the RFC itself for full legal notices.";
69 "RFC 8519: YANG Data Model for Network Access Control
77 * Forwarding actions for a packet
80 identity forwarding-action {
82 "Base identity for actions in the forwarding category.";
86 base forwarding-action;
92 base forwarding-action;
94 "Drop packet without sending any ICMP error message.";
98 base forwarding-action;
100 "Drop the packet and send an ICMP error message to the source.";
104 * Logging actions for a packet
107 identity log-action {
109 "Base identity for defining the destination for logging
113 identity log-syslog {
116 "System log (syslog) the information for the packet.";
121 "No logging for the packet.";
125 * ACL type identities
130 "Base Access Control List type for all Access Control List type
134 identity ipv4-acl-type {
138 "An ACL that matches on fields from the IPv4 header
139 (e.g., IPv4 destination address) and Layer 4 headers (e.g., TCP
140 destination port). An ACL of type ipv4 does not contain
141 matches on fields in the Ethernet header or the IPv6 header.";
144 identity ipv6-acl-type {
148 "An ACL that matches on fields from the IPv6 header
149 (e.g., IPv6 destination address) and Layer 4 headers (e.g., TCP
150 destination port). An ACL of type ipv6 does not contain
151 matches on fields in the Ethernet header or the IPv4 header.";
154 identity eth-acl-type {
158 "An ACL that matches on fields in the Ethernet header,
159 like 10/100/1000baseT or a Wi-Fi Access Control List. An ACL
160 of type ethernet does not contain matches on fields in the
161 IPv4 header, the IPv6 header, or Layer 4 headers.";
164 identity mixed-eth-ipv4-acl-type {
165 base acl:eth-acl-type;
166 base acl:ipv4-acl-type;
167 if-feature "mixed-eth-ipv4";
169 "An ACL that contains a mix of entries that match
170 on fields in Ethernet headers and in IPv4 headers.
171 Matching on Layer 4 header fields may also exist in the
175 identity mixed-eth-ipv6-acl-type {
176 base acl:eth-acl-type;
177 base acl:ipv6-acl-type;
178 if-feature "mixed-eth-ipv6";
180 "An ACL that contains a mix of entries that match on fields
181 in Ethernet headers and in IPv6 headers. Matching
182 on Layer 4 header fields may also exist in the list.";
185 identity mixed-eth-ipv4-ipv6-acl-type {
186 base acl:eth-acl-type;
187 base acl:ipv4-acl-type;
188 base acl:ipv6-acl-type;
189 if-feature "mixed-eth-ipv4-ipv6";
191 "An ACL that contains a mix of entries that
192 match on fields in Ethernet headers, IPv4 headers, and IPv6
193 headers. Matching on Layer 4 header fields may also exist
202 * Features supported by device
204 feature match-on-eth {
206 "The device can support matching on Ethernet headers.";
209 feature match-on-ipv4 {
211 "The device can support matching on IPv4 headers.";
214 feature match-on-ipv6 {
216 "The device can support matching on IPv6 headers.";
219 feature match-on-tcp {
221 "The device can support matching on TCP headers.";
224 feature match-on-udp {
226 "The device can support matching on UDP headers.";
229 feature match-on-icmp {
231 "The device can support matching on ICMP (v4 and v6) headers.";
235 * Header classifications combinations supported by
240 if-feature "match-on-eth";
242 "Plain Ethernet ACL supported.";
246 if-feature "match-on-ipv4";
248 "Plain IPv4 ACL supported.";
252 if-feature "match-on-ipv6";
254 "Plain IPv6 ACL supported.";
257 feature mixed-eth-ipv4 {
258 if-feature "match-on-eth and match-on-ipv4";
260 "Ethernet and IPv4 ACL combinations supported.";
262 feature mixed-eth-ipv6 {
263 if-feature "match-on-eth and match-on-ipv6";
265 "Ethernet and IPv6 ACL combinations supported.";
268 feature mixed-eth-ipv4-ipv6 {
270 "match-on-eth and match-on-ipv4
273 "Ethernet, IPv4, and IPv6 ACL combinations supported.";
279 feature interface-stats {
281 "ACL counters are available and reported only per interface.";
284 feature acl-aggregate-stats {
286 "ACL counters are aggregated over all interfaces and reported
287 only per ACL entry.";
291 * Attachment point features
293 feature interface-attachment {
295 "ACLs are set on interfaces.";
306 "This type is used to refer to an ACL type.";
312 grouping acl-counters {
314 "Common grouping for ACL counters.";
315 leaf matched-packets {
319 "Count of the number of packets matching the current ACL
322 An implementation should provide this counter on a
323 per-interface, per-ACL-entry basis if possible.
325 If an implementation only supports ACL counters on a per-
326 entry basis (i.e., not broken out per interface), then the
327 value should be equal to the aggregate count across all
330 An implementation that provides counters on a per-entry, per-
331 interface basis is not required to also provide an aggregate
332 count, e.g., per entry -- the user is expected to be able to
333 implement the required aggregation if such a count is
337 leaf matched-octets {
341 "Count of the number of octets (bytes) matching the current
344 An implementation should provide this counter on a
345 per-interface, per-ACL-entry basis if possible.
347 If an implementation only supports ACL counters per entry
348 (i.e., not broken out per interface), then the value
349 should be equal to the aggregate count across all interfaces.
351 An implementation that provides counters per entry per
352 interface is not required to also provide an aggregate count,
353 e.g., per entry -- the user is expected to be able to
354 implement the required aggregation if such a count is needed.";
359 * Configuration and monitoring data nodes
364 "This is a top-level container for Access Control Lists.
365 It can have one or more acl nodes.";
369 "An ACL is an ordered list of ACEs. Each ACE has a
370 list of match criteria and a list of actions.
371 Since there are several kinds of ACLs implemented
372 with different attributes for different vendors,
373 this model accommodates customizing ACLs for
374 each kind and for each vendor.";
380 "The name of the access list. A device MAY further
381 restrict the length of this name; space and special
382 characters are not allowed.";
387 "Type of ACL. Indicates the primary intended
388 type of match criteria (e.g., Ethernet, IPv4, IPv6, mixed,
389 etc.) used in the list instance.";
393 "The aces container contains one or more ACE nodes.";
404 "A unique name identifying this ACE.";
408 "The rules in this set determine what fields will be
409 matched upon before any action is taken on them.
410 The rules are selected based on the feature set
411 defined by the server and the acl-type defined.
412 If no matches are defined in a particular container,
413 then any packet will match that container. If no
414 matches are specified at all in an ACE, then any
415 packet will match the ACE.";
419 when "derived-from-or-self(/acls/acl/type, "
420 + "'acl:eth-acl-type')";
421 if-feature "match-on-eth";
422 uses pf:acl-eth-header-fields;
424 "Rule set that matches Ethernet headers.";
427 "Match Layer 2 headers, for example, Ethernet
433 when "derived-from-or-self(/acls/acl/type, "
434 + "'acl:ipv4-acl-type')";
435 if-feature "match-on-ipv4";
436 uses pf:acl-ip-header-fields;
437 uses pf:acl-ipv4-header-fields;
439 "Rule set that matches IPv4 headers.";
443 when "derived-from-or-self(/acls/acl/type, "
444 + "'acl:ipv6-acl-type')";
445 if-feature "match-on-ipv6";
446 uses pf:acl-ip-header-fields;
447 uses pf:acl-ipv6-header-fields;
449 "Rule set that matches IPv6 headers.";
452 "Choice of either IPv4 or IPv6 headers";
456 if-feature "match-on-tcp";
457 uses pf:acl-tcp-header-fields;
458 container source-port {
460 case range-or-operator {
461 uses pf:port-range-or-operator;
463 "Source port definition from range or
467 "Choice of source port definition using
468 range/operator or a choice to support future
469 'case' statements, such as one enabling a
470 group of source ports to be referenced.";
473 "Source port definition.";
475 container destination-port {
476 choice destination-port {
477 case range-or-operator {
478 uses pf:port-range-or-operator;
480 "Destination port definition from range or
484 "Choice of destination port definition using
485 range/operator or a choice to support future
486 'case' statements, such as one enabling a
487 group of destination ports to be referenced.";
490 "Destination port definition.";
493 "Rule set that matches TCP headers.";
497 if-feature "match-on-udp";
498 uses pf:acl-udp-header-fields;
499 container source-port {
501 case range-or-operator {
502 uses pf:port-range-or-operator;
504 "Source port definition from range or
508 "Choice of source port definition using
509 range/operator or a choice to support future
510 'case' statements, such as one enabling a
511 group of source ports to be referenced.";
514 "Source port definition.";
516 container destination-port {
517 choice destination-port {
518 case range-or-operator {
519 uses pf:port-range-or-operator;
521 "Destination port definition from range or
525 "Choice of destination port definition using
526 range/operator or a choice to support future
527 'case' statements, such as one enabling a
528 group of destination ports to be referenced.";
531 "Destination port definition.";
534 "Rule set that matches UDP headers.";
538 if-feature "match-on-icmp";
539 uses pf:acl-icmp-header-fields;
541 "Rule set that matches ICMP headers.";
544 "Choice of TCP, UDP, or ICMP headers.";
547 leaf egress-interface {
548 type if:interface-ref;
550 "Egress interface. This should not be used if this ACL
551 is attached as an egress ACL (or the value should
552 equal the interface to which the ACL is attached).";
555 leaf ingress-interface {
556 type if:interface-ref;
558 "Ingress interface. This should not be used if this ACL
559 is attached as an ingress ACL (or the value should
560 equal the interface to which the ACL is attached).";
566 "Definition of actions for this ace entry.";
569 base forwarding-action;
573 "Specifies the forwarding action per ace entry.";
582 "Specifies the log action and destination for
583 matched packets. Default value is not to log the
587 container statistics {
588 if-feature "acl-aggregate-stats";
591 "Statistics gathered across all attachment points for the
598 container attachment-points {
600 "Enclosing container for the list of
601 attachment points on which ACLs are set.";
605 grouping interface-acl {
607 "Grouping for per-interface ingress ACL data.";
610 "Enclosing container for the list of ingress ACLs on the
616 "List of ingress ACLs on the interface.";
619 path "/acls/acl/name";
622 "Reference to the ACL name applied on the ingress.";
624 list ace-statistics {
625 if-feature "interface-stats";
632 path "/acls/acl/aces/ace/name";
635 "Name of the ace entry.";
644 if-feature "interface-attachment";
647 "List of interfaces on which ACLs are set.";
650 type if:interface-ref;
652 "Reference to the interface id list key.";
658 "The ACLs applied to the ingress interface.";
663 "The ACLs applied to the egress interface.";