forked from ligato/vpp-agent
-
Notifications
You must be signed in to change notification settings - Fork 0
/
acl.proto
161 lines (159 loc) · 7.74 KB
/
acl.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
syntax = "proto3";
package acl;
enum AclAction {
DENY = 0;
PERMIT = 1;
REFLECT = 2;
};
// This is a top level container for Access Control Lists.
// It can have one or more Access Control Lists.
message AccessLists {
// An Access Control List(ACL) is an ordered list of Access List Rules. Each Access Control Rule has
// a list of match criteria and a list of actions.
message Acl {
// List of access list entries(Rule)
message Rule {
// Definitions of action criteria for this Access List Rule
message Actions {
AclAction acl_action = 1;
}
Actions actions = 2;
// Definitions for match criteria for this Access List Rule
message Matches {
// Access List entry that can define:
// - IP4/IP6 src/dst ip prefix- Internet Protocol number
// - Internet Protocol number
// - selected L4 headers:
// * ICMP (type range)
// * UDP (port range)
// * TCP (port range, flags mask, flags value)
message IpRule {
// IP version used in this Access List Entry.
message Ip {
// Destination IPv4/IPv6 network address (<ip>/<network>)
string destination_network = 1;
// Destination IPv4/IPv6 network address (<ip>/<network>)
string source_network = 2;
}
Ip ip = 1;
message Icmp {
// ICMPv6 flag, if false ICMPv4 will be used
bool Icmpv6 = 1;
// Inclusive range representing icmp codes to be used.
message IcmpCodeRange {
// Lower boundary for range
uint32 first = 1;
// Upper boundary for range
uint32 last = 2;
}
IcmpCodeRange icmp_code_range = 2;
message IcmpTypeRange {
// Lower boundary for range
uint32 first = 1;
// Upper boundary for range
uint32 last = 2;
}
IcmpTypeRange icmp_type_range = 3;
}
Icmp icmp = 2;
message Tcp {
// Inclusive range representing destination ports to be used. When
// only lower-port is present, it represents a single port.
message DestinationPortRange {
// Lower boundary for port.
uint32 lower_port = 1;
// Upper boundary for port. If existing, the upper port must
// be greater or equal to lower-port
uint32 upper_port = 2;
}
DestinationPortRange destination_port_range = 1;
// Inclusive range representing source ports to be used.
// When only lower-port is present, it represents a single port.
message SourcePortRange {
// Lower boundary for port.
uint32 lower_port = 1;
// Upper boundary for port . If existing, the upper port
// must be greater or equal to lower-port.
uint32 upper_port = 2;
}
SourcePortRange source_port_range = 2;
// Binary mask for tcp flags to match. MSB order (FIN at position 0).
// Applied as logical AND to tcp flags field of the packet being matched,
// before it is compared with tcp-flags-value.
uint32 tcp_flags_mask = 3;
// Binary value for tcp flags to match. MSB order (FIN at position 0).
// Before tcp-flags-value is compared with tcp flags field of the packet being matched,
// tcp-flags-mask is applied to packet field value.
uint32 tcp_flags_value = 4;
}
Tcp tcp = 4;
message Udp {
// Inclusive range representing destination ports to be used. When
// only lower-port is present, it represents a single port.
message DestinationPortRange {
// Lower boundary for port.
uint32 lower_port = 1;
// Upper boundary for port. If existing, the upper port must
// be greater or equal to lower-port
uint32 upper_port = 2;
}
DestinationPortRange destination_port_range = 1;
// Inclusive range representing source ports to be used.
// When only lower-port is present, it represents a single port.
message SourcePortRange {
// Lower boundary for port.
uint32 lower_port = 1;
// Upper boundary for port . If existing, the upper port
// must be greater or equal to lower-port.
uint32 upper_port = 2;
}
SourcePortRange source_port_range = 2;
}
Udp udp = 5;
message Other {
// Internet Protocol number.
uint32 protocol = 1;
}
Other other = 3;
}
IpRule ip_rule = 1;
message MacIpRule {
// Source IPv4/Ipv6 address
string source_address = 1;
// Source IPv4/Ipv6 address prefix
uint32 source_address_prefix = 2;
// Source IEEE 802 MAC address.
// Before source-mac-address is compared with source mac address field of the packet being matched,
// source-mac-address-mask is applied to packet field value.
string source_mac_address = 3;
// Source IEEE 802 MAC address mask.
// Applied as logical AND with source mac address field of the packet being matched,
// before it is compared with source-mac-address.
string source_mac_address_mask = 4;
}
MacIpRule macip_rule = 4;
}
Matches matches = 3;
// Access List entry that can define:
// - IP4/IP6 src ip prefix
// - src MAC address mask
// - src MAC address value
// - can be used only for static ACLs.
// A unique name identifying this Access List
// Entry(Rule).
string rule_name = 5;
}
repeated Rule rules = 1;
// The name of access-list. A device MAY restrict the length
// and value of this name, possibly spRule and special
// characters are not allowed.
string acl_name = 3;
message Interfaces {
repeated string egress = 1;
repeated string ingress = 2;
}
// The set of interfRules that has assigned this ACL on ingres or egress
Interfaces interfaces = 2;
}
repeated Acl acl = 1;
}