syntax = "proto3";
package acl;
// Action applied to a packet that matches a Rule.
//
// DENY is the zero value. In proto3 an unset enum field reads as 0, so a Rule
// whose acl_action is missing, or carries a value an older reader does not
// know, is treated as DENY: the schema fails closed rather than open.
// The values are not prefixed with the enum name; now that the enum is
// published they must not be renamed or renumbered, and a new action needs a
// fresh number.
enum AclAction {
  // Drop the matching packet. Also the implicit default for an unset action.
  DENY = 0;
  // Forward the matching packet.
  PERMIT = 1;
  // NOTE(review): presumably "permit and create a reflexive (stateful) entry
  // for the return traffic", as in VPP's ACL plugin -- confirm against the
  // consumer before relying on it; the schema itself does not define it.
  REFLECT = 2;
};
// This is a top level container for Access Control Lists.
// It can have one or more Access Control Lists.
//
// Validation note: every scalar below is a plain proto3 field, so nothing in
// the schema bounds it, and the zero value of every field is indistinguishable
// from "not set" on the wire. A consumer that programs a data plane from this
// message must itself validate ranges, prefix lengths and address strings
// (see the per-field notes) before installing anything.
message AccessLists {
  // An Access Control List (ACL) is an ordered list of Access List Rules.
  // The order of `rules` is significant; whether evaluation stops at the
  // first matching rule is not defined by this schema -- confirm with the
  // consumer.
  message Acl {
    // The name of access list. A device MAY restrict the length
    // and value of this name, possibly spaces and special
    // characters are not allowed.
    // The name is the key an ACL is addressed by, so a consumer should reject
    // an empty name and duplicate names within one AccessLists message.
    string acl_name = 1;
    // List of access list entries (Rules). Each Access Control Rule has
    // a list of match criteria and a list of actions.
    // Access List entry that can define:
    // - IPv4/IPv6 src ip prefix
    // - src MAC address mask
    // - src MAC address value
    // - can be used only for static ACLs.
    message Rule {
      // A unique name identifying this Access List Entry (Rule)
      string rule_name = 1;
      // Action for this Access List Rule. AclAction's zero value is DENY, so a
      // Rule that does not set an action denies (fail closed).
      AclAction acl_action = 2;
      // Definitions for match criteria for this Access List Rule
      message Match {
        // Access List entry that can define:
        // - IPv4/IPv6 src/dst IP prefix
        // - Internet Protocol number
        // - selected L4 headers:
        //   * ICMP (type range)
        //   * UDP (port range)
        //   * TCP (port range, flags mask, flags value)
        message IpRule {
          // IP version used in this Access List Entry.
          // Both fields are free-form strings; the consumer must parse them
          // as CIDR prefixes and reject anything that does not parse. The
          // schema does not say what an empty string or a mixed IPv4/IPv6
          // pair means -- presumably "any" / invalid; confirm with the
          // consumer.
          message Ip {
            // Destination IPv4/IPv6 network address (<ip>/<network>)
            string destination_network = 1;
            // Source IPv4/IPv6 network address (<ip>/<network>)
            string source_network = 2;
          }
          Ip ip = 1;
          message Icmp {
            // ICMPv6 flag, if false ICMPv4 will be used
            bool icmpv6 = 1;
            // Inclusive numeric range. Nothing in the schema enforces
            // first <= last or the 8-bit size of ICMP type/code values, so
            // the consumer must reject first > last and values above 255.
            message Range {
              // Lower boundary for range
              uint32 first = 1;
              // Upper boundary for range
              uint32 last = 2;
            }
            // Inclusive range representing icmp codes to be used.
            Range icmp_code_range = 2;
            // Inclusive range representing icmp types to be used.
            Range icmp_type_range = 3;
          }
          Icmp icmp = 2;
          // Inclusive range representing destination ports to be used. When
          // only lower-port is present, it represents a single port.
          // Ports are 16-bit but the fields are uint32, so values above
          // 65535 must be rejected by the consumer. Because proto3 scalars
          // have no presence, an upper_port of 0 is indistinguishable from
          // "absent" and is presumably read as the single-port case --
          // confirm with the consumer.
          message PortRange {
            // Lower boundary for port.
            uint32 lower_port = 1;
            // Upper boundary for port. If existing, the upper port must
            // be greater or equal to lower-port
            uint32 upper_port = 2;
          }
          message Tcp {
            PortRange destination_port_range = 1;
            PortRange source_port_range = 2;
            // Binary mask for tcp flags to match. MSB order (FIN at position 0).
            // Applied as logical AND to tcp flags field of the packet being matched,
            // before it is compared with tcp-flags-value.
            // A mask of 0 makes the comparison independent of the packet:
            // with value 0 the rule matches every TCP packet, with any other
            // value it can never match. A consumer should reject value bits
            // that are not also set in the mask, and bits above the width of
            // the TCP flags field.
            uint32 tcp_flags_mask = 3;
            // Binary value for tcp flags to match. MSB order (FIN at position 0).
            // Before tcp-flags-value is compared with tcp flags field of the packet being matched,
            // tcp-flags-mask is applied to packet field value.
            uint32 tcp_flags_value = 4;
          }
          Tcp tcp = 3;
          message Udp {
            PortRange destination_port_range = 1;
            PortRange source_port_range = 2;
          }
          Udp udp = 4;
        }
        // NOTE(review): ip_rule and macip_rule are plain message fields, not
        // a oneof, so a Match with both set, or with neither, is representable.
        // The schema does not say how such a Match is treated; a conservative
        // consumer rejects it rather than guessing -- confirm.
        IpRule ip_rule = 1;
        message MacIpRule {
          // Source IP address.
          // Free-form string; the consumer must parse it and reject anything
          // that is not a valid IPv4/IPv6 address.
          string source_address = 1;
          // Source IP address prefix.
          // Prefix length in bits; unbounded here, so the consumer must reject
          // values above 32 (IPv4) or 128 (IPv6) for the given source_address.
          uint32 source_address_prefix = 2;
          // Source MAC address.
          // Before source-mac-address is compared with source mac address field of the packet
          // being matched, source-mac-address-mask is applied to packet field value.
          // The string format is not fixed by the schema (presumably the
          // colon-separated hex form) -- confirm and validate in the consumer.
          string source_mac_address = 3;
          // Source MAC address mask.
          // Applied as logical AND with source mac address field of the packet being matched,
          // before it is compared with source-mac-address.
          // As with the TCP flags mask, an all-zero mask matches any source
          // MAC; a consumer should reject address bits not covered by the mask.
          string source_mac_address_mask = 4;
        }
        MacIpRule macip_rule = 2;
      }
      Match match = 3;
    }
    // Ordered list of rules for this ACL; an empty list is representable and
    // its effect is not defined by the schema.
    repeated Rule rules = 2;
    // Interface names this ACL is attached to, per direction. An ACL with
    // neither list populated is, as far as the schema says, not applied
    // anywhere.
    message Interfaces {
      // Interfaces on which the ACL filters outgoing traffic.
      repeated string egress = 1;
      // Interfaces on which the ACL filters incoming traffic.
      repeated string ingress = 2;
    }
    // The set of interfaces that has assigned this ACL on ingress or egress.
    Interfaces interfaces = 3;
  }
  repeated Acl acls = 1;
}