acls: Syntax schema, example and docs
First stab at integrating the acl-plugin from VPP. Allow to craft ACLs consisting of one-or-more ACEs (this is ensured by 'terms' being required with min=1), and a rich language to be able to set any L3 and L4 (UDP, ICMP, TCP) matchers that the plugin provides. Explain how the syntax will look like, although for now only YAMALE syntax checking can be performed (semantic validation is next). TESTED: pim@hippo:~/src/vppcfg/vppcfg$ ./vppcfg.py check -c example.yaml [INFO ] root.main: Loading configfile example.yaml [INFO ] vppcfg.config.valid_config: Configuration validated successfully [INFO ] root.main: Configuration is valid
This commit is contained in:
Pim van Pelt
@ -117,3 +117,23 @@ taps:
|
||||
name: vpp-tap101
|
||||
mtu: 1500
|
||||
bridge: br1
|
||||
|
||||
acls:
|
||||
acl01:
|
||||
description: "Test ACL"
|
||||
terms:
|
||||
- description: "Allow a specific IPv6 TCP flow"
|
||||
action: permit
|
||||
source: 2001:db8::/64
|
||||
destination: 2001:db8:1::/64
|
||||
protocol: tcp
|
||||
destination-port: www
|
||||
source-port: "1024-65535"
|
||||
- description: "Allow IPv4 ICMP Destination Unreachable, any code"
|
||||
family: ipv4
|
||||
action: permit
|
||||
protocol: icmp
|
||||
icmp-type: 3
|
||||
icmp-code: any
|
||||
- description: "Deny any IPv4 or IPv6"
|
||||
action: deny
|
||||
|
||||
@ -4,6 +4,7 @@ loopbacks: map(include('loopback'),key=str(matches='loop[0-9]+'),required=False)
|
||||
bridgedomains: map(include('bridgedomain'),key=str(matches='bd[0-9]+'),required=False)
|
||||
vxlan_tunnels: map(include('vxlan'),key=str(matches='vxlan_tunnel[0-9]+'),required=False)
|
||||
taps: map(include('tap'),key=str(matches='tap[0-9]+'),required=False)
|
||||
acls: map(include('acl'),key=str(matches='[a-z][a-z0-9\-]+'),required=False)
|
||||
---
|
||||
vxlan:
|
||||
description: str(exclude='\'"',len=64,required=False)
|
||||
@ -79,3 +80,24 @@ tap:
|
||||
namespace-create: bool(required=False)
|
||||
rx-ring-size: int(min=8,max=32768,required=False)
|
||||
tx-ring-size: int(min=8,max=32768,required=False)
|
||||
---
|
||||
# Valid: 80 "www" "-1024" "1024-" "1024-65535", and "any"
|
||||
acl-term-port-int-range-symbolic: any(int(min=1,max=65535),str(equals="any"),regex('^([1-9][0-9]*-|-[1-9][0-9]*|[1-9][0-9]*-[1-9][0-9]*)$'),regex('^[a-z][a-z0-9-]*$'))
|
||||
# Valid: 80 "-245" "10-" "10-245", and "any"
|
||||
acl-term-icmp-int-range: any(int(min=0,max=255),str(equals="any"),regex('^([0-9]+-|-[1-9][0-9]*|[0-9]*-[1-9][0-9]*)$'))
|
||||
---
|
||||
acl-term:
|
||||
description: str(exclude='\'"',len=64,required=False)
|
||||
action: enum('permit','deny','permit+reflect')
|
||||
family: enum('ipv4','ipv6','any',required=False)
|
||||
source: ip_interface(required=False)
|
||||
destination: ip_interface(required=False)
|
||||
protocol: any(int(min=1,max=255),regex('^[a-z][a-z0-9-]*$'),required=False)
|
||||
source-port: include('acl-term-port-int-range-symbolic', required=False)
|
||||
destination-port: include('acl-term-port-int-range-symbolic', required=False)
|
||||
icmp-type: include('acl-term-icmp-int-range',required=False)
|
||||
icmp-code: include('acl-term-icmp-int-range',required=False)
|
||||
---
|
||||
acl:
|
||||
description: str(exclude='\'"',len=64,required=False)
|
||||
terms: list(include('acl-term'), min=1, max=100, required=True)
|
||||
|
||||
Reference in New Issue
Block a user