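// Source: go.ligato.io/vpp-agent/v3@v3.5.0/proto/ligato/vpp/acl/acl.proto
syntax = "proto3";

package ligato.vpp.acl;

import "ligato/annotations.proto";

option go_package = "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/acl;vpp_acl";

// ACL defines Access Control List.
message ACL {
  // The name of an access list. A device MAY restrict the length
  // and value of this name; spaces and special characters are possibly
  // not allowed.
  string name = 1;

  // One access list entry. Each rule has an action and match criteria,
  // expressed as an IpRule (L3/L4 match) and/or a MacIpRule (source IP
  // plus source MAC match).
  // NOTE(review): ip_rule and macip_rule are independent fields rather than
  // a oneof, so the schema itself does not prevent a rule from setting both
  // or neither; how the agent treats those cases is not visible in this file.
  message Rule {
    // Action taken on packets that match the rule.
    // DENY is the zero value, so under proto3 a rule whose action is left
    // unset is indistinguishable from an explicit DENY (fail-closed default).
    enum Action {
      DENY = 0;
      PERMIT = 1;
      // NOTE(review): semantics are not stated in this file; presumably
      // permit plus reflexive matching of return traffic -- confirm against
      // the agent implementation.
      REFLECT = 2;
    }
    Action action = 1;

    // Access List entry that can define:
    // - IPv4/IPv6 src/dst IP prefix
    // - Internet Protocol number
    // - selected L4 headers:
    //   * ICMP (type range)
    //   * UDP (port range)
    //   * TCP (port range, flags mask, flags value)
    message IpRule {
      // IP used in this Access List Entry.
      // NOTE(review): unlike MacIpRule.source_address, the two network
      // fields carry no ligato_options type annotation here, so their format
      // is presumably validated by the agent -- confirm. What an empty
      // string matches is not stated in this file.
      message Ip {
        // Destination IPv4/IPv6 network address (<ip>/<network>)
        string destination_network = 1;
        // Source IPv4/IPv6 network address (<ip>/<network>)
        string source_network = 2;
        // IP protocol number (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
        // Zero value (i.e. undefined protocol) means that the protocol to match will be automatically
        // selected from one of the ICMP/ICMP6/TCP/UDP based on the rule definition. For example, if "icmp"
        // is defined and src/dst addresses are IPv6 then packets of the ICMP6 protocol will be matched, etc.
        uint32 protocol = 3 [(ligato_options).int_range = {minimum: 0 maximum: 255}];
      }
      Ip ip = 1;

      // ICMP match criteria.
      message Icmp {
        // ICMPv6 flag, if false ICMPv4 will be used
        bool icmpv6 = 1;
        // Inclusive range of 8-bit values (declared range 0-255).
        // Both bounds have implicit presence: an unset bound reads as 0.
        message Range {
          uint32 first = 1 [(ligato_options).int_range = {minimum: 0 maximum: 255}];
          uint32 last = 2 [(ligato_options).int_range = {minimum: 0 maximum: 255}];
        }
        // Inclusive range representing icmp codes to be used.
        Range icmp_code_range = 2;
        // Inclusive range representing icmp types to be used.
        Range icmp_type_range = 3;
      }
      Icmp icmp = 2;

      // Inclusive range of L4 ports; used for both the source and the
      // destination port ranges of Tcp and Udp. When only lower-port is
      // present, it represents a single port.
      // NOTE(review): upper_port has implicit presence, so "not present"
      // and an explicit 0 are the same on the wire. What an omitted
      // PortRange matches is not stated in this file -- confirm before
      // relying on it to restrict ports.
      message PortRange {
        uint32 lower_port = 1 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
        // If upper port is set, it must
        // be greater or equal to lower port
        uint32 upper_port = 2 [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
      }

      // TCP match criteria.
      // By the mask/value semantics documented below, leaving both
      // tcp_flags_mask and tcp_flags_value at the proto3 default of 0 makes
      // (flags AND 0) == 0 true for every packet, i.e. no constraint on flags.
      message Tcp {
        PortRange destination_port_range = 1;
        PortRange source_port_range = 2;
        // Binary mask for tcp flags to match. MSB order (FIN at position 0).
        // Applied as logical AND to tcp flags field of the packet being matched,
        // before it is compared with tcp-flags-value.
        uint32 tcp_flags_mask = 3 [(ligato_options).int_range = {minimum: 0 maximum: 255}];
        // Binary value for tcp flags to match. MSB order (FIN at position 0).
        // Before tcp-flags-value is compared with tcp flags field of the packet being matched,
        // tcp-flags-mask is applied to packet field value.
        uint32 tcp_flags_value = 4 [(ligato_options).int_range = {minimum: 0 maximum: 255}];
      }
      Tcp tcp = 3;

      // UDP match criteria.
      message Udp {
        PortRange destination_port_range = 1;
        PortRange source_port_range = 2;
      }
      Udp udp = 4;
    }
    IpRule ip_rule = 2;

    // Access List entry that can define:
    // - IPv4/IPv6 src ip prefix
    // - src MAC address mask
    // - src MAC address value
    // - can be used only for static ACLs.
    message MacIpRule {
      // Source IP address; annotated for IP-format validation.
      string source_address = 1 [(ligato_options).type = IP];
      // Prefix length for source_address. The declared range (0-128) does
      // not depend on the address family, so a too-long IPv4 prefix is not
      // rejected by this annotation alone.
      uint32 source_address_prefix = 2 [(ligato_options).int_range = {minimum: 0 maximum: 128}];
      // Before source-mac-address is compared with source mac address field of the packet
      // being matched, source-mac-address-mask is applied to packet field value.
      string source_mac_address = 3;
      // Source MAC address mask.
      // Applied as logical AND with source mac address field of the packet being matched,
      // before it is compared with source-mac-address.
      string source_mac_address_mask = 4;
    }
    MacIpRule macip_rule = 3;
  }
  // List of access list entries (Rules).
  repeated Rule rules = 2;

  // The set of interfaces that have this ACL assigned on ingress or egress.
  // NOTE(review): entries are plain strings with no annotation in this file;
  // presumably interface names resolved by the agent -- confirm.
  message Interfaces {
    repeated string egress = 1;
    repeated string ingress = 2;
  }
  Interfaces interfaces = 3;
}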