go.ligato.io/vpp-agent/v3@v3.5.0/proto/ligato/vpp/acl/acl.proto

syntax = "proto3";

package ligato.vpp.acl;

option go_package = "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/acl;vpp_acl";

import "ligato/annotations.proto";

// ACL defines Access Control List.
message ACL {
    // The name of an access list. A device MAY restrict the length
    // and value of this name, possibly spaces and special
    // characters are not allowed.
    string name = 1;

    // List of access list entries (Rules). Each Access Control Rule has
    // a list of match criteria and a list of actions.
    // Access List entry that can define:
    // - IPv4/IPv6 src ip prefix
    // - src MAC address mask
    // - src MAC address value
    // - can be used only for static ACLs.
    message Rule {
        enum Action {
            DENY = 0;
            PERMIT = 1;
            REFLECT = 2;
        };
        Action action = 1;

        // Access List entry that can define:
        // - IPv4/IPv6 src/dst IP prefix
        // - Internet Protocol number
        // - selected L4 headers:
        //   * ICMP (type range)
        //   * UDP (port range)
        //   * TCP (port range, flags mask, flags value)

        message IpRule {
            // IP  used in this Access List Entry.
            message Ip {
                // Destination IPv4/IPv6 network address (<ip>/<network>)
                string destination_network = 1;
                // Destination IPv4/IPv6 network address (<ip>/<network>)
                string source_network = 2;
                // IP protocol number (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
                // Zero value (i.e. undefined protocol) means that the protocol to match will be automatically
                // selected from one of the ICMP/ICMP6/TCP/UDP based on the rule definition. For example, if "icmp"
                // is defined and src/dst addresses are IPv6 then packets of the ICMP6 protocol will be matched, etc.
                uint32 protocol = 3  [(ligato_options).int_range = {minimum: 0 maximum: 255}];
            }
            Ip ip = 1;

            message Icmp {
                // ICMPv6 flag, if false ICMPv4 will be used
                bool icmpv6 = 1;
                message Range {
                    uint32 first = 1  [(ligato_options).int_range = {minimum: 0 maximum: 255}];
                    uint32 last = 2  [(ligato_options).int_range = {minimum: 0 maximum: 255}];
                }
                // Inclusive range representing icmp codes to be used.
                Range icmp_code_range = 2;
                Range icmp_type_range = 3;
            }
            Icmp icmp = 2;

            // Inclusive range representing destination ports to be used. When
            // only lower-port is present, it represents a single port.
            message PortRange {
                uint32 lower_port = 1  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
                // If upper port is set, it must
                // be greater or equal to lower port
                uint32 upper_port = 2  [(ligato_options).int_range = {minimum: 0 maximum: 65535}];
            }

            message Tcp {
                PortRange destination_port_range = 1;
                PortRange source_port_range = 2;
                // Binary mask for tcp flags to match. MSB order (FIN at position 0).
                // Applied as logical AND to tcp flags field of the packet being matched,
                // before it is compared with tcp-flags-value.
                uint32 tcp_flags_mask = 3  [(ligato_options).int_range = {minimum: 0 maximum: 255}];
                // Binary value for tcp flags to match. MSB order (FIN at position 0).
                // Before tcp-flags-value is compared with tcp flags field of the packet being matched,
                // tcp-flags-mask is applied to packet field value.
                uint32 tcp_flags_value = 4  [(ligato_options).int_range = {minimum: 0 maximum: 255}];
            }
            Tcp tcp = 3;

            message Udp {
                PortRange destination_port_range = 1;
                PortRange source_port_range = 2;
            }
            Udp udp = 4;
        }
        IpRule ip_rule = 2;

        message MacIpRule {
            string source_address = 1  [(ligato_options).type = IP];
            uint32 source_address_prefix = 2  [(ligato_options).int_range = {minimum: 0 maximum: 128}];
            // Before source-mac-address is compared with source mac address field of the packet
            // being matched, source-mac-address-mask is applied to packet field value.
            string source_mac_address = 3;
            // Source MAC address mask.
            // Applied as logical AND with source mac address field of the packet being matched,
            // before it is compared with source-mac-address.
            string source_mac_address_mask = 4;
        }
        MacIpRule macip_rule = 3;
    }
    repeated Rule rules = 2;

    // The set of interfaces that has assigned this ACL on ingres or egress.
    message Interfaces {
        repeated string egress = 1;
        repeated string ingress = 2;
    }
    Interfaces interfaces = 3;
}