An updated version of the model has been posted as part of the PR here <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b>.
The particular change removes any-acl from the model, expands on eth (to ethernet), removes acl- prefix for things like acl-type and acl-name. Please review. > On Nov 27, 2017, at 5:17 AM, Kristian Larsson <k...@dev.terastrm.net> wrote: > > > Robert Wilton <rwil...@cisco.com> writes: > >> Thinking about this some more. I'm not sure what it means for the "ACL >> Type" to be "any-acl". It seems that the "match any packet" should be a >> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a >> type of ACL. > > Yes, I agree as so far that any-acl makes no sense as an acl-type. The > way I understood acl-type, and the way that vendors have told me it will > be used, is to say "this is an IPv4 ACL" and then on an attachment point > you can specify that only ACLs of acl-type ipv4-acl can be attached to > the interface. That makes perfect sense. I do not see how any-acl can > map into this. > > I agree that any-acl is logically a type of ACE but we don't have an > ace-type and the exact same information can IMHO already be conveyed > WITHOUT the any-acl type and thus it has no reason to exist. Nor do we > need a feature for it. > > From what I can tell the any-acl container in the ACE should be used to > explicitly signify a match on "any". Think of IOS style ipv4 acl: > permit ip any any > > We have to provide a source and destination so this would be a rather > explicit mapping of that. However, our structure in this YANG model is > just completely different than an IOS command so I don't see why we > should try and mimic IOS in the YANg model. > > Not specifying a destination IP address means we match on any > destination IP address. The same is true for any other field we can > match on. Not setting a match implies we don't try to match on that > field, thus we allow "any" value. I think the logical continuation of > this is that for an ACE with no matches defined at all, we match any > packet. I think we can update the text to better explain this. > > > >> Otherwise if the ACL type is "any-acl" then this only allows two types >> of ACLs to be defined, neither of which seem to be particularly useful: >> (1) An ACL that matches all traffic and permits it, i.e. the same as >> having no ACL at all. >> (2) An ACL that matches all traffic and drops. >> >> So I think perhaps the answer here is to define neither ACL type >> "any-acl" nor leaf "any". The presumption could be that any ACE that is >> configured to match no fields implicitly matches all packets (because >> all non specified fields are treated as wildcards), and then applies the >> permit/deny rule associated with the ACE. This logic can apply to all >> ACL types. > > Yes yes yes :) > > Kristian. Mahesh Jethanandani mjethanand...@gmail.com
_______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod
