For now.
Kristian and I discussed this, and agreed that we will pull it in in a new pull
request.
> On Nov 29, 2017, at 4:08 PM, Sonal Agarwal (agarwaso) <agarw...@cisco.com>
> wrote:
>
> Are you removing the definition of “global” ACL?
>
> -
> leaf global {
> -
> if-feature global-attachment;
> -
> type
> empty;
> -
> description
> -
> "ACL rule is global";
> - }
>
> The remaining changes look fine to me.
>
> Thanks,
> ---
> Sonal Agarwal
>
> From: Mahesh Jethanandani <mjethanand...@gmail.com
> <mailto:mjethanand...@gmail.com>>
> Date: Wednesday, November 29, 2017 at 12:11 PM
> To: NetMod WG <netmod@ietf.org <mailto:netmod@ietf.org>>
> Cc: "Robert Wilton -X (rwilton - ENSOFT LIMITED at Cisco)" <rwil...@cisco.com
> <mailto:rwil...@cisco.com>>, Jeffrey Haas <jh...@juniper.net
> <mailto:jh...@juniper.net>>, Cisco Employee <agarw...@cisco.com
> <mailto:agarw...@cisco.com>>, Kristian Larsson <k...@spritelink.net
> <mailto:k...@spritelink.net>>, Kristian Larsson <k...@dev.terastrm.net
> <mailto:k...@dev.terastrm.net>>, Martin Bjorklund <m...@tail-f.com
> <mailto:m...@tail-f.com>>
> Subject: Re: [netmod] IETF ACL model
>
> The updated commit here
> <https://github.com/netmod-wg/acl-model/pull/19/commits/37e4c030180ae052a5fae26ca86813970fc6b4bf>
> takes care of restoring “type" to "acl-type", fixes some indentation issues,
> adds a choice for “l3" where either “ipv4" or “ipv6" can be selected, and a
> similar choice at “l4" that allows either “tcp", “udp" or “icmp" to be
> selected, and removes changes for “global" attachment point. Will add the
> last item as a separate commit.
>
> Unless I hear objections, I will roll the pr/18 changes into the master
> branch in 48 hours.
>
>> On Nov 28, 2017, at 2:17 AM, Martin Bjorklund <m...@tail-f.com
>> <mailto:m...@tail-f.com>> wrote:
>>
>> Mahesh Jethanandani <mjethanand...@gmail.com
>> <mailto:mjethanand...@gmail.com>> wrote:
>>> An updated version of the model has been posted as part of the PR here
>>> <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b
>>>
>>> <https://github.com/netmod-wg/acl-model/commit/2477cd400cce6d39933c908ad97da27ff759588b>>.
>>>
>>> The particular change removes any-acl from the model, expands on eth
>>> (to ethernet), removes acl- prefix for things like acl-type and
>>> acl-name. Please review.
>>
>> I think 99% of the changes in this PR look good. The one
>> exception is the typedef that used to be called "acl-type". I think
>> it should still be called "acl-type". "type" is too broad. NOTE,
>> this is just the typedef; the leaf /access-lists/acl/type should keep
>> its name ("type").
>>
>>
>> /martin
>>
>>
>>
>>>
>>>> On Nov 27, 2017, at 5:17 AM, Kristian Larsson <k...@dev.terastrm.net
>>>> <mailto:k...@dev.terastrm.net>>
>>>> wrote:
>>>>
>>>>
>>>> Robert Wilton <rwil...@cisco.com <mailto:rwil...@cisco.com>> writes:
>>>>
>>>>> Thinking about this some more. I'm not sure what it means for the "ACL
>>>>> Type" to be "any-acl". It seems that the "match any packet" should be
>>>>> a
>>>>> type of ACE, e.g. perhaps as the last entry of an ACL, rather than a
>>>>> type of ACL.
>>>>
>>>> Yes, I agree as so far that any-acl makes no sense as an acl-type. The
>>>> way I understood acl-type, and the way that vendors have told me it
>>>> will
>>>> be used, is to say "this is an IPv4 ACL" and then on an attachment
>>>> point
>>>> you can specify that only ACLs of acl-type ipv4-acl can be attached to
>>>> the interface. That makes perfect sense. I do not see how any-acl can
>>>> map into this.
>>>>
>>>> I agree that any-acl is logically a type of ACE but we don't have an
>>>> ace-type and the exact same information can IMHO already be conveyed
>>>> WITHOUT the any-acl type and thus it has no reason to exist. Nor do we
>>>> need a feature for it.
>>>>
>>>> From what I can tell the any-acl container in the ACE should be used
>>>> to
>>>> explicitly signify a match on "any". Think of IOS style ipv4 acl:
>>>> permit ip any any
>>>>
>>>> We have to provide a source and destination so this would be a rather
>>>> explicit mapping of that. However, our structure in this YANG model is
>>>> just completely different than an IOS command so I don't see why we
>>>> should try and mimic IOS in the YANg model.
>>>>
>>>> Not specifying a destination IP address means we match on any
>>>> destination IP address. The same is true for any other field we can
>>>> match on. Not setting a match implies we don't try to match on that
>>>> field, thus we allow "any" value. I think the logical continuation of
>>>> this is that for an ACE with no matches defined at all, we match any
>>>> packet. I think we can update the text to better explain this.
>>>>
>>>>
>>>>
>>>>> Otherwise if the ACL type is "any-acl" then this only allows two types
>>>>> of ACLs to be defined, neither of which seem to be particularly
>>>>> useful:
>>>>> (1) An ACL that matches all traffic and permits it, i.e. the same as
>>>>> having no ACL at all.
>>>>> (2) An ACL that matches all traffic and drops.
>>>>>
>>>>> So I think perhaps the answer here is to define neither ACL type
>>>>> "any-acl" nor leaf "any". The presumption could be that any ACE that
>>>>> is
>>>>> configured to match no fields implicitly matches all packets (because
>>>>> all non specified fields are treated as wildcards), and then applies
>>>>> the
>>>>> permit/deny rule associated with the ACE. This logic can apply to all
>>>>> ACL types.
>>>>
>>>> Yes yes yes :)
>>>>
>>>> Kristian.
>>>
>>> Mahesh Jethanandani
>>> mjethanand...@gmail.com <mailto:mjethanand...@gmail.com>
>>>
>
> Mahesh Jethanandani
> mjethanand...@gmail.com <mailto:mjethanand...@gmail.com>
Mahesh Jethanandani
mjethanand...@gmail.com
_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod
