Robert Wilton <rwil...@cisco.com> writes: > Thinking about this some more. I'm not sure what it means for the "ACL > Type" to be "any-acl". It seems that the "match any packet" should be a > type of ACE, e.g. perhaps as the last entry of an ACL, rather than a > type of ACL.
Yes, I agree as so far that any-acl makes no sense as an acl-type. The way I understood acl-type, and the way that vendors have told me it will be used, is to say "this is an IPv4 ACL" and then on an attachment point you can specify that only ACLs of acl-type ipv4-acl can be attached to the interface. That makes perfect sense. I do not see how any-acl can map into this. I agree that any-acl is logically a type of ACE but we don't have an ace-type and the exact same information can IMHO already be conveyed WITHOUT the any-acl type and thus it has no reason to exist. Nor do we need a feature for it. >From what I can tell the any-acl container in the ACE should be used to explicitly signify a match on "any". Think of IOS style ipv4 acl: permit ip any any We have to provide a source and destination so this would be a rather explicit mapping of that. However, our structure in this YANG model is just completely different than an IOS command so I don't see why we should try and mimic IOS in the YANg model. Not specifying a destination IP address means we match on any destination IP address. The same is true for any other field we can match on. Not setting a match implies we don't try to match on that field, thus we allow "any" value. I think the logical continuation of this is that for an ACE with no matches defined at all, we match any packet. I think we can update the text to better explain this. > Otherwise if the ACL type is "any-acl" then this only allows two types > of ACLs to be defined, neither of which seem to be particularly useful: > (1) An ACL that matches all traffic and permits it, i.e. the same as > having no ACL at all. > (2) An ACL that matches all traffic and drops. > > So I think perhaps the answer here is to define neither ACL type > "any-acl" nor leaf "any". The presumption could be that any ACE that is > configured to match no fields implicitly matches all packets (because > all non specified fields are treated as wildcards), and then applies the > permit/deny rule associated with the ACE. This logic can apply to all > ACL types. Yes yes yes :) Kristian. _______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod
