Firewall Service API

firewall_service.proto

This file defines the ACL package for JUNOS.

A brief description of the key concepts and functionality associated with this package follows:

ACL is an acronym for Access Control List, a basic stateless forwarding construct that matches on packet content and takes a set of actions if the packet passes the matching criteria.

An ACL is made up of an ordered set of ACL Entries, which define how a packet is matched against configured criteria and how it is treated in the event of a match.

Each ACL Entry, or ACE, defines a set of packet matching criteria and a set of actions to take on the packet if the matching criteria are met. A packet needs to match ALL the matches in an ACE to be considered a match.

A Match is defined by an operation, packet field and value to be matched against. For details on the operations supported and various packet fields that could be matched, refer to the corresponding Enum or Message structure below.

An action determines what to do with the packet when it matches the matching criteria. There are two types of actions: terminating actions and non-terminating actions. Each ACE can have zero or more non-terminating actions and zero or exactly one terminating action. A non-terminating action is one that does not stop the packet from undergoing the rest of the ACL processing. A terminating action is one that stops the packet from undergoing any further ACL processing.

An attachment point, or bind point, is the point in the path of packet processing where the packet is subjected to ACL processing. An attachment point is defined by the attachment entity and the direction in which the ACL is applied. For example, a typical bind point is an interface where a packet is subjected to the ACL.

The diagram below depicts an object diagram for a typical ACL. Legend: ACE-1 is the ordered Access List Entry at position 1. ACE-n is the ordered Access List Entry at position n. M-n is match number n in the list of matching criteria in a given ACE. A-n is action number n in the list of actions for a given ACE. No more than one action can be a terminating action.

        +-------+-------+-----+------+
ACL ->  | ACE-1 | ACE-2 | ... | ACE-n|
        +-------+-------+-----+------+
            |
            |
            |      +-----+
            +----->| M-1 |
                   +-----+
                   | M-2 |
                   +-----+
                   | ... |
                   +-----+
                   | M-n |
                   +-----+
                      |
                      |           +-----+
                      +---------->| A-1 |
                                  +-----+
                                  | A-2 |
                                  +-----+
                                  | ... |
                                  +-----+
                                  | A-n |
                                  +-----+
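The constraints this page states (at most one terminating action per ACE, min/max range matches, the 64-character name limits, the flex-match bit ranges, and a bind family that must match the ACL family) can be checked on the client before an ACL is submitted. The Python lint below is an added example, not part of firewall_service.proto or any Juniper client code. It assumes the messages are held as plain dicts keyed by the field names on this page, that a set AclBooleanType is represented as True, and that the family strings "inet" and "inet6" stand in for AccessListFamilies values.

```python
# Added example: lint an ACL (plain dicts keyed by this page's field names)
# before submission. Family strings and True-for-AclBooleanType are assumptions.

FAMILY_ENTRIES = ("inet_entry", "es_entry", "inet6_entry", "vpls_entry",
                  "ccc_entry", "mservice_entry", "mpls_entry")
# AclMatchPort min/max are int32, so out-of-range ports are representable.
PORT_FIELDS = ("match_dst_ports", "match_src_ports", "match_ports")
# Actions whose name field is documented as at most 64 characters.
NAMED_ACTIONS = {"action_count": "counter_name",
                 "action_copy_to_host": "client_name",
                 "action_send_to_client": "client_name"}
MAX_NAME_LEN = 64
FLEX_FIELDS = (("match_flex_range", "flex_range_match"),
               ("match_flex_mask", "flex_mask_match"))


def lint_ace(entry):
    """Return findings (strings) for one AclEntry dict."""
    families = [f for f in FAMILY_ENTRIES if entry.get(f)]
    if len(families) != 1:
        return [f"AclEntry must populate exactly one family entry, got {families}"]
    ace = entry[families[0]]
    name = ace.get("ace_name", "<unnamed>")
    actions = ace.get("actions") or {}
    matches = ace.get("matches") or {}
    findings = []

    # Overview rule: zero or exactly one terminating action per ACE.
    terminating = sorted(k for k, v in (actions.get("action_t") or {}).items() if v)
    if len(terminating) > 1:
        findings.append(f"{name}: {len(terminating)} terminating actions set {terminating}")

    # Counter and client names are limited to 64 characters.
    for group in ("actions_nt", "action_t"):
        for action, key in NAMED_ACTIONS.items():
            value = (actions.get(group) or {}).get(action)
            if value and len(value.get(key, "")) > MAX_NAME_LEN:
                findings.append(f"{name}: {action}.{key} exceeds {MAX_NAME_LEN} characters")

    # Repeated range matches: min must not exceed max; ports must fit 16 bits.
    for field, ranges in matches.items():
        if not isinstance(ranges, list):
            continue
        for r in ranges:
            lo, hi = r.get("min"), r.get("max")
            if lo is not None and hi is not None and lo > hi:
                findings.append(f"{name}: {field} has min {lo} > max {hi}")
            if field in PORT_FIELDS and any(
                    v is not None and not 0 <= v <= 65535 for v in (lo, hi)):
                findings.append(f"{name}: {field} value outside 0-65535")

    # Flexible matches: bit_length is 0-32 and bit_offset is 0-7.
    for outer, inner in FLEX_FIELDS:
        flex = (matches.get(outer) or {}).get(inner) or {}
        if not 0 <= flex.get("bit_length", 0) <= 32:
            findings.append(f"{name}: {outer} bit_length outside 0-32")
        if not 0 <= flex.get("bit_offset", 0) <= 7:
            findings.append(f"{name}: {outer} bit_offset outside 0-7")
    return findings


def lint_acl(acl, binding=None):
    """Lint every ACE in order, then the optional AccessListObjBind dict."""
    findings = []
    for entry in acl.get("ace_list", []):
        findings += lint_ace(entry)
    # bind_family must match the ACL family.
    if binding and binding.get("bind_family") != acl.get("acl_family"):
        findings.append(f"binding: bind_family {binding.get('bind_family')!r} "
                        f"does not match acl_family {acl.get('acl_family')!r}")
    return findings


# Constructed sample input; names and values are illustrative only.
SAMPLE_ACL = {
    "acl_name": "edge-in",
    "acl_family": "inet",  # placeholder for an AccessListFamilies value
    "ace_list": [
        {"inet_entry": {
            "ace_name": "allow-ssh",
            "matches": {"match_dst_ports": [{"min": 22, "max": 22}]},
            "actions": {"actions_nt": {"action_count": {"counter_name": "ssh-in"}},
                        "action_t": {"action_accept": True}}}},
        {"inet_entry": {
            "ace_name": "bad-term",
            "matches": {
                "match_src_ports": [{"min": 2000, "max": 1000}, {"min": -1, "max": 80}],
                "match_flex_range": {"flex_range_match": {"bit_length": 16, "bit_offset": 9}}},
            "actions": {"actions_nt": {"action_count": {"counter_name": "c" * 65}},
                        "action_t": {"action_accept": True, "action_discard": True}}}},
    ],
}
SAMPLE_BIND = {"bind_object": {"intf": "ge-0/0/1.0"}, "bind_family": "inet6"}

if __name__ == "__main__":
    for finding in lint_acl(SAMPLE_ACL, SAMPLE_BIND):
        print(finding)
```
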

AccessList

ACL

Field Type Label Description
acl_name string optional AccessList name
acl_type AccessListTypes optional AccessList type
acl_family AccessListFamilies optional AccessList family
acl_flag AccessListFlags optional AccessList flag
ace_list AclEntry repeated List of Destination addresses

AccessListBindObjPoint

ACL Bind Points

Field Type Label Description
intf string optional Bind object - Interface
fwd_table string optional Bind object - Forwarding Table
vlan AclBindObjVlan optional Bind object - VLAN
bd AclBindObjBridgeDomain optional Bind object - Bridge Domain

AccessListCounter

An ACL Counter

Field Type Label Description
acl AccessList optional Access list
counter_name string optional Counter name

AccessListCounterBulk

Bulk ACL Counter

Field Type Label Description
acl AccessList optional Access list
starting_index uint32 optional Starting Index

AccessListCounterVal

Return counter statistics

Field Type Label Description
counter_name string optional Counter Name
status AccessListReturnVal optional Error status
bytes uint64 optional Byte count
packets uint64 optional Packet count

AccessListObjBind

Per forwarding element ACL binding

Field Type Label Description
acl AccessList optional ACL
obj_type AccessListBindObjType optional Binding object type
bind_object AccessListBindObjPoint optional Bind object name where the ACL is to be bound
bind_direction AclBindDirection optional Bind direction
bind_family AccessListFamilies optional Family on the bind object. Must match with the ACL family

AccessListPolicer

ACL Policer

Field Type Label Description
policer_name string optional Policer name
policer_type AclPolicerType optional Policer type
policer_flag AclPolicerFlags optional Policer Flags
policer_params AclPolicerParameter optional Policer Parameter

AccessListReturnStatus

ACL Return Status

Field Type Label Description
status AccessListReturnVal optional ACL return status value

AccessListVoid

A void message

Field Type Label Description
void string optional

AclActionCopyToHost

Copy To Client action

Field Type Label Description
client_name string optional Client name (up to 64 characters)

AclActionCounter

Counter action

Field Type Label Description
counter_name string optional Counter name (up to 64 characters)

AclActionForwardingClass

Action forwarding class by id

Field Type Label Description
fc AclForwardingClass optional set forwarding class id

AclActionForwardingPriority

action forwarding priority

Field Type Label Description
priority uint32 optional priority

AclActionIflNameIndex

Ifl Index or name in filter action

Field Type Label Description
ifl_name string optional Ifl Name
ifl_index uint32 optional Ifl Index

AclActionLossPriority

action loss priority

Field Type Label Description
lp AclLossPriority optional Set loss priority

AclActionNextHop

Next hop

Field Type Label Description
nh_idx uint32 optional Next hop index

AclActionNextInterface

action next interface

Field Type Label Description
rti_name string optional routing-instance name
ifl AclActionIflNameIndex optional ifl index or ifl name

AclActionNextIp

action next interface

Field Type Label Description
rti_name string optional routing-instance name
addr IpAddress optional address
prefix_len uint32 optional Destination prefix length

AclActionPolicer

Police the matching packets

Field Type Label Description
policer AccessListPolicer optional The policer

AclActionPolicerInstance

Police the matching packets with respect to template

Field Type Label Description
policer AccessListPolicer optional The policer
policer_instance string optional Policer Instance name

AclActionRoutingInstance

Direct matching packets to a routing-instance

Field Type Label Description
rt_instance_name string optional

AclActionSendToClient

Send To Client action

Field Type Label Description
client_name string optional Client name (up to 64 characters)

AclActionSetIpDscp

action set dscp

Field Type Label Description
dscp uint32 optional DSCP for IP and IPv6

AclActionSetNexthop

Next hop action

Field Type Label Description
nh_idx uint32 optional Set nh idx

AclActionTopologyRedirect

Redirect matching packets with respect to topology mentioned

Field Type Label Description
rt_instance_name string optional RT instance name
topology_name string optional Topology name

AclAdjacency

Adjacency details of ace placement

Field Type Label Description
type AclAdjacencyType optional Type of adjacency placement
ace_name string optional The previous or the next AC

AclBindObjBridgeDomain

Bridge Domain Elements

Field Type Label Description
bd_name string optional Bind object bd name where the ACL is to be bound
rtb_name string optional Bind object Routing Instance name of bd_name where the ACL is to be bound

AclBindObjVlan

The VLAN objects to which the ACL can be bound

Field Type Label Description
vlan_name string optional Bind object VLAN name where the ACL is to be bound
rtb_name string optional Bind object Routing Instance name of vlan_name where the ACL is to be bound

AclCccEntry

CCC ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchCcc optional Matches
actions AclEntryCccAction optional Actions

AclEntry

An ACL entry. It can be of one of the family types.

Field Type Label Description
inet_entry AclInetEntry optional For Inet family
es_entry AclEsEntry optional For Ethernet Switching family
inet6_entry AclInet6Entry optional For Inet6 family
vpls_entry AclVplsEntry optional For vpls family
ccc_entry AclCccEntry optional For ccc family
mservice_entry AclMultiServiceEntry optional For multiservices family
mpls_entry AclMplsEntry optional For mpls family

AclEntryCccAction

ACL CCC Action

Field Type Label Description
actions_nt AclEntryCccNonTerminatingAction optional List of non-terminating actions.
action_t AclEntryCccTerminatingAction optional One terminating action

AclEntryCccNonTerminatingAction

Non-terminating ACL CCC Actions

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_log AclBooleanType optional Log the matching packets
action_syslog AclBooleanType optional Syslog the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.
action_sample AclBooleanType optional Sample
action_copy_to_host AclActionCopyToHost optional Copy of matching packets to host client name

AclEntryCccTerminatingAction

Terminating ACL CCC Actions

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets
action_send_to_client AclActionSendToClient optional Direct matching packets to client name
action_send_to_host AclBooleanType optional Direct matching packets to host

AclEntryEsAction

ACL Action

Field Type Label Description
actions_nt AclEntryEsNonTerminatingAction optional List of non-terminating actions.
action_t AclEntryEsTerminatingAction optional One terminating action

AclEntryEsNonTerminatingAction

Non-terminating ACL Action

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_log AclBooleanType optional Log the matching packets
action_syslog AclBooleanType optional Syslog the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.
action_next_term AclBooleanType optional Next Term
action_lp AclActionLossPriority optional Loss priority

AclEntryEsTerminatingAction

Terminating ACL Action

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets
action_nh AclActionNextHop optional Next hop
action_send_to_host AclBooleanType optional Send to host

AclEntryInet6Action

ACL inet6 Actions

Field Type Label Description
actions_nt AclEntryInet6NonTerminatingAction optional List of non-terminating actions.
action_t AclEntryInet6TerminatingAction optional One terminating action

AclEntryInet6NonTerminatingAction

Non-terminating ACL inet6 Actions

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_log AclBooleanType optional Log the matching packets
action_syslog AclBooleanType optional Syslog the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.
action_sample AclBooleanType optional Sample
action_next_term AclBooleanType optional Next Term
action_port_mirror AclBooleanType optional port mirror action
action_lp AclActionLossPriority optional set loss priority to matched packets
action_fwd_class AclActionForwardingClass optional set Forwarding class to matched packets
action_fwd_priority AclActionForwardingPriority optional set Forwarding Priority to matched packets
action_next_intf AclActionNextInterface optional set Next interface to matched packets
action_next_ip AclActionNextIp optional set Next IPv4 to matched packets
action_ip_dscp AclActionSetIpDscp optional set IP DSCP to matched packets
action_copy_to_host AclActionCopyToHost optional Copy of matching packets to host client name
action_policer_inst AclActionPolicerInstance optional Police the matching packets. Ensure that policer exists before using it.

AclEntryInet6TerminatingAction

Terminating ACL inet6 Actions

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets
action_reject AclEntryActionRejectReason optional Reject the matching packets
action_rt_inst AclActionRoutingInstance optional Direct matching packets to a routing instance
action_topo_redirect AclActionTopologyRedirect optional Direct matching packets to a routing instance
action_send_to_client AclActionSendToClient optional client name
action_send_to_host AclBooleanType optional Direct matching packets to host
action_nh AclActionSetNexthop optional set nexthop idx

AclEntryInetAction

ACL Action

Field Type Label Description
actions_nt AclEntryInetNonTerminatingAction optional List of non-terminating actions.
action_t AclEntryInetTerminatingAction optional One terminating action

AclEntryInetNonTerminatingAction

Non-terminating ACL Action

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_log AclBooleanType optional Log the matching packets
action_syslog AclBooleanType optional Syslog the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.
action_sample AclBooleanType optional Sample
action_next_term AclBooleanType optional Next Term

AclEntryInetTerminatingAction

Terminating ACL Action

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets
action_reject AclEntryActionRejectReason optional Reject the matching packets
action_rt_inst AclActionRoutingInstance optional Direct matching packets to a routing instance

AclEntryMatchCcc

CCC Matches and Actions

Field Type Label Description
match_pkt_len AclMatchPktLen repeated List of Packet lengths
ifl_names AclMatchIflNameIndex repeated Interface name (IFL with unit like ge-0/0/1.0 or IFL index)
ether_types AclMatchEtherType repeated List of Ether type match
match_src_macs AclMatchMacAddress repeated List Source MAC match
match_dst_macs AclMatchMacAddress repeated List Destination MAC match
cfm_opcodes AclMatchCfmOpcode repeated List of CFM Opcode match
cfm_levels AclMatchCfmLevel repeated List of CFM Level match
match_flex_range AclMatchFlexibleOffsetRange optional Flex Ranges
match_flex_mask AclMatchFlexibleOffsetMask optional Flex Masks

AclEntryMatchEs

An ACL Match

Field Type Label Description
match_dst_mac_addrs AclMatchMacAddress repeated List of Destination mac addresses
match_src_mac_addrs AclMatchMacAddress repeated List of Source mac addresses
match_dst_ports AclMatchPort repeated List of Destination ports
match_src_ports AclMatchPort repeated List of Source ports
match_dscp_code AclMatchDscpCode repeated List of Dscp code points
match_protocols AclMatchProtocol repeated List of Protocols
match_icmp_type AclMatchIcmpType repeated List of Icmp types
match_icmp_code AclMatchIcmpCode repeated List of Icmp codes
ifl_names AclMatchIflNameIndex repeated Interface name (IFL with unit, for example: ge-0/0/1.0 or IFL index)
match_ether_type AclMatchEtherType repeated
match_learn_vlan_id AclMatchLearnVlanId repeated
match_learn_vlan_priority AclMatchLearnVlanPriority repeated

AclEntryMatchInet

An ACL Match

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated List of Destination addresses
match_src_addrs AclMatchIpAddress repeated List of Source addresses
match_dst_ports AclMatchPort repeated List of Destination ports
match_src_ports AclMatchPort repeated List of Source ports
match_dscp_code AclMatchDscpCode repeated List of Dscp code points
match_protocols AclMatchProtocol repeated List of Protocols
match_icmp_type AclMatchIcmpType repeated List of Icmp types
match_icmp_code AclMatchIcmpCode repeated List of Icmp codes
match_pkt_len AclMatchPktLen repeated List of Packet lengths
match_ttl AclMatchTtl repeated List of Ttl's
fragment_flags AclFragmentFlags optional Fragment flag
match_frag_offset AclMatchFragmentOffset repeated List of fragment offset range
ifl_names AclMatchIflNameIndex repeated Interface name (IFL with unit, for example: ge-0/0/1.0 or IFL index)
match_ip_precedence AclMatchIpPrecedence repeated List of ip precedence
match_addrs AclMatchIpAddress repeated List of Addresses
match_ports AclMatchPort repeated List of Ports
match_flex_range AclMatchFlexibleOffsetRange optional Flex Ranges
match_flex_mask AclMatchFlexibleOffsetMask optional Flex Masks

AclEntryMatchInet6

Inet6 Matches and actions

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated List of Destination addresses
match_src_addrs AclMatchIpAddress repeated List of Source addresses
match_dst_ports AclMatchPort repeated List of Destination ports
match_src_ports AclMatchPort repeated List of Source ports
match_dscp_code AclMatchDscpCode repeated List of Dscp code points
payload_protocols AclMatchProtocol repeated List of Protocols
match_icmp_type AclMatchIcmpType repeated List of Icmp types
match_icmp_code AclMatchIcmpCode repeated List of Icmp codes
match_pkt_len AclMatchPktLen repeated List of Packet lengths
fragment_flags AclFragmentFlags optional Fragment flag
ifl_names AclMatchIflNameIndex repeated Interface name (IFL with unit, for example: ge-0/0/1.0 or IFL index)
match_traffic_classes AclMatchTrafficClass repeated List of traffic classes
match_addrs AclMatchIpAddress repeated List of Addresses
match_flex_range AclMatchFlexibleOffsetRange optional Flex Ranges
match_flex_mask AclMatchFlexibleOffsetMask optional Flex Masks
ipv6_next_headers AclMatchNextHeader repeated List of Next Header match
match_loss_priority AclMatchLossPriority repeated List of Loss Priority
match_fwd_class AclMatchForwardingClass repeated List of Forwarding Class
match_ports AclMatchPort repeated List of Ports

AclEntryMatchMpls

Mpls Matches and Actions

Field Type Label Description
match_label1 AclMatchMplsLabel repeated Label-1 match
match_label2 AclMatchMplsLabel repeated Label-2 match
match_label3 AclMatchMplsLabel repeated Label-3 match
match_flex_range AclMatchFlexibleOffsetRange optional Flex Ranges
match_flex_mask AclMatchFlexibleOffsetMask optional Flex Masks

AclEntryMatchMultiService

multiservices Matches and Actions

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated List of Destination addresses (V4)
match_src_addrs AclMatchIpAddress repeated List of Source addresses (V4)
match_addrs AclMatchIpAddress repeated List of addresses (V4)
match_dst_ports AclMatchPort repeated List of Destination ports
match_src_ports AclMatchPort repeated List of Source ports
match_ip_protocols AclMatchProtocol repeated List of Protocols
payload_protocols AclMatchProtocol repeated List of Protocols
match_icmp_type AclMatchIcmpType repeated List of Icmp types
match_icmp_code AclMatchIcmpCode repeated List of Icmp codes
ifl_names AclMatchIflNameIndex repeated Interface name (IFL with unit like ge-0/0/1.0 or IFL index)
ipv6_next_headers AclMatchNextHeader repeated List of Next Header match
ether_types AclMatchEtherType repeated List of Ether type match
match_src_macs AclMatchMacAddress repeated List Source MAC match
match_dst_macs AclMatchMacAddress repeated List Destination MAC match
vlan_ether_types AclMatchEtherType repeated List of Ether type match
stp_state AclStpMatchFlags optional STP state match
mesh_group_ids AclMatchMeshGroup repeated List of mesh group id match
l2_tokens AclMatchL2Token repeated List of L2 token match
match_pkt_len AclMatchPktLen repeated List of Packet lengths

AclEntryMatchVpls

VPLS Matches and Actions

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated List of Destination addresses (V4)
match_src_addrs AclMatchIpAddress repeated List of Source addresses (V4)
match_dst_v6_addrs AclMatchIpAddress repeated List of Destination addresses (V6)
match_src_v6_addrs AclMatchIpAddress repeated List of Source addresses (V6)
match_dst_ports AclMatchPort repeated List of Destination ports
match_src_ports AclMatchPort repeated List of Source ports
match_dscp_code AclMatchDscpCode repeated List of Dscp code points
match_ip_protocols AclMatchProtocol repeated List of Protocols
payload_protocols AclMatchProtocol repeated List of Protocols
match_icmp_type AclMatchIcmpType repeated List of Icmp types
match_icmp_code AclMatchIcmpCode repeated List of Icmp codes
ifl_names AclMatchIflNameIndex repeated Interface name (IFL with unit, for example: ge-0/0/1.0 or IFL index)
match_traffic_classes AclMatchTrafficClass repeated List of traffic classes
ipv6_next_headers AclMatchNextHeader repeated List of Next Header match
ether_types AclMatchEtherType repeated List of Ether type match
match_src_macs AclMatchMacAddress repeated List Source MAC match
match_dst_macs AclMatchMacAddress repeated List Destination MAC match
vlan_ether_types AclMatchEtherType repeated List of Ether type match
learn_vlan_ids AclMatchVlanId repeated List of Vlan Id match
user_vlan_ids AclMatchVlanId repeated List of Vlan Id match
learn_vlan_priority AclMatchLearnVlanPriority repeated List of Vlan Id match
stp_state AclStpMatchFlags optional STP state match
mesh_group_ids AclMatchMeshGroup repeated List of mesh group id match
cfm_opcodes AclMatchCfmOpcode repeated List of CFM Opcode match
cfm_levels AclMatchCfmLevel repeated List of CFM Level match
l2_tokens AclMatchL2Token repeated List of L2 token match
match_v6_addrs AclMatchIpAddress repeated List of Ipv6 addresses (V6)
match_flex_range AclMatchFlexibleOffsetRange optional Flex Ranges
match_flex_mask AclMatchFlexibleOffsetMask optional Flex Masks
match_pkt_len AclMatchPktLen repeated List of Packet lengths

AclEntryMplsAction

ACL Mpls Action

Field Type Label Description
actions_nt AclEntryMplsNonTerminatingAction optional List of non-terminating actions.
action_t AclEntryMplsTerminatingAction optional One terminating action

AclEntryMplsNonTerminatingAction

Non-terminating ACL MPLS Actions

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.

AclEntryMplsTerminatingAction

Terminating ACL MPLS Actions

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets

AclEntryMultiServiceAction

ACL Multi Service Actions

Field Type Label Description
actions_nt AclEntryMultiServiceNonTerminatingAction optional List of non-terminating actions.
action_t AclEntryMultiServiceTerminatingAction optional One terminating action

AclEntryMultiServiceNonTerminatingAction

Non-terminating ACL Multi Service Actions

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_log AclBooleanType optional Log the matching packets
action_syslog AclBooleanType optional Syslog the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.
action_sample AclBooleanType optional Sample
action_next_term AclBooleanType optional Next Term
action_copy_to_host AclActionCopyToHost optional Copy of matching packets to host

AclEntryMultiServiceTerminatingAction

Terminating ACL Multi Service Actions

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets
action_send_to_client AclActionSendToClient optional Direct matching packets to client name
action_send_to_host AclBooleanType optional Direct matching packets to host

AclEntryVplsAction

ACL VPLS Action

Field Type Label Description
actions_nt AclEntryVplsNonTerminatingAction optional List of non-terminating actions.
action_t AclEntryVplsTerminatingAction optional One terminating action

AclEntryVplsNonTerminatingAction

Non-terminating ACL Vpls Actions

Field Type Label Description
action_count AclActionCounter optional Count the matching packets
action_log AclBooleanType optional Log the matching packets
action_syslog AclBooleanType optional Syslog the matching packets
action_policer AclActionPolicer optional Police the matching packets. Ensure that policer exists before using it.
action_sample AclBooleanType optional Sample
action_next_term AclBooleanType optional Next Term
action_no_mac_learn AclBooleanType optional No Mac Learn
action_copy_to_host AclActionCopyToHost optional Copy of matching packets to host client name

AclEntryVplsTerminatingAction

Terminating ACL Vpls Actions

Field Type Label Description
action_accept AclBooleanType optional Accept the matching packets
action_discard AclBooleanType optional Discard the matching packets
action_send_to_client AclActionSendToClient optional Direct matching packets to client name
action_send_to_host AclBooleanType optional Direct matching packets to host
action_nh AclActionSetNexthop optional set nexthop idx

AclEsEntry

An Inet ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchEs optional Matches
actions AclEntryEsAction optional Actions

AclInet6Entry

An Inet6 ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchInet6 optional Matches
actions AclEntryInet6Action optional Actions

AclInetEntry

An Inet ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchInet optional Matches
actions AclEntryInetAction optional Actions

AclMatchCfmLevel

CFM Level match condition

Field Type Label Description
cfm_level uint32 optional cfm_level value
match_op AclMatchOperation optional AclMatch op

AclMatchCfmOpcode

CFM opcode match condition

Field Type Label Description
min uint32 optional Minimum cfm opcode value
max uint32 optional Maximum cfm opcode Value
match_op AclMatchOperation optional AclMatch op

AclMatchDscpCode

DSCP (diffserv code point) match condition

Field Type Label Description
min uint32 optional Minimum Dscp code
max uint32 optional Maximum Dscp code
match_op AclMatchOperation optional AclMatch op

AclMatchEtherType

EtherType Match

Field Type Label Description
min uint32 optional Minimum Ether type
max uint32 optional Maximum Ether type
match_op AclMatchOperation optional AclMatch op

AclMatchFlexOffset

Flex Offset range matches

Field Type Label Description
min uint32 optional Minimum range value
max uint32 optional Maximum range value
match_op AclMatchOperation optional AclMatch op

AclMatchFlexibleMask

A Flexible Mask Match

Field Type Label Description
start_offset AclEntryMatchFlexStartOffest optional Flex match start offset
bit_length uint32 optional Flex match bit length (0 - 32)
bit_offset uint32 optional Flex match bit offset (0 - 7)
byte_offset uint32 optional Flex match byte offset
mask uint32 optional Flex match mask
prefix_string string optional 32 Bit, Flex match value in hex format (0x12345678)

AclMatchFlexibleOffsetMask

A Flexible Offset Mask Match

Field Type Label Description
flex_mask_match AclMatchFlexibleMask optional Flexible mask match

AclMatchFlexibleOffsetRange

A Flexible Offset Range Match

Field Type Label Description
flex_range_match AclMatchFlexibleRange optional Flexible range match

AclMatchFlexibleRange

A Flexible Range Match

Field Type Label Description
start_offset AclEntryMatchFlexStartOffest optional Flex match start offset
bit_length uint32 optional Flex match bit length (0 - 32)
bit_offset uint32 optional Flex match bit offset (0 - 7)
byte_offset uint32 optional Flex match byte offset
range AclMatchFlexOffset optional Flex match range value

AclMatchForwardingClass

Forwarding class match condition

Field Type Label Description
fwd_class AclForwardingClass optional Loss Priority match
match_op AclMatchOperation optional AclMatch op

AclMatchFragmentOffset

Fragment offset match condition for IPv4

Field Type Label Description
min uint32 optional Fragment offset range start
max uint32 optional Fragment offset range start
match_op AclMatchOperation optional AclMatch op

AclMatchIcmpCode

ICMP code match condition

Field Type Label Description
min uint32 optional Minimum Icmp code
max uint32 optional Maximum Icmp code
match_op AclMatchOperation optional AclMatch op

AclMatchIcmpType

ICMP type match condition

Field Type Label Description
min uint32 optional Minimum Icmp type
max uint32 optional Maximum Icmp type
match_op AclMatchOperation optional AclMatch op

AclMatchIflNameIndex

Ifl Index or name

Field Type Label Description
ifl_name string optional Ifl Name
ifl_index uint32 optional Ifl Index

AclMatchIpAddress

Destination Address match condition

Field Type Label Description
addr IpAddress optional address
prefix_len uint32 optional Destination prefix length
match_op AclMatchOperation optional AclMatch op

AclMatchIpPrecedence

Ip Precedence match

Field Type Label Description
min Precedence optional Minimum precedence
max Precedence optional Maximum precedence
match_op AclMatchOperation optional AclMatch op

AclMatchL2Token

L2 token match condition

Field Type Label Description
token uint32 optional L2 token value
match_op AclMatchOperation optional AclMatch op

AclMatchLearnVlanId

Learn VLAN ID Match

Field Type Label Description
min uint32 optional Minimum Learn vlan id
max uint32 optional Maximum Learn vlan id
match_op AclMatchOperation optional AclMatch op

AclMatchLearnVlanPriority

Learn VLAN Priority Match

Field Type Label Description
min uint32 optional Minimum Learn vlan priority
max uint32 optional Maximum Learn vlan priority
match_op AclMatchOperation optional AclMatch op

AclMatchLossPriority

Loss Priority match condition

Field Type Label Description
lp AclLossPriority optional Loss Priority match
match_op AclMatchOperation optional AclMatch op

AclMatchMacAddress

Mac Address match condition

Field Type Label Description
addr MacAddress optional Mac address
addr_len uint32 optional Mac address length
match_op AclMatchOperation optional AclMatch op

AclMatchMeshGroup

Mesh Group match condition

Field Type Label Description
mesh_group_id uint32 optional mesh_group_id value
match_op AclMatchOperation optional AclMatch op

AclMatchMplsLabel

Mpls label match condition

Field Type Label Description
min uint32 optional Minimum Label value
max uint32 optional Maximum Label Value
match_op AclMatchOperation optional AclMatch op

AclMatchNextHeader

NextHeader match condition

Field Type Label Description
min uint32 optional Minimum Label value
max uint32 optional Maximum Label Value
match_op AclMatchOperation optional AclMatch op

AclMatchPktLen

Packet length match condition

Field Type Label Description
min uint32 optional Minimum Packet length
max uint32 optional Maximum Packet length
match_op AclMatchOperation optional AclMatch op

AclMatchPort

Port match condition

Field Type Label Description
min int32 optional Minimum port
max int32 optional Maximum port
match_op AclMatchOperation optional AclMatch op

AclMatchProtocol

IP Protocol match condition

Field Type Label Description
min uint32 optional Minimum Protocol number
max uint32 optional Maximum Protocol number
match_op AclMatchOperation optional AclMatch op

AclMatchTrafficClass

Traffic class match

Field Type Label Description
min int32 optional Minimum value
max int32 optional Maximum value
match_op AclMatchOperation optional AclMatch op

AclMatchTtl

TTL (Time to live) match condition for IPv4

Field Type Label Description
min uint32 optional Minimum Time to live
max uint32 optional Maximum Time to live
match_op AclMatchOperation optional AclMatch op

AclMatchVlanId

VlanId match condition

Field Type Label Description
min uint32 optional Minimum Label value
max uint32 optional Maximum Label Value
match_op AclMatchOperation optional AclMatch op

AclMplsEntry

MPLS ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchMpls optional Matches
actions AclEntryMplsAction optional Actions

AclMultiServiceEntry

MultiServices ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchMultiService optional Matches
actions AclEntryMultiServiceAction optional Actions

AclPolicerHierarchical

Hierarchical Policer parameters

Field Type Label Description
aggregate_rate_unit AclPolicerRate optional Bandwidth unit
aggregate_rate uint64 optional Bandwidth rate
aggregate_burst_size_unit AclPolicerBurstSize optional Burst unit
aggregate_burst_size uint64 optional Burst size
premium_rate_unit AclPolicerRate optional Bandwidth unit
premium_rate uint64 optional Bandwidth rate
premium_burst_size_unit AclPolicerBurstSize optional Burst unit
premium_burst_size uint64 optional Burst size
discard AclBooleanType optional Discard action

AclPolicerParameter

Policer Parameter

Field Type Label Description
two_color_parameter AclPolicerTwoColor optional Two color
sr_three_color_parameter AclPolicerSingleRateThreeColor optional Three color
tr_three_color_parameter AclPolicerTwoRateThreeColor optional Three color
hierarchical_parameter AclPolicerHierarchical optional Hierarchical

AclPolicerSingleRateThreeColor

Policer parameter for single rate three color policer

Field Type Label Description
committed_rate_unit AclPolicerRate optional Bandwidth unit
committed_rate uint64 optional Bandwidth rate
committed_burst_unit AclPolicerBurstSize optional Burst unit
committed_burst_size uint64 optional Burst size
excess_burst_size uint64 optional Burst size
excess_burst_unit AclPolicerBurstSize optional Burst unit
discard AclBooleanType optional Discard action
color_mode AclColorModeType optional Color mode

AclPolicerTwoColor

Policer parameter for two color policer

Field Type Label Description
bw_unit AclPolicerRate optional Bandwidth unit
bandwidth uint64 optional Bandwidth rate
burst_unit AclPolicerBurstSize optional Burst unit
burst_size uint64 optional Burst size
lp AclLossPriority optional Loss priority
fc_string string optional Forwarding class.
discard AclBooleanType optional Discard action

AclPolicerTwoRateThreeColor

Policer parameter for two rate three color policer

Field Type Label Description
committed_rate_unit AclPolicerRate optional Bandwidth unit
committed_rate uint64 optional Bandwidth rate
committed_burst_unit AclPolicerBurstSize optional Burst unit
committed_burst_size uint64 optional Burst size
excess_rate_unit AclPolicerRate optional Bandwidth unit
excess_rate uint64 optional Bandwidth rate
excess_burst_unit AclPolicerBurstSize optional Burst unit
excess_burst_size uint64 optional Burst size
discard AclBooleanType optional Discard action
color_mode AclColorModeType optional

AclVplsEntry

VPLS ACL entry

Field Type Label Description
ace_name string optional AclEntry name
ace_op AclEntryOperation optional AclEntry operation
adjacency AclAdjacency optional Adjacency
matches AclEntryMatchVpls optional Matches
actions AclEntryVplsAction optional Actions

AccessListBindObjType

The forwarding element entities to which the ACL can be bound.

Name Number Description
ACL_BIND_OBJ_TYPE_INVALID 0 Invalid
ACL_BIND_OBJ_TYPE_INTERFACE 1 Interface
ACL_BIND_OBJ_TYPE_FWD_TABLE 2 Forwarding table
ACL_BIND_OBJ_TYPE_VLAN 3 Forwarding table
ACL_BIND_OBJ_TYPE_BRG_DOMAIN 4 Bridge domain

AccessListFamilies

AccessList Families.

Name Number Description
ACL_FAMILY_INVALID 0 Invalid
ACL_FAMILY_INET 1 IPv4 family
ACL_FAMILY_INET6 2 IPv6 family
ACL_FAMILY_ES 3 Ethernet Switching family
ACL_FAMILY_VPLS 4 VPLS family
ACL_FAMILY_MULTISERVICE 5 MULTISERVICE family
ACL_FAMILY_CCC 6 CCC family
ACL_FAMILY_MPLS 7 MPLS family

AccessListFlags

Any proprietary flag to be enabled at the ACL level.

Name Number Description
ACL_FLAGS_NONE 0 None

AccessListReturnVal

Return values for the RPCs.

Name Number Description
ACL_STATUS_EOK 0 Success
ACL_STATUS_NULL_MESSAGE 1 The RPC was a NULL buffer
ACL_STATUS_EINVALID_MESSAGE 2 Wrong input
ACL_STATUS_EINTERNAL 3 Server Internal error
ACL_STATUS_EUNSUPPORTED_OP 4 Operation not supported
ACL_STATUS_NO_RESOURCE 5 Resource not available at server
ACL_STATUS_BS_TIMEOUT 6 Bulk Stats timeout

AccessListTypes

AccessList types.

Name Number Description
ACL_TYPE_INVALID 0 Invalid ACL type
ACL_TYPE_CLASSIC 1 Classic ACL type

AclAdjacencyType

Adjacency Type which determines the ACE order in an ACL

Name Number Description
ACL_ADJACENCY_NONE 0 For first ace
ACL_ADJACENCY_AFTER 1 Add next to the given ace
ACL_ADJACENCY_BEFORE 2 Add before the given ace

AclBindDirection

Direction in which an ACL is bound.

Name Number Description
ACL_BIND_DIRECTION_INVALID 0 Invalid bind direction
ACL_BIND_DIRECTION_INPUT 1 Bind on ingress
ACL_BIND_DIRECTION_OUTPUT 2 Bind on egress

AclBooleanType

Boolean types

Name Number Description
ACL_FALSE 0
ACL_TRUE 1

AclColorModeType

Color mode for SRTCM and TRTCM

Name Number Description
ACL_COLOR_MODE_INVALID 0 Invalid Color Mode
ACL_COLOR_MODE_COLOR_BLIND 1 Color Blind
ACL_COLOR_MODE_COLOR_AWARE 2 Color Aware

AclEntryActionRejectReason

Name Number Description
ACL_ACTION_REJECT_ADMINISTRATIVELY_PROHIBITED 0 Send ICMP Administratively Prohibited message
ACL_ACTION_REJECT_BAD_HOST_TOS 1 Send ICMP Bad Host ToS message
ACL_ACTION_REJECT_BAD_NETWORK_TOS 2 Send ICMP Bad Network ToS message
ACL_ACTION_REJECT_FRAGMENTATION_NEEDED 3 Send ICMP Fragmentation Needed message
ACL_ACTION_REJECT_HOST_PROHIBITED 4 Send ICMP Host Prohibited message
ACL_ACTION_REJECT_HOST_UNKNOWN 5 Send ICMP Host Unknown message
ACL_ACTION_REJECT_HOST_UNREACHABLE 6 Send ICMP Host Unreachable message
ACL_ACTION_REJECT_NETWORK_PROHIBITED 7 Send ICMP Network Prohibited message
ACL_ACTION_REJECT_NETWORK_UNKNOWN 8 Send ICMP Network Unknown message
ACL_ACTION_REJECT_NETWORK_UNREACHABLE 9 Send ICMP Network Unreachable message
ACL_ACTION_REJECT_PORT_UNREACHABLE 10 Send ICMP Port Unreachable message
ACL_ACTION_REJECT_PRECEDENCE_CUTOFF 11 Send ICMP Precedence Cutoff message
ACL_ACTION_REJECT_PRECEDENCE_VIOLATION 12 Send ICMP Precedence Violation message
ACL_ACTION_REJECT_PROTOCOL_UNREACHABLE 13 Send ICMP Protocol Unreachable message
ACL_ACTION_REJECT_SOURCE_HOST_ISOLATED 14 Send ICMP Source Host Isolated message
ACL_ACTION_REJECT_SOURCE_ROUTE_FAILED 15 Send ICMP Source Route Failed message
ACL_ACTION_REJECT_TCP_RESET 16 Send TCP Reset message

AclEntryMatchFlexStartOffest

Flexible Start Offset Match Conditions

Name Number Description
ACL_FLEX_MATCH_OFFSET_INVALID 0 Invalid Flex match start offset
ACL_FLEX_MATCH_OFFSET_LAYER_THREE 1 Layer-3 Flex match start offset
ACL_FLEX_MATCH_OFFSET_LAYER_FOUR 2 Layer-4 Flex match start offset
ACL_FLEX_MATCH_OFFSET_PAYLOAD 3 Payload Flex match start offset

AclEntryOperation

ACL Entry operation

Name Number Description
ACL_ENTRY_OPERATION_INVALID 0 Invalid ACE operation
ACL_ENTRY_OPERATION_ADD 1 Add a new ACE. Can be used with the Add ACL, Change ACL and Replace ACL APIs
ACL_ENTRY_OPERATION_DELETE 2 Delete an existing ACE. Can be used with the Change ACL API
ACL_ENTRY_OPERATION_REPLACE 3 Replace an existing ACE. Adjacency details must be provided to preserve the order of the ACE. Can be used with the Change ACL API

AclForwardingClass

Forwarding Class

Name Number Description
ACL_FORWARDING_CLASS_INVALID 0 Invalid ACL forwarding class
ACL_FORWARDING_CLASS_ASSURED 1 Assured
ACL_FORWARDING_CLASS_BEST_EFFORT 2 Best effort
ACL_FORWARDING_CLASS_EXPEDITED 3 Expedited
ACL_FORWARDING_CLASS_NETWORK_CONTROL 4 Network Control

AclFragmentFlags

Fragment Flags

Name Number Description
ACL_FRAGMENT_NONE 0 None
ACL_DONT_FRAGMENT 1 Don't fragment flag
ACL_IS_FRAGMENT 2 Is fragment flag
ACL_FIRST_FRAGMENT 3 First fragment flag
ACL_LAST_FRAGMENT 4 More last fragment flag

AclLossPriority

Loss Priority

Name Number Description
ACL_LOSS_PRIORITY_INVALID 0 Invalid Loss Priority
ACL_LOSS_PRIORITY_HIGH 1 Loss Priority HIGH
ACL_LOSS_PRIORITY_MEDIUM_HIGH 2 Loss Priority MEDIUM-HIGH
ACL_LOSS_PRIORITY_MEDIUM_LOW 3 Loss priority - MEDIUM-LOW
ACL_LOSS_PRIORITY_LOW 4 Loss priority - LOW

AclMatchOperation

Supported Match Operations

Name Number Description
ACL_MATCH_OP_INVALID 0 Invalid match operation
ACL_MATCH_OP_EQUAL 1 Match operation equal
ACL_MATCH_OP_NOT_EQUAL 2 Match operation not equal

AclPolicerBurstSize

Policer Burst Size

Name Number Description
ACL_POLICER_BURST_SIZE_INVALID 0 Invalid Policer Burst Size
ACL_POLICER_BURST_SIZE_BYTE 1 Bytes
ACL_POLICER_BURST_SIZE_KBYTE 2 KiloBytes
ACL_POLICER_BURST_SIZE_MBYTE 3 MegaBytes
ACL_POLICER_BURST_SIZE_GBYTE 4 GigaBytes

AclPolicerFlags

Policer Flags

Name Number Description
ACL_POLICER_FLAG_INVALID 0 Invalid Policer Flag
ACL_POLICER_FLAG_TERM_SPECIFIC 1 The policer instance is activated for each ACE it is referenced in.
ACL_POLICER_FLAG_FILTER_SPECIFIC 2 The policer instance is activated at global ACL level.

AclPolicerRate

Policer Rate unit

Name Number Description
ACL_POLICER_RATE_INVALID 0 Invalid Policer Rate
ACL_POLICER_RATE_BPS 1 Bits per second
ACL_POLICER_RATE_KBPS 2 Kilobits per second
ACL_POLICER_RATE_MBPS 3 Megabits per second
ACL_POLICER_RATE_GBPS 4 Gigabits per second

AclPolicerType

ACL policer types

Name Number Description
ACL_POLICER_INVALID 0 Invalid policer type
ACL_TWO_COLOR_POLICER 1 Single rate two color
ACL_SINGLE_RATE_THREE_COLOR_POLICER 2 Single rate three color
ACL_TWO_RATE_THREE_COLOR_POLICER 3 Two rate three color
ACL_HIERARCHICAL_POLICER 4 Hierarchical

AclStpMatchFlags

STP match Flags

Name Number Description
ACL_MATCH_STP_FLAG_INVALID 0 Invalid STP flag
ACL_MATCH_STP_FLAG_BLOCKING 1 Match BLOCKING STP flag
ACL_MATCH_STP_FLAG_FORWARDING 2 Match FORWARDING STP flag

Precedence

Precedence

Name Number Description
ACL_PRECENCE_ROUTINE 0 Routine precedence
ACL_PRECENCE_PRIORITY 1 Priority precedence
ACL_PRECENCE_IMMEDIATE 2 Immediate precedence
ACL_PRECENCE_FLASH 3 Flash precedence
ACL_PRECENCE_FLASH_OVERRIDE 4 Flash override precedence
ACL_PRECENCE_CRITICAL_ECP 5 Critical ecp precedence
ACL_PRECENCE_INTERNET_CONTROL 6 Internet control precedence
ACL_PRECENCE_NET_CONTROL 7 Network control precedence

AclService

The ACL Service API defines a set of simple RPCs that operate on the following components:

  • ACL

  • ACE

  • Policer

  • Attachment Points

  • Statistics

Each RPC is named by concatenating the corresponding ACL object and the operation to be performed, which gives the RPCs easy-to-understand semantics.

Method Name Request Type Response Type Description
AccessListAdd AccessList AccessListReturnStatus Adds an ACL and returns the result.
AccessListDelete AccessList AccessListReturnStatus Deletes an ACL from the system and returns the result. For the delete to succeed, the ACL must not be bound to any object.
AccessListChange AccessList AccessListReturnStatus Changes an ACL based on the list of ACL entries provided, and returns the result. It is advisable to use this API for small incremental changes. For wholesale changes, it is recommended to use the 'Replace' version of the API.
AccessListBindAdd AccessListObjBind AccessListReturnStatus Adds a binding of an ACL with a bind object and returns the result.
AccessListBindDelete AccessListObjBind AccessListReturnStatus Deletes a binding of an ACL with a bind object and returns the result.
AccessListPolicerAdd AccessListPolicer AccessListReturnStatus Adds a policer and returns the result.
AccessListPolicerReplace AccessListPolicer AccessListReturnStatus Changes a policer and returns the result.
AccessListPolicerDelete AccessListPolicer AccessListReturnStatus Deletes a policer and returns the result.
AccessListPileupStart AccessListVoid AccessListReturnStatus Optimization command that tells the server to accumulate the Access List Entries and configure them when AccessListPileupEnd is received. For every AccessList RPC invocation, the entire ACL is applied to the system. Applications that want to batch changes for better performance can use AccessListPileupStart and AccessListPileupEnd to achieve that.
AccessListPileupEnd AccessListVoid AccessListReturnStatus Optimization command that tells the server to accumulate the ace_list and configure it when AccessListPileupEnd is received. For every AccessList RPC invocation, the entire ACL is applied to the system. Applications that want to batch changes for better performance can use AccessListPileupStart and AccessListPileupEnd to achieve that.
AccessListCounterGet AccessListCounter AccessListCounterVal Points to note about this API: the call blocks for up to 10 seconds in the worst case, and this is not configurable. The counter name is expected to be fully resolved. For example, for a term-specific policer counter, the full counter name is expected to be passed.
AccessListPolicerCounterGet AccessListCounter AccessListCounterVal
AccessListCounterClear AccessListCounter AccessListReturnStatus Clears a particular counter, associated with an ACL, whose fully qualified name is provided. Points to note about this API: currently only 1 counter get is supported. The counter name is expected to be fully resolved. For example, for a term-specific policer counter, the full counter name is expected to be passed.
AccessListCounterBulkGet AccessListCounterBulk AccessListCounterVal Gets all the counters associated with an ACL. Each call to this API returns 10 counters from the starting_index specified in the AccessListCounterBulk message. The client is expected to call this API in a loop, which should stop when any one of the following conditions is met: a. The targeted number of counters has been retrieved. b. An error is returned. c. The API returns fewer than 10 counters.
AccessListPolicerCounterBulkGet AccessListCounterBulk AccessListCounterVal Gets all the policer counters associated with an ACL. Each call to this API returns 10 counters from the starting_index specified in the AccessListCounterBulk message. The client is expected to call this API in a loop, which should stop when any one of the following conditions is met: a. The targeted number of counters has been retrieved. b. An error is returned. c. The API returns fewer than 10 counters.
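
The paging loop described for AccessListCounterBulkGet and AccessListPolicerCounterBulkGet, as an added example (not code from the proto file or from the vendor). `fetch_page` is a hypothetical wrapper around one RPC call; the zero-based starting_index, the `(status, counters)` return shape and the `max_calls` bound are assumptions of this example, and the fake server is constructed test data.

```python
from typing import Callable, List, Tuple

# Status codes from AccessListReturnVal on this page.
ACL_STATUS_EOK = 0
ACL_STATUS_BS_TIMEOUT = 6
PAGE_SIZE = 10  # counters returned per bulk-get call, per the RPC description

Counter = Tuple[str, int]
# Hypothetical wrapper: sends one AccessListCounterBulk request with the given
# starting_index and returns (status, counters in that page).
FetchPage = Callable[[int], Tuple[int, List[Counter]]]


class BulkGetError(Exception):
    """Raised when the server returns a non-success status mid-loop."""

    def __init__(self, status: int, partial: List[Counter]):
        super().__init__(f"bulk get failed with status {status}")
        self.status = status
        self.partial = partial  # counters collected before the failure


def collect_counters(fetch_page: FetchPage, target: int,
                     max_calls: int = 1000) -> List[Counter]:
    """Page through counters until one of the documented stop conditions."""
    collected: List[Counter] = []
    index = 0  # assumption: starting_index is zero-based
    for _ in range(max_calls):  # hard bound so a faulty server cannot spin us
        status, page = fetch_page(index)
        if status != ACL_STATUS_EOK:        # condition b: an error is returned
            raise BulkGetError(status, collected)
        if len(page) > PAGE_SIZE:           # reply breaks the documented contract
            raise ValueError(f"server returned {len(page)} counters in one page")
        collected.extend(page)
        if len(collected) >= target:        # condition a: target count reached
            return collected[:target]
        if len(page) < PAGE_SIZE:           # condition c: short page, no more data
            return collected
        index += len(page)
    raise RuntimeError("max_calls exceeded before a stop condition was met")


def make_fake_server(total: int, fail_at: int = -1) -> FetchPage:
    """Constructed stand-in for the device; fails with BS_TIMEOUT at fail_at."""
    counters = [(f"counter-{i}", i * 100) for i in range(total)]

    def fetch(start: int) -> Tuple[int, List[Counter]]:
        if 0 <= fail_at <= start:
            return ACL_STATUS_BS_TIMEOUT, []
        return ACL_STATUS_EOK, counters[start:start + PAGE_SIZE]

    return fetch
```

Keeping the partial result on `BulkGetError` lets a monitoring job record what it did retrieve and distinguish an ACL_STATUS_BS_TIMEOUT from an ACL that simply has few counters.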

Scalar Value Types

| .proto Type | Notes | C++ Type | Java Type | Python Type |
|---|---|---|---|---|
| double | | double | double | float |
| float | | float | float | float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
| sfixed32 | Always four bytes. | int32 | int | int |
| sfixed64 | Always eight bytes. | int64 | long | int/long |
| bool | | bool | boolean | boolean |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |