


  module ietf-policy-object {

    yang-version 1.1;

    namespace
      "urn:ietf:params:xml:ns:yang:ietf-policy-object";

    prefix policy-object;

    import ietf-inet-types {
      prefix inet;
      reference
        "RFC 6991 - Common YANG Data Types.";


    }
    import ietf-yang-types {
      prefix yang;
      reference
        "RFC 6991 - Common YANG Data Types.";


    }
    import iana-crypt-hash {
      prefix ianach;
      reference
        "RFC7317 - A YANG Data Model for System Management.";


    }
    import ietf-packet-fields {
      prefix pf;
      reference
        "draft-ietf-netmod-acl-model - Network Access Control List (ACL) YANG Data Model.";


    }

    organization
      "IETF I2NSF (Interface To Network Security Functions) Working Group";

    contact
      "WG Web: http://tools.ietf.org/wg/i2nsf/
    WG List: i2nsf@ietf.org

    Editor: Liang Xia
            frank.xialiang@huawei.com
    Editor: Qiushi Lin
            linqiushi@huawei.com";

    description
      "This YANG module defines groupings that are used by ietf-policy-object YANG module. Their usage is not limited to ietf-policy-object and can be used anywhere as applicable.";

    revision "2018-10-12" {
      description "Initial version.";
      reference
        "draft-xia-i2nsf-sec-object-dm-01";

    }


    typedef address-set-name {
      // Name of an address object or of an address group, 1..63 characters.
      description
        "This type represents an address object or an address group name.";
      type string {
        length "1..63";
      }
    }

    typedef service-set-name {
      // Name of a service object or of a service group, 1..63 characters.
      description
        "This type represents a service object or a service group name.";
      type string {
        length "1..63";
      }
    }

    typedef port-range {
      // One end (start or end) of a port range. The value space is the
      // full uint16 range, i.e. the same as inet:port-number.
      description
        "This type represents a port number, which may be a start port of a port range or an end port of a port range.";
      type uint16;
    }

    typedef proto-id-range {
      // IP protocol number. uint8 already spans exactly 0..255, so the
      // explicit range restriction of the original definition is redundant
      // and is omitted here; the value space is unchanged.
      description
        "This type represents the range of protocol id.";
      type uint8;
    }

    // Symbolic names for well-known ICMPv4 messages. Each enum's description
    // records the (type, code) pair it stands for; the enum value itself is
    // only an ordinal and carries no protocol meaning.
    typedef icmp-name-type {
      type enumeration {
        enum "echo" {
          value 0;
          description
            "ICMP type number 8, ICMP code number 0";
        }
        enum "echo-reply" {
          value 1;
          description
            "ICMP type number 0, ICMP code number 0";
        }
        enum "fragmentneed-DFset" {
          value 2;
          description
            "ICMP type number 3, ICMP code number 4";
        }
        enum "host-redirect" {
          value 3;
          description
            "ICMP type number 5, ICMP code number 1";
        }
        enum "host-tos-redirect" {
          value 4;
          description
            "ICMP type number 5, ICMP code number 3";
        }
        enum "host-unreachable" {
          value 5;
          description
            "ICMP type number 3, ICMP code number 1";
        }
        enum "information-reply" {
          value 6;
          description
            "ICMP type number 16, ICMP code number 0";
        }
        enum "information-request" {
          value 7;
          description
            "ICMP type number 15, ICMP code number 0";
        }
        enum "net-redirect" {
          value 8;
          description
            "ICMP type number 5, ICMP code number 0";
        }
        enum "net-tos-redirect" {
          value 9;
          description
            "ICMP type number 5, ICMP code number 2";
        }
        enum "net-unreachable" {
          value 10;
          description
            "ICMP type number 3, ICMP code number 0";
        }
        enum "parameter-problem" {
          value 11;
          description
            "ICMP type number 12, ICMP code number 0";
        }
        enum "port-unreachable" {
          value 12;
          description
            "ICMP type number 3, ICMP code number 3";
        }
        enum "protocol-unreachable" {
          value 13;
          description
            "ICMP type number 3, ICMP code number 2";
        }
        enum "reassembly-timeout" {
          value 14;
          description
            "ICMP type number 11, ICMP code number 1";
        }
        enum "source-quench" {
          value 15;
          description
            "ICMP type number 4, ICMP code number 0";
        }
        // NOTE(review): "soute" is presumably a typo for "route" (type 3,
        // code 5 is Source Route Failed). The enum name is kept as is because
        // renaming an enum breaks instance data already using it; a rename
        // would need a new revision with the old name marked deprecated.
        enum "source-soute-failed" {
          value 16;
          description
            "ICMP type number 3, ICMP code number 5";
        }
        enum "timestamp-reply" {
          value 17;
          description
            "ICMP type number 14, ICMP code number 0";
        }
        enum "timestamp-request" {
          value 18;
          description
            "ICMP type number 13, ICMP code number 0";
        }
        enum "ttl-exceeded" {
          value 19;
          description
            "ICMP type number 11, ICMP code number 0";
        }
      }
      description
        "This type is an enumeration of ICMP type names.";
    }

    // Symbolic names for well-known ICMPv6 messages. Each enum's description
    // records the (type, code) pair it stands for; the enum value itself is
    // only an ordinal and carries no protocol meaning.
    typedef icmp6-name-type {
      type enumeration {
        enum "redirect" {
          value 0;
          description
            "ICMPv6 type number 137, ICMPv6 code number 0";
        }
        enum "echo" {
          value 1;
          description
            "ICMPv6 type number 128, ICMPv6 code number 0";
        }
        enum "echo-reply" {
          value 2;
          description
            "ICMPv6 type number 129, ICMPv6 code number 0";
        }
        enum "err-Header-field" {
          value 3;
          description
            "ICMPv6 type number 4, ICMPv6 code number 0";
        }
        enum "frag-time-exceeded" {
          value 4;
          description
            "ICMPv6 type number 3, ICMPv6 code number 1";
        }
        enum "hop-limit-exceeded" {
          value 5;
          description
            "ICMPv6 type number 3, ICMPv6 code number 0";
        }
        enum "host-admin-prohib" {
          value 6;
          description
            "ICMPv6 type number 1, ICMPv6 code number 1";
        }
        enum "host-unreachable" {
          value 7;
          description
            "ICMPv6 type number 1, ICMPv6 code number 3";
        }
        enum "neighbor-advertisement" {
          value 8;
          description
            "ICMPv6 type number 136, ICMPv6 code number 0";
        }
        enum "neighbor-solicitation" {
          value 9;
          description
            "ICMPv6 type number 135, ICMPv6 code number 0";
        }
        enum "network-unreachable" {
          value 10;
          description
            "ICMPv6 type number 1, ICMPv6 code number 0";
        }
        enum "packet-too-big" {
          value 11;
          description
            "ICMPv6 type number 2, ICMPv6 code number 0";
        }
        enum "port-unreachable" {
          value 12;
          description
            "ICMPv6 type number 1, ICMPv6 code number 4";
        }
        enum "router-advertisement" {
          value 13;
          description
            "ICMPv6 type number 134, ICMPv6 code number 0";
        }
        enum "router-solicitation" {
          value 14;
          description
            "ICMPv6 type number 133, ICMPv6 code number 0";
        }
        enum "unknown-ipv6-opt" {
          value 15;
          description
            "ICMPv6 type number 4, ICMPv6 code number 2";
        }
        enum "unknown-next-hdr" {
          value 16;
          description
            "ICMPv6 type number 4, ICMPv6 code number 1";
        }
      }
      description
        "This type is an enumeration of ICMPv6 type names.";
    }

    typedef protocol {
      // Transport protocol a user-defined application rule is bound to.
      description
        "The protocol of user-defined application rule:tcp/udp/any.";
      type enumeration {
        enum "tcp" {
          description "tcp protocol";
          value 0;
        }
        enum "udp" {
          description "udp protocol";
          value 1;
        }
        enum "any" {
          description "any protocol";
          value 2;
        }
      }
    }

    typedef mode {
      // Whether a signature keyword is searched within a single packet or
      // across the packets of a flow.
      description
        "The mode of keyword identification to identify user-defined applications. If the keyword exists in one packet, the mode is Packet. If the keyword exists in multiple packets, the mode is Flow.";
      type enumeration {
        enum "flow" {
          description
            "Keyword exists in multiple packets";
          value 0;
        }
        enum "packet" {
          description
            "Keyword exists in one packet";
          value 1;
        }
      }
    }

    typedef direction {
      // Which side of the client/server exchange is inspected for a
      // signature: towards the server, from the server, or both.
      description
        "The data flow direction that is monitored to identify user-defined applications:request/response/both. Request indicates that data to the server is monitored to detect applications, Response indicates that data from the server is monitored to detect applications, and Both indicates that data from and to the server is monitored to detect applications.";
      type enumeration {
        enum "request" {
          description
            "Request indicates that data to the server is monitored to detect applications.";
          value 0;
        }
        enum "response" {
          description
            "Response indicates that data from the server is monitored to detect applications.";
          value 1;
        }
        enum "both" {
          description
            "Both indicates that data from and to the server is monitored to detect applications.";
          value 2;
        }
      }
    }

    typedef pattern-type {
      // How the keyword of an application rule is interpreted: as a literal
      // string ("plain") or as a regular expression ("regular").
      description
        "The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression.";
      type enumeration {
        enum "regular" {
          description
            "Regular indicates that the keyword of the match pattern is not a fixed string, it is represented by regular expression.";
          value 0;
        }
        enum "plain" {
          description
            "Plain indicates that the keyword of the match pattern is a fixed string.";
          value 1;
        }
      }
    }

    typedef user-name {
      // A user name, 1..63 characters.
      description
        "This type represents a user name.";
      type string {
        length "1..63";
      }
    }

    typedef user-group-name {
      // A user group name, 1..63 characters.
      description
        "This type represents a user group name.";
      type string {
        length "1..63";
      }
    }

    typedef user-security-group-name {
      // A security group name, 1..63 characters.
      description
        "This type represents a security group name.";
      type string {
        length "1..63";
      }
    }

    typedef ip-mac-binding-type {
      // Binding mode between a user and an IP/MAC address pair. In both
      // modes the user must log in from the bound addresses; the modes differ
      // in whether other users may share the same addresses.
      description
        "The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users.  In bidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses cannot be used by other bidirectional binding users.";
      type enumeration {
        enum "bidirectional" {
          description
            "Bidirectional binding indicates that a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses cannot be used by other bidirectional binding users.";
          value 0;
        }
        enum "unidirectional" {
          description
            "Unidirectional binding indicates that a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users.";
          value 1;
        }
      }
    }

    typedef time-range-name {
      // A time-range name, 1..32 characters (shorter than the other object
      // names in this module, which allow up to 63).
      description
        "This type represents a time-range name.";
      type string {
        length "1..32";
      }
    }

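    typedef hour-minute-second {
      // Time of day as hh:mm:ss. YANG patterns use XSD regex syntax and are
      // implicitly anchored. [0-9] is used instead of \d so that only ASCII
      // digits match (\d also matches other Unicode decimal digits), and each
      // field is range-checked (hours 0-23, minutes and seconds 0-59) so that
      // values such as "99:99:99", which the original pattern accepted, are
      // rejected. One- or two-digit fields remain accepted, as before.
      type string {
        pattern '([01]?[0-9]|2[0-3]):[0-5]?[0-9]:[0-5]?[0-9]';
      }
      description
        "The representation of Hour, Minute, Second - hh:mm:ss (hours 0-23, minutes 0-59, seconds 0-59).";
    }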

    typedef weekday {
      // Day of the week, numbered 0 (Sunday) through 6 (Saturday).
      description
        "A type modeling the weekdays in the Greco-Roman tradition.";
      type enumeration {
        enum "sunday" {
          description "Sunday of the week";
          value 0;
        }
        enum "monday" {
          description "Monday of the week";
          value 1;
        }
        enum "tuesday" {
          description "Tuesday of the week";
          value 2;
        }
        enum "wednesday" {
          description "Wednesday of the week";
          value 3;
        }
        enum "thursday" {
          description "Thursday of the week";
          value 4;
        }
        enum "friday" {
          description "Friday of the week";
          value 5;
        }
        enum "saturday" {
          description "Saturday of the week";
          value 6;
        }
      }
    }

    typedef region-name {
      // Name of a location or of a location set. Unlike the other name types
      // in this module, no length restriction is applied.
      description
        "This type represents a location or location set name.";
      type string;
    }

    typedef region-longitude {
      // Longitude. NOTE(review): modelled as an unconstrained string even
      // though the description states a numeric range; a decimal64 with
      // fraction-digits 2 and range "-180.00..180.00" would let the model
      // enforce that range instead of leaving it to the implementation.
      description
        "This type represents a region longitude number(-180.00 - 180.00).";
      type string;
    }

    typedef region-latitude {
      // Latitude. NOTE(review): modelled as an unconstrained string even
      // though the description states a numeric range; a decimal64 with
      // fraction-digits 2 and range "-90.00..90.00" would let the model
      // enforce that range instead of leaving it to the implementation.
      description
        "This type represents a region latitude number(-90.00 - 90.00).";
      type string;
    }

    typedef domain-name {
      // Name of a domain *object* (a policy object), 1..63 characters. This is
      // not a DNS name; inet:domain-name from ietf-inet-types is the type for
      // those.
      description
        "This type represents a domain object name.";
      type string {
        length "1..63";
      }
    }

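    identity protocol-field {
      // Root of the protocol-field identity tree, used as the base of the
      // identityref in the signature "field" leaf. A root identity has no
      // "base" statement of its own: the original carried a dangling "base"
      // keyword with no argument, which is not valid YANG (the argument is
      // mandatory), so it is removed here.
      description
        "Base type of protocol field.";
    }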

    identity general-payload {
      // Signature is matched against the whole packet payload.
      description
        "The field of signature is general-payload.";
      base protocol-field;
    }

    identity http-method {
      // Signature is matched against the HTTP request method.
      description
        "The field of signature is http.method.";
      base protocol-field;
    }

    identity http-uri {
      // Signature is matched against the HTTP request URI.
      description
        "The field of signature is http.uri.";
      base protocol-field;
    }

    identity http-user-agent {
      // Signature is matched against the HTTP User-Agent header.
      description
        "The field of signature is http.user-agent.";
      base protocol-field;
    }

    identity http-host {
      // Signature is matched against the HTTP Host header.
      description
        "The field of signature is http.host.";
      base protocol-field;
    }

    identity http-content-type {
      // Signature is matched against the HTTP Content-Type header.
      description
        "The field of signature is http.content-type.";
      base protocol-field;
    }

    identity http-cookie {
      // Signature is matched against the HTTP Cookie header.
      description
        "The field of signature is http.cookie.";
      base protocol-field;
    }

    identity http-body {
      // Signature is matched against the HTTP message body.
      description
        "The field of signature is http.body.";
      base protocol-field;
    }

    // Advertised by NSFs that let operators define their own application
    // objects; gates the user-defined-application container below.
    feature user-defined-application {
      description
        "This feature means the NSF supports user-defined application function that can be used to define application rule.";
    }

    // Advertised by NSFs that accept IPv6 addresses in region objects.
    // NOTE(review): no if-feature in the part of the module shown here refers
    // to this feature; the IPv6 leaves of address-objects are unconditional.
    feature support-ipv6-address {
      description
        "This feature means the NSF support configuring IPv6 addresses for Region Object.";
    }

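    grouping address-objects {
      // Reusable list of named address objects. Each object holds a list of
      // elements and every element carries exactly one kind of address:
      // an IPv4/IPv6 prefix, a MAC address (optionally masked), or an
      // IPv4/IPv6 range. The original description referred to an
      // "address-object-item" grouping that this grouping does not use.
      description
        "This grouping represents a list of address objects. An address object is identified by a unique name and contains a set of IPv4/IPv6 addresses or MAC addresses.";
      list address-object {
        key "name";
        description
          "A list of address objects.";
        leaf name {
          type address-set-name;
          description
            "The name of the address object.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the address object.";
        }

        leaf vpn-instance {
          type string;
          description
            "The name of the vpn-instance.";
        }

        list elements {
          key "elem-id";
          description
            "A list of addresses that belong to a specific address object.";
          leaf elem-id {
            type uint16;
            description
              "The id of the element in address object.";
          }

          choice object-items {
            // Every element must carry an address. Without "mandatory true"
            // an element consisting of nothing but an elem-id was valid, and
            // a policy object with an empty element is ambiguous for the
            // implementation that enforces it.
            mandatory true;
            description
              "Different types of addresses: IPv4, IPv6, MAC.";
            leaf address-ipv4 {
              type inet:ipv4-prefix;
              description
                "A set of IPv4 addresses that are represented by an IPv4 address prefix.";
            }
            leaf address-ipv6 {
              type inet:ipv6-prefix;
              description
                "A set of IPv6 addresses that are represented by an IPv6 address prefix.";
            }

            case mac {
              leaf mac-address {
                type yang:mac-address;
                description
                  "MAC address. This leaf is combined with the mac-address-mask leaf to represent a single MAC address or a set of MAC addresses. If the mac-address-mask leaf is not present, this leaf represents a single MAC address. If the mac-address-mask leaf is set, this leaf represents a range of contiguous MAC addresses.";
              }

              leaf mac-address-mask {
                // NOTE(review): nothing ties this leaf to mac-address, so an
                // element carrying only a mask is schema-valid; a "when"
                // expression on mac-address could make the dependency explicit.
                type yang:mac-address;
                description
                  "If this leaf is not present, the mac-address leaf represents a single MAC address. If this leaf is set, the mac-address leaf represents a range of contiguous MAC addresses.";
              }
            }  // case mac

            case ipv4-range {
              // NOTE(review): the model does not check start-ipv4 <= end-ipv4;
              // that ordering is left to the implementation.
              leaf start-ipv4 {
                type inet:ipv4-address;
                description
                  "The start IPv4 address of an IPv4 address range.";
              }

              leaf end-ipv4 {
                type inet:ipv4-address;
                description
                  "The end IPv4 address of an IPv4 address range.";
              }
            }  // case ipv4-range

            case ipv6-range {
              // NOTE(review): as for ipv4-range, start <= end is not checked
              // by the model.
              leaf start-ipv6 {
                type inet:ipv6-address;
                description
                  "The start IPv6 address of an IPv6 address range.";
              }

              leaf end-ipv6 {
                type inet:ipv6-address;
                description
                  "The end IPv6 address of an IPv6 address range.";
              }
            }  // case ipv6-range
          }  // choice object-items
        }  // list elements
      }  // list address-object
    }  // grouping address-objects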

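    grouping address-groups {
      // Reusable list of address groups; a group is a named set of
      // references to address objects that share the same policy treatment.
      description
        "An address group object is comprised of several address objects that require the same policy enforcement. This grouping represents a list of address groups.";
      list address-group {
        key "name";
        description
          "A list of address group objects.";
        leaf name {
          type address-set-name;
          description
            "The name of the address group.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the address group.";
        }

        leaf vpn-instance {
          type string;
          description
            "The name of the vpn-instance.";
        }

        list elements {
          key "elem-id";
          description
            "A list of the address objects that make up the address group object.";
          leaf elem-id {
            type uint16;
            description
              "The id of the element in address group.";
          }

          leaf addr-object-name {
            // NOTE(review): this is a plain name, not a leafref, because a
            // grouping cannot know where address-objects will be instantiated.
            // Referential integrity (the named address object exists) is
            // therefore not enforced by the model and must be checked by the
            // application.
            type address-set-name;
            mandatory true;
            description
              "The name of an address object that belongs to the address group.";
          }
        }  // list elements
      }  // list address-group
    }  // grouping address-groups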

    grouping port-items {
      // Source and destination port selectors for TCP, UDP and SCTP services.
      // Both containers reuse pf:port-range-or-operator from
      // ietf-packet-fields, so a port is given either as a range or as an
      // operator/value pair.
      description
        "This grouping consists of the source port numbers and destination port numbers that represent UDP, TCP or SCTP based services.";
      container source-port {
        uses pf:port-range-or-operator;
        description
          "Source port definition from range or operator.";
      }  // container source-port

      container dest-port {
        uses pf:port-range-or-operator;
        description
          "Destination port definition from range or operator.";
      }  // container dest-port
    }  // grouping port-items

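    grouping service-objects {
      // Service objects: a read-only list of services predefined in the NSF
      // and a configurable list of user-defined services. A user-defined
      // service is a set of items, each describing one protocol-level match
      // (TCP/UDP/SCTP ports, ICMP/ICMPv6 type and code, or a raw IP protocol
      // number).
      description
        "A list of the predefined service objects and user defined service objects.";
      list pre-defined-service {
        key "name";
        config false;
        description
          "A list of the predefined service objects.";
        leaf name {
          type service-set-name;
          config false;
          description
            "The name of the predefined service object.";
        }

        leaf session-aging-time {
          type uint16;
          units "second";
          config false;
          description
            "The aging time of the predefined service object.";
        }
      }  // list pre-defined-service

      list service-object {
        key "name";
        description
          "A list of user defined service objects.";
        leaf name {
          type service-set-name;
          description
            "The name of the service object.";
        }

        leaf session-aging-time {
          type uint16;
          units "second";
          description
            "The aging time of the service object.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the service object.";
        }

        list items {
          key "id";
          description
            "A list of service items that make up a service object.";
          leaf id {
            type uint16;
            description
              "The id of the element in service object.";
          }

          choice item {
            // Every item must describe a match. Without "mandatory true" an
            // item consisting of nothing but an id was valid, and an empty
            // service item is ambiguous for the implementation enforcing it.
            mandatory true;
            description
              "Different types of protocols for service definition.";
            container tcp {
              description
                "TCP based service is recognized by source port number and destination port number. This container reuses the port-items grouping.";
              uses port-items;
            }  // container tcp
            container udp {
              description
                "UDP based service is recognized by source port number and destination port number. This container reuses the port-items grouping.";
              uses port-items;
            }  // container udp
            container sctp {
              description
                "SCTP based service is recognized by source port number and destination port number. This container reuses the port-items grouping.";
              uses port-items;
            }  // container sctp
            // NOTE(review): the ICMP alternative is a shorthand case (the
            // choice itself), whereas ICMPv6 below is wrapped in an explicit
            // "case icmp6-item". Both are valid; the asymmetry is kept because
            // changing the case name would alter the schema tree.
            choice icmp-type {
              description
                "The ICMP based service object and its attributes.";
              leaf icmp-name {
                type icmp-name-type;
                mandatory true;
                description
                  "The ICMP based service is identified by the predefined ICMP name type.";
              }
              container icmp-type-code {
                description
                  "The ICMP based service is recognized by two header fields in the ICMP packets: type field and code field.";
                leaf icmp-type-number {
                  type uint8;
                  mandatory true;
                  description
                    "The ICMP type number.";
                }

                leaf icmp-code-number {
                  // The ICMP code field is an 8-bit header field, like the
                  // type field above; the original "type string" accepted
                  // arbitrary text and so could not be validated by the model.
                  type uint8;
                  mandatory true;
                  description
                    "The ICMP code number.";
                }
              }  // container icmp-type-code
            }  // choice icmp-type

            case icmp6-item {
              description
                "The ICMPv6 based service object and its attributes.";
              choice icmp6-type {
                description
                  "The ICMPv6 based service object and its attributes.";
                leaf icmp6-name {
                  type icmp6-name-type;
                  mandatory true;
                  description
                    "The ICMPv6 based service is identified by the predefined ICMPv6 name type.";
                }
                container icmp6-type-code {
                  description
                    "The ICMPv6 based service is recognized by two header fields in the ICMPv6 packets: type field and code field.";
                  leaf icmp6-type-number {
                    type uint8;
                    mandatory true;
                    description
                      "The ICMPv6 type number.";
                  }

                  leaf icmp6-code-number {
                    // 8-bit header field, as for icmp-code-number; the
                    // original "type string" was unbounded and its
                    // description wrongly said "ICMP" rather than "ICMPv6".
                    type uint8;
                    mandatory true;
                    description
                      "The ICMPv6 code number.";
                  }
                }  // container icmp6-type-code
              }  // choice icmp6-type
            }  // case icmp6-item
            leaf proto-id {
              type proto-id-range;
              mandatory true;
              description
                "IP based service is identified by the value of the protocol field in IP packet header.";
            }
          }  // choice item
        }  // list items
      }  // list service-object
    }  // grouping service-objects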

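    grouping service-groups {
      // Reusable list of service groups; a group is a named set of
      // references to service objects that share the same policy treatment.
      description
        "A service group object is comprised of several service objects that require the same policy enforcement. This grouping represents a list of service groups.";
      list service-group {
        key "name";
        description
          "A list of service group objects.";
        leaf name {
          type service-set-name;
          description
            "The name of the service group.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the service group.";
        }

        list items {
          key "id";
          description
            "A list of the service objects that make up the service group object.";
          leaf id {
            type uint16;
            description
              "The id of the element in service group.";
          }

          leaf service-object-name {
            // NOTE(review): a plain name rather than a leafref, because a
            // grouping cannot know where service-objects will be instantiated.
            // Referential integrity (the named service object exists) is not
            // enforced by the model and must be checked by the application.
            type service-set-name;
            mandatory true;
            description
              "The name of a service object that belongs to the service group.";
          }
        }  // list items
      }  // list service-group
    }  // grouping service-groups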

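    grouping application-objects {
      // Application objects: a configurable list of user-defined applications
      // (only when the NSF advertises the user-defined-application feature)
      // and a read-only list of the applications predefined in the NSF. The
      // original description mentioned only the predefined list.
      description
        "Application objects: user-defined application objects, when the user-defined-application feature is supported, and the read-only list of predefined application objects.";
      container user-defined-application {
        if-feature user-defined-application;
        description
          "When the NSF supports user-defined application function, this container is used to configure application objects.";
        container applications {
          description
            "When the NSF supports user-defined application function, these are a list of user-defined application objects.";
          list application {
            key "name";
            description
              "A list of user-defined application objects.";
            leaf name {
              // NOTE(review): unbounded string key, unlike the other object
              // names in this module which are limited to 63 characters.
              type string;
              description
                "The name of user-defined application object.";
            }

            leaf-list label {
              type string;
              description
                "A list of labels for user-defined application.";
            }

            leaf data-model {
              type string;
              description
                "The data transmission model of user-defined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF.";
            }

            leaf category {
              type string;
              description
                "The category of user-defined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category.";
            }

            leaf subcategory {
              type string;
              description
                "The subcategory of user-defined application. ";
            }

            leaf risk-value {
              // State data inside a configurable list: reported, not set.
              type uint32;
              config false;
              description
                "The risk value of the user-defined application (state data, not configurable).";
            }

            leaf desc {
              type string;
              description
                "The description information of user-defined application.";
            }

            list rule {
              key "name";
              description
                "The rule used to identify the user-defined application.";
              leaf name {
                type string;
                description
                  "The name of the user-defined application rule.";
              }

              leaf protocol {
                type protocol;
                description
                  "The protocol that user-defined application is based on.";
              }

              container signature {
                description
                  "The signature/characteristics of user-defined application.";
                leaf mode {
                  // Uses the "mode" typedef (flow/packet) defined in this
                  // module, as "direction" and "pattern-type" below use
                  // theirs; the original left this as an unconstrained
                  // string, so any value was accepted.
                  type mode;
                  description
                    "The mode of keyword identification. If the keyword exists in one packet, the mode is Packet. If the keyword exists in multiple packets, the mode is Flow.";
                }

                leaf direction {
                  type direction;
                  description
                    "The traffic direction for application identification. Request indicates that data to the server is detected, Response indicates that data from the server is detected, and Both indicates that data from and to the server is detected.";
                }

                leaf pattern-type {
                  type pattern-type;
                  description
                    "The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression.";
                }

                leaf pattern {
                  // NOTE(review): when pattern-type is "regular" this string is
                  // a regular expression that the NSF evaluates against traffic.
                  // The model places no bound on its length or complexity, so
                  // an implementation should validate and limit the patterns it
                  // accepts before compiling them.
                  type string;
                  description
                    "The keyword of user-defined application rule.";
                }

                leaf field {
                  type identityref {
                    base protocol-field;
                  }
                  default 'general-payload';
                  description
                    "The protocol field to search for a signature. The default protocol field is General-payload.";
                }
              }  // container signature
            }  // list rule

            leaf-list ip-address {
              type inet:ip-prefix;
              description
                "The destination IPv4/IPv6 address of user-defined application.";
            }

            leaf-list port {
              type inet:port-number;
              description
                "The destination port number of user-defined application.";
            }
          }  // list application
        }  // container applications
      }  // container user-defined-application

      container predefined-application {
        // The whole container is state data; the "config false" on the
        // individual leaves below is inherited and therefore redundant, but
        // harmless.
        config false;
        description
          "The information of all predefined applications.";
        list application {
          key "name";
          description
            "The attributes of a predefined application.";
          leaf name {
            type string;
            config false;
            description
              "The name of the predefined application.";
          }

          leaf-list protocol {
            type string;
            config false;
            description
              "The protocol information of application.";
          }

          leaf risk-value {
            type uint32;
            config false;
            description
              "The risk value of predefined application.";
          }

          leaf-list label {
            type string;
            config false;
            description
              "The label of predefined application,an application may have multiple labels.";
          }

          leaf abandon {
            type boolean;
            config false;
            description
              "The abandon flag of predefined application.";
          }

          leaf multichannel {
            type boolean;
            config false;
            description
              "The multi channel flag of predefined application.";
          }

          leaf data-model {
            type string;
            config false;
            description
              "The data transmission model of the predefined application. Examples are client/server, peer-to-peer. Data transmission models are predefined in the NSF.";
          }

          leaf category {
            type string;
            config false;
            description
              "The category of the predefined application. The value of this leaf is selected from a predefined set of categories, e.g., general category, network category.";
          }

          leaf subcategory {
            type string;
            config false;
            description
              "The name of application subcategory.";
          }

          leaf desc {
            type string;
            config false;
            description
              "The description information of application.";
          }
        }  // list application
      }  // container predefined-application
    }  // grouping application-objects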

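    grouping application-groups {
      description
        "An application group object is comprised of several application objects that require the same policy enforcement. This grouping represents a list of application groups.";
      list application-group {
        key "name";
        description
          "A list of application group objects.";
        leaf name {
          type string;
          description
            "The name of the application group.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the application group.";
        }

        list items {
          key "id";
          unique "application-object-name";
          description
            "The application objects that make up the application group object. Entries are keyed by a local id; the 'unique' statement prevents the same application from being listed twice under different ids.";
          leaf id {
            type uint16;
            description
              "The id of the element in the application group.";
          }

          leaf application-object-name {
            type string;
            mandatory true;
            description
              "The name of an application object (user-defined or predefined) that belongs to the application group. The reference is not expressed as a leafref, so the NSF must verify that the named application object exists.";
          }
        }  // list items
      }  // list application-group
    }  // grouping application-groups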

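    grouping user-objects {
      description "A list of user objects.";
      list user-object {
        key "name aaa-domain";
        description
          "User Object and its attributes. A user is identified by the pair (name, aaa-domain), so the same user name may exist in several AAA domains.";
        leaf name {
          type user-name;
          description
            "The name of the user.";
        }

        leaf aaa-domain {
          type string {
            length "1..64";
          }
          description
            "The name of the AAA domain to which the user belongs.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the user.";
        }

        leaf password {
          type ianach:crypt-hash;
          description
            "The password credential of a user that is authenticated locally on the NSF; it is required for such users. This module does not enforce that with 'mandatory', so the NSF must reject a locally authenticated user that has no password. The ianach:crypt-hash type (RFC 7317) stores and returns a salted hash rather than the password: a client may set the value in the type's cleartext '$0$' form, which the server hashes before storing and does not return in cleartext. Even the hash is sensitive, so read access to this leaf SHOULD be restricted to administrators.";
        }

        leaf parent-user-group {
          type user-group-name;
          description
            "The name of the parent group. User objects and user groups are in a hierarchical structure. A user object can only belong to one user group.";
        }

        leaf-list parent-security-group {
          type user-security-group-name;
          max-elements 40;
          description
            "The names of the parent security groups. A user object can belong to several security groups.";
        }

        container expiration-time {
          description
            "User expiration time. One of the two cases should be configured; when neither is present this module leaves the account's expiry unspecified, so operators SHOULD set it explicitly rather than rely on an implementation default.";
          choice expiration-type {
            description
              "Two types of user expiration configurations.";
            leaf never-expire {
              type empty;
              description
                "Presence indicates that the user never expires.";
            }
            leaf expiration-time {
              type yang:date-and-time;
              description
                "The date and time after which the user is expired. The value carries its own time-zone offset (yang:date-and-time).";
            }
          }  // choice expiration-type
        }  // container expiration-time

        container ip-mac-binding {
          description
            "Whether there are IP/MAC addresses bound to the user.";
          must "no-binding or ip-binding or mac-binding or ip-mac-bindings" {
            error-message
              "A binding must list at least one IP address, MAC address or IP/MAC pair.";
            description
              "Selecting the 'binding' case without any address would bind the user to nothing while still being reported as bound.";
          }
          choice bind-state {
            description
              "The binding state: no-binding, binding.";
            leaf no-binding {
              type empty;
              mandatory true;
              description
                "No binding: Indicates that a user is not bound to any IP or MAC address.";
            }

            case binding {
              leaf bind-mode {
                type ip-mac-binding-type;
                description
                  "The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users.  In bidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses cannot be used by other bidirectional binding users. No default is defined by this module; operators SHOULD set this leaf explicitly so that the enforcement mode is not left to the implementation.";
              }

              leaf-list ip-binding {
                type inet:ip-address;
                description
                  "An IPv4 or IPv6 address bound to the user. (Earlier revisions accepted IPv4 only, leaving IPv6 clients unbindable; every IPv4 value remains valid.)";
              }

              leaf-list mac-binding {
                type yang:mac-address;
                description
                  "The MAC address bound to the user.";
              }

              list ip-mac-bindings {
                key "ip-binding";
                unique "mac-binding";
                description
                  "Configure the IP address and MAC address pairs bound to the user.";
                leaf ip-binding {
                  type inet:ip-address;
                  description
                    "The bound IPv4 or IPv6 address.";
                }

                leaf mac-binding {
                  type yang:mac-address;
                  description
                    "The bound MAC address.";
                }
              }  // list ip-mac-bindings
            }  // case binding
          }  // choice bind-state
        }  // container ip-mac-binding
      }  // list user-object
    }  // grouping user-objects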

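    grouping security-groups {
      description
        "A list of security groups.";
      list security-group {
        key "name";
        description
          "Security group and its attributes.";
        leaf name {
          type user-security-group-name;
          description
            "The name of the security-group.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the security-group.";
        }

        leaf-list parent-security-group {
          type user-security-group-name;
          max-elements 40;
          must ". != ../name" {
            error-message
              "A security group cannot be its own parent.";
            description
              "Rejects the trivial cycle; longer cycles through intermediate groups are not detected by this module and must be rejected by the NSF.";
          }
          description
            "The names of the parent security groups; a security group may have several parents.";
        }

        container filter-action {
          description
            "The filter type of the security group, static or dynamic. A dynamic security group is populated by the NSF from its filter rules, so at least one rule is required.";
          choice filter-type {
            description
              "The filter type: static, dynamic.";
            leaf static {
              type empty;
              mandatory true;
              description
                "Empty leaf indicates that this is a static security group whose membership is assigned explicitly.";
            }

            case dynamic {
              leaf dynamic {
                type empty;
                mandatory true;
                description
                  "Empty leaf indicates that this is a dynamic security group.";
              }

              leaf-list filter-rule {
                type string {
                  length "1..256";
                }
                min-elements 1;
                max-elements 5;
                description
                  "Filter rules for the dynamic security group. The rule syntax is not defined by this module and is interpreted by the NSF. Because a rule decides which users receive the group's policy treatment, the NSF SHOULD validate it and changes to it SHOULD be audited.";
              }
            }  // case dynamic
          }  // choice filter-type
        }  // container filter-action
      }  // list security-group
    }  // grouping security-groups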

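    grouping user-groups {
      description "A list of user groups";
      list user-group {
        key "name";
        description
          "User group and its attributes.";
        leaf name {
          type user-group-name;
          description
            "The name of the user group.";
        }

        leaf desc {
          type string {
            length "1..127";
          }
          description
            "The description of the user group. (Widened from 63 to 127 characters to match the 'desc' leaves of the other object types.)";
        }

        leaf parent-user-group {
          type user-group-name;
          must ". != ../name" {
            error-message
              "A user group cannot be its own parent.";
            description
              "Rejects the trivial cycle; longer cycles through intermediate groups are not detected by this module and must be rejected by the NSF.";
          }
          description
            "The name of the parent user group. A user group can only belong to one parent user group, so the hierarchy is expected to form a tree.";
        }
      }  // list user-group
    }  // grouping user-groups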

    grouping time-range-objects {
      description
        "A list of time range objects, each combining periodic (weekly) ranges and absolute (calendar) ranges.";
      list time-range-object {
        description
          "A time range object and its attributes.";
        key "name";
        leaf name {
          description
            "The name of the time range object.";
          type time-range-name;
        }

        list period-time {
          description
            "A periodic time range: a start and end time of day that recurs on the listed weekdays. Whether a range whose end precedes its start wraps past midnight is not defined by this module.";
          key "start end";
          leaf start {
            description
              "Start time of the periodic time range (hh:mm:ss).";
            type hour-minute-second;
            mandatory true;
          }

          leaf end {
            description
              "End time of the periodic time range (hh:mm:ss).";
            type hour-minute-second;
            mandatory true;
          }

          leaf-list weekday {
            description
              "The weekdays on which the periodic time range applies; at least one is required.";
            type weekday;
            min-elements 1;
            max-elements 7;
          }
        }  // list period-time

        list absolute-time {
          description
            "An absolute date-and-time range. Both bounds carry a time-zone offset (yang:date-and-time); this module does not enforce that start precedes end.";
          key "start end";
          leaf start {
            description
              "Absolute start date and time.";
            type yang:date-and-time;
          }

          leaf end {
            description
              "Absolute end date and time.";
            type yang:date-and-time;
          }
        }  // list absolute-time
      }  // list time-range-object
    }  // grouping time-range-objects

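    grouping region-objects {
      description
        "A list of predefined region objects and a list of user-defined region objects.";
      list pre-defined-region {
        key "name";
        config false;
        description
          "A list of predefined region objects. The whole list is operational state (config false); the per-leaf 'config false' statements below restate the inherited value.";
        leaf name {
          type region-name;
          config false;
          description
            "The name of the predefined region.";
        }

        leaf desc {
          type string;
          config false;
          description
            "The description of the predefined region.";
        }

        container region-ipv4-address {
          description
            "The IPv4 addresses of the predefined region.";
          leaf-list address-ipv4 {
            type inet:ipv4-prefix;
            config false;
            description "IPv4 prefix.";
          }

          list address-ipv4-range {
            key "start-ipv4 end-ipv4";
            description
              "A list of IPv4 address ranges, inclusive of both ends.";
            leaf start-ipv4 {
              type inet:ipv4-address;
              config false;
              description
                "Start IPv4 address.";
            }

            leaf end-ipv4 {
              type inet:ipv4-address;
              config false;
              description
                "End IPv4 address.";
            }
          }  // list address-ipv4-range
        }  // container region-ipv4-address

        container region-ipv6-address {
          if-feature support-ipv6-address;
          description
            "The IPv6 addresses of the predefined region.";
          leaf-list address-ipv6 {
            type inet:ipv6-prefix;
            config false;
            description "IPv6 prefix.";
          }

          list address-ipv6-range {
            key "start-ipv6 end-ipv6";
            description
              "A list of IPv6 address ranges, inclusive of both ends.";
            leaf start-ipv6 {
              type inet:ipv6-address;
              config false;
              description
                "Start IPv6 address.";
            }

            leaf end-ipv6 {
              type inet:ipv6-address;
              config false;
              description
                "End IPv6 address.";
            }
          }  // list address-ipv6-range
        }  // container region-ipv6-address
      }  // list pre-defined-region

      list user-defined-region {
        key "name";
        description
          "A list of user-defined region objects.";
        leaf name {
          type region-name;
          description
            "The name of the user-defined region.";
        }

        leaf desc {
          type string;
          description
            "The description of the user-defined region.";
        }

        container coordinate {
          description
            "The longitude and latitude of the user-defined region.";
          leaf longitude {
            type region-longitude;
            description
              "The longitude of the user-defined region.";
          }

          leaf latitude {
            type region-latitude;
            description
              "The latitude of the user-defined region.";
          }
        }  // container coordinate

        container region-ipv4-address {
          description
            "The IPv4 addresses of the user-defined region.";
          leaf-list address-ipv4 {
            type inet:ipv4-prefix;
            description "IPv4 prefix.";
          }

          list address-ipv4-range {
            key "start-ipv4 end-ipv4";
            description
              "A list of IPv4 address ranges, inclusive of both ends. This module does not verify that the start address is not greater than the end address; the NSF must reject an inverted range rather than treat it as empty or as match-all.";
            leaf start-ipv4 {
              type inet:ipv4-address;
              description
                "Start IPv4 address.";
            }

            leaf end-ipv4 {
              type inet:ipv4-address;
              description
                "End IPv4 address.";
            }
          }  // list address-ipv4-range
        }  // container region-ipv4-address

        container region-ipv6-address {
          if-feature support-ipv6-address;
          description
            "The IPv6 addresses of the user-defined region.";
          leaf-list address-ipv6 {
            type inet:ipv6-prefix;
            description "IPv6 prefix.";
          }

          list address-ipv6-range {
            key "start-ipv6 end-ipv6";
            description
              "A list of IPv6 address ranges, inclusive of both ends. This module does not verify that the start address is not greater than the end address; the NSF must reject an inverted range rather than treat it as empty or as match-all.";
            leaf start-ipv6 {
              type inet:ipv6-address;
              description
                "Start IPv6 address.";
            }

            leaf end-ipv6 {
              type inet:ipv6-address;
              description
                "End IPv6 address.";
            }
          }  // list address-ipv6-range
        }  // container region-ipv6-address
      }  // list user-defined-region
    }  // grouping region-objects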

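    grouping region-groups {
      description
        "A list of region group objects.";
      list region-group {
        key "name";
        description
          "Region group consists of a set of region objects or region groups.";
        leaf name {
          type region-name;
          description
            "The name of the region group.";
        }

        leaf desc {
          type string;
          description
            "The description of the region group.";
        }

        leaf-list region-name {
          type region-name;
          description
            "The region objects (predefined or user-defined) that belong to the group, by name. The reference is not expressed as a leafref, so the NSF must verify that each named region exists.";
        }

        leaf-list region-group-name {
          type region-name;
          must ". != ../name" {
            error-message
              "A region group cannot contain itself.";
            description
              "Rejects the trivial cycle; indirect cycles through other region groups are not detected by this module and must be rejected by the NSF.";
          }
          description
            "The nested region groups that belong to the group, by name.";
        }
      }  // list region-group
    }  // grouping region-groups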

    grouping domain-objects {
      description
        "A list of domain objects, each naming a set of domains.";
      list domain-object {
        description
          "A domain object and its attributes.";
        key "name";
        leaf name {
          description
            "The name of the domain object.";
          type domain-name;
        }

        leaf desc {
          description
            "The description of the domain object.";
          type string;
        }

        leaf-list domain {
          description
            "The domains that make up the domain object. Entries are free-form strings: this module does not restrict them to the inet:domain-name syntax, so whether wildcards, trailing dots or internationalized forms are accepted is implementation-specific.";
          type string;
        }
      }  // list domain-object
    }  // grouping domain-objects
  }  // module ietf-policy-object

Summary

  
  
Organization IETF I2NSF (Interface To Network Security Functions) Working Group
  
Module ietf-policy-object
Version 2018-10-12
File ietf-policy-object@2018-10-12.yang
  
Prefix policy-object
Namespace urn:ietf:params:xml:ns:yang:ietf-policy-object
  
  
Abstract This YANG module defines groupings that are used by ietf-policy-object YANG module. Their usage is not limited to ietf-policy-ob...
  
Contact
WG Web: http://tools.ietf.org/wg/i2nsf/
WG List: i2nsf@ietf.org

Editor: Liang Xia
       frank.xialiang@huawei.com
Editor: Qiushi Lin
       linqiushi@huawei.com

Description

 
This YANG module defines groupings that are used by ietf-policy-object YANG module. Their usage is not limited to ietf-policy-object and can be used anywhere as applicable.

Typedefs

Typedef Base type Abstract
address-set-name string This type represents an address object or an address group name.
direction enumeration The data flow direction that is monitored to identify user-defined applications:request/response/both. Request indicates that data to the server is monitored to detect applications, Response indicates that data from the server is monitored to detect appli...
domain-name string This type represents a domain object name.
hour-minute-second string The representation of Hour, Minute, Second - hh:mm:ss
icmp-name-type enumeration This type is an enumeration of ICMP type names.
icmp6-name-type enumeration This type is an enumeration of ICMPv6 type names.
ip-mac-binding-type enumeration The user and IP/MAC address binding mode: bidirectional, or unidirectional. In unidirectional binding, a user must use the specified IP and MAC addresses to log in. The same IP and MAC addresses can also be used by other users. In bidirectional binding, ...
mode enumeration The mode of keyword identification to identify user-defined applications. If the keyword exists in one packet, the mode is Packet. If the keyword exists in multiple packets, the mode is Flow.
pattern-type enumeration The match pattern of the user-defined application rule. If the keyword is a fixed string, the pattern type is Plain. If the keyword is not a fixed string, the pattern type is Regular Expression.
port-range uint16 This type represents a port number, which may be a start port of a port range or an end port of a port range.
proto-id-range uint8 This type represents the range of protocol id.
protocol enumeration The protocol of user-defined application rule:tcp/udp/any.
region-latitude string This type represents a region latitude number(-90.00 - 90.00).
region-longitude string This type represents a region longitude number(-180.00 - 180.00).
region-name string This type represents a location or location set name.
service-set-name string This type represents a service object or a service group name.
time-range-name string This type represents a time-range name.
user-group-name string This type represents a user group name.
user-name string This type represents a user name.
user-security-group-name string This type represents a security group name.
weekday enumeration A type modeling the weekdays in the Greco-Roman tradition.

Groupings

Grouping Objects Abstract
address-groups address-group An address group object is comprised of several address objects that require the same policy enforcement. This grouping represents a list of address groups.
address-objects address-object This grouping represents a list of address objects. An address object is identified by a unique name and contains a set of IPv4/IPv6 addresses or MAC addresses. This grouping reuse the predefined address-object-item grouping.
application-groups application-group An application group object is comprised of several application objects that require the same policy enforcement. This grouping represents a list of application groups.
application-objects user-defined-application predefined-application A list of predefined application objects.
domain-objects domain-object A list of domain objects.
port-items source-port dest-port This grouping consists of the source port numbers and destination port numbers that represent UDP, TCP or SCTP based services.
region-groups region-group A list of region group objects.
region-objects pre-defined-region user-defined-region A list of predefined region objects and a list of user-defined region objects.
security-groups security-group A list of security groups.
service-groups service-group A service group object is comprised of several service objects that require the same policy enforcement. This grouping represents a list of service groups.
service-objects pre-defined-service service-object A list of the predefined service objects and user defined service objects.
time-range-objects time-range-object A list of time range objects
user-groups user-group A list of user groups
user-objects user-object A list of user objects.