Thrift module: firewall

Module: firewall
Services: FirewallService
Data types: AccessList, AccessListBindObjType, AccessListCounter, AccessListCounterVal,
  AccessListFamilies, AccessListFlags, AccessListObjBind, AccessListPolicer,
  AccessListReturnStatus, AccessListReturnVal, AccessListTypes, AclActionCounter,
  AclActionPolicer, AclActionRoutingInstance, AclAdjacency, AclAdjacencyType,
  AclBindDirection, AclBooleanType, AclEntry, AclEntryActionRejectReason,
  AclEntryInetAction, AclEntryInetNonTerminatingAction, AclEntryInetTerminatingAction,
  AclEntryMatchInet, AclEntryOperation, AclFragmentFlags, AclInetEntry, AclLossPriority,
  AclMatchDscpCode, AclMatchIcmpCode, AclMatchIcmpType, AclMatchIflNameIndex,
  AclMatchIpAddress, AclMatchOperation, AclMatchPktLen, AclMatchPort, AclMatchProtocol,
  AclMatchTtl, AclPolicerBurstSize, AclPolicerFlags, AclPolicerParameter, AclPolicerRate,
  AclPolicerTwoColor, AclPolicerType, IpAddress, Precedence
Constants: SERVICE_NAME

Constants

Constant      Type    Value
SERVICE_NAME  string  "FirewallService"

Enumerations

Enumeration: AclBooleanType

Boolean type used by the match and action structures.

ACL_FALSE  0  False
ACL_TRUE   1  True

Enumeration: AclMatchOperation


ACL_MATCH_OP_INVALID    0
ACL_MATCH_OP_EQUAL      1  Match values covered by the condition (range or prefix)
ACL_MATCH_OP_NOT_EQUAL  2  Match values not covered by the condition

Enumeration: AclPolicerType

ACL policer type. Note that AclPolicerParameter below only carries two-color parameters.

ACL_POLICER_INVALID       0
ACL_TWO_COLOR_POLICER     1
ACL_THREE_COLOR_POLICER   2
ACL_HIERARCHICAL_POLICER  3

Enumeration: AclPolicerFlags

Policer Flags

ACL_POLICER_FLAG_INVALID          0
ACL_POLICER_FLAG_TERM_SPECIFIC    1  Policer is specific to one AclEntry
ACL_POLICER_FLAG_FILTER_SPECIFIC  2  Policer is specific to one ACL

Enumeration: AclPolicerRate

Rate unit for the policer bandwidth (bps, Kbps, Mbps, Gbps)

ACL_POLICER_RATE_INVALID  0
ACL_POLICER_RATE_BPS      1
ACL_POLICER_RATE_KBPS     2
ACL_POLICER_RATE_MBPS     3
ACL_POLICER_RATE_GBPS     4

Enumeration: AclPolicerBurstSize


ACL_POLICER_BURST_SIZE_INVALID  0
ACL_POLICER_BURST_SIZE_BYTE     1
ACL_POLICER_BURST_SIZE_KBYTE    2
ACL_POLICER_BURST_SIZE_MBYTE    3
ACL_POLICER_BURST_SIZE_GBYTE    4

Enumeration: AclLossPriority

Loss Priority

ACL_LOSS_PRIORITY_INVALID      0
ACL_LOSS_PRIORITY_HIGH         1
ACL_LOSS_PRIORITY_MEDIUM_HIGH  2
ACL_LOSS_PRIORITY_MEDIUM_LOW   3
ACL_LOSS_PRIORITY_LOW          4

Enumeration: AclEntryActionRejectReason

Reason returned to the sender when a packet is rejected (ICMP unreachable codes, or a TCP reset).

ACL_ACTION_REJECT_REASON_INVALID                0
ACL_ACTION_REJECT_ADMINISTRATIVELY_PROHIBITED   1
ACL_ACTION_REJECT_BAD_HOST_TOS                  2
ACL_ACTION_REJECT_BAD_NETWORK_TOS               3
ACL_ACTION_REJECT_FRAGMENTATION_NEEDED          4
ACL_ACTION_REJECT_HOST_PROHIBITED               5
ACL_ACTION_REJECT_HOST_UNKNOWN                  6
ACL_ACTION_REJECT_HOST_UNREACHABLE              7
ACL_ACTION_REJECT_NETWORK_PROHIBITED            8
ACL_ACTION_REJECT_NETWORK_UNKNOWN               9
ACL_ACTION_REJECT_NETWORK_UNREACHABLE          10
ACL_ACTION_REJECT_PORT_UNREACHABLE             11
ACL_ACTION_REJECT_PRECEDENCE_CUTOFF            12
ACL_ACTION_REJECT_PRECEDENCE_VIOLATION         13
ACL_ACTION_REJECT_PROTOCOL_UNREACHABLE         14
ACL_ACTION_REJECT_SOURCE_HOST_ISOLATED         15
ACL_ACTION_REJECT_SOURCE_ROUTE_FAILED          16
ACL_ACTION_REJECT_TCP_RESET                    17

Enumeration: AclEntryOperation

ACL Entry operation

ACL_ENTRY_OPERATION_INVALID  0
ACL_ENTRY_OPERATION_ADD      1
ACL_ENTRY_OPERATION_DELETE   2
ACL_ENTRY_OPERATION_REPLACE  3

Enumeration: AclAdjacencyType

Adjacency Type

ACL_ADJACENCY_NONE    0
ACL_ADJACENCY_AFTER   1
ACL_ADJACENCY_BEFORE  2

Enumeration: AclFragmentFlags

Fragment Flags

ACL_FRAGMENT_NONE   0
ACL_DONT_FRAGMENT   1
ACL_IS_FRAGMENT     2
ACL_FIRST_FRAGMENT  3
ACL_LAST_FRAGMENT   4

Enumeration: Precedence

IP precedence values

ACL_PRECEDENCE_ROUTINE           0
ACL_PRECEDENCE_PRIORITY          1
ACL_PRECEDENCE_IMMEDIATE         2
ACL_PRECEDENCE_FLASH             3
ACL_PRECEDENCE_FLASH_OVERRIDE    4
ACL_PRECEDENCE_CRITICAL_ECP      5
ACL_PRECEDENCE_INTERNET_CONTROL  6
ACL_PRECEDENCE_NET_CONTROL       7

Enumeration: AccessListFamilies

AccessList Families. Currently only inet family firewall ACLs are supported.

ACL_FAMILY_INVALID  0
ACL_FAMILY_INET     1  IPv4 family

Enumeration: AccessListFlags

Any proprietary flag to be enabled at the ACL level.

ACL_FLAGS_NONE  0  None

Enumeration: AccessListTypes

AccessList types. Currently only classic is supported.

ACL_TYPE_INVALID  0
ACL_TYPE_CLASSIC  1  Classic ACL type

Enumeration: AclBindDirection

AccessList Bind Direction

ACL_BIND_DIRECTION_INVALID  0
ACL_BIND_DIRECTION_INPUT    1  Bind on ingress
ACL_BIND_DIRECTION_OUTPUT   2  Bind on egress

Enumeration: AccessListReturnVal

Status codes returned by the service. No value 6 is defined in this module.

ACL_STATUS_INVALID           0
ACL_STATUS_EOK               1  Success
ACL_STATUS_NULL_MESSAGE      2
ACL_STATUS_EINVALID_MESSAGE  3
ACL_STATUS_EINTERNAL         4
ACL_STATUS_EUNSUPPORTED_OP   5
ACL_STATUS_NO_RESOURCE       7
ACL_STATUS_BS_TIMEOUT        8

Enumeration: AccessListBindObjType


ACL_BIND_OBJ_TYPE_INVALID    0
ACL_BIND_OBJ_TYPE_INTERFACE  1

Data structures

Struct: AclPolicerTwoColor

Key  Field       Type                 Requiredness  Description
1    bw_unit     AclPolicerRate       default       Bandwidth unit
2    bandwidth   i64                  default       Bandwidth rate
3    burst_unit  AclPolicerBurstSize  default       Burst unit
4    burst_size  i64                  default       Burst size
5    lp          AclLossPriority      optional      Loss priority
6    fc_string   string               optional      Forwarding class, given as a string
7    discard     AclBooleanType       optional      Discard action

Policer parameter for 2 color policer

Union: AclPolicerParameter

Key  Field                Type                Requiredness  Description
1    two_color_parameter  AclPolicerTwoColor  default       Parameters for a two-color policer

ACL Policer parameter

Struct: AccessListPolicer

Key  Field           Type                 Requiredness  Description
1    policer_name    string               required      Policer name (less than 64 characters)
2    policer_type    AclPolicerType       default       Policer type
3    policer_flag    AclPolicerFlags      default       Policer flags
4    policer_params  AclPolicerParameter  default       Policer parameters

A Policer

Union: IpAddress

Key  Field        Type    Requiredness  Description
1    addr_string  string  optional      Address in text form
2    addr_bytes   binary  optional      Address in raw byte form

Struct: AclMatchIpAddress

Key  Field       Type               Requiredness  Description
1    addr        IpAddress          default       Address to match (source or destination, depending on the list the condition appears in)
2    prefix_len  i32                default       Prefix length
3    match_op    AclMatchOperation  default       Match operation

Address match condition

Struct: AclMatchPort

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum port (source or destination, depending on the list the condition appears in)
2    max       i32                default       Maximum port
3    match_op  AclMatchOperation  default       Match operation

Port match condition

Struct: AclMatchDscpCode

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum DSCP code
2    max       i32                default       Maximum DSCP code
3    match_op  AclMatchOperation  default       Match operation

DSCP (diffserv code point) match condition

Struct: AclMatchProtocol

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum protocol number
2    max       i32                default       Maximum protocol number
3    match_op  AclMatchOperation  default       Match operation

IP Protocol match condition

Struct: AclMatchIcmpType

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum ICMP type
2    max       i32                default       Maximum ICMP type
3    match_op  AclMatchOperation  default       Match operation

ICMP type match condition

Struct: AclMatchIcmpCode

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum ICMP code
2    max       i32                default       Maximum ICMP code
3    match_op  AclMatchOperation  default       Match operation

ICMP code match condition

Struct: AclMatchPktLen

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum packet length
2    max       i32                default       Maximum packet length
3    match_op  AclMatchOperation  default       Match operation

Packet length match condition

Struct: AclMatchTtl

Key  Field     Type               Requiredness  Description
1    min       i32                default       Minimum time to live
2    max       i32                default       Maximum time to live
3    match_op  AclMatchOperation  default       Match operation

TTL (Time to live) match condition for IPv4

Struct: AclActionPolicer

Key  Field    Type               Requiredness  Description
1    policer  AccessListPolicer  default       The policer

Police the matching packets

Struct: AclActionCounter

Key  Field         Type    Requiredness  Description
1    counter_name  string  default       Counter name (up to 64 characters)

Count the matching packets

Struct: AclActionRoutingInstance

Key  Field             Type    Requiredness  Description
1    rt_instance_name  string  default       Routing-instance name (up to 64 characters)

Direct matching packets to a routing-instance

Struct: AclAdjacency

Key  Field     Type              Requiredness  Description
1    type      AclAdjacencyType  default       Type of adjacency placement
2    ace_name  string            default       Name of the existing ACL entry that the new entry is placed before or after

Adjacency details for ACE placement

Union: AclMatchIflNameIndex

Key  Field      Type    Requiredness  Description
1    ifl_name   string  default       IFL name
2    ifl_index  i32     default       IFL index

Struct: AclEntryMatchInet

Key  Field            Type                     Requiredness  Description
1    match_dst_addrs  list<AclMatchIpAddress>  optional      List of destination addresses
2    match_src_addrs  list<AclMatchIpAddress>  optional      List of source addresses
3    match_dst_ports  list<AclMatchPort>       optional      List of destination ports
4    match_src_ports  list<AclMatchPort>       optional      List of source ports
5    match_dscp_code  list<AclMatchDscpCode>   optional      List of DSCP code points
6    match_protocols  list<AclMatchProtocol>   optional      List of protocols
7    match_icmp_type  list<AclMatchIcmpType>   optional      List of ICMP types
8    match_icmp_code  list<AclMatchIcmpCode>   optional      List of ICMP codes
9    match_pkt_len    list<AclMatchPktLen>     optional      List of packet lengths
10   match_ttl        list<AclMatchTtl>        optional      List of TTLs
11   fragment_flags   AclFragmentFlags         optional      Fragment type
13   ifl_names        AclMatchIflNameIndex     optional      Interface name (IFL with unit, e.g. ge-0/0/1.0)

An ACL match. Field key 12 is not defined in this module.
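The match structures above only give min/max ranges, prefixes and a match operation; the page does not spell out how a packet is tested against a list of them. The following added example (not JET or Thrift-generated code) mirrors AclMatchIpAddress, the shared min/max shape of AclMatchPort, AclMatchProtocol and AclMatchTtl, and AclEntryMatchInet as plain dataclasses, and evaluates an entry against a constructed packet header. Its semantics are assumptions, not taken from the page: conditions within one list are OR'd, a condition with ACL_MATCH_OP_NOT_EQUAL excludes what it covers even when another condition in the same list would match, a list holding only NOT_EQUAL conditions matches everything else, and the populated lists are AND'd. The `Packet` type and `MGMT_SSH` example are constructed for illustration.

```python
"""Client-side evaluation of an AclEntryMatchInet against a packet header (added example, not JET code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

ACL_MATCH_OP_INVALID, ACL_MATCH_OP_EQUAL, ACL_MATCH_OP_NOT_EQUAL = 0, 1, 2  # AclMatchOperation values


@dataclass
class AclMatchIpAddress:
    addr: str  # the addr_string form of the IpAddress union
    prefix_len: int
    match_op: int = ACL_MATCH_OP_EQUAL

    def covers(self, ip: str) -> bool:
        net = ipaddress.ip_network(f"{self.addr}/{self.prefix_len}", strict=False)
        return ipaddress.ip_address(ip) in net


@dataclass
class AclMatchRange:
    """Shape shared by AclMatchPort, AclMatchProtocol, AclMatchTtl and the other min/max conditions."""
    min: int
    max: int
    match_op: int = ACL_MATCH_OP_EQUAL

    def covers(self, value: int) -> bool:
        return self.min <= value <= self.max


@dataclass
class AclEntryMatchInet:
    match_dst_addrs: List[AclMatchIpAddress] = field(default_factory=list)
    match_src_addrs: List[AclMatchIpAddress] = field(default_factory=list)
    match_dst_ports: List[AclMatchRange] = field(default_factory=list)
    match_src_ports: List[AclMatchRange] = field(default_factory=list)
    match_protocols: List[AclMatchRange] = field(default_factory=list)
    match_ttl: List[AclMatchRange] = field(default_factory=list)


@dataclass
class Packet:  # constructed header summary for testing, not a Thrift type
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    ttl: int = 64


def _field_matches(conditions, value) -> bool:
    """Assumed semantics for one match list: EQUAL conditions are OR'd, any NOT_EQUAL hit excludes."""
    if not conditions:
        return True  # field not specified: no constraint
    if any(c.match_op == ACL_MATCH_OP_INVALID for c in conditions):
        raise ValueError("match_op not set on a match condition")
    if any(c.covers(value) for c in conditions if c.match_op == ACL_MATCH_OP_NOT_EQUAL):
        return False
    equal = [c for c in conditions if c.match_op == ACL_MATCH_OP_EQUAL]
    return not equal or any(c.covers(value) for c in equal)  # only NOT_EQUAL given: everything else matches


def entry_matches(m: AclEntryMatchInet, pkt: Packet) -> bool:
    """All populated match lists must agree (assumed AND across fields)."""
    return all((
        _field_matches(m.match_dst_addrs, pkt.dst),
        _field_matches(m.match_src_addrs, pkt.src),
        _field_matches(m.match_dst_ports, pkt.dport),
        _field_matches(m.match_src_ports, pkt.sport),
        _field_matches(m.match_protocols, pkt.proto),
        _field_matches(m.match_ttl, pkt.ttl),
    ))


# Constructed example: SSH to 192.0.2.0/24 from 10.0.0.0/8, except from 10.1.0.0/16.
MGMT_SSH = AclEntryMatchInet(
    match_dst_addrs=[AclMatchIpAddress("192.0.2.0", 24)],
    match_src_addrs=[AclMatchIpAddress("10.0.0.0", 8),
                     AclMatchIpAddress("10.1.0.0", 16, ACL_MATCH_OP_NOT_EQUAL)],
    match_protocols=[AclMatchRange(6, 6)],
    match_dst_ports=[AclMatchRange(22, 22)],
)

if __name__ == "__main__":
    print(entry_matches(MGMT_SSH, Packet("10.2.3.4", "192.0.2.10", 6, 40000, 22)))  # True
    print(entry_matches(MGMT_SSH, Packet("10.1.3.4", "192.0.2.10", 6, 40000, 22)))  # False
```

The point of running such a check before calling AccessListAdd is that the NOT_EQUAL interaction is where filters go wrong: a list that mixes EQUAL and NOT_EQUAL conditions, or one that contains only NOT_EQUAL conditions, matches a different set than a reader skimming the entry expects. Confirm the device's actual semantics against the vendor documentation before relying on this model.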

Union: AclEntryInetTerminatingAction

Key  Field           Type                        Requiredness  Description
1    action_accept   AclBooleanType              default       Accept the matching packets
2    action_discard  AclBooleanType              default       Discard the matching packets
3    action_reject   AclEntryActionRejectReason  default       Reject the matching packets with the given reason
4    action_rt_inst  AclActionRoutingInstance    default       Direct matching packets to a routing instance

A terminating ACL action. This is a Thrift union, so exactly one member is set.

Union: AclEntryInetNonTerminatingAction

Key  Field          Type              Requiredness  Description
1    action_count   AclActionCounter  optional      Count the matching packets
2    action_log     AclBooleanType    optional      Log the matching packets
3    action_syslog  AclBooleanType    optional      Syslog the matching packets
4    action_police  AclActionPolicer  optional      Police the matching packets. The policer must already exist (see AccessListPolicerAdd) before it is referenced.
5    action_sample  AclBooleanType    optional      Sample the matching packets

A non-terminating ACL action. This is a Thrift union, so an entry carries at most one non-terminating action.

Struct: AclEntryInetAction

Key  Field       Type                              Requiredness  Description
1    actions_nt  AclEntryInetNonTerminatingAction  default       Non-terminating action
2    action_t    AclEntryInetTerminatingAction     default       One terminating action

An ACL Action

Struct: AclInetEntry

Key  Field      Type                Requiredness  Description
1    ace_name   string              default       AclEntry name (less than 64 characters)
2    ace_op     AclEntryOperation   default       AclEntry operation
3    adjacency  AclAdjacency        default       Adjacency
4    matches    AclEntryMatchInet   optional      Matches
5    actions    AclEntryInetAction  optional      Actions

An Inet ACL entry

Struct: AclEntry

Key  Field       Type          Requiredness  Description
1    inet_entry  AclInetEntry  default       For the inet family

An ACL entry; one member per supported address family (currently only inet).

Struct: AccessList

Key  Field       Type                Requiredness  Description
1    acl_name    string              default       AccessList name (less than 64 characters)
2    acl_type    AccessListTypes     default       AccessList type
3    acl_family  AccessListFamilies  default       AccessList family
4    acl_flag    AccessListFlags     optional      AccessList flag
5    ace_list    list<AclEntry>      optional      List of ACL entries

An ACL

Struct: AccessListCounter

Key  Field         Type        Requiredness  Description
1    acl           AccessList  default       Access list
2    counter_name  string      default       Counter name

Struct: AccessListCounterVal

Key  Field         Type                 Requiredness  Description
1    counter_name  string               default       Counter name
2    status        AccessListReturnVal  default       Error status
3    bytes         i64                  default       Byte count
4    packets       i64                  default       Packet count

Struct: AccessListObjBind

Key  Field           Type                   Requiredness  Description
1    acl             AccessList             default       Access list
2    obj_type        AccessListBindObjType  default       Bind object type
3    bind_object     string                 default       Name of the object the ACL is bound to
4    bind_direction  AclBindDirection       default       Bind direction
5    bind_family     AccessListFamilies     default       Family on the bind object; must match the ACL family

Per forwarding element ACL bindings

Struct: AccessListReturnStatus

Key  Field    Type                 Requiredness  Description
1    status   AccessListReturnVal  default       Return status
2    err_str  string               default       Error description when the call does not succeed


Services

Service: FirewallService

Firewall Service APIs

Function: FirewallService.AccessListAdd

AccessListReturnStatus AccessListAdd(AccessList acl)
Adds an ACL and returns the result.

Parameters

Name  Description
acl   AccessList. Requiredness: required.

Function: FirewallService.AccessListDelete

AccessListReturnStatus AccessListDelete(AccessList acl)
Delete an ACL from the system and return the result. For successful delete to happen, the ACL should not be bound to any object.

Parameters

Name  Description
acl   AccessList. Requiredness: required.

Function: FirewallService.AccessListChange

AccessListReturnStatus AccessListChange(AccessList acl)
Changes an ACL based on the list of ACL entries provided, and returns the result. Use this API for small incremental changes; for wholesale changes, the 'Replace' version of the API is recommended (no AccessList Replace function is listed in this service definition; only policers have a Replace call).

Parameters

Name  Description
acl   AccessList. Requiredness: required.

Function: FirewallService.AccessListBindAdd

AccessListReturnStatus AccessListBindAdd(AccessListObjBind bind_obj)
Add a binding of an ACL with a bind object and return the result.

Parameters

Name      Description
bind_obj  Bind object

Function: FirewallService.AccessListBindDelete

AccessListReturnStatus AccessListBindDelete(AccessListObjBind bind_obj)
Deletes a binding of an ACL with a bind object and return the result.

Parameters

Name      Description
bind_obj  Bind object

Function: FirewallService.AccessListPolicerAdd

AccessListReturnStatus AccessListPolicerAdd(AccessListPolicer policer)
Adds a policer and returns the result.

Parameters

Name     Description
policer  AccessListPolicer. Requiredness: required.

Function: FirewallService.AccessListPolicerReplace

AccessListReturnStatus AccessListPolicerReplace(AccessListPolicer policer)
Changes a policer and returns the result.

Parameters

Name     Description
policer  AccessListPolicer. Requiredness: required.

Function: FirewallService.AccessListPolicerDelete

AccessListReturnStatus AccessListPolicerDelete(AccessListPolicer policer)
Deletes a policer and returns the result.

Parameters

Name     Description
policer  AccessListPolicer. Requiredness: required.
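The function descriptions above state several ordering rules without showing them together: a policer has to exist before an entry references it, an ACL cannot be deleted while it is bound, a binding's family must match the ACL family, and AccessListChange applies each entry's ace_op with AclAdjacency deciding where an added entry lands. The following added example is an in-memory model that enforces those rules, written here to show how a client can pre-check a change set before sending it; it is not JET code and not Thrift-generated. It mirrors the relevant types with minimal dataclasses (matches and actions are collapsed to an optional policer name), and two points are assumptions, not taken from the page: an ADD with ACL_ADJACENCY_NONE appends at the end, and a violated precondition is reported as ACL_STATUS_EINVALID_MESSAGE with a descriptive err_str.

```python
"""In-memory model of FirewallService ordering and precondition rules (added example, not JET code)."""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACL_FAMILY_INET = 1
ACL_STATUS_EOK, ACL_STATUS_EINVALID_MESSAGE, ACL_STATUS_EUNSUPPORTED_OP = 1, 3, 5
ACL_ENTRY_OPERATION_ADD, ACL_ENTRY_OPERATION_DELETE, ACL_ENTRY_OPERATION_REPLACE = 1, 2, 3
ACL_ADJACENCY_NONE, ACL_ADJACENCY_AFTER, ACL_ADJACENCY_BEFORE = 0, 1, 2

AccessListReturnStatus = namedtuple("AccessListReturnStatus", "status err_str", defaults=[""])
_OK = AccessListReturnStatus(ACL_STATUS_EOK)

def _err(msg: str, status: int = ACL_STATUS_EINVALID_MESSAGE) -> AccessListReturnStatus:
    return AccessListReturnStatus(status, msg)  # assumed: precondition failures use EINVALID_MESSAGE

@dataclass
class AclInetEntry:  # reduced: matches and actions collapse to an optional policer reference
    ace_name: str
    ace_op: int = ACL_ENTRY_OPERATION_ADD
    adjacency: Tuple[int, Optional[str]] = (ACL_ADJACENCY_NONE, None)  # (type, reference ace_name)
    policer: Optional[str] = None  # actions.actions_nt.action_police.policer.policer_name

@dataclass
class AccessList:
    acl_name: str
    acl_family: int = ACL_FAMILY_INET
    ace_list: List[AclInetEntry] = field(default_factory=list)

class FirewallServiceModel:
    def __init__(self) -> None:
        self.terms: Dict[str, List[AclInetEntry]] = {}  # ordered entries per ACL
        self.family: Dict[str, int] = {}
        self.policers: set = set()
        self.bindings: Dict[str, List[Tuple[str, int]]] = {}  # acl_name -> [(bind_object, direction)]

    def AccessListPolicerAdd(self, policer_name: str) -> AccessListReturnStatus:
        self.policers.add(policer_name)
        return _OK

    def _first_error(self, entries: List[AclInetEntry]) -> Optional[AccessListReturnStatus]:
        for e in entries:  # validate everything up front so a bad entry leaves the ACL untouched
            if not 0 < len(e.ace_name) < 64:
                return _err("ace_name must be 1-63 characters")
            if e.policer is not None and e.policer not in self.policers:
                return _err(f"policer {e.policer!r} must be added before it is referenced")
        return None

    def AccessListAdd(self, acl: AccessList) -> AccessListReturnStatus:
        if not 0 < len(acl.acl_name) < 64 or acl.acl_name in self.terms:
            return _err("acl_name missing, too long, or already present")
        if bad := self._first_error(acl.ace_list):
            return bad
        self.terms[acl.acl_name], self.family[acl.acl_name] = list(acl.ace_list), acl.acl_family
        return _OK

    def AccessListChange(self, acl: AccessList) -> AccessListReturnStatus:
        terms = self.terms.get(acl.acl_name)
        if terms is None:
            return _err(f"ACL {acl.acl_name!r} does not exist")
        if bad := self._first_error(acl.ace_list):
            return bad
        for e in acl.ace_list:  # apply each ace_op in the order given
            names = [t.ace_name for t in terms]
            if e.ace_op in (ACL_ENTRY_OPERATION_DELETE, ACL_ENTRY_OPERATION_REPLACE):
                if e.ace_name not in names:
                    return _err(f"entry {e.ace_name!r} not found")
                idx = names.index(e.ace_name)
                if e.ace_op == ACL_ENTRY_OPERATION_DELETE:
                    del terms[idx]
                else:
                    terms[idx] = e
            elif e.ace_op == ACL_ENTRY_OPERATION_ADD:
                if e.ace_name in names:
                    return _err(f"entry {e.ace_name!r} already exists")
                kind, ref = e.adjacency
                if kind == ACL_ADJACENCY_NONE:
                    terms.append(e)  # assumed: no adjacency given means append at the end
                elif ref in names:
                    terms.insert(names.index(ref) + (kind == ACL_ADJACENCY_AFTER), e)
                else:
                    return _err(f"adjacency reference {ref!r} not found")
            else:
                return _err("unsupported ace_op", ACL_STATUS_EUNSUPPORTED_OP)
        return _OK

    def AccessListBindAdd(self, acl_name: str, bind_object: str, direction: int, bind_family: int):
        if bind_family != self.family.get(acl_name):
            return _err("unknown ACL, or bind_family does not match the ACL family")
        self.bindings.setdefault(acl_name, []).append((bind_object, direction))
        return _OK

    def AccessListDelete(self, acl: AccessList) -> AccessListReturnStatus:
        if self.bindings.get(acl.acl_name):
            return _err("ACL is still bound; delete its bindings first")
        if self.terms.pop(acl.acl_name, None) is None:
            return _err(f"ACL {acl.acl_name!r} does not exist")
        self.family.pop(acl.acl_name)
        return _OK
```

Because entries in a change set are applied in order, an ADD whose adjacency refers to an entry that a later DELETE in the same set removes will still succeed, while the reverse order fails with "adjacency reference not found"; validating the whole set before mutating anything, as `_first_error` does for names and policers, is what keeps a rejected call from leaving a half-applied ACL.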

Function: FirewallService.AccessListCounterGet

AccessListCounterVal AccessListCounterGet(AccessListCounter acl_counter)
Returns the byte and packet counts for one counter. Points to note: the call blocks for a worst case of 10 seconds, which is not configurable, and the counter name must be fully resolved (for example, for a term-specific policer counter, pass the full counter name).

Parameters

Name         Description
acl_counter  AccessListCounter. Requiredness: required.

Function: FirewallService.AccessListCounterClear

AccessListReturnStatus AccessListCounterClear(AccessListCounter acl_counter)
Clears one counter and returns the result. Points to note: only one counter per call is currently supported, and the counter name must be fully resolved (for example, for a term-specific policer counter, pass the full counter name).

Parameters

Name         Description
acl_counter  AccessListCounter. Requiredness: required.