Thrift module: firewall
Constants
Constant | Type | Value |
SERVICE_NAME | string | "FirewallService" |
Enumerations
Enumeration: AclBooleanType
boolean types
ACL_FALSE | 0 | False |
ACL_TRUE | 1 | True |
Enumeration: AclMatchOperation
ACL_MATCH_OP_INVALID | 0 | |
ACL_MATCH_OP_EQUAL | 1 | |
ACL_MATCH_OP_NOT_EQUAL | 2 | |
Enumeration: AclPolicerType
ACL Policer Type
ACL_POLICER_INVALID | 0 | |
ACL_TWO_COLOR_POLICER | 1 | |
ACL_THREE_COLOR_POLICER | 2 | |
ACL_HIERARCHICAL_POLICER | 3 | |
Enumeration: AclPolicerFlags
Policer Flags
ACL_POLICER_FLAG_INVALID | 0 | |
ACL_POLICER_FLAG_TERM_SPECIFIC | 1 | Policer is AclEntry specific |
ACL_POLICER_FLAG_FILTER_SPECIFIC | 2 | Policer is ACL specific |
Enumeration: AclPolicerRate
Rate unit, packet size per second
ACL_POLICER_RATE_INVALID | 0 | |
ACL_POLICER_RATE_BPS | 1 | |
ACL_POLICER_RATE_KBPS | 2 | |
ACL_POLICER_RATE_MBPS | 3 | |
ACL_POLICER_RATE_GBPS | 4 | |
Enumeration: AclPolicerBurstSize
ACL_POLICER_BURST_SIZE_INVALID | 0 | |
ACL_POLICER_BURST_SIZE_BYTE | 1 | |
ACL_POLICER_BURST_SIZE_KBYTE | 2 | |
ACL_POLICER_BURST_SIZE_MBYTE | 3 | |
ACL_POLICER_BURST_SIZE_GBYTE | 4 | |
Enumeration: AclLossPriority
Loss Priority
ACL_LOSS_PRIORITY_INVALID | 0 | |
ACL_LOSS_PRIORITY_HIGH | 1 | |
ACL_LOSS_PRIORITY_MEDIUM_HIGH | 2 | |
ACL_LOSS_PRIORITY_MEDIUM_LOW | 3 | |
ACL_LOSS_PRIORITY_LOW | 4 | |
Enumeration: AclEntryActionRejectReason
ACL_ACTION_REJECT_REASON_INVALID | 0 | |
ACL_ACTION_REJECT_ADMINISTRATIVELY_PROHIBITED | 1 | |
ACL_ACTION_REJECT_BAD_HOST_TOS | 2 | |
ACL_ACTION_REJECT_BAD_NETWORK_TOS | 3 | |
ACL_ACTION_REJECT_FRAGMENTATION_NEEDED | 4 | |
ACL_ACTION_REJECT_HOST_PROHIBITED | 5 | |
ACL_ACTION_REJECT_HOST_UNKNOWN | 6 | |
ACL_ACTION_REJECT_HOST_UNREACHABLE | 7 | |
ACL_ACTION_REJECT_NETWORK_PROHIBITED | 8 | |
ACL_ACTION_REJECT_NETWORK_UNKNOWN | 9 | |
ACL_ACTION_REJECT_NETWORK_UNREACHABLE | 10 | |
ACL_ACTION_REJECT_PORT_UNREACHABLE | 11 | |
ACL_ACTION_REJECT_PRECEDENCE_CUTOFF | 12 | |
ACL_ACTION_REJECT_PRECEDENCE_VIOLATION | 13 | |
ACL_ACTION_REJECT_PROTOCOL_UNREACHABLE | 14 | |
ACL_ACTION_REJECT_SOURCE_HOST_ISOLATED | 15 | |
ACL_ACTION_REJECT_SOURCE_ROUTE_FAILED | 16 | |
ACL_ACTION_REJECT_TCP_RESET | 17 | |
Enumeration: AclEntryOperation
ACL Entry operation
ACL_ENTRY_OPERATION_INVALID | 0 | |
ACL_ENTRY_OPERATION_ADD | 1 | |
ACL_ENTRY_OPERATION_DELETE | 2 | |
ACL_ENTRY_OPERATION_REPLACE | 3 | |
Enumeration: AclAdjacencyType
Adjacency Type
ACL_ADJACENCY_NONE | 0 | |
ACL_ADJACENCY_AFTER | 1 | |
ACL_ADJACENCY_BEFORE | 2 | |
Enumeration: AclFragmentFlags
Fragment Flags
ACL_FRAGMENT_NONE | 0 | |
ACL_DONT_FRAGMENT | 1 | |
ACL_IS_FRAGMENT | 2 | |
ACL_FIRST_FRAGMENT | 3 | |
ACL_LAST_FRAGMENT | 4 | |
Enumeration: Precedence
Precedence
ACL_PRECEDENCE_ROUTINE | 0 | |
ACL_PRECEDENCE_PRIORITY | 1 | |
ACL_PRECEDENCE_IMMEDIATE | 2 | |
ACL_PRECEDENCE_FLASH | 3 | |
ACL_PRECEDENCE_FLASH_OVERRIDE | 4 | |
ACL_PRECEDENCE_CRITICAL_ECP | 5 | |
ACL_PRECEDENCE_INTERNET_CONTROL | 6 | |
ACL_PRECEDENCE_NET_CONTROL | 7 | |
Enumeration: AccessListFamilies
AccessList Families.
Currently only inet family firewall ACLs are supported.
ACL_FAMILY_INVALID | 0 | |
ACL_FAMILY_INET | 1 | IPv4 family |
Enumeration: AccessListFlags
AccessListFlags
Any proprietary flag to be enabled at the ACL level.
Enumeration: AccessListTypes
AccessList types.
Currently only classic is supported.
ACL_TYPE_INVALID | 0 | |
ACL_TYPE_CLASSIC | 1 | Classic ACL type |
Enumeration: AclBindDirection
AccessList Bind Direction
ACL_BIND_DIRECTION_INVALID | 0 | |
ACL_BIND_DIRECTION_INPUT | 1 | Bind on ingress |
ACL_BIND_DIRECTION_OUTPUT | 2 | Bind on egress |
Enumeration: AccessListReturnVal
ACL_STATUS_INVALID | 0 | |
ACL_STATUS_EOK | 1 | success |
ACL_STATUS_NULL_MESSAGE | 2 | |
ACL_STATUS_EINVALID_MESSAGE | 3 | |
ACL_STATUS_EINTERNAL | 4 | |
ACL_STATUS_EUNSUPPORTED_OP | 5 | |
ACL_STATUS_NO_RESOURCE | 7 | |
ACL_STATUS_BS_TIMEOUT | 8 | |
Enumeration: AccessListBindObjType
ACL_BIND_OBJ_TYPE_INVALID | 0 | |
ACL_BIND_OBJ_TYPE_INTERFACE | 1 | |
Data structures
Struct: AclPolicerTwoColor
Key | Field | Type | Description | Requiredness | Default value |
1 | bw_unit | AclPolicerRate | Bandwidth unit | default | |
2 | bandwidth | i64 | Bandwidth rate | default | |
3 | burst_unit | AclPolicerBurstSize | Burst unit | default | |
4 | burst_size | i64 | Burst size | default | |
5 | lp | AclLossPriority | Loss priority | optional | |
6 | fc_string | string | Forwarding class should be provided as a string | optional | |
7 | discard | AclBooleanType | Discard action | optional | |
Policer parameter for 2 color policer
Union: AclPolicerParameter
Key | Field | Type | Description | Requiredness | Default value |
1 | two_color_parameter | AclPolicerTwoColor | | default | |
ACL Policer parameter
Struct: AccessListPolicer
Key | Field | Type | Description | Requiredness | Default value |
1 | policer_name | string | Policer name (Less than 64 characters). Requiredness: required. | default | |
2 | policer_type | AclPolicerType | Policer type | default | |
3 | policer_flag | AclPolicerFlags | Policer Flags | default | |
4 | policer_params | AclPolicerParameter | Policer Parameter | default | |
A Policer
Union: IpAddress
Key | Field | Type | Description | Requiredness | Default value |
1 | addr_string | string | | optional | |
2 | addr_bytes | binary | | optional | |
Struct: AclMatchIpAddress
Key | Field | Type | Description | Requiredness | Default value |
1 | addr | IpAddress | Destination address | default | |
2 | prefix_len | i32 | Destination prefix length | default | |
3 | match_op | AclMatchOperation | | default | |
Address match condition
Struct: AclMatchPort
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum destination port | default | |
2 | max | i32 | Maximum destination port | default | |
3 | match_op | AclMatchOperation | | default | |
Matching Port match condition
Struct: AclMatchDscpCode
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum Dscp code | default | |
2 | max | i32 | Maximum Dscp code | default | |
3 | match_op | AclMatchOperation | | default | |
DSCP (diffserv code point) match condition
Struct: AclMatchProtocol
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum Protocol number | default | |
2 | max | i32 | Maximum Protocol number | default | |
3 | match_op | AclMatchOperation | | default | |
IP Protocol match condition
Struct: AclMatchIcmpType
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum Icmp type | default | |
2 | max | i32 | Maximum Icmp type | default | |
3 | match_op | AclMatchOperation | | default | |
ICMP type match condition
Struct: AclMatchIcmpCode
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum Icmp code | default | |
2 | max | i32 | Maximum Icmp code | default | |
3 | match_op | AclMatchOperation | | default | |
ICMP code match condition
Struct: AclMatchPktLen
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum Packet length | default | |
2 | max | i32 | Maximum Packet length | default | |
3 | match_op | AclMatchOperation | | default | |
Packet length match condition
Struct: AclMatchTtl
Key | Field | Type | Description | Requiredness | Default value |
1 | min | i32 | Minimum Time to live | default | |
2 | max | i32 | Maximum Time to live | default | |
3 | match_op | AclMatchOperation | AclMatch op | default | |
TTL (Time to live) match condition for IPv4
Struct: AclActionPolicer
Key | Field | Type | Description | Requiredness | Default value |
1 | policer | AccessListPolicer | The policer | default | |
Police the matching packets
Struct: AclActionCounter
Key | Field | Type | Description | Requiredness | Default value |
1 | counter_name | string | Counter name (up to 64 characters) | default | |
Count the matching packets
Struct: AclActionRoutingInstance
Key | Field | Type | Description | Requiredness | Default value |
1 | rt_instance_name | string | Policer name (up to 64 characters) | default | |
Direct matching packets to a routing-instance
Struct: AclAdjacency
Key | Field | Type | Description | Requiredness | Default value |
1 | type | AclAdjacencyType | Type of adjacency placement | default | |
2 | ace_name | string | Type of adjacency placement | default | |
Adjacency details of ace placement
Union: AclMatchIflNameIndex
Key | Field | Type | Description | Requiredness | Default value |
1 | ifl_name | string | IFL name | default | |
2 | ifl_index | i32 | IFL index | default | |
Struct: AclEntryMatchInet
An ACL Match
Union: AclEntryInetTerminatingAction
A terminating ACL Action
Union: AclEntryInetNonTerminatingAction
Key | Field | Type | Description | Requiredness | Default value |
1 | action_count | AclActionCounter | Count the matching packets | optional | |
2 | action_log | AclBooleanType | Log the matching packets | optional | |
3 | action_syslog | AclBooleanType | Syslog the matching packets | optional | |
4 | action_police | AclActionPolicer | Police the matching packets. Ensure that the policer exists before it is used. | optional | |
5 | action_sample | AclBooleanType | Sample | optional | |
An ACL NonTerminating Action
Struct: AclEntryInetAction
An ACL Action
Struct: AclInetEntry
An Inet ACL entry
Struct: AclEntry
Key | Field | Type | Description | Requiredness | Default value |
1 | inet_entry | AclInetEntry | For Inet family | default | |
An ACL entry. It can be of one of the family types.
Struct: AccessList
Key | Field | Type | Description | Requiredness | Default value |
1 | acl_name | string | AccessList name (Less than 64 characters) | default | |
2 | acl_type | AccessListTypes | AccessList type | default | |
3 | acl_family | AccessListFamilies | AccessList family | default | |
4 | acl_flag | AccessListFlags | AccessList flag | optional | |
5 | ace_list | list<AclEntry> | List of Destination addresses | optional | |
An ACL
Struct: AccessListCounter
Key | Field | Type | Description | Requiredness | Default value |
1 | acl | AccessList | Access list | default | |
2 | counter_name | string | Counter name | default | |
Struct: AccessListCounterVal
Key | Field | Type | Description | Requiredness | Default value |
1 | counter_name | string | Counter Name | default | |
2 | status | AccessListReturnVal | Error status | default | |
3 | bytes | i64 | Byte count | default | |
4 | packets | i64 | Packet count | default | |
Struct: AccessListObjBind
Key | Field | Type | Description | Requiredness | Default value |
1 | acl | AccessList | Access list | default | |
2 | obj_type | AccessListBindObjType | Access list object type | default | |
3 | bind_object | string | Bind object name where the ACL is to be bound | default | |
4 | bind_direction | AclBindDirection | Bind direction | default | |
5 | bind_family | AccessListFamilies | Family on the bind object. Must match with the ACL family | default | |
Per forwarding element ACL bindings
Struct: AccessListReturnStatus
Key | Field | Type | Description | Requiredness | Default value |
1 | status | AccessListReturnVal | | default | |
2 | err_str | string | | default | |
Services
Service: FirewallService
Firewall Service APIs
Function: FirewallService.AccessListAdd
AccessListReturnStatus AccessListAdd(AccessList acl)
Adds an ACL and returns the result.
Parameters
Name | Description |
acl | AccessList. Requiredness: required. |
Function: FirewallService.AccessListDelete
AccessListReturnStatus AccessListDelete(AccessList acl)
Delete an ACL from the system and return the result.
For successful delete to happen, the ACL should not be bound to any object.
Parameters
Name | Description |
acl | AccessList. Requiredness: required. |
Function: FirewallService.AccessListChange
AccessListReturnStatus AccessListChange(AccessList acl)
Changes an ACL based on the list of ACL entries provided, and returns the result.
It is advisable to use this API for small incremental changes. For wholesale
changes, it is recommended to use the 'Replace' version of the API.
Parameters
Name | Description |
acl | AccessList. Requiredness: required. |
Function: FirewallService.AccessListBindAdd
AccessListReturnStatus AccessListBindAdd(AccessListObjBind bind_obj)
Add a binding of an ACL with a bind object and return the result.
Parameters
Name | Description |
bind_obj | Bind object |
Function: FirewallService.AccessListBindDelete
AccessListReturnStatus AccessListBindDelete(AccessListObjBind bind_obj)
Deletes a binding of an ACL with a bind object and returns the result.
Parameters
Name | Description |
bind_obj | Bind object |
Function: FirewallService.AccessListPolicerAdd
AccessListReturnStatus AccessListPolicerAdd(AccessListPolicer policer)
Adds a policer and returns the result.
Parameters
Name | Description |
policer | AccessList type. Requiredness: required. |
Function: FirewallService.AccessListPolicerReplace
AccessListReturnStatus AccessListPolicerReplace(AccessListPolicer policer)
Changes a policer and returns the result.
Parameters
Name | Description |
policer | AccessList type. Requiredness: required. |
Function: FirewallService.AccessListPolicerDelete
AccessListReturnStatus AccessListPolicerDelete(AccessListPolicer policer)
Deletes a policer and returns the result.
Parameters
Name | Description |
policer | AccessList type. Requiredness: required. |
Function: FirewallService.AccessListCounterGet
AccessListCounterVal AccessListCounterGet(AccessListCounter acl_counter)
A few points to note with this API.
The call blocks for a worst case of 10 seconds, which is not configurable.
The counter name is expected to be fully resolved. For example, for a term-specific policer counter,
the full counter name is expected to be passed.
Parameters
Name | Description |
acl_counter | AccessListCounter. Requiredness: required. |
Function: FirewallService.AccessListCounterClear
AccessListReturnStatus AccessListCounterClear(AccessListCounter acl_counter)
A few points to note with this API. Currently only 1 counter get is supported.
The counter name is expected to be fully resolved. For example, for a term-specific policer counter,
the full counter name is expected to be passed.
Parameters
Name | Description |
acl_counter | AccessListCounter. Requiredness: required. |
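The ordering rules stated across this module (a policer must exist before an ACL entry uses it, bind_family must match the ACL family, an ACL must be unbound before AccessListDelete, ACL and policer names under 64 characters) can be checked offline before any call is sent. The following is an added example, not part of the generated documentation or of the service's own code; it uses plain Python dicts rather than the generated Thrift classes, and `check_plan`, the `uses_policers` key and the sample names are assumptions made for illustration.

```python
# Added example: offline ordering checks for a planned batch of
# FirewallService calls. Dicts stand in for the Thrift structs; the
# "uses_policers" key is a hypothetical flattening of the policers
# referenced by an ACL's action_police entries.
MAX_NAME = 64  # page: ACL and policer names are "Less than 64 characters"

def check_plan(plan):
    """Return [(step_index, message)] for violations of documented rules."""
    policers, families, binds, problems = set(), {}, set(), []
    for i, (call, a) in enumerate(plan):
        name = a.get("policer_name") or a.get("acl_name", "")
        if call in ("AccessListAdd", "AccessListPolicerAdd") and len(name) >= MAX_NAME:
            problems.append((i, f"name of {len(name)} characters is too long"))
        if call == "AccessListPolicerAdd":
            policers.add(name)
        elif call == "AccessListPolicerDelete":
            policers.discard(name)
        elif call == "AccessListAdd":
            for p in a.get("uses_policers", ()):
                if p not in policers:  # policer must exist before use
                    problems.append((i, f"policer {p!r} not added yet"))
            families[name] = a["acl_family"]
        elif call in ("AccessListBindAdd", "AccessListBindDelete"):
            key = (name, a["bind_object"], a["bind_direction"])
            if call == "AccessListBindDelete":
                binds.discard(key)
                continue
            if name in families and families[name] != a["bind_family"]:
                problems.append((i, "bind_family differs from the ACL family"))
            binds.add(key)
        elif call == "AccessListDelete":
            if any(b[0] == name for b in binds):  # must be unbound first
                problems.append((i, f"ACL {name!r} is still bound"))
            else:
                families.pop(name, None)
    return problems

# Constructed sample plan (names are made up, not from a real device).
BIND = {"acl_name": "edge-in", "bind_object": "example-interface.0",
        "bind_direction": "ACL_BIND_DIRECTION_INPUT",
        "bind_family": "ACL_FAMILY_INET"}
PLAN = [
    ("AccessListAdd", {"acl_name": "edge-in", "acl_family": "ACL_FAMILY_INET",
                       "uses_policers": ["limit-10m"]}),
    ("AccessListPolicerAdd", {"policer_name": "limit-10m"}),
    ("AccessListBindAdd", BIND),
    ("AccessListDelete", {"acl_name": "edge-in"}),
]

if __name__ == "__main__":
    for step, msg in check_plan(PLAN):
        print(f"step {step} ({PLAN[step][0]}): {msg}")
```

Reordering the sample so the policer is added first and an AccessListBindDelete precedes the AccessListDelete yields an empty problem list.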