Junos OS acl IDL - Protocol Documentation

firewall_service.proto

This file defines the Access Control List (ACL) package for JUNOS.

An ACL is a basic stateless forwarding construct, also known as a firewall filter. An ACL is made up of an ordered set of ACL entries (ACEs). An ACL matches packet content against a set of criteria and takes an action or actions against the packet if it matches the criteria.

NOTE: A packet must match ALL the criteria in an ACE to be considered a match.

A match is defined by an operation, a packet field, and a value to be matched against. For details about the various packet fields that could be matched and the operations supported for matched packets, see the corresponding enum or message structures that follow.

There are two types of actions that can be taken against matched packets: terminating and non-terminating. Each ACE in an ACL can have zero or more non-terminating actions and zero or one terminating action.

A non-terminating action is one that does not stop the processing of the packet through the rest of the ACL. Non-terminating actions include count, log, assign DSCP value, etc. Terminating actions do prevent the packet from being processed any further through the ACL. Terminating actions include accept, discard, reject, etc.

An attachment point, or bind point, is the point in the path of packet processing where the packet is subjected to ACL processing. An attachment point is defined by the attachment entity and the direction in which the ACL is applied. A typical bind point where packets are subjected to ACL processing is an interface.

The following is an object diagram for a typical ACL.

Legend:

- ACE-1 is the ordered Access List Entry at position 1.
- ACE-n is the ordered Access List Entry at position n.
- M-n is the match number n in the list of matching criteria in a given ACE.
- A-n is the action number n in the list of actions for a given ACE. No more than one action can be a terminating action.


       +-------+-------+-----+-------+
ACL -> | ACE-1 | ACE-2 | ... | ACE-n |
       +-------+-------+-----+-------+
           |
           |      +-----+
           +----->| M-1 |
                  +-----+
                  | M-2 |
                  +-----+
                  | ... |
                  +-----+
                  | M-n |
                  +-----+
                     |
                     |      +-----+
                     +----->| A-1 |
                            +-----+
                            | A-2 |
                            +-----+
                            | ... |
                            +-----+
                            | A-n |
                            +-----+
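An added example (not part of the Juniper documentation or code): a pre-flight lint that applies constraints this page states, namely at most one terminating action per ACE, counter names up to 64 characters, flex bit_length 0-32 and bit_offset 0-7, policers existing before use, adjacency on replace, and bind family matching ACL family. It assumes the request is held as plain Python dicts keyed by the field names documented on this page, with enum values written as their names; `lint_acl`, `known_policers` and the sample data are hypothetical.

```python
# Added example: lint an ACL definition before submitting it.
# Assumption: messages are plain dicts keyed by this page's field names,
# enum values are their names (e.g. "ACL_TRUE").

TERMINATING_BOOL = ("action_accept", "action_discard")    # AclBooleanType fields
TERMINATING_OTHER = ("action_reject", "action_rt_inst")   # set when present


def terminating_actions(action_t):
    """Names of the terminating actions actually requested in action_t."""
    chosen = [k for k in TERMINATING_BOOL if action_t.get(k) == "ACL_TRUE"]
    chosen += [k for k in TERMINATING_OTHER if k in action_t]
    return chosen


def flex_problems(matches):
    """Check the documented ranges of the flexible match fields."""
    out = []
    for wrapper, inner in (("match_flex_range", "flex_range_match"),
                           ("match_flex_mask", "flex_mask_match")):
        for item in matches.get(wrapper, []):
            flex = item.get(inner, {})
            if not 0 <= flex.get("bit_length", 0) <= 32:
                out.append(f"{inner}: bit_length outside 0-32")
            if not 0 <= flex.get("bit_offset", 0) <= 7:
                out.append(f"{inner}: bit_offset outside 0-7")
    return out


def lint_acl(acl, known_policers=(), bind=None):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    for ace in acl.get("ace_list", []):
        entry = ace.get("inet_entry") or ace.get("es_entry") or {}
        name = entry.get("ace_name", "<unnamed>")
        actions = entry.get("actions", {})
        chosen = terminating_actions(actions.get("action_t", {}))
        if len(chosen) > 1:
            problems.append(f"{name}: more than one terminating action {chosen}")
        nt = actions.get("actions_nt", {})
        counter = nt.get("action_count", {}).get("counter_name", "")
        if len(counter) > 64:
            problems.append(f"{name}: counter_name longer than 64 characters")
        policer = nt.get("action_policer", {}).get("policer", {}).get("policer_name")
        if policer is not None and policer not in known_policers:
            problems.append(f"{name}: policer {policer!r} does not exist yet")
        if (entry.get("ace_op") == "ACL_ENTRY_OPERATION_REPLACE"
                and "adjacency" not in entry):
            problems.append(f"{name}: replace without adjacency details")
        problems += [f"{name}: {p}" for p in flex_problems(entry.get("matches", {}))]
    if bind is not None and bind.get("bind_family") != acl.get("acl_family"):
        problems.append("bind_family does not match acl_family")
    return problems


# Constructed sample data, deliberately wrong in six ways.
SAMPLE_ACL = {
    "acl_name": "edge-in",
    "acl_type": "ACL_TYPE_CLASSIC",
    "acl_family": "ACL_FAMILY_INET",
    "ace_list": [
        {"inet_entry": {
            "ace_name": "t1",
            "ace_op": "ACL_ENTRY_OPERATION_ADD",
            "matches": {"match_flex_mask": [{"flex_mask_match": {
                "start_offset": "ACL_FLEX_MATCH_OFFSET_LAYER_FOUR",
                "bit_length": 40, "bit_offset": 0, "byte_offset": 2}}]},
            "actions": {
                "actions_nt": {
                    "action_count": {"counter_name": "c" * 65},
                    "action_policer": {"policer": {"policer_name": "p-missing"}}},
                "action_t": {"action_accept": "ACL_TRUE",
                             "action_reject": "ACL_ACTION_REJECT_TCP_RESET"}}}},
        {"inet_entry": {
            "ace_name": "t2",
            "ace_op": "ACL_ENTRY_OPERATION_REPLACE",
            "actions": {"action_t": {"action_discard": "ACL_TRUE"}}}},
    ],
}
SAMPLE_BIND = {"bind_object": "ge-0/0/1.0",
               "bind_direction": "ACL_BIND_DIRECTION_INPUT",
               "bind_family": "ACL_FAMILY_INET6"}

if __name__ == "__main__":
    for problem in lint_acl(SAMPLE_ACL, known_policers={"p1"}, bind=SAMPLE_BIND):
        print(problem)
```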

AccessList

Access Control List (ACL)

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| acl_name | string | optional | AccessList name |
| acl_type | AccessListTypes | optional | AccessList type |
| acl_family | AccessListFamilies | optional | AccessList family |
| acl_flag | AccessListFlags | optional | AccessList flag |
| ace_list | AclEntry | repeated | List of Destination addresses |

AccessListCounter

Message structure for ACL counters

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| acl | AccessList | optional | Access list |
| counter_name | string | optional | Counter name used with the ACL |

AccessListCounterBulk

Message structure for ACL bulk counter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| acl | AccessList | optional | Access list |
| starting_index | uint32 | optional | Starting index for counter |

AccessListCounterVal

Return counter statistics

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| counter_name | string | optional | Counter Name |
| status | AccessListReturnVal | optional | Error status |
| bytes | uint64 | optional | Byte count |
| packets | uint64 | optional | Packet count |

AccessListObjBind

Per forwarding element ACL binding

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| acl | AccessList | optional | ACL |
| obj_type | AccessListBindObjType | optional | Binding object type |
| bind_object | string | optional | Bind object name where the ACL is to be bound |
| bind_direction | AclBindDirection | optional | Bind direction |
| bind_family | AccessListFamilies | optional | Family on the bind object. Must match with the ACL family |

AccessListPolicer

ACL Policer

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| policer_name | string | optional | Policer name |
| policer_type | AclPolicerType | optional | Policer type |
| policer_flag | AclPolicerFlags | optional | Policer flags |
| policer_params | AclPolicerParameter | optional | Policer parameter |

AccessListReturnStatus

Return message structure for access list status queries

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| status | AccessListReturnVal | optional | Status message |

AccessListVoid

A void message

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| void | string | optional | Void |

AclActionCounter

Counter action

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| counter_name | string | optional | Counter name (up to 64 characters) |

AclActionNextHop

Next hop action

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| nh_idx | uint32 | optional | Index for next hop |

AclActionPolicer

Police the matching packets

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| policer | AccessListPolicer | optional | The policer |

AclActionRoutingInstance

Direct matching packets to a routing-instance

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| rt_instance_name | string | optional | Instance name |

AclAdjacency

Adjacency details of ACE placement

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| type | AclAdjacencyType | optional | Type of adjacency placement |
| ace_name | string | optional | The previous or the next AC |

AclEntry

An ACL entry - One of the listed families.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| inet_entry | AclInetEntry | optional | For Inet family |
| es_entry | AclEsEntry | optional | For Ethernet switching family |

AclEntryEsAction

Available ACL Actions for Ethernet Switching Family

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| actions_nt | AclEntryEsNonTerminatingAction | optional | List of non-terminating actions. |
| action_t | AclEntryEsTerminatingAction | optional | One terminating action |

AclEntryEsNonTerminatingAction

Non-terminating ACL Action

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| action_count | AclActionCounter | optional | Count the matching packets |
| action_log | AclBooleanType | optional | Log the matching packets |
| action_syslog | AclBooleanType | optional | Syslog the matching packets |
| action_policer | AclActionPolicer | optional | Police the matching packets. Ensure that the policer exists before it is used. |
| action_sample | AclBooleanType | optional | Sample |
| action_next_term | AclBooleanType | optional | Next Term |
| action_lp | AclLossPriority | optional | Loss priority |
| action_nh | AclActionNextHop | optional | Next hop |
| action_send_to_host | AclBooleanType | optional | Send to host |

AclEntryEsTerminatingAction

Terminating ACL Actions for Ethernet Switching Family

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| action_accept | AclBooleanType | optional | Accept the matching packets |
| action_discard | AclBooleanType | optional | Discard the matching packets |
| action_reject | AclEntryActionRejectReason | optional | Reject the matching packets |

AclEntryInetAction

ACL Action for IPv4

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| actions_nt | AclEntryInetNonTerminatingAction | optional | List of non-terminating actions. |
| action_t | AclEntryInetTerminatingAction | optional | One terminating action |

AclEntryInetNonTerminatingAction

Non-terminating ACL Action

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| action_count | AclActionCounter | optional | Count the matching packets |
| action_log | AclBooleanType | optional | Log the matching packets |
| action_syslog | AclBooleanType | optional | Syslog the matching packets |
| action_policer | AclActionPolicer | optional | Police the matching packets. Ensure that the policer exists before it is used. |
| action_sample | AclBooleanType | optional | Sample the matching packets |
| action_next_term | AclBooleanType | optional | Next term |

AclEntryInetTerminatingAction

Terminating ACL Action for IPv4

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| action_accept | AclBooleanType | optional | Accept the matching packets |
| action_discard | AclBooleanType | optional | Discard the matching packets |
| action_reject | AclEntryActionRejectReason | optional | Reject the matching packets |
| action_rt_inst | AclActionRoutingInstance | optional | Direct matching packets to a routing instance |

AclEntryMatchEs

An ACL Match for Ethernet Switching Family

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| match_dst_mac_addrs | AclMatchMacAddress | repeated | List of Destination mac addresses |
| match_src_mac_addrs | AclMatchMacAddress | repeated | List of Source mac addresses |
| match_dst_ports | AclMatchPort | repeated | List of Destination ports |
| match_src_ports | AclMatchPort | repeated | List of Source ports |
| match_dscp_code | AclMatchDscpCode | repeated | List of Dscp code points |
| match_protocols | AclMatchProtocol | repeated | List of Protocols |
| match_icmp_type | AclMatchIcmpType | repeated | List of Icmp types |
| match_icmp_code | AclMatchIcmpCode | repeated | List of Icmp codes |
| match_pkt_len | AclMatchPktLen | repeated | List of Packet lengths |
| ifl_names | AclMatchIflNameIndex | repeated | Logical interface (IFL) name with unit or IFL index number. For example, ge-0/0/1.0 or 507. |
| match_ether_type | AclMatchEtherType | repeated | List of Ether type |
| match_learn_vlan_id | AclMatchLearnVlanId | repeated | List of Learn vlan id |
| match_learn_vlan_priority | AclMatchLearnVlanPriority | repeated | List of learn vlan priority |

AclEntryMatchInet

Message structure for inet family ACL matching

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| match_dst_addrs | AclMatchIpAddress | repeated | List of Destination addresses |
| match_src_addrs | AclMatchIpAddress | repeated | List of Source addresses |
| match_dst_ports | AclMatchPort | repeated | List of Destination ports |
| match_src_ports | AclMatchPort | repeated | List of Source ports |
| match_dscp_code | AclMatchDscpCode | repeated | List of Dscp code points |
| match_protocols | AclMatchProtocol | repeated | List of Protocols |
| match_icmp_type | AclMatchIcmpType | repeated | List of Icmp types |
| match_icmp_code | AclMatchIcmpCode | repeated | List of Icmp codes |
| match_pkt_len | AclMatchPktLen | repeated | List of Packet lengths |
| match_ttl | AclMatchTtl | repeated | List of Ttl's |
| fragment_flags | AclFragmentFlags | optional | Fragment flag |
| match_frag_offset | AclMatchFragmentOffset | repeated | List of fragment offset range |
| ifl_names | AclMatchIflNameIndex | repeated | Logical interface (IFL) name with unit or IFL index number. For example, ge-0/0/1.0 or 507. |
| match_ip_precedence | AclMatchIpPrecedence | repeated | List of ip precedence |
| match_addrs | AclMatchIpAddress | repeated | List of Addresses |
| match_ports | AclMatchPort | repeated | List of Ports |
| match_flex_range | AclMatchFlexibleOffsetRange | repeated | List of Flex Ranges |
| match_flex_mask | AclMatchFlexibleOffsetMask | repeated | List of Flex Masks |

AclEsEntry

An Ethernet Switching ACL entry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ace_name | string | optional | AclEntry name |
| ace_op | AclEntryOperation | optional | AclEntry operation |
| adjacency | AclAdjacency | optional | Adjacency |
| matches | AclEntryMatchEs | optional | Matches |
| actions | AclEntryEsAction | optional | Actions |

AclInetEntry

An ACL entry for IPv4

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ace_name | string | optional | AclEntry name |
| ace_op | AclEntryOperation | optional | AclEntry operation |
| adjacency | AclAdjacency | optional | Adjacency |
| matches | AclEntryMatchInet | optional | Matches |
| actions | AclEntryInetAction | optional | Actions |

AclMatchDscpCode

DSCP (diffserv code point) match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Dscp code |
| max | uint32 | optional | Maximum Dscp code |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchEtherType

Ether type match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Ether type |
| max | uint32 | optional | Maximum Ether type |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchFlexOffset

Flex Offset range matches

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum range value |
| max | uint32 | optional | Maximum range value |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchFlexibleMask

Flexible mask match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| start_offset | AclEntryMatchFlexStartOffest | optional | Flex match start offset |
| bit_length | uint32 | optional | Flex match bit length (0 - 32) |
| bit_offset | uint32 | optional | Flex match bit offset (0 - 7) |
| byte_offset | uint32 | optional | Flex match byte offset |
| mask | uint32 | optional | Flex match mask |
| prefix_string | string | optional | 32 Bit, Flex match value in hex format (0x12345678) |

AclMatchFlexibleOffsetMask

Flexible offset mask match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| flex_mask_match | AclMatchFlexibleMask | optional | Flexible mask match |

AclMatchFlexibleOffsetRange

Flexible offset range match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| flex_range_match | AclMatchFlexibleRange | optional | Flex range match |

AclMatchFlexibleRange

Flexible range match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| start_offset | AclEntryMatchFlexStartOffest | optional | Flex match start offset |
| bit_length | uint32 | optional | Flex match bit length (0 - 32) |
| bit_offset | uint32 | optional | Flex match bit offset (0 - 7) |
| byte_offset | uint32 | optional | Flex match byte offset |
| range | AclMatchFlexOffset | optional | Flex match range value |

AclMatchFragmentOffset

Fragment offset match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Fragment offset range start |
| max | uint32 | optional | Fragment offset range start |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchIcmpCode

ICMP code match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Icmp code |
| max | uint32 | optional | Maximum Icmp code |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchIcmpType

ICMP type match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Icmp type |
| max | uint32 | optional | Maximum Icmp type |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchIflNameIndex

Ifl Index or name

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ifl_name | string | optional | Ifl Name |
| ifl_index | uint32 | optional | Ifl Index |

AclMatchIpAddress

Destination Address match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| addr | IpAddress | optional | address |
| prefix_len | uint32 | optional | Destination prefix length |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchIpPrecedence

Ip Precedence match

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | Precedence | optional | Minimum precedence |
| max | Precedence | optional | Maximum precedence |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchLearnVlanId

Learn VLAN Id match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Learn vlan id |
| max | uint32 | optional | Maximum Learn vlan id |
| match_op | AclMatchOperation | optional | ACL Match operation |

AclMatchLearnVlanPriority

Learn VLAN priority match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Learn vlan priority |
| max | uint32 | optional | Maximum Learn vlan priority |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchMacAddress

Mac Address match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| addr | MacAddress | optional | Mac address |
| addr_len | uint32 | optional | Mac address length |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchPktLen

Packet length match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Packet length |
| max | uint32 | optional | Maximum Packet length |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchPort

Port match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | int32 | optional | Minimum port |
| max | int32 | optional | Maximum port |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchProtocol

IP Protocol match condition

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Protocol number |
| max | uint32 | optional | Maximum Protocol number |
| match_op | AclMatchOperation | optional | AclMatch op |

AclMatchTtl

TTL (Time to live) match condition for IPv4

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| min | uint32 | optional | Minimum Time to live |
| max | uint32 | optional | Maximum Time to live |
| match_op | AclMatchOperation | optional | AclMatch op |

AclPolicerHeirarchical

Hierarchical policer parameters

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| aggregate_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| aggregate_rate | uint64 | optional | Bandwidth rate |
| aggregate_burst_size_unit | AclPolicerBurstSize | optional | Burst unit |
| aggregate_burst_size | uint64 | optional | Burst size |
| preminum_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| premium_rate | uint64 | optional | Bandwidth rate |
| premium_burst_size_unit | AclPolicerBurstSize | optional | Burst unit |
| premium_burst_size | uint64 | optional | Burst size |
| discard | AclBooleanType | optional | Discard action |

AclPolicerParameter

Policer Parameter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| two_color_parameter | AclPolicerTwoColor | optional | Two color |
| sr_three_color_parameter | AclPolicerSingleRateThreeColor | optional | Three color |
| tr_three_color_parameter | AclPolicerTwoRateThreeColor | optional | Three color |
| hierarchical_parameter | AclPolicerHeirarchical | optional | Hierarchical |

AclPolicerSingleRateThreeColor

Policer parameter for single rate three color policer

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| committed_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| committed_rate | uint64 | optional | Bandwidth rate |
| committed_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| committed_burst_size | uint64 | optional | Burst size |
| excess_burst_size | uint64 | optional | Burst size |
| excess_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| discard | AclBooleanType | optional | Discard action |
| color_mode | AclColorModeType | optional | Color mode |

AclPolicerTwoColor

Policer parameter for two color policer

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| bw_unit | AclPolicerRate | optional | Bandwidth unit |
| bandwidth | uint64 | optional | Bandwidth rate |
| burst_unit | AclPolicerBurstSize | optional | Burst unit |
| burst_size | uint64 | optional | Burst size |
| lp | AclLossPriority | optional | Loss priority |
| fc_string | string | optional | Forwarding class. |
| discard | AclBooleanType | optional | Discard action |

AclPolicerTwoRateThreeColor

Policer parameter for two rate three color policer

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| committed_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| committed_rate | uint64 | optional | Bandwidth rate |
| committed_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| committed_burst_size | uint64 | optional | Burst size |
| excess_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| excess_rate | uint64 | optional | Bandwidth rate |
| excess_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| excess_burst_size | uint64 | optional | Burst size |
| discard | AclBooleanType | optional | Discard action |
| color_mode | AclColorModeType | optional | Color mode |

AccessListBindObjType

The forwarding element entities to which the ACL can be bound.

| Name | Number | Description |
| --- | --- | --- |
| ACL_BIND_OBJ_TYPE_INVALID | 0 | Invalid |
| ACL_BIND_OBJ_TYPE_INTERFACE | 1 | Interface |

AccessListFamilies

Access List Families

| Name | Number | Description |
| --- | --- | --- |
| ACL_FAMILY_INVALID | 0 | Invalid |
| ACL_FAMILY_INET | 1 | IPv4 family |
| ACL_FAMILY_INET6 | 2 | IPv6 family |
| ACL_FAMILY_ES | 3 | Ethernet Switching family |
| ACL_FAMILY_VPLS | 4 | VPLS family |
| ACL_FAMILY_MULTISERVICE | 5 | MULTISERVICE family |
| ACL_FAMILY_CCC | 6 | CCC family |
| ACL_FAMILY_MPLS | 7 | MPLS family |

AccessListFlags

Any proprietary flag to be enabled at the ACL level.

| Name | Number | Description |
| --- | --- | --- |
| ACL_FLAGS_NONE | 0 | None |

AccessListReturnVal

Return values for the RPCs.

| Name | Number | Description |
| --- | --- | --- |
| ACL_STATUS_EOK | 0 | Success |
| ACL_STATUS_NULL_MESSAGE | 1 | The RPC was a NULL buffer |
| ACL_STATUS_EINVALID_MESSAGE | 2 | Wrong input |
| ACL_STATUS_EINTERNAL | 3 | Server Internal error |
| ACL_STATUS_EUNSUPPORTED_OP | 4 | Operation not supported |
| ACL_STATUS_NO_RESOURCE | 5 | Resource not available at server |
| ACL_STATUS_BS_TIMEOUT | 6 | Bulk Stats timeout |

AccessListTypes

Access List Types

| Name | Number | Description |
| --- | --- | --- |
| ACL_TYPE_INVALID | 0 | Invalid ACL type |
| ACL_TYPE_CLASSIC | 1 | Classic ACL type |

AclAdjacencyType

Adjacency Type which determines the ACE order in an ACL

| Name | Number | Description |
| --- | --- | --- |
| ACL_ADJACENCY_NONE | 0 | For first ACE |
| ACL_ADJACENCY_AFTER | 1 | Add next to the given ACE |
| ACL_ADJACENCY_BEFORE | 2 | Add before the given ACE |

AclBindDirection

Direction in which an ACL is bound.

| Name | Number | Description |
| --- | --- | --- |
| ACL_BIND_DIRECTION_INVALID | 0 | |
| ACL_BIND_DIRECTION_INPUT | 1 | Bind on ingress |
| ACL_BIND_DIRECTION_OUTPUT | 2 | Bind on egress |

AclBooleanType

Boolean types

| Name | Number | Description |
| --- | --- | --- |
| ACL_FALSE | 0 | False |
| ACL_TRUE | 1 | True |

AclColorModeType

Color mode for SRTCM and TRTCM

| Name | Number | Description |
| --- | --- | --- |
| ACL_COLOR_MODE_INVALID | 0 | Invalid Color Mode |
| ACL_COLOR_MODE_COLOR_BLIND | 1 | Color blind |
| ACL_COLOR_MODE_COLOR_AWARE | 2 | Color aware |

AclEntryActionRejectReason

Various Reject Action Reasons.

| Name | Number | Description |
| --- | --- | --- |
| ACL_ACTION_REJECT_ADMINISTRATIVELY_PROHIBITED | 0 | Send ICMP Administratively Prohibited message |
| ACL_ACTION_REJECT_BAD_HOST_TOS | 1 | Send ICMP Bad Host ToS message |
| ACL_ACTION_REJECT_BAD_NETWORK_TOS | 2 | Send ICMP Bad Network ToS message |
| ACL_ACTION_REJECT_FRAGMENTATION_NEEDED | 3 | Send ICMP Fragmentation Needed message |
| ACL_ACTION_REJECT_HOST_PROHIBITED | 4 | Send ICMP Host Prohibited message |
| ACL_ACTION_REJECT_HOST_UNKNOWN | 5 | Send ICMP Host Unknown message |
| ACL_ACTION_REJECT_HOST_UNREACHABLE | 6 | Send ICMP Host Unreachable message |
| ACL_ACTION_REJECT_NETWORK_PROHIBITED | 7 | Send ICMP Network Prohibited message |
| ACL_ACTION_REJECT_NETWORK_UNKNOWN | 8 | Send ICMP Network Unknown message |
| ACL_ACTION_REJECT_NETWORK_UNREACHABLE | 9 | Send ICMP Network Unreachable message |
| ACL_ACTION_REJECT_PORT_UNREACHABLE | 10 | Send ICMP Port Unreachable message |
| ACL_ACTION_REJECT_PRECEDENCE_CUTOFF | 11 | Send ICMP Precedence Cutoff message |
| ACL_ACTION_REJECT_PRECEDENCE_VIOLATION | 12 | Send ICMP Precedence Violation message |
| ACL_ACTION_REJECT_PROTOCOL_UNREACHABLE | 13 | Send ICMP Protocol Unreachable message |
| ACL_ACTION_REJECT_SOURCE_HOST_ISOLATED | 14 | Send ICMP Source Host Isolated message |
| ACL_ACTION_REJECT_SOURCE_ROUTE_FAILED | 15 | Send ICMP Source Route Failed message |
| ACL_ACTION_REJECT_TCP_RESET | 16 | Send TCP Reset message |

AclEntryMatchFlexStartOffest

Flex offset match starting points

| Name | Number | Description |
| --- | --- | --- |
| ACL_FLEX_MATCH_OFFSET_INVALID | 0 | Invalid Flex match start offset |
| ACL_FLEX_MATCH_OFFSET_LAYER_THREE | 1 | Layer-3 Flex match start offset |
| ACL_FLEX_MATCH_OFFSET_LAYER_FOUR | 2 | Layer-4 Flex match start offset |
| ACL_FLEX_MATCH_OFFSET_PAYLOAD | 3 | Payload Flex match start offset |

AclEntryOperation

ACL Entry operation

| Name | Number | Description |
| --- | --- | --- |
| ACL_ENTRY_OPERATION_INVALID | 0 | Invalid ACE operation |
| ACL_ENTRY_OPERATION_ADD | 1 | Add a new ACE. Can be used with the Add ACL, Change ACL, and Replace ACL APIs. |
| ACL_ENTRY_OPERATION_DELETE | 2 | Delete an existing ACE. Can be used with the Change ACL API. |
| ACL_ENTRY_OPERATION_REPLACE | 3 | Replace an existing ACE. Must provide adjacency details to preserve the order of the ACE. Can be used with the Change ACL API. |

AclFragmentFlags

Fragment Flags

| Name | Number | Description |
| --- | --- | --- |
| ACL_FRAGMENT_NONE | 0 | None |
| ACL_DONT_FRAGMENT | 1 | Don't fragment flag |
| ACL_IS_FRAGMENT | 2 | Is fragment flag |
| ACL_FIRST_FRAGMENT | 3 | First fragment flag |
| ACL_LAST_FRAGMENT | 4 | More last fragment flag |

AclLossPriority

Loss Priority

| Name | Number | Description |
| --- | --- | --- |
| ACL_LOSS_PRIORITY_INVALID | 0 | Loss priority invalid |
| ACL_LOSS_PRIORITY_HIGH | 1 | High loss priority |
| ACL_LOSS_PRIORITY_MEDIUM_HIGH | 2 | Medium-high loss priority |
| ACL_LOSS_PRIORITY_MEDIUM_LOW | 3 | Medium-low loss priority |
| ACL_LOSS_PRIORITY_LOW | 4 | Low loss priority |

AclMatchOperation

Supported Match Operations

| Name | Number | Description |
| --- | --- | --- |
| ACL_MATCH_OP_INVALID | 0 | Invalid match operation |
| ACL_MATCH_OP_EQUAL | 1 | Match operation equal |
| ACL_MATCH_OP_NOT_EQUAL | 2 | Match operation not equal |

AclPolicerBurstSize

Policer Burst Size

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_BURST_SIZE_INVALID | 0 | Policer burst size invalid |
| ACL_POLICER_BURST_SIZE_BYTE | 1 | Bytes |
| ACL_POLICER_BURST_SIZE_KBYTE | 2 | KiloBytes |
| ACL_POLICER_BURST_SIZE_MBYTE | 3 | MegaBytes |
| ACL_POLICER_BURST_SIZE_GBYTE | 4 | GigaBytes |

AclPolicerFlags

Policer Flags

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_FLAG_INVALID | 0 | Invalid policer flag |
| ACL_POLICER_FLAG_TERM_SPECIFIC | 1 | The policer instance is activated for each ACE that references it. |
| ACL_POLICER_FLAG_FILTER_SPECIFIC | 2 | The policer instance is activated at the global ACL level. |

AclPolicerRate

Policer Rate unit

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_RATE_INVALID | 0 | Invalid policer rate |
| ACL_POLICER_RATE_BPS | 1 | Bits per second |
| ACL_POLICER_RATE_KBPS | 2 | Kilobits per second |
| ACL_POLICER_RATE_MBPS | 3 | Megabits per second |
| ACL_POLICER_RATE_GBPS | 4 | Gigabits per second |

AclPolicerType

Various ACL Policer Type

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_INVALID | 0 | Invalid policer type |
| ACL_TWO_COLOR_POLICER | 1 | Single rate two color |
| ACL_SINGLE_RATE_THREE_COLOR_POLICER | 2 | Single rate three color |
| ACL_TWO_RATE_THREE_COLOR_POLICER | 3 | Two rate three color |
| ACL_HIERARCHICAL_POLICER | 4 | Hierarchical |

Precedence

Precedence

| Name | Number | Description |
| --- | --- | --- |
| ACL_PRECENCE_ROUTINE | 0 | Routine precedence |
| ACL_PRECENCE_PRIORITY | 1 | Priority precedence |
| ACL_PRECENCE_IMMEDIATE | 2 | Immediate precedence |
| ACL_PRECENCE_FLASH | 3 | Flash precedence |
| ACL_PRECENCE_FLASH_OVERRIDE | 4 | Flash override precedence |
| ACL_PRECENCE_CRITICAL_ECP | 5 | Critical ecp precedence |
| ACL_PRECENCE_INTERNET_CONTROL | 6 | Internet control precedence |
| ACL_PRECENCE_NET_CONTROL | 7 | Network control precedence |

AclService

The ACL Service API defines a set of simple RPCs to operate upon the various components, for example:

- ACL

- ACE

- Policer

- Attachment Points

- Statistics

Each RPC is named by concatenating the corresponding ACL object and the operation performed.

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| AccessListAdd | AccessList | AccessListReturnStatus | Adds an ACL and returns the result. |
| AccessListDelete | AccessList | AccessListReturnStatus | Deletes an ACL from the system and returns the result. For the delete operation to succeed, the ACL must not be bound to any object. |
| AccessListChange | AccessList | AccessListReturnStatus | Changes an ACL based on the list of ACL entries provided and returns the result. It is advisable to use this API for small incremental changes. For wholesale changes, it is recommended to use the 'Replace' version of the API. |
| AccessListBindAdd | AccessListObjBind | AccessListReturnStatus | Adds a binding of an ACL with a bind object and returns the result. |
| AccessListBindDelete | AccessListObjBind | AccessListReturnStatus | Deletes a binding of an ACL with a bind object and returns the result. |
| AccessListPolicerAdd | AccessListPolicer | AccessListReturnStatus | Adds a policer and returns the result. |
| AccessListPolicerReplace | AccessListPolicer | AccessListReturnStatus | Changes a policer and returns the result. |
| AccessListPolicerDelete | AccessListPolicer | AccessListReturnStatus | Deletes a policer and returns the result. |
| AccessListPileupStart | AccessListVoid | AccessListReturnStatus | The following are optimized commands that let the server know to accumulate the Access List Entries and configure them when AccessListPileupEnd is received. For every AccessList RPC invocation, the entire ACL is applied to the system. For applications that want to do batching for better performance, AccessListPileupStart and AccessListPileupEnd help achieve that. |
| AccessListPileupEnd | AccessListVoid | AccessListReturnStatus | The following are optimized commands that let the server know to accumulate the ace_list and configure it when AccessListPileupEnd is received. For every AccessList RPC invocation, the entire ACL is applied to the system. For applications that want to do batching for better performance, AccessListPileupStart and AccessListPileupEnd help achieve that. |
| AccessListCounterGet | AccessListCounter | AccessListCounterVal | There are a few points to note with this API: The call is blocking for at most 10 seconds. This time is not configurable. The counter name is expected to be fully resolved. For example, for a term-specific policer counter, the full counter name must be passed. |
| AccessListPolicerCounterGet | AccessListCounter | AccessListCounterVal | Get policer counter |
| AccessListCounterClear | AccessListCounter | AccessListReturnStatus | Clears a particular counter associated with an ACL whose fully qualified name is provided. There are a few points to note with this API: Currently only 1 counter get is supported. The counter name is expected to be fully resolved. For example, for a term-specific policer counter, the full counter name must be passed. |
| AccessListCounterBulkGet | AccessListCounterBulk | AccessListCounterVal | Get all the counters associated with an ACL. Each call to this API returns 10 counters from the starting_index specified in the AccessListCounterBulk message. The client is expected to run this API in a loop that stops if any of the following conditions is met: (a) the targeted number of counters is retrieved; (b) an error is returned; (c) the API returns fewer than 10 counters. |
| AccessListPolicerCounterBulkGet | AccessListCounterBulk | AccessListCounterVal | Get all the policer counters associated with an ACL. Each call to this API returns 10 counters from the starting_index specified in the AccessListCounterBulk message. The client is expected to run this API in a loop that stops if any of the following conditions is met: (a) the targeted number of counters is retrieved; (b) an error is returned; (c) the API returns fewer than 10 counters. |
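An added example (not from the Juniper documentation or code) of the client loop that AccessListCounterBulkGet and AccessListPolicerCounterBulkGet expect, with the three documented stop conditions plus a guard against a server that never advances. It assumes a hypothetical `bulk_get` callable that wraps the RPC, takes an AccessListCounterBulk-shaped dict and returns a list of AccessListCounterVal-shaped dicts, and that starting_index counts counters; `CLIENT_ABORT` is a local marker, not an API status, and the fake server is constructed for offline runs.

```python
PAGE_SIZE = 10          # per this page: each bulk call returns 10 counters
OK = "ACL_STATUS_EOK"   # AccessListReturnVal name from this page


def fetch_all_counters(bulk_get, acl, target=None, max_calls=1000):
    """Page through the counters of one ACL.

    Returns (counters, status). status is an AccessListReturnVal name, or the
    local marker "CLIENT_ABORT" when the server stops making progress.
    """
    collected, seen, index = [], set(), 0
    for _ in range(max_calls):
        batch = bulk_get({"acl": acl, "starting_index": index})
        for val in batch:
            status = val.get("status", OK)
            if status != OK:
                return collected, status            # condition b: error returned
            if val["counter_name"] in seen:
                return collected, "CLIENT_ABORT"    # same counter twice: no progress
            seen.add(val["counter_name"])
            collected.append(val)
            if target is not None and len(collected) >= target:
                return collected, OK                # condition a: target reached
        if len(batch) < PAGE_SIZE:
            return collected, OK                    # condition c: short page
        index += len(batch)                         # assumption: index counts counters
    return collected, "CLIENT_ABORT"                # call budget exhausted


def make_fake_bulk_get(total, fail_at_index=None, ignore_index=False):
    """Constructed in-memory stand-in for the server side of the bulk RPC."""
    counters = [{"counter_name": f"cnt-{i}", "status": OK,
                 "bytes": 64 * i, "packets": i} for i in range(total)]
    calls = []

    def bulk_get(request):
        calls.append(request["starting_index"])
        start = 0 if ignore_index else request["starting_index"]
        if fail_at_index is not None and start >= fail_at_index:
            return [{"status": "ACL_STATUS_BS_TIMEOUT"}]
        return counters[start:start + PAGE_SIZE]

    bulk_get.calls = calls      # lets callers see which indexes were requested
    return bulk_get


if __name__ == "__main__":
    acl = {"acl_name": "edge-in", "acl_family": "ACL_FAMILY_INET"}  # constructed
    fake = make_fake_bulk_get(23)
    counters, status = fetch_all_counters(fake, acl)
    print(len(counters), status, fake.calls)
```

When the counter total is an exact multiple of 10, the loop needs one extra call that returns an empty page before condition (c) fires.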

Scalar Value Types

| .proto Type | Notes | C++ Type | Java Type | Python Type |
| --- | --- | --- | --- | --- |
| double | | double | double | float |
| float | | float | float | float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
| sfixed32 | Always four bytes. | int32 | int | int |
| sfixed64 | Always eight bytes. | int64 | long | int/long |
| bool | | bool | boolean | boolean |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |