Junos OS acl IDL - Protocol Documentation


firewall_service.proto


This file defines the ACL package for JUNOS.

A brief description of the key concepts and functionality associated with this package follows:

ACL stands for Access List, a basic stateless forwarding construct that matches on packet content and takes a set of actions if the packet passes the matching criteria.

An ACL is made up of an ordered set of ACL Entries, which define how a packet is matched against the configured criteria and how it is treated.

Each ACL Entry, or ACE, defines a set of packet matching criteria and a set of actions to take on the packet if the matching criteria are met. A packet needs to match ALL the matches in an ACE to be considered a match.

A Match is defined by an operation, a packet field and a value to be matched against. For details on the supported operations and the packet fields that can be matched, refer to the corresponding Enum/Message structures below.

An action determines what to do with a packet that meets the matching criteria. There are two types of actions: terminating and non-terminating. Each ACE can have zero or more non-terminating actions and zero or exactly one terminating action. A non-terminating action does not stop the packet from undergoing the rest of the ACL processing. A terminating action stops the packet from undergoing any further ACL processing.

An attachment point, or bind point, is the point in the packet processing path where the packet is subjected to ACL processing. An attachment point is defined by the attachment entity and the direction in which the ACL is applied. For example, a typical bind point is an interface where a packet is subjected to an ACL.

The diagram below depicts an object diagram for a typical ACL. Legend: ACE-1 is the ordered Access List Entry at position 1. ACE-n is the ordered Access List Entry at position n. M-n is match number n in the list of matching criteria in a given ACE. A-n is action number n in the list of actions for a given ACE. No more than 1 action can be a terminating action.

            +-------+-------+-----+------+
    ACL ->  | ACE-1 | ACE-2 | ... | ACE-n|
            +-------+-------+-----+------+
                |
                |
                |      +-----+
                +----->| M-1 |
                       +-----+
                       | M-2 |
                       +-----+
                       | ... |
                       +-----+
                       | M-n |
                       +-----+
                |
                |           +-----+
                +---------->| A-1 |
                            +-----+
                            | A-2 |
                            +-----+
                            | ... |
                            +-----+
                            | A-n |
                            +-----+
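The evaluation rules described above, modelled as an added Python example (it is not part of the Junos IDL or its generated stubs). The `Match` and `Ace` classes, the packet dictionary keys and the flat min/max range match are assumptions for illustration; the action names are the Inet action field names listed on this page, and `match_op` is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Action names taken from AclEntryInetTerminatingAction / AclEntryInetNonTerminatingAction.
TERMINATING = {"action_accept", "action_discard", "action_reject", "action_rt_inst"}
NON_TERMINATING = {"action_count", "action_log", "action_syslog",
                   "action_policer", "action_sample"}


@dataclass
class Match:
    """One M-n box: a packet field and an inclusive min/max range (hypothetical model)."""
    field: str
    min: int
    max: int

    def hits(self, pkt: Dict[str, int]) -> bool:
        value = pkt.get(self.field)
        return value is not None and self.min <= value <= self.max


@dataclass
class Ace:
    """One ACE-n box: a name, its matches (M-1..M-n) and its actions (A-1..A-n)."""
    ace_name: str
    matches: List[Match]
    actions: List[str]


def validate(acl: List[Ace]) -> List[str]:
    """Return a list of problems that violate the rules stated in the text."""
    problems = []
    for ace in acl:
        terminating = [a for a in ace.actions if a in TERMINATING]
        if len(terminating) > 1:
            problems.append(f"{ace.ace_name}: more than one terminating action {terminating}")
        for a in ace.actions:
            if a not in TERMINATING and a not in NON_TERMINATING:
                problems.append(f"{ace.ace_name}: unknown action {a}")
        for m in ace.matches:
            if m.min > m.max:
                problems.append(f"{ace.ace_name}: {m.field} has min {m.min} > max {m.max}")
    return problems


def evaluate(acl: List[Ace], pkt: Dict[str, int]) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Walk the ACEs in order and return (terminating action or None, non-terminating actions applied)."""
    applied: List[Tuple[str, str]] = []
    for ace in acl:
        # The packet must match ALL matches of the ACE; in this model an ACE
        # with an empty match list therefore matches every packet.
        if not all(m.hits(pkt) for m in ace.matches):
            continue
        for action in ace.actions:
            if action in NON_TERMINATING:
                applied.append((ace.ace_name, action))
        terminating = next((a for a in ace.actions if a in TERMINATING), None)
        if terminating is not None:
            return terminating, applied  # stops any further ACL processing
        # Only non-terminating actions: the packet continues to the next ACE.
    return None, applied  # no terminating action was reached


# Constructed sample ACL (names and values are illustrative only).
SAMPLE_ACL = [
    Ace("count-tcp", [Match("protocol", 6, 6)], ["action_count"]),
    Ace("allow-ssh", [Match("protocol", 6, 6), Match("dst_port", 22, 22)],
        ["action_log", "action_accept"]),
    Ace("drop-rest", [], ["action_count", "action_discard"]),
]

if __name__ == "__main__":
    for pkt in ({"protocol": 6, "dst_port": 22},
                {"protocol": 6, "dst_port": 23},
                {"protocol": 17, "dst_port": 53}):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    print(validate([Ace("bad", [Match("dst_port", 100, 10)],
                        ["action_accept", "action_discard"])]))
```

Reordering `SAMPLE_ACL` so that `drop-rest` comes first makes every packet end at `action_discard`, which is why the order of ACEs is part of the policy and worth reviewing.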

AccessList

ACL

Field Type Label Description
acl_name string optional

AccessList name

acl_type AccessListTypes optional

AccessList type

acl_family AccessListFamilies optional

AccessList family

acl_flag AccessListFlags optional

AccessList flag

ace_list AclEntry repeated

List of Destination addresses

AccessListBindObjPoint

Field Type Label Description
intf string optional

Interface Bind object name where the ACL is to be bound

fwd_table string optional

Forwarding Table Bind object name where the ACL is to be bound

vlan AclBindObjVlan optional

VLAN Bind object name where the ACL is to be bound

bd AclBindObjBridgeDomain optional

bind object bridge domain

AccessListCounter

An ACL Counter

Field Type Label Description
acl AccessList optional

Access list

counter_name string optional

Counter name

AccessListCounterBulk

Bulk ACL Counter

Field Type Label Description
acl AccessList optional

Access list

starting_index uint32 optional

Starting Index

AccessListCounterVal

Return counter statistics

Field Type Label Description
counter_name string optional

Counter Name

status AccessListReturnVal optional

Error status

bytes uint64 optional

Byte count

packets uint64 optional

Packet count

AccessListObjBind

Per forwarding element ACL binding

Field Type Label Description
acl AccessList optional

ACL

obj_type AccessListBindObjType optional

Binding object type

bind_object AccessListBindObjPoint optional

Bind object name where the ACL is to be bound

bind_direction AclBindDirection optional

Bind direction

bind_family AccessListFamilies optional

Family on the bind object. Must match with the ACL family

AccessListPolicer

Field Type Label Description
policer_name string optional

Policer name

policer_type AclPolicerType optional

Policer type

policer_flag AclPolicerFlags optional

Policer Flags

policer_params AclPolicerParameter optional

Policer Parameter

AccessListReturnStatus

ACL Return Status

Field Type Label Description
status AccessListReturnVal optional

ACL return status value

AccessListVoid

A void message

Field Type Label Description
void string optional

AclActionCopyToHost

Field Type Label Description
client_name string optional

Client name (up to 64 characters)

AclActionCounter

Field Type Label Description
counter_name string optional

Counter name (up to 64 characters)

AclActionForwardingClass

Field Type Label Description
fc AclForwardingClass optional

set forwarding class id

AclActionForwardingPriority

Field Type Label Description
priority uint32 optional

priority

AclActionIflNameIndex

Field Type Label Description
ifl_name string optional

Ifl Name

ifl_index uint32 optional

Ifl Index

AclActionLossPriority

Field Type Label Description
lp AclLossPriority optional

Set loss priority

AclActionNextHop

Field Type Label Description
nh_idx uint32 optional

Next hop index

AclActionNextInterface

Field Type Label Description
rti_name string optional

routing-instance name

ifl AclActionIflNameIndex optional

ifl index or ifl name

AclActionNextIp

Field Type Label Description
rti_name string optional

routing-instance name

addr IpAddress optional

address

prefix_len uint32 optional

Destination prefix length

AclActionPolicer

Field Type Label Description
policer AccessListPolicer optional

The policer

AclActionPolicerInstance

Police the matching packets with respect to template

Field Type Label Description
policer AccessListPolicer optional

The policer

policer_instance string optional

Policer Instance name

AclActionRoutingInstance

Direct matching packets to a routing-instance

Field Type Label Description
rt_instance_name string optional

RT instance name

AclActionSendToClient

Field Type Label Description
client_name string optional

Client name (up to 64 characters)

AclActionSetIpDscp

Field Type Label Description
dscp uint32 optional

DSCP for IP and IPv6

AclActionSetNexthop

Field Type Label Description
nh_idx uint32 optional

Set nh idx

AclActionTopologyRedirect

Field Type Label Description
rt_instance_name string optional

RT instance name

topology_name string optional

Topology name

AclAdjacency

Field Type Label Description
type AclAdjacencyType optional

Type of adjacency placement

ace_name string optional

The previous or the next AC

AclBindObjBridgeDomain

Bridge Domain elements

Field Type Label Description
bd_name string optional

Bind object bd name where the ACL is to be bound

rtb_name string optional

Bind object Routing Instance name of bd_name where the ACL is to be bound

AclBindObjVlan

The VLAN objects to which the ACL can be bound

Field Type Label Description
vlan_name string optional

Bind object VLAN name where the ACL is to be bound

rtb_name string optional

Bind object Routing Instance name of vlan_name where the ACL is to be bound

AclCccEntry

CCC ACL entry

Field Type Label Description
ace_name string optional

AclEntry name

ace_op AclEntryOperation optional

AclEntry operation

adjacency AclAdjacency optional

Adjacency

matches AclEntryMatchCcc optional

Matches

actions AclEntryCccAction optional

Actions

AclEntry

An ACL entry. It can be of one of the family types.

Field Type Label Description
inet_entry AclInetEntry optional

For Inet family

es_entry AclEsEntry optional

For Ethernet Switching family

inet6_entry AclInet6Entry optional

For Inet6 family

vpls_entry AclVplsEntry optional

For vpls family

ccc_entry AclCccEntry optional

For ccc family

mservice_entry AclMultiServiceEntry optional

For multiservices family

mpls_entry AclMplsEntry optional

For mpls family

AclEntryCccAction

ACL CCC Action

Field Type Label Description
actions_nt AclEntryCccNonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryCccTerminatingAction optional

One terminating action

AclEntryCccNonTerminatingAction

Non-terminating ACL CCC Actions

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_log AclBooleanType optional

Log the matching packets

action_syslog AclBooleanType optional

Syslog the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

action_sample AclBooleanType optional

Sample

action_copy_to_host AclActionCopyToHost optional

Copy of matching packets to host client name

AclEntryCccTerminatingAction

Terminating ACL CCC Actions

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

action_send_to_client AclActionSendToClient optional

Direct matching packets to client client name

action_send_to_host AclBooleanType optional

Direct matching packets to host

AclEntryEsAction

ACL Action

Field Type Label Description
actions_nt AclEntryEsNonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryEsTerminatingAction optional

One terminating action

AclEntryEsNonTerminatingAction

Non-terminating ACL Action

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_log AclBooleanType optional

Log the matching packets

action_syslog AclBooleanType optional

Syslog the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

action_next_term AclBooleanType optional

Next Term

action_lp AclActionLossPriority optional

Loss priority

AclEntryEsTerminatingAction

Terminating ACL Action

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

action_nh AclActionNextHop optional

Next hop

action_send_to_host AclBooleanType optional

Send to host

AclEntryInet6Action

ACL inet6 Actions

Field Type Label Description
actions_nt AclEntryInet6NonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryInet6TerminatingAction optional

One terminating action

AclEntryInet6NonTerminatingAction

Non-terminating ACL inet6 Actions

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_log AclBooleanType optional

Log the matching packets

action_syslog AclBooleanType optional

Syslog the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

action_sample AclBooleanType optional

Sample

action_next_term AclBooleanType optional

Next Term

action_port_mirror AclBooleanType optional

port mirror action

action_lp AclActionLossPriority optional

set loss priority to matched packets

action_fwd_class AclActionForwardingClass optional

set Forwarding class to matched packets

action_fwd_priority AclActionForwardingPriority optional

set Forwarding Priority to matched packets

action_next_intf AclActionNextInterface optional

set Next interface to matched packets

action_next_ip AclActionNextIp optional

set Next IPv4 to matched packets

action_ip_dscp AclActionSetIpDscp optional

set IP DSCP to matched packets

action_copy_to_host AclActionCopyToHost optional

Copy of matching packets to host client name

action_policer_inst AclActionPolicerInstance optional

Police the matching packets. Ensure that the policer exists before using it.

AclEntryInet6TerminatingAction

Terminating ACL inet6 Actions

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

action_reject AclEntryActionRejectReason optional

Reject the matching packets

action_rt_inst AclActionRoutingInstance optional

Direct matching packets to a routing instance

action_topo_redirect AclActionTopologyRedirect optional

Direct matching packets to a routing instance

action_send_to_client AclActionSendToClient optional

client name

action_send_to_host AclBooleanType optional

Direct matching packets to host

action_nh AclActionSetNexthop optional

set nexthop idx

AclEntryInetAction

Field Type Label Description
actions_nt AclEntryInetNonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryInetTerminatingAction optional

One terminating action

AclEntryInetNonTerminatingAction

Non-terminating ACL Action

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_log AclBooleanType optional

Log the matching packets

action_syslog AclBooleanType optional

Syslog the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

action_sample AclBooleanType optional

Sample

action_next_term AclBooleanType optional

Next Term

AclEntryInetTerminatingAction

Terminating ACL Action

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

action_reject AclEntryActionRejectReason optional

Reject the matching packets

action_rt_inst AclActionRoutingInstance optional

Direct matching packets to a routing instance

AclEntryMatchCcc

Field Type Label Description
match_pkt_len AclMatchPktLen repeated

List of Packet lengths

ifl_names AclMatchIflNameIndex repeated

Interface name (IFL with unit like ge-0/0/1.0 or IFL index)

ether_types AclMatchEtherType repeated

List of Ether type match

match_src_macs AclMatchMacAddress repeated

List Source MAC match

match_dst_macs AclMatchMacAddress repeated

List Destination MAC match

cfm_opcodes AclMatchCfmOpcode repeated

List of CFM Opcode match

cfm_levels AclMatchCfmLevel repeated

List of CFM Level match

match_flex_range AclMatchFlexibleOffsetRange optional

Flex Ranges

match_flex_mask AclMatchFlexibleOffsetMask optional

Flex Masks

AclEntryMatchEs

An ACL Match

Field Type Label Description
match_dst_mac_addrs AclMatchMacAddress repeated

List of Destination mac addresses

match_src_mac_addrs AclMatchMacAddress repeated

List of Source mac addresses

match_dst_ports AclMatchPort repeated

List of Destination ports

match_src_ports AclMatchPort repeated

List of Source ports

match_dscp_code AclMatchDscpCode repeated

List of Dscp code points

match_protocols AclMatchProtocol repeated

List of Protocols

match_icmp_type AclMatchIcmpType repeated

List of Icmp types

match_icmp_code AclMatchIcmpCode repeated

List of Icmp codes

ifl_names AclMatchIflNameIndex repeated

Interface name (IFL with unit like ge-0/0/1.0 or IFL index)

match_ether_type AclMatchEtherType repeated

List of Ether type

match_learn_vlan_id AclMatchLearnVlanId repeated

List of Learn vlan id

match_learn_vlan_priority AclMatchLearnVlanPriority repeated

List of learn vlan priority

AclEntryMatchInet

An ACL Match

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated

List of Destination addresses

match_src_addrs AclMatchIpAddress repeated

List of Source addresses

match_dst_ports AclMatchPort repeated

List of Destination ports

match_src_ports AclMatchPort repeated

List of Source ports

match_dscp_code AclMatchDscpCode repeated

List of Dscp code points

match_protocols AclMatchProtocol repeated

List of Protocols

match_icmp_type AclMatchIcmpType repeated

List of Icmp types

match_icmp_code AclMatchIcmpCode repeated

List of Icmp codes

match_pkt_len AclMatchPktLen repeated

List of Packet lengths

match_ttl AclMatchTtl repeated

List of Ttl's

fragment_flags AclFragmentFlags optional

Fragment flag

match_frag_offset AclMatchFragmentOffset repeated

List of fragment offset range

ifl_names AclMatchIflNameIndex repeated

Interface name (IFL with unit like ge-0/0/1.0 or IFL index)

match_ip_precedence AclMatchIpPrecedence repeated

List of ip precedence

match_addrs AclMatchIpAddress repeated

List of Addresses

match_ports AclMatchPort repeated

List of Ports

match_flex_range AclMatchFlexibleOffsetRange optional

Flex Ranges

match_flex_mask AclMatchFlexibleOffsetMask optional

Flex Masks

AclEntryMatchInet6

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated

List of Destination addresses

match_src_addrs AclMatchIpAddress repeated

List of Source addresses

match_dst_ports AclMatchPort repeated

List of Destination ports

match_src_ports AclMatchPort repeated

List of Source ports

match_dscp_code AclMatchDscpCode repeated

List of Dscp code points

payload_protocols AclMatchProtocol repeated

List of Protocols

match_icmp_type AclMatchIcmpType repeated

List of Icmp types

match_icmp_code AclMatchIcmpCode repeated

List of Icmp codes

match_pkt_len AclMatchPktLen repeated

List of Packet lengths

fragment_flags AclFragmentFlags optional

Fragment flag

ifl_names AclMatchIflNameIndex repeated

Interface name (IFL with unit like ge-0/0/1.0 or IFL index)

match_traffic_classes AclMatchTrafficClass repeated

List of traffic classes

match_addrs AclMatchIpAddress repeated

List of Addresses

match_flex_range AclMatchFlexibleOffsetRange optional

Flex Ranges

match_flex_mask AclMatchFlexibleOffsetMask optional

Flex Masks

ipv6_next_headers AclMatchNextHeader repeated

List of Next Header match

match_loss_priority AclMatchLossPriority repeated

List of Loss Priority

match_fwd_class AclMatchForwardingClass repeated

List of Forwarding Class

match_ports AclMatchPort repeated

List of Ports

AclEntryMatchMpls

Field Type Label Description
match_label1 AclMatchMplsLabel repeated

Label-1 match

match_label2 AclMatchMplsLabel repeated

Label-2 match

match_label3 AclMatchMplsLabel repeated

Label-3 match

match_flex_range AclMatchFlexibleOffsetRange optional

Flex Ranges

match_flex_mask AclMatchFlexibleOffsetMask optional

Flex Masks

AclEntryMatchMultiService

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated

List of Destination addresses (V4)

match_src_addrs AclMatchIpAddress repeated

List of Source addresses (V4)

match_addrs AclMatchIpAddress repeated

List of addresses (V4)

match_dst_ports AclMatchPort repeated

List of Destination ports

match_src_ports AclMatchPort repeated

List of Source ports

match_ip_protocols AclMatchProtocol repeated

List of Protocols

payload_protocols AclMatchProtocol repeated

List of Protocols

match_icmp_type AclMatchIcmpType repeated

List of Icmp types

match_icmp_code AclMatchIcmpCode repeated

List of Icmp codes

ifl_names AclMatchIflNameIndex repeated

Interface name (IFL with unit like ge-0/0/1.0 or IFL index)

ipv6_next_headers AclMatchNextHeader repeated

List of Next Header match

ether_types AclMatchEtherType repeated

List of Ether type match

match_src_macs AclMatchMacAddress repeated

List Source MAC match

match_dst_macs AclMatchMacAddress repeated

List Destination MAC match

vlan_ether_types AclMatchEtherType repeated

List of Ether type match

stp_state AclStpMatchFlags optional

STP state match

mesh_group_ids AclMatchMeshGroup repeated

List of mesh group id match

l2_tokens AclMatchL2Token repeated

List of L2 token match

match_pkt_len AclMatchPktLen repeated

List of Packet lengths

AclEntryMatchVpls

Field Type Label Description
match_dst_addrs AclMatchIpAddress repeated

List of Destination addresses (V4)

match_src_addrs AclMatchIpAddress repeated

List of Source addresses (V4)

match_dst_v6_addrs AclMatchIpAddress repeated

List of Destination addresses (V6)

match_src_v6_addrs AclMatchIpAddress repeated

List of Source addresses (V6)

match_dst_ports AclMatchPort repeated

List of Destination ports

match_src_ports AclMatchPort repeated

List of Source ports

match_dscp_code AclMatchDscpCode repeated

List of Dscp code points

match_ip_protocols AclMatchProtocol repeated

List of Protocols

payload_protocols AclMatchProtocol repeated

List of Protocols

match_icmp_type AclMatchIcmpType repeated

List of Icmp types

match_icmp_code AclMatchIcmpCode repeated

List of Icmp codes

ifl_names AclMatchIflNameIndex repeated

Interface name (IFL with unit like ge-0/0/1.0 or IFL index)

match_traffic_classes AclMatchTrafficClass repeated

List of traffic classes

ipv6_next_headers AclMatchNextHeader repeated

List of Next Header match

ether_types AclMatchEtherType repeated

List of Ether type match

match_src_macs AclMatchMacAddress repeated

List Source MAC match

match_dst_macs AclMatchMacAddress repeated

List Destination MAC match

vlan_ether_types AclMatchEtherType repeated

List of Ether type match

learn_vlan_ids AclMatchVlanId repeated

List of Vlan Id match

user_vlan_ids AclMatchVlanId repeated

List of Vlan Id match

learn_vlan_priority AclMatchLearnVlanPriority repeated

List of Vlan Id match

stp_state AclStpMatchFlags optional

STP state match

mesh_group_ids AclMatchMeshGroup repeated

List of mesh group id match

cfm_opcodes AclMatchCfmOpcode repeated

List of CFM Opcode match

cfm_levels AclMatchCfmLevel repeated

List of CFM Level match

l2_tokens AclMatchL2Token repeated

List of L2 token match

match_v6_addrs AclMatchIpAddress repeated

List of Ipv6 addresses (V6)

match_flex_range AclMatchFlexibleOffsetRange optional

Flex Ranges

match_flex_mask AclMatchFlexibleOffsetMask optional

Flex Masks

match_pkt_len AclMatchPktLen repeated

List of Packet lengths

AclEntryMplsAction

ACL Mpls Action

Field Type Label Description
actions_nt AclEntryMplsNonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryMplsTerminatingAction optional

One terminating action

AclEntryMplsNonTerminatingAction

Non-terminating ACL MPLS Actions

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

AclEntryMplsTerminatingAction

Terminating ACL MPLS Actions

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

AclEntryMultiServiceAction

ACL Multi Service Actions

Field Type Label Description
actions_nt AclEntryMultiServiceNonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryMultiServiceTerminatingAction optional

One terminating action

AclEntryMultiServiceNonTerminatingAction

Non-terminating ACL Multi Service Actions

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_log AclBooleanType optional

Log the matching packets

action_syslog AclBooleanType optional

Syslog the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

action_sample AclBooleanType optional

Sample

action_next_term AclBooleanType optional

Next Term

action_copy_to_host AclActionCopyToHost optional

Copy of matching packets to host

AclEntryMultiServiceTerminatingAction

Terminating ACL Multi Service Actions

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

action_send_to_client AclActionSendToClient optional

Direct matching packets to client / client name

action_send_to_host AclBooleanType optional

Direct matching packets to host

AclEntryVplsAction

ACL VPLS Action

Field Type Label Description
actions_nt AclEntryVplsNonTerminatingAction optional

List of non-terminating actions.

action_t AclEntryVplsTerminatingAction optional

One terminating action

AclEntryVplsNonTerminatingAction

Non-terminating ACL Vpls Actions

Field Type Label Description
action_count AclActionCounter optional

Count the matching packets

action_log AclBooleanType optional

Log the matching packets

action_syslog AclBooleanType optional

Syslog the matching packets

action_policer AclActionPolicer optional

Police the matching packets. Ensure that the policer exists before using it.

action_sample AclBooleanType optional

Sample

action_next_term AclBooleanType optional

Next Term

action_no_mac_learn AclBooleanType optional

No Mac Learn

action_copy_to_host AclActionCopyToHost optional

Copy of matching packets to host client name

AclEntryVplsTerminatingAction

Terminating ACL Vpls Actions

Field Type Label Description
action_accept AclBooleanType optional

Accept the matching packets

action_discard AclBooleanType optional

Discard the matching packets

action_send_to_client AclActionSendToClient optional

Direct matching packets to client client name

action_send_to_host AclBooleanType optional

Direct matching packets to host

action_nh AclActionSetNexthop optional

set nexthop idx

AclEsEntry

An Inet ACL entry

Field Type Label Description
ace_name string optional

AclEntry name

ace_op AclEntryOperation optional

AclEntry operation

adjacency AclAdjacency optional

Adjacency

matches AclEntryMatchEs optional

Matches

actions AclEntryEsAction optional

Actions

AclInet6Entry

An Inet6 ACL entry

Field Type Label Description
ace_name string optional

AclEntry name

ace_op AclEntryOperation optional

AclEntry operation

adjacency AclAdjacency optional

Adjacency

matches AclEntryMatchInet6 optional

Matches

actions AclEntryInet6Action optional

Actions

AclInetEntry

Field Type Label Description
ace_name string optional

AclEntry name

ace_op AclEntryOperation optional

AclEntry operation

adjacency AclAdjacency optional

Adjacency

matches AclEntryMatchInet optional

Matches

actions AclEntryInetAction optional

Actions

AclMatchCfmLevel

Field Type Label Description
cfm_level uint32 optional

cfm_level value

match_op AclMatchOperation optional

AclMatch op

AclMatchCfmOpcode

Field Type Label Description
min uint32 optional

Minimum cfm opcode value

max uint32 optional

Maximum cfm opcode Value

match_op AclMatchOperation optional

AclMatch op

AclMatchDscpCode

Field Type Label Description
min uint32 optional

Minimum Dscp code

max uint32 optional

Maximum Dscp code

match_op AclMatchOperation optional

AclMatch op

AclMatchEtherType

EtherType Match

Field Type Label Description
min uint32 optional

Minimum Ether type

max uint32 optional

Maximum Ether type

match_op AclMatchOperation optional

AclMatch op

AclMatchFlexOffset

Field Type Label Description
min uint32 optional

Minimum range value

max uint32 optional

Maximum range value

match_op AclMatchOperation optional

AclMatch op

AclMatchFlexibleMask

A Flexible Mask Match

Field Type Label Description
start_offset AclEntryMatchFlexStartOffest optional

Flex match start offset

bit_length uint32 optional

Flex match bit length (0 - 32)

bit_offset uint32 optional

Flex match bit offset (0 - 7)

byte_offset uint32 optional

Flex match byte offset

mask uint32 optional

Flex match mask

prefix_string string optional

32 Bit, Flex match value in hex format (0x12345678)

AclMatchFlexibleOffsetMask

A Flexible Offset Mask Match

Field Type Label Description
flex_mask_match AclMatchFlexibleMask optional

Flexible mask match

AclMatchFlexibleOffsetRange

A Flexible Offset Range Match

Field Type Label Description
flex_range_match AclMatchFlexibleRange optional

Flexible range match

AclMatchFlexibleRange

A Flexible Range Match

Field Type Label Description
start_offset AclEntryMatchFlexStartOffest optional

Flex match start offset

bit_length uint32 optional

Flex match bit length (0 - 32)

bit_offset uint32 optional

Flex match bit offset (0 - 7)

byte_offset uint32 optional

Flex match byte offset

range AclMatchFlexOffset optional

Flex match range value

AclMatchForwardingClass

Forwarding class match condition

Field Type Label Description
fwd_class AclForwardingClass optional

Loss Priority match

match_op AclMatchOperation optional

AclMatch op

AclMatchFragmentOffset

Field Type Label Description
min uint32 optional

Fragment offset range start

max uint32 optional

Fragment offset range start

match_op AclMatchOperation optional

AclMatch op

AclMatchIcmpCode

Field Type Label Description
min uint32 optional

Minimum Icmp code

max uint32 optional

Maximum Icmp code

match_op AclMatchOperation optional

AclMatch op

AclMatchIcmpType

Field Type Label Description
min uint32 optional

Minimum Icmp type

max uint32 optional

Maximum Icmp type

match_op AclMatchOperation optional

AclMatch op

AclMatchIflNameIndex

Field Type Label Description
ifl_name string optional

Ifl Name

ifl_index uint32 optional

Ifl Index

AclMatchIpAddress

Field Type Label Description
addr IpAddress optional

address

prefix_len uint32 optional

Destination prefix length

match_op AclMatchOperation optional

AclMatch op

AclMatchIpPrecedence

Field Type Label Description
min Precedence optional

Minimum precedence

max Precedence optional

Maximum precedence

match_op AclMatchOperation optional

AclMatch op

AclMatchL2Token

Field Type Label Description
token uint32 optional

L2 token value

match_op AclMatchOperation optional

AclMatch op

AclMatchLearnVlanId

Learn VLAN ID Match

Field Type Label Description
min uint32 optional

Minimum Learn vlan id

max uint32 optional

Maximum Learn vLan id

match_op AclMatchOperation optional

AclMatch op

AclMatchLearnVlanPriority

Learn VLAN Priority Match

Field Type Label Description
min uint32 optional

Minimum Learn vlan priority

max uint32 optional

Maximum Learn vLan priority

match_op AclMatchOperation optional

AclMatch op

AclMatchLossPriority

Loss Priority match condition

Field Type Label Description
lp AclLossPriority optional

Loss Priority match

match_op AclMatchOperation optional

AclMatch op

AclMatchMacAddress

Field Type Label Description
addr MacAddress optional

Mac address

addr_len uint32 optional

Mac address length

match_op AclMatchOperation optional

AclMatch op

AclMatchMeshGroup

Field Type Label Description
mesh_group_id uint32 optional

mesh_group_id value

match_op AclMatchOperation optional

AclMatch op

AclMatchMplsLabel

Field Type Label Description
min uint32 optional

Minimum Label value

max uint32 optional

Maximum Label Value

match_op AclMatchOperation optional

AclMatch op

AclMatchNextHeader

Field Type Label Description
min uint32 optional

Minimum Label value

max uint32 optional

Maximum Label Value

match_op AclMatchOperation optional

AclMatch op

AclMatchPktLen

Field Type Label Description
min uint32 optional

Minimum Packet length

max uint32 optional

Maximum Packet length

match_op AclMatchOperation optional

AclMatch op

AclMatchPort

Field Type Label Description
min int32 optional

Minimum port

max int32 optional

Maximum port

match_op AclMatchOperation optional

AclMatch op

AclMatchProtocol

Field Type Label Description
min uint32 optional

Minimum Protocol number

max uint32 optional

Maximum Protocol number

match_op AclMatchOperation optional

AclMatch op

AclMatchTrafficClass

Field Type Label Description
min int32 optional

Minimum value

max int32 optional

Maximum value

match_op AclMatchOperation optional

AclMatch op

AclMatchTtl

Field Type Label Description
min uint32 optional

Minimum Time to live

max uint32 optional

Maximum Time to live

match_op AclMatchOperation optional

AclMatch op

AclMatchVlanId

Field Type Label Description
min uint32 optional

Minimum Label value

max uint32 optional

Maximum Label Value

match_op AclMatchOperation optional

AclMatch op

AclMplsEntry

MPLS ACL entry

Field Type Label Description
ace_name string optional

AclEntry name

ace_op AclEntryOperation optional

AclEntry operation

adjacency AclAdjacency optional

Adjacency

matches AclEntryMatchMpls optional

Matches

actions AclEntryMplsAction optional

Actions

AclMultiServiceEntry

MultiServices ACL entry

Field Type Label Description
ace_name string optional

AclEntry name

ace_op AclEntryOperation optional

AclEntry operation

adjacency AclAdjacency optional

Adjacency

matches AclEntryMatchMultiService optional

Matches

actions AclEntryMultiServiceAction optional

Actions

AclPolicerHierarchical

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| aggregate_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| aggregate_rate | uint64 | optional | Bandwidth rate |
| aggregate_burst_size_unit | AclPolicerBurstSize | optional | Burst unit |
| aggregate_burst_size | uint64 | optional | Burst size |
| premium_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| premium_rate | uint64 | optional | Bandwidth rate |
| premium_burst_size_unit | AclPolicerBurstSize | optional | Burst unit |
| premium_burst_size | uint64 | optional | Burst size |
| discard | AclBooleanType | optional | Discard action |

AclPolicerParameter

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| two_color_parameter | AclPolicerTwoColor | optional | Two color |
| sr_three_color_parameter | AclPolicerSingleRateThreeColor | optional | Three color |
| tr_three_color_parameter | AclPolicerTwoRateThreeColor | optional | Three color |
| hierarchical_parameter | AclPolicerHierarchical | optional | Hierarchical |

AclPolicerSingleRateThreeColor

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| committed_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| committed_rate | uint64 | optional | Bandwidth rate |
| committed_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| committed_burst_size | uint64 | optional | Burst size |
| excess_burst_size | uint64 | optional | Burst size |
| excess_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| discard | AclBooleanType | optional | Discard action |
| color_mode | AclColorModeType | optional | |

AclPolicerTwoColor

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| bw_unit | AclPolicerRate | optional | Bandwidth unit |
| bandwidth | uint64 | optional | Bandwidth rate |
| burst_unit | AclPolicerBurstSize | optional | Burst unit |
| burst_size | uint64 | optional | Burst size |
| lp | AclLossPriority | optional | Loss priority |
| fc_string | string | optional | Forwarding class. |
| discard | AclBooleanType | optional | Discard action |

AclPolicerTwoRateThreeColor

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| committed_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| committed_rate | uint64 | optional | Bandwidth rate |
| committed_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| committed_burst_size | uint64 | optional | Burst size |
| excess_rate_unit | AclPolicerRate | optional | Bandwidth unit |
| excess_rate | uint64 | optional | Bandwidth rate |
| excess_burst_unit | AclPolicerBurstSize | optional | Burst unit |
| excess_burst_size | uint64 | optional | Burst size |
| discard | AclBooleanType | optional | Discard action |
| color_mode | AclColorModeType | optional | |

AclVplsEntry

VPLS ACL entry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| ace_name | string | optional | AclEntry name |
| ace_op | AclEntryOperation | optional | AclEntry operation |
| adjacency | AclAdjacency | optional | Adjacency |
| matches | AclEntryMatchVpls | optional | Matches |
| actions | AclEntryVplsAction | optional | Actions |

AccessListBindObjType

The forwarding element entities to which the ACL can be bound.

| Name | Number | Description |
| --- | --- | --- |
| ACL_BIND_OBJ_TYPE_INVALID | 0 | Invalid |
| ACL_BIND_OBJ_TYPE_INTERFACE | 1 | Interface |
| ACL_BIND_OBJ_TYPE_FWD_TABLE | 2 | Forwarding table |
| ACL_BIND_OBJ_TYPE_VLAN | 3 | Forwarding table |
| ACL_BIND_OBJ_TYPE_BRG_DOMAIN | 4 | Bridge domain |

AccessListFamilies

AccessList Families.

| Name | Number | Description |
| --- | --- | --- |
| ACL_FAMILY_INVALID | 0 | Invalid |
| ACL_FAMILY_INET | 1 | IPv4 family |
| ACL_FAMILY_INET6 | 2 | IPv6 family |
| ACL_FAMILY_ES | 3 | Ethernet Switching family |
| ACL_FAMILY_VPLS | 4 | VPLS family |
| ACL_FAMILY_MULTISERVICE | 5 | MULTISERVICE family |
| ACL_FAMILY_CCC | 6 | CCC family |
| ACL_FAMILY_MPLS | 7 | MPLS family |

AccessListFlags

Any proprietary flag to be enabled at the ACL level.

| Name | Number | Description |
| --- | --- | --- |
| ACL_FLAGS_NONE | 0 | None |

AccessListReturnVal

| Name | Number | Description |
| --- | --- | --- |
| ACL_STATUS_EOK | 0 | Success |
| ACL_STATUS_NULL_MESSAGE | 1 | The RPC was a NULL buffer |
| ACL_STATUS_EINVALID_MESSAGE | 2 | Wrong input |
| ACL_STATUS_EINTERNAL | 3 | Server Internal error |
| ACL_STATUS_EUNSUPPORTED_OP | 4 | Operation not supported |
| ACL_STATUS_NO_RESOURCE | 5 | Resource not available at server |
| ACL_STATUS_BS_TIMEOUT | 6 | Bulk Stats timeout |

AccessListTypes

AccessList types.

| Name | Number | Description |
| --- | --- | --- |
| ACL_TYPE_INVALID | 0 | Invalid ACL type |
| ACL_TYPE_CLASSIC | 1 | Classic ACL type |

AclAdjacencyType

| Name | Number | Description |
| --- | --- | --- |
| ACL_ADJACENCY_NONE | 0 | For first ace |
| ACL_ADJACENCY_AFTER | 1 | Add next to the given ace |
| ACL_ADJACENCY_BEFORE | 2 | Add before the given ace |

AclBindDirection

Direction in which an ACL is bound.

| Name | Number | Description |
| --- | --- | --- |
| ACL_BIND_DIRECTION_INVALID | 0 | Invalid bind direction |
| ACL_BIND_DIRECTION_INPUT | 1 | Bind on ingress |
| ACL_BIND_DIRECTION_OUTPUT | 2 | Bind on egress |

AclBooleanType

| Name | Number | Description |
| --- | --- | --- |
| ACL_FALSE | 0 | False |
| ACL_TRUE | 1 | True |

AclColorModeType

| Name | Number | Description |
| --- | --- | --- |
| ACL_COLOR_MODE_INVALID | 0 | |
| ACL_COLOR_MODE_COLOR_BLIND | 1 | |
| ACL_COLOR_MODE_COLOR_AWARE | 2 | |

AclEntryActionRejectReason

| Name | Number | Description |
| --- | --- | --- |
| ACL_ACTION_REJECT_ADMINISTRATIVELY_PROHIBITED | 0 | Send ICMP Administratively Prohibited message |
| ACL_ACTION_REJECT_BAD_HOST_TOS | 1 | Send ICMP Bad Host ToS message |
| ACL_ACTION_REJECT_BAD_NETWORK_TOS | 2 | Send ICMP Bad Network ToS message |
| ACL_ACTION_REJECT_FRAGMENTATION_NEEDED | 3 | Send ICMP Fragmentation Needed message |
| ACL_ACTION_REJECT_HOST_PROHIBITED | 4 | Send ICMP Host Prohibited message |
| ACL_ACTION_REJECT_HOST_UNKNOWN | 5 | Send ICMP Host Unknown message |
| ACL_ACTION_REJECT_HOST_UNREACHABLE | 6 | Send ICMP Host Unreachable message |
| ACL_ACTION_REJECT_NETWORK_PROHIBITED | 7 | Send ICMP Network Prohibited message |
| ACL_ACTION_REJECT_NETWORK_UNKNOWN | 8 | Send ICMP Network Unknown message |
| ACL_ACTION_REJECT_NETWORK_UNREACHABLE | 9 | Send ICMP Network Unreachable message |
| ACL_ACTION_REJECT_PORT_UNREACHABLE | 10 | Send ICMP Port Unreachable message |
| ACL_ACTION_REJECT_PRECEDENCE_CUTOFF | 11 | Send ICMP Precedence Cutoff message |
| ACL_ACTION_REJECT_PRECEDENCE_VIOLATION | 12 | Send ICMP Precedence Violation message |
| ACL_ACTION_REJECT_PROTOCOL_UNREACHABLE | 13 | Send ICMP Protocol Unreachable message |
| ACL_ACTION_REJECT_SOURCE_HOST_ISOLATED | 14 | Send ICMP Source Host Isolated message |
| ACL_ACTION_REJECT_SOURCE_ROUTE_FAILED | 15 | Send ICMP Source Route Failed message |
| ACL_ACTION_REJECT_TCP_RESET | 16 | Send TCP Reset message |

AclEntryMatchFlexStartOffest

| Name | Number | Description |
| --- | --- | --- |
| ACL_FLEX_MATCH_OFFSET_INVALID | 0 | Invalid Flex match start offset |
| ACL_FLEX_MATCH_OFFSET_LAYER_THREE | 1 | Layer-3 Flex match start offset |
| ACL_FLEX_MATCH_OFFSET_LAYER_FOUR | 2 | Layer-4 Flex match start offset |
| ACL_FLEX_MATCH_OFFSET_PAYLOAD | 3 | Payload Flex match start offset |

AclEntryOperation

| Name | Number | Description |
| --- | --- | --- |
| ACL_ENTRY_OPERATION_INVALID | 0 | Invalid ACE operation |
| ACL_ENTRY_OPERATION_ADD | 1 | Add a new ACE. Can be used with the Add ACL, Change ACL and Replace ACL APIs. |
| ACL_ENTRY_OPERATION_DELETE | 2 | Delete an existing ACE. Can be used with the Change ACL API. |
| ACL_ENTRY_OPERATION_REPLACE | 3 | Replace an existing ACE. Adjacency details must be provided to preserve the order of the ACE. Can be used with the Change ACL API. |

AclForwardingClass

| Name | Number | Description |
| --- | --- | --- |
| ACL_FORWARDING_CLASS_INVALID | 0 | |
| ACL_FORWARDING_CLASS_ASSURED | 1 | |
| ACL_FORWARDING_CLASS_BEST_EFFORT | 2 | |
| ACL_FORWARDING_CLASS_EXPEDITED | 3 | |
| ACL_FORWARDING_CLASS_NETWORK_CONTROL | 4 | |

AclFragmentFlags

| Name | Number | Description |
| --- | --- | --- |
| ACL_FRAGMENT_NONE | 0 | None |
| ACL_DONT_FRAGMENT | 1 | Don't fragment flag |
| ACL_IS_FRAGMENT | 2 | Is fragment flag |
| ACL_FIRST_FRAGMENT | 3 | First fragment flag |
| ACL_LAST_FRAGMENT | 4 | More last fragment flag |

AclLossPriority

| Name | Number | Description |
| --- | --- | --- |
| ACL_LOSS_PRIORITY_INVALID | 0 | |
| ACL_LOSS_PRIORITY_HIGH | 1 | |
| ACL_LOSS_PRIORITY_MEDIUM_HIGH | 2 | |
| ACL_LOSS_PRIORITY_MEDIUM_LOW | 3 | |
| ACL_LOSS_PRIORITY_LOW | 4 | |

AclMatchOperation

| Name | Number | Description |
| --- | --- | --- |
| ACL_MATCH_OP_INVALID | 0 | Invalid match operation |
| ACL_MATCH_OP_EQUAL | 1 | Match operation equal |
| ACL_MATCH_OP_NOT_EQUAL | 2 | Match operation not equal |

AclPolicerBurstSize

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_BURST_SIZE_INVALID | 0 | |
| ACL_POLICER_BURST_SIZE_BYTE | 1 | Bytes |
| ACL_POLICER_BURST_SIZE_KBYTE | 2 | KiloBytes |
| ACL_POLICER_BURST_SIZE_MBYTE | 3 | MegaBytes |
| ACL_POLICER_BURST_SIZE_GBYTE | 4 | GigaBytes |

AclPolicerFlags

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_FLAG_INVALID | 0 | |
| ACL_POLICER_FLAG_TERM_SPECIFIC | 1 | The policer instance is activated for each ACE that references it. |
| ACL_POLICER_FLAG_FILTER_SPECIFIC | 2 | The policer instance is activated at the global ACL level. |

AclPolicerRate

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_RATE_INVALID | 0 | |
| ACL_POLICER_RATE_BPS | 1 | Bits per second |
| ACL_POLICER_RATE_KBPS | 2 | Kilobits per second |
| ACL_POLICER_RATE_MBPS | 3 | Megabits per second |
| ACL_POLICER_RATE_GBPS | 4 | Gigabits per second |

AclPolicerType

| Name | Number | Description |
| --- | --- | --- |
| ACL_POLICER_INVALID | 0 | Invalid policer type |
| ACL_TWO_COLOR_POLICER | 1 | Single rate two color |
| ACL_SINGLE_RATE_THREE_COLOR_POLICER | 2 | Single rate three color |
| ACL_TWO_RATE_THREE_COLOR_POLICER | 3 | Two rate three color |
| ACL_HIERARCHICAL_POLICER | 4 | Hierarchical |

AclStpMatchFlags

| Name | Number | Description |
| --- | --- | --- |
| ACL_MATCH_STP_FLAG_INVALID | 0 | |
| ACL_MATCH_STP_FLAG_BLOCKING | 1 | |
| ACL_MATCH_STP_FLAG_FORWARDING | 2 | |

Precedence

| Name | Number | Description |
| --- | --- | --- |
| ACL_PRECENCE_ROUTINE | 0 | Routine precedence |
| ACL_PRECENCE_PRIORITY | 1 | Priority precedence |
| ACL_PRECENCE_IMMEDIATE | 2 | Immediate precedence |
| ACL_PRECENCE_FLASH | 3 | Flash precedence |
| ACL_PRECENCE_FLASH_OVERRIDE | 4 | Flash override precedence |
| ACL_PRECENCE_CRITICAL_ECP | 5 | Critical ecp precedence |
| ACL_PRECENCE_INTERNET_CONTROL | 6 | Internet control precedence |
| ACL_PRECENCE_NET_CONTROL | 7 | Network control precedence |

AclService

The ACL Service APIs define a set of simple RPCs to operate on the various components, for example:

- ACL
- ACE
- Policer
- Attachment Points
- Statistics

Each RPC is named by concatenating the corresponding ACL object and the operation to be performed, which gives the RPCs easy-to-understand semantics.

| Method Name | Request Type | Response Type | Description |
| --- | --- | --- | --- |
| AccessListAdd | AccessList | AccessListReturnStatus | Adds an ACL and returns the result. |
| AccessListDelete | AccessList | AccessListReturnStatus | Deletes an ACL from the system and returns the result. For a successful delete, the ACL should not be bound to any object. |
| AccessListChange | AccessList | AccessListReturnStatus | Changes an ACL based on the list of ACL entries provided, and returns the result. It is advisable to use this API for small incremental changes. For wholesale changes, it is recommended to use the 'Replace' version of the API. |
| AccessListBindAdd | AccessListObjBind | AccessListReturnStatus | |
| AccessListBindDelete | AccessListObjBind | AccessListReturnStatus | |
| AccessListPolicerAdd | AccessListPolicer | AccessListReturnStatus | |
| AccessListPolicerReplace | AccessListPolicer | AccessListReturnStatus | |
| AccessListPolicerDelete | AccessListPolicer | AccessListReturnStatus | |
| AccessListPileupStart | AccessListVoid | AccessListReturnStatus | Optimized command that tells the server to accumulate the Access List Entries and configure them only when AccessListPileupEnd is received. For every AccessList RPC invocation, the entire ACL is applied to the system. For applications that want to batch for better performance, AccessListPileupStart and AccessListPileupEnd help achieve that. |
| AccessListPileupEnd | AccessListVoid | AccessListReturnStatus | Optimized command that tells the server to accumulate the ace_list and configure it only when AccessListPileupEnd is received. For every AccessList RPC invocation, the entire ACL is applied to the system. For applications that want to batch for better performance, AccessListPileupStart and AccessListPileupEnd help achieve that. |
| AccessListCounterGet | AccessListCounter | AccessListCounterVal | A few points to note about this API: the call blocks for up to 10 seconds, which is not configurable. The counter name is expected to be fully resolved. For example, for a term-specific policer counter, the full counter name must be passed. |
| AccessListPolicerCounterGet | AccessListCounter | AccessListCounterVal | |
| AccessListCounterClear | AccessListCounter | AccessListReturnStatus | |
| AccessListCounterBulkGet | AccessListCounterBulk | AccessListCounterVal | |
| AccessListPolicerCounterBulkGet | AccessListCounterBulk | AccessListCounterVal | |
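
The range-match messages documented earlier on this page (AclMatchPort, AclMatchProtocol, AclMatchTtl, AclMatchTrafficClass, AclMatchVlanId, AclMatchMplsLabel) all carry optional min, max and match_op fields, and 0 is the INVALID value of AclMatchOperation, so a field left unset is easy to miss. The following is an added example, not code from the Junos IDL or its generated stubs: a client-side pre-flight check to run before AccessListAdd or AccessListChange. It assumes messages modelled as plain dicts, standard header field widths as limits, and a local policy that treats an unset min or max as a problem; `check_range_match`, `check_ace`, `FIELD_MAX` and `SAMPLE_ACE` are hypothetical names.

```python
# Added example: pre-flight checks for the min/max/match_op range messages.
# Messages are plain dicts here (assumption; real code would use generated stubs).

# Enum numbers copied from the AclMatchOperation table.
ACL_MATCH_OP_INVALID, ACL_MATCH_OP_EQUAL, ACL_MATCH_OP_NOT_EQUAL = 0, 1, 2

# Largest value the underlying packet field can carry (standard header widths).
FIELD_MAX = {
    "AclMatchPort": 0xFFFF,          # 16-bit TCP/UDP port
    "AclMatchProtocol": 0xFF,        # 8-bit IP protocol number
    "AclMatchTtl": 0xFF,             # 8-bit TTL / hop limit
    "AclMatchTrafficClass": 0xFF,    # 8-bit IPv6 traffic class
    "AclMatchVlanId": 0xFFF,         # 12-bit VLAN ID
    "AclMatchMplsLabel": 0xFFFFF,    # 20-bit MPLS label
}


def check_range_match(msg_type, msg):
    """Return a list of problems found in one range-match message."""
    problems = []
    limit = FIELD_MAX[msg_type]
    lo, hi = msg.get("min"), msg.get("max")
    op = msg.get("match_op", ACL_MATCH_OP_INVALID)  # unset optional enum reads as 0

    if op not in (ACL_MATCH_OP_EQUAL, ACL_MATCH_OP_NOT_EQUAL):
        problems.append(f"{msg_type}: match_op is unset or invalid ({op})")
    for name, value in (("min", lo), ("max", hi)):
        if value is None:
            problems.append(f"{msg_type}: {name} is not set")
        elif not 0 <= value <= limit:
            problems.append(f"{msg_type}: {name}={value} outside 0..{limit}")
    if lo is not None and hi is not None and lo > hi:
        problems.append(f"{msg_type}: min {lo} is greater than max {hi}")
    return problems


# Constructed sample matches for one ACE (not taken from the page).
SAMPLE_ACE = [
    ("AclMatchProtocol", {"min": 6, "max": 6, "match_op": ACL_MATCH_OP_EQUAL}),
    ("AclMatchPort", {"min": 1024, "max": 22, "match_op": ACL_MATCH_OP_EQUAL}),
    ("AclMatchPort", {"min": -1, "max": 70000}),  # int32 permits both values
    ("AclMatchVlanId", {"min": 100, "max": 4095, "match_op": ACL_MATCH_OP_NOT_EQUAL}),
]


def check_ace(matches):
    """Collect problems across every match in an ACE."""
    return [p for msg_type, msg in matches for p in check_range_match(msg_type, msg)]
```

Because AclMatchPort and AclMatchTrafficClass declare min and max as int32, negative and oversized values serialize without error, which is why the bounds are checked on the client before the RPC is sent.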

Scalar Value Types

| .proto Type | Notes | C++ Type | Java Type | Python Type |
| --- | --- | --- | --- | --- |
| double | | double | double | float |
| float | | float | float | float |
| int32 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint32 instead. | int32 | int | int |
| int64 | Uses variable-length encoding. Inefficient for encoding negative numbers – if your field is likely to have negative values, use sint64 instead. | int64 | long | int/long |
| uint32 | Uses variable-length encoding. | uint32 | int | int/long |
| uint64 | Uses variable-length encoding. | uint64 | long | int/long |
| sint32 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int32s. | int32 | int | int |
| sint64 | Uses variable-length encoding. Signed int value. These more efficiently encode negative numbers than regular int64s. | int64 | long | int/long |
| fixed32 | Always four bytes. More efficient than uint32 if values are often greater than 2^28. | uint32 | int | int |
| fixed64 | Always eight bytes. More efficient than uint64 if values are often greater than 2^56. | uint64 | long | int/long |
| sfixed32 | Always four bytes. | int32 | int | int |
| sfixed64 | Always eight bytes. | int64 | long | int/long |
| bool | | bool | boolean | boolean |
| string | A string must always contain UTF-8 encoded or 7-bit ASCII text. | string | String | str/unicode |
| bytes | May contain any arbitrary sequence of bytes. | string | ByteString | str |