Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"

"Jon Shallow" <> Mon, 08 January 2018 15:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 64D90129966 for <>; Mon, 8 Jan 2018 07:47:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vJU44eU9Z9Vr for <>; Mon, 8 Jan 2018 07:47:17 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7E9A3126579 for <>; Mon, 8 Jan 2018 07:47:17 -0800 (PST)
Received: from [] (helo=N01332) by with smtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.89) (envelope-from <>) id 1eYZdn-0005df-61; Mon, 08 Jan 2018 15:47:11 +0000
From: "Jon Shallow" <>
To: "'Robert Wilton'" <>, <>, "'Einar Nilsen-Nygaard \(einarnn\)'" <>, "'Mahesh Jethanandani'" <>
References: <012301d3886e$f96f08e0$ec4d1aa0$> <> <>
In-Reply-To: <>
Date: Mon, 8 Jan 2018 15:47:11 -0000
Message-ID: <022401d38897$f2aa1b70$d7fe5250$>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0225_01D38897.F2ABA210"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQKQyRuXL6dM12jnz185RKPboCEftgLUfB8AAmARq32hxfarIA==
Content-Language: en-gb
Archived-At: <>
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jan 2018 15:47:19 -0000

Hi Robert,


A good set of points.


My particular use case (hence raising the question) is defining a YANG model where there are multiple appliances and where ACLs are defined for each appliance, but there is the likelihood of the different appliances using the same “acl-name”, but the contents of “acl-name” are different.  Having a grouping (using import-by-revision) would help me considerably here.






From: Robert Wilton [mailto:] 
Sent: 08 January 2018 15:31
To: Einar Nilsen-Nygaard (einarnn); Jon Shallow; Mahesh Jethanandani
Subject: Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"


Hi Einar, Jon, Mahesh,

My gut instinct is that making this a grouping might not be a good idea:

1) If somebody updates the core ACL model, will then need to check that anyone using it should be similarly updated (unless they use import-by-revision).

2) Does it make sense to define ACLs in separate places.  Would like be more simple if ACLs were defined in a central place and then just referenced by other protocols as required.

3) I think that groupings are probably overused and I think that they can detract from the readability of the model.  (I regard the OpenConfig YANG models as an extreme example of this, where it is necessary to compile the modules together to figure out where everything fits together).

Having said that, I don't think that this issue is important enough to have a long discussion about ...


On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:

Since this is a 7-line change, I see no harm in it if no-one objects? Mahesh has the token for rolling in updates discussed just prior to the end of 2017. 


Here’s a possible diff: 


$ git diff -b

diff --git a/src/yang/ietf-access-control-list.yang b/src/yang/ietf-access-control-list.yang

index 4d698c9..b1a173f 100644

--- a/src/yang/ietf-access-control-list.yang

+++ b/src/yang/ietf-access-control-list.yang

@@ -402,6 +402,10 @@ module ietf-access-control-list {


    * Configuration data nodes


+  grouping access-lists-top {

+    description

+      "Grouping to allow reuse of access lists container elsewhere.";


     container access-lists {


         "This is a top level container for Access Control Lists.

@@ -576,6 +580,9 @@ module ietf-access-control-list {




+  }

+  uses access-lists-top;


   augment "/if:interfaces/if:interface" {


       "Augment interfaces to allow ACLs to be associated in either the






On 8 Jan 2018, at 10:53, Jon Shallow <> wrote:


Hi There,


I appreciate that this is late to the table, but is it possible to set up “access-lists” as a “grouping” in the YANG data model so that “access-lists” can be included by “uses” in a higher level YANG data model?


I have raised this as issue #22 at  <>





netmod mailing list


netmod mailing list