Re: [netmod] Netmod ACL - Can "access-lists" be set up as a "grouping"
Martin Bjorklund <mbj@tail-f.com> Mon, 08 January 2018 15:46 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/lWjeqea75tnEMQlVxKHbXTUtAwg>
Hi,

Robert Wilton <rwilton@cisco.com> wrote:
> Hi Einar, Jon, Mahesh,
>
> My gut instinct is that making this a grouping might not be a good
> idea:
>
> 1) If somebody updates the core ACL model, will then need to check
> that anyone using it should be similarly updated (unless they use
> import-by-revision).
>
> 2) Does it make sense to define ACLs in separate places. Would like
> be more simple if ACLs were defined in a central place and then just
> referenced by other protocols as required.
>
> 3) I think that groupings are probably overused and I think that they
> can detract from the readability of the model. (I regard the
> OpenConfig YANG models as an extreme example of this, where it is
> necessary to compile the modules together to figure out where
> everything fits together).

I agree with all three statements.

The current acl data model has a top-level grouping "interface-acl"
which probably is not intended to be "exported". I think it should be
moved into the "attachment-points" container, in order to make it
local.

If the entire access-list container is defined as a grouping, and is
used in multiple places, how are the multiple interface
attachment-points handled?

/martin

>
> Having said that, I don't think that this issue is important enough to
> have a long discussion about ...
>
> Thanks,
> Rob
>
>
> On 08/01/2018 15:02, Einar Nilsen-Nygaard (einarnn) wrote:
> > Since this is a 7-line change, I see no harm in it if no-one objects?
> > Mahesh has the token for rolling in updates discussed just prior to
> > the end of 2017.
> >
> > Here’s a possible diff:
> >
> > $ git diff -b
> > diff --git a/src/yang/ietf-access-control-list.yang
> > b/src/yang/ietf-access-control-list.yang
> > index 4d698c9..b1a173f 100644
> > --- a/src/yang/ietf-access-control-list.yang
> > +++ b/src/yang/ietf-access-control-list.yang
> > @@ -402,6 +402,10 @@ module ietf-access-control-list {
> > /*
> > * Configuration data nodes
> > */
> > + grouping access-lists-top {
> > + description
> > + "Grouping to allow reuse of access lists container elsewhere.";
> > +
> > container access-lists {
> > description
> > "This is a top level container for Access Control Lists.
> > @@ -576,6 +580,9 @@ module ietf-access-control-list {
> > }
> > }
> > }
> > + }
> > + uses access-lists-top;
> > +
> > augment "/if:interfaces/if:interface" {
> > description
> > "Augment interfaces to allow ACLs to be associated in either
> > the
> >
> > Cheers,
> >
> > Einar
> >
> >
> >> On 8 Jan 2018, at 10:53, Jon Shallow <supjps-ietf@jpshallow.com
> >> <mailto:supjps-ietf@jpshallow.com>> wrote:
> >>
> >> Hi There,
> >> I appreciate that this is late to the table, but is it possible to set
> >> up “access-lists” as a “grouping” in the YANG data model so that
> >> “access-lists” can be included by “uses” in a higher level YANG data
> >> model?
> >> I have raised this as issue #22
> >> at https://github.com/netmod-wg/acl-model/issues
> >> Regards
> >> Jon
> >> _______________________________________________
> >> netmod mailing list
> >> netmod@ietf.org <mailto:netmod@ietf.org>
> >> https://www.ietf.org/mailman/listinfo/netmod
> >
> >
> >
> > _______________________________________________
> > netmod mailing list
> > netmod@ietf.org
> > https://www.ietf.org/mailman/listinfo/netmod
>
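Review bot: In the first hunk (@@ -402,6 +402,10 @@), the wrapped container's description still reads "This is a top level container for Access Control Lists.", which stops being accurate once access-lists-top is instantiated by a uses statement anywhere other than the module root. Suggest rewording that description so it does not promise a top-level position, and expanding the grouping's own description beyond "Grouping to allow reuse of access lists container elsewhere." to say what a using module is expected to provide or constrain. Because the diff was produced with git diff -b, it also does not show whether the container body was re-indented under the new grouping; worth confirming before this is rolled in.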
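Review bot: In the second hunk (@@ -576,6 +580,9 @@), the augment of "/if:interfaces/if:interface" that follows "uses access-lists-top;" stays outside the grouping, so a module that instantiates the grouping elsewhere gets another access-lists container with no stated relationship to the interface association. The visible lines do not say which instance the ACLs attached to an interface refer to in that case. Suggest documenting this in the augment's description, or stating in the grouping's description that interface attachment applies only to the instance created by this module's own uses statement.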