Introduce MATCH_ACTION policy-forwarding #1417
No major YANG version changes in commit 7d88278
* Add GLOME YANG paths. cloned from #1378
* Update with changes from comments
* Update with changes from comments
* Fix typo
* Remove the oc-ap augment
---------
Co-authored-by: Darren Loher <dloher@google.com>
Co-authored-by: Caleb Geiger <48812321+ElodinLaarz@users.noreply.github.com>

* Add FEC statistics and update descriptions in YANG
* (M) release/models/optical-transport/openconfig-terminal-device.yang
* (M) release/models/interfaces/openconfig-if-ethernet.yang
---------
Co-authored-by: Darren Loher <dloher@google.com>
robshakir left a comment
Thanks for the changes, this LGTM. I added a couple of small nit comments.
Reviewed at OC Operators Meeting on January 27th: We can set last call to 2 weeks from now and bring it up at the community meeting.
| base oc-types:ADDRESS_FAMILY; | ||
| } | ||
| description | ||
| "The type determines the address family allowed in the |
Please include information about transport layer match handling in the description, since the address family is limited to L2, IPV4, IPV6 and MPLS.
| "Unique sequence number for the policy rule."; | ||
| } | ||
|
|
||
| leaf address-family { |
Since this is introduced as a non-key node to the rule list, the model can allow for mixing different address families within the same PF policy - this differs in design from the ACL modeling where there is an additional key at a parent level (often the same implementation)
And to the point raised on the OC community call 2026-02-05, there are a number of child containers that may only apply based on how this non-mandatory/non-key value is set. If the modeling does not define these possibilities and restrictions, I feel we are going to see divergence amongst implementation behavior that may not align to use-cases, not to mention corner cases and logic that needs handling outside of the modeling.
Making this node mandatory or adding it as a key in the list are both breaking changes to the model which are not easily absorbed as the model is in production use.
We chose the tradeoff of adding to the existing model for operational ease versus introducing a new model (where we could define a list with an address-family as a key or as a mandatory node).
I do have an open issue from OC community to clarify if the address family constrains both match and actions, or just the match rules. I'll complete that investigation shortly.
…cies.yang fix typo
Discussed at OC Operators Meeting on Feb 24, 2026: Asked Darren to finish doing some due-diligence to include any precedence in cross AFI match / action use-cases. If we think that we would want to remove the constraint in the future, it seems okay to use it as-is. (encap/decap actions might have an ambiguous address family, for instance.) If Darren finds any examples, seems okay to merge.
I will merge this as is, without the actions container constrained to an address family. Some actions are Address Family Neutral, meaning they don't care about the IP version. However, some are Address Family Specific. Which actions can be used are relevant to the match and can be rejected on a logical basis (such as ipv4 matching with an action for an ipv4 next-hop or implementation specific limitations).
Address family neutral actions:
Address family specific actions:
Exceptions exist for cross-family redirection. You can match an IPv4 packet and redirect it to a 6PE (IPv6 Provider Edge) label or a Recursive Next-hop that eventually resolves via an IPv6 transport, but the "Match" is still strictly IPv4. It would be complex and generally against OC style to attempt to model all these conditions with logic in the yang model.
set-dscp is mentioned under address family neutral actions, but in the merged code we have address-family specific dscp action. Is that intentional?
Yes, there are containers for address family in the match and action containers for readability. The topic of this thread is whether there should be yang constraints modeled to formally restrict the address family for match rules and actions. In the (now merged) model, there is no use of yang
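The thread above leaves address-family consistency between a rule's `address-family` leaf and its match and action containers to checks outside the YANG model. The following is an added example, not code from the PR or from OpenConfig, of a pre-deployment lint that surfaces those cases; the identity strings (`L2`, `IPV4`, `IPV6`, `MPLS`), the dict layout and the finding codes are assumptions made for the sketch.

```python
# Added example: address-family consistency lint for policy-forwarding rules.
# Container names come from the tree view; the identity strings "L2", "IPV4",
# "IPV6", "MPLS" and the dict layout are assumptions made for this sketch.
MATCH_AF = {"l2": "L2", "ipv4": "IPV4", "ipv6": "IPV6"}
ACTION_AF = {"ipv4": "IPV4", "ipv6": "IPV6", "mpls": "MPLS"}


def rule_af(rule):
    return rule.get("config", {}).get("address-family")


def lint_rule(rule):
    """Return (code, message) findings for one rule."""
    seq, af, out = rule.get("sequence-id"), rule_af(rule), []
    matches = [c for c in MATCH_AF if rule.get(c)]
    if af is None and matches:
        out.append(("af-unset", f"rule {seq}: {matches} set, no address-family"))
    for c in matches:
        if af is not None and MATCH_AF[c] != af:
            out.append(("match-mismatch", f"rule {seq}: {c} match under {af}"))
    # Actions are not constrained by the model; cross-family redirection can
    # be legitimate, so this is flagged for human review rather than rejected.
    for c, c_af in ACTION_AF.items():
        if rule.get("action", {}).get(c) and af not in (None, c_af):
            out.append(("action-cross-family", f"rule {seq}: action/{c} under {af}"))
    return out


def lint_policy(policy):
    """Lint every rule, then flag policies that mix address families."""
    out = [f for r in policy["rules"] for f in lint_rule(r)]
    afs = sorted({rule_af(r) for r in policy["rules"]} - {None})
    if len(afs) > 1:
        out.append(("mixed-policy", f"policy {policy['policy-id']}: {afs}"))
    return out


# Constructed sample policy, not taken from any device.
SAMPLE_POLICY = {"policy-id": "pf-example", "rules": [
    {"sequence-id": 10, "config": {"address-family": "IPV4"},
     "ipv4": {"config": {"protocol": 6}}, "action": {"ipv4": {"config": {"ttl": 64}}}},
    {"sequence-id": 20, "config": {"address-family": "IPV4"},
     "ipv6": {"config": {"hop-limit": 1}}},
    {"sequence-id": 30, "config": {}, "ipv6": {"config": {"dscp": 46}}},
    {"sequence-id": 40, "config": {"address-family": "IPV6"},
     "ipv6": {"config": {"dscp": 0}}, "action": {"ipv4": {"config": {"dscp": 46}}}},
]}

if __name__ == "__main__":
    for code, msg in lint_policy(SAMPLE_POLICY):
        print(f"{code:20} {msg}")
```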
Change Scope
next-rule, count and sample actions.
Platform Implementations
See #1371 which includes references to implementation.
Tree View
module: openconfig-network-instance +--rw network-instances +--rw network-instance* [name] +--rw policy-forwarding | +--rw config | | +--rw global-decap-policy? string | +--ro state | | +--ro global-decap-policy? string | +--rw policies | | +--rw policy* [policy-id] | | +--rw policy-id -> ../config/policy-id | | +--rw config | | | +--rw policy-id? string | | | +--rw type? enumeration | | +--ro state | | | +--ro policy-id? string | | | +--ro type? enumeration | | +--rw rules | | +--rw rule* [sequence-id] | | +--rw sequence-id -> ../config/sequence-id | | +--rw config | | | +--rw sequence-id? uint32 + | | | +--rw address-family? identityref + | | | +--rw description? string | | +--ro state | | | +--ro sequence-id? uint32 + | | | +--ro address-family? identityref + | | | +--ro description? string | | | +--ro matched-pkts? oc-yang:counter64 | | | +--ro matched-octets? oc-yang:counter64 | | +--rw l2 | | | +--rw config | | | | +--rw source-mac? oc-yang:mac-address | | | | +--rw source-mac-mask? oc-yang:mac-address | | | | +--rw destination-mac? oc-yang:mac-address | | | | +--rw destination-mac-mask? oc-yang:mac-address | | | | +--rw ethertype? oc-pkt-match-types:ethertype-type | | | +--ro state | | | +--ro source-mac? oc-yang:mac-address | | | +--ro source-mac-mask? oc-yang:mac-address | | | +--ro destination-mac? oc-yang:mac-address | | | +--ro destination-mac-mask? oc-yang:mac-address | | | +--ro ethertype? oc-pkt-match-types:ethertype-type | | +--rw ipv4 | | | +--rw config | | | | +--rw source-address? oc-inet:ipv4-prefix | | | | +--rw source-address-prefix-set? -> /oc-sets:defined-sets/ipv4-prefix-sets/ipv4-prefix-set/name | | | | +--rw destination-address? oc-inet:ipv4-prefix | | | | +--rw destination-address-prefix-set? -> /oc-sets:defined-sets/ipv4-prefix-sets/ipv4-prefix-set/name | | | | +--rw fragment-offsets* oc-pkt-match-types:fragment-offset-range | | | | +--rw dscp? oc-inet:dscp | | | | +--rw dscp-set* oc-inet:dscp | | | | +--rw length? 
uint16 | | | | +--rw protocol? oc-pkt-match-types:ip-protocol-type | | | | +--rw hop-limit? uint8 | | | +--ro state | | | | +--ro source-address? oc-inet:ipv4-prefix | | | | +--ro source-address-prefix-set? -> /oc-sets:defined-sets/ipv4-prefix-sets/ipv4-prefix-set/name | | | | +--ro destination-address? oc-inet:ipv4-prefix | | | | +--ro destination-address-prefix-set? -> /oc-sets:defined-sets/ipv4-prefix-sets/ipv4-prefix-set/name | | | | +--ro fragment-offsets* oc-pkt-match-types:fragment-offset-range | | | | +--ro dscp? oc-inet:dscp | | | | +--ro dscp-set* oc-inet:dscp | | | | +--ro length? uint16 | | | | +--ro protocol? oc-pkt-match-types:ip-protocol-type | | | | +--ro hop-limit? uint8 | | | +--rw icmpv4 | | | +--rw config | | | | +--rw type? identityref | | | | +--rw code? identityref | | | +--ro state | | | +--ro type? identityref | | | +--ro code? identityref | | +--rw ipv6 | | | +--rw config | | | | +--rw source-address? oc-inet:ipv6-prefix | | | | +--rw source-address-prefix-set? -> /oc-sets:defined-sets/ipv6-prefix-sets/ipv6-prefix-set/name | | | | +--rw source-flow-label? oc-inet:ipv6-flow-label | | | | +--rw destination-address? oc-inet:ipv6-prefix | | | | +--rw destination-address-prefix-set? -> /oc-sets:defined-sets/ipv6-prefix-sets/ipv6-prefix-set/name | | | | +--rw destination-flow-label? oc-inet:ipv6-flow-label | | | | +--rw dscp? oc-inet:dscp | | | | +--rw dscp-set* oc-inet:dscp | | | | +--rw length? uint16 | | | | +--rw protocol? oc-pkt-match-types:ip-protocol-type | | | | +--rw hop-limit? uint8 | | | +--ro state | | | | +--ro source-address? oc-inet:ipv6-prefix | | | | +--ro source-address-prefix-set? -> /oc-sets:defined-sets/ipv6-prefix-sets/ipv6-prefix-set/name | | | | +--ro source-flow-label? oc-inet:ipv6-flow-label | | | | +--ro destination-address? oc-inet:ipv6-prefix | | | | +--ro destination-address-prefix-set? -> /oc-sets:defined-sets/ipv6-prefix-sets/ipv6-prefix-set/name | | | | +--ro destination-flow-label? 
oc-inet:ipv6-flow-label | | | | +--ro dscp? oc-inet:dscp | | | | +--ro dscp-set* oc-inet:dscp | | | | +--ro length? uint16 | | | | +--ro protocol? oc-pkt-match-types:ip-protocol-type | | | | +--ro hop-limit? uint8 | | | +--rw icmpv6 | | | +--rw config | | | | +--rw type? identityref | | | | +--rw code? identityref | | | +--ro state | | | +--ro type? identityref | | | +--ro code? identityref | | +--rw transport | | | +--rw config | | | | +--rw source-port? oc-pkt-match-types:port-num-range | | | | +--rw source-port-set? -> /oc-sets:defined-sets/port-sets/port-set/name | | | | +--rw destination-port? oc-pkt-match-types:port-num-range | | | | +--rw destination-port-set? -> /oc-sets:defined-sets/port-sets/port-set/name | | | | +--rw detail-mode? enumeration | | | | +--rw explicit-detail-match-mode? enumeration | | | | +--rw explicit-tcp-flags* identityref | | | | +--rw builtin-detail? enumeration | | | +--ro state | | | +--ro source-port? oc-pkt-match-types:port-num-range | | | +--ro source-port-set? -> /oc-sets:defined-sets/port-sets/port-set/name | | | +--ro destination-port? oc-pkt-match-types:port-num-range | | | +--ro destination-port-set? -> /oc-sets:defined-sets/port-sets/port-set/name | | | +--ro detail-mode? enumeration | | | +--ro explicit-detail-match-mode? enumeration | | | +--ro explicit-tcp-flags* identityref | | | +--ro builtin-detail? enumeration | | +--rw action | | | +--rw config - | | | | +--rw discard? boolean + | | | | x--rw discard? boolean | | | | +--rw decapsulate-gre? boolean | | | | +--rw decap-network-instance? -> /network-instances/network-instance/config/name | | | | +--rw decap-fallback-network-instance? -> /network-instances/network-instance/config/name + | | | | +--rw log? boolean | | | | +--rw post-decap-network-instance? -> /network-instances/network-instance/config/name | | | | +--rw network-instance? -> /network-instances/network-instance/config/name | | | | +--rw path-selection-group? 
-> ../../../../../../../path-selection-groups/path-selection-group/config/group-id | | | | +--rw next-hop? oc-inet:ip-address | | | | +--rw next-hop-group? -> ../../../../../../../../static/next-hop-groups/next-hop-group/config/name | | | | +--rw decapsulate-mpls-in-udp? boolean | | | | +--rw decapsulate-gue? boolean - | | | | +--rw ip-ttl? uint8 + | | | | x--rw ip-ttl? uint8 | | | +--ro state - | | | | +--ro discard? boolean + | | | | x--ro discard? boolean | | | | +--ro decapsulate-gre? boolean | | | | +--ro decap-network-instance? -> /network-instances/network-instance/config/name | | | | +--ro decap-fallback-network-instance? -> /network-instances/network-instance/config/name + | | | | +--ro log? boolean | | | | +--ro post-decap-network-instance? -> /network-instances/network-instance/config/name | | | | +--ro network-instance? -> /network-instances/network-instance/config/name | | | | +--ro path-selection-group? -> ../../../../../../../path-selection-groups/path-selection-group/config/group-id | | | | +--ro next-hop? oc-inet:ip-address | | | | +--ro next-hop-group? -> ../../../../../../../../static/next-hop-groups/next-hop-group/config/name | | | | +--ro decapsulate-mpls-in-udp? boolean | | | | +--ro decapsulate-gue? boolean - | | | | +--ro ip-ttl? uint8 + | | | | x--ro ip-ttl? uint8 | | | +--rw encapsulate-gre | | | | +--rw config | | | | | +--rw identifying-prefix? oc-inet:ip-prefix | | | | +--ro state | | | | | +--ro identifying-prefix? oc-inet:ip-prefix | | | | +--rw targets | | | | +--rw target* [id] | | | | +--rw id -> ../config/id | | | | +--rw config | | | | | +--rw id? string | | | | | +--rw source? oc-inet:ip-address | | | | | +--rw destination? oc-inet:ip-prefix | | | | | +--rw ip-ttl? uint8 | | | | +--ro state | | | | +--ro id? string | | | | +--ro source? oc-inet:ip-address | | | | +--ro destination? oc-inet:ip-prefix | | | | +--ro ip-ttl? uint8 + | | | +--rw ipv4 + | | | | +--rw config + | | | | | +--rw dscp? 
oc-inet-types:dscp + | | | | | +--rw ttl? uint8 + | | | | +--ro state + | | | | +--ro dscp? oc-inet-types:dscp + | | | | +--ro ttl? uint8 + | | | +--rw ipv6 + | | | | +--rw config + | | | | | +--rw dscp? oc-inet-types:dscp + | | | | | +--rw hop-limit? uint8 + | | | | +--ro state + | | | | +--ro dscp? oc-inet-types:dscp + | | | | +--ro hop-limit? uint8 + | | | +--rw mpls + | | | | +--rw config + | | | | | +--rw mpls-traffic-class? oc-mplst:mpls-tc + | | | | +--ro state + | | | | +--ro mpls-traffic-class? oc-mplst:mpls-tc + | | | +--rw forwarding + | | | | +--rw config + | | | | | +--rw forwarding-action? identityref + | | | | | +--rw qos-forwarding-group? -> /oc-qos:qos/forwarding-groups/forwarding-group/config/name + | | | | +--ro state + | | | | +--ro forwarding-action? identityref + | | | | +--ro qos-forwarding-group? -> /oc-qos:qos/forwarding-groups/forwarding-group/config/name | | | +--rw oc-pf-srte:segment-lists | | | +--rw oc-pf-srte:segment-list* [index] | | | +--rw oc-pf-srte:index -> ../config/index | | | +--rw oc-pf-srte:config | | | | +--rw oc-pf-srte:index? uint64 | | | | +--rw oc-pf-srte:weight? uint32 | | | +--ro oc-pf-srte:state | | | | +--ro oc-pf-srte:index? uint64 | | | | +--ro oc-pf-srte:weight? uint32 | | | +--rw oc-pf-srte:sids | | | +--rw oc-pf-srte:sid* [index] | | | +--rw oc-pf-srte:index -> ../config/index | | | +--rw oc-pf-srte:config | | | | +--rw oc-pf-srte:index? uint64 | | | | +--rw oc-pf-srte:value? oc-srt:sr-sid-type | | | | +--rw oc-pf-srte:mpls-ttl? uint8 | | | | +--rw oc-pf-srte:mpls-tc? uint8 | | | +--ro oc-pf-srte:state | | | +--ro oc-pf-srte:index? uint64 | | | +--ro oc-pf-srte:value? oc-srt:sr-sid-type | | | +--ro oc-pf-srte:mpls-ttl? uint8 | | | +--ro oc-pf-srte:mpls-tc? uint8 | | +--rw oc-pf-srte:srte | | +--rw oc-pf-srte:config | | | +--rw oc-pf-srte:mpls-bsid? oc-mplst:mpls-label | | | +--rw oc-pf-srte:srte-endpoint? oc-inet:ip-address | | | +--rw oc-pf-srte:srte-color? uint32 | | | +--rw oc-pf-srte:srte-preference? 
uint32 | | +--ro oc-pf-srte:state | | +--ro oc-pf-srte:mpls-bsid? oc-mplst:mpls-label | | +--ro oc-pf-srte:srte-endpoint? oc-inet:ip-address | | +--ro oc-pf-srte:srte-color? uint32 | | +--ro oc-pf-srte:srte-preference? uint32
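Review bot: In action/config, `discard` and `ip-ttl` flip to status `x` (deprecated) while `forwarding/config/forwarding-action`, `action/ipv4/config/ttl` and `action/ipv6/config/hop-limit` are added, but nothing visible in the tree says which value takes effect when a deprecated leaf and a new leaf are both configured. I would state the replacement path and the precedence in each deprecated leaf's description so implementations do not diverge on a rule that sets both `discard` and `forwarding-action`. Separately, the new action `dscp` leaves are typed `oc-inet-types:dscp` while the existing match `dscp` leaves use `oc-inet:dscp`; if both prefixes refer to the same module, using one prefix throughout keeps the tree consistent. Finally, `address-family?` is added as an optional non-key leaf next to the `l2`, `ipv4` and `ipv6` match containers, so the description should say how a rule is treated when the leaf is unset or disagrees with the populated match container.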