acl.proto¶
AclMgrService¶
watch¶
rpc watch(AclWatchRequest) AclWatchResponse
Subscription to monitor ACL hardware synchronization events. This request stays active until the client cancels or the server shuts down.
EosSdk reference: eos::acl_handler (class)
acls¶
rpc acls(AclsRequest) AclsResponse
Returns a list of the ACLs created by this application.
EosSdk reference: eos::acl_mgr::acl_iter
acls_all¶
rpc acls_all(AclsAllRequest) AclsAllResponse
Returns a list of all the ACLs.
EosSdk reference: eos::acl_mgr::acl_all_iter
acl_rule_ips¶
rpc acl_rule_ips(AclRuleIpsRequest) AclRuleIpsResponse
Returns a list of all the IP ACL rules created by this application for a specified ACL.
EosSdk reference: eos::acl_mgr::acl_rule_ip_iter
acl_all_rule_ips¶
rpc acl_all_rule_ips(AclAllRuleIpsRequest) AclAllRuleIpsResponse
Returns a list of all the IP ACL rules for a specified ACL.
EosSdk reference: eos::acl_mgr::acl_all_rule_ip_iter
acl_rule_eths¶
rpc acl_rule_eths(AclRuleEthsRequest) AclRuleEthsResponse
Returns a list of all the ethernet ACL rules created by this application for a specified ACL.
EosSdk reference: eos::acl_mgr::acl_rule_eth_iter
acl_all_rule_eths¶
rpc acl_all_rule_eths(AclAllRuleEthsRequest) AclAllRuleEthsResponse
Returns a list of all the ethernet ACL rules for a specified ACL.
EosSdk reference: eos::acl_mgr::acl_all_rule_eth_iter
acl_exists¶
rpc acl_exists(AclExistsRequest) AclExistsResponse
Queries whether the specified ACL has been configured in this application.
EosSdk reference: eos::acl_mgr::acl_exists
acl_all_exists¶
rpc acl_all_exists(AclAllExistsRequest) AclAllExistsResponse
Queries whether the specified ACL has been configured.
EosSdk reference: eos::acl_mgr::acl_all_exists
acl_rule_set¶
rpc acl_rule_set(AclRuleSetRequest) AclRuleSetResponse
Adds a rule to an ACL. If the specified ACL does not exist it is created. The type of the rule must be the same as the ACL's type.
Note: Must call acl_commit for this change to take effect.
Note: An extremely large number of ACLs or rules per ACL can result in undefined behavior, including a switch reload.
EosSdk reference: eos::acl_mgr::acl_rule_set
bulk_acl_rule_set¶
rpc bulk_acl_rule_set(BulkAclRuleSetRequest) BulkAclRuleSetResponse
Adds multiple rules to ACLs in a single call. Creates any ACLs that do not exist.
Note: Must call acl_commit for this change to take effect.
EosSdk reference: eos::acl_mgr::acl_rule_set
acl_rule_del¶
rpc acl_rule_del(AclRuleDelRequest) AclRuleDelResponse
Removes a rule from an ACL. If the specified ACL does not exist or there is no rule at the specified sequence number, no changes are made.
Note: Must call acl_commit for this change to take effect.
EosSdk reference: eos::acl_mgr::acl_rule_del
bulk_acl_rule_del¶
rpc bulk_acl_rule_del(BulkAclRuleDelRequest) BulkAclRuleDelResponse
Removes multiple rules from ACLs in a single call.
Note: Must call acl_commit for this change to take effect.
EosSdk reference: eos::acl_mgr::acl_rule_del
acl_commit¶
rpc acl_commit(AclCommitRequest) AclCommitResponse
Commits all rule and setting changes made to all ACLs.
Pushes ACLs into Sysdb's active configuration. This commit cannot fail, but it can lead to a state where not all ACLs can be loaded into hardware. You will be notified via an on_acl_sync event when this commit and all other outstanding operations such as interface applications are loaded into hardware, or an on_acl_sync_fail event if the newly committed configuration can't be loaded. If there are no changes pending, you will get one of those events depending on whether the current state in Sysdb can be loaded into hardware or not.
EosSdk reference: eos::acl_mgr::acl_commit
acl_del¶
rpc acl_del(AclDelRequest) AclDelResponse
Deletes the specified ACL, removing it from all interfaces and removing all of its rules. Any pending changes to the ACL are discarded. It is effective immediately (no commit needed and no watcher event is provided).
EosSdk reference: eos::acl_mgr::acl_del
bulk_acl_del¶
rpc bulk_acl_del(BulkAclDelRequest) BulkAclDelResponse
Deletes multiple ACLs in a single call.
EosSdk reference: eos::acl_mgr::acl_del
acl_apply¶
rpc acl_apply(AclApplyRequest) AclApplyResponse
Requests that an ACL be (un)applied on the given interface and direction.
The ACL is loaded into hardware asynchronously. Like acl_commit, this call results in a watcher event when we have applied, or failed to apply, this ACL configuration. That is, an event will not be sent per call; instead, an event will be sent when everything is loaded into hardware, or when we notice problems.
API call ordering note: any acl_rule_set or acl_rule_del calls must be followed by an acl_commit prior to calling this rpc, otherwise this call will return an error.
EosSdk reference: eos::acl_mgr::acl_apply
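The ordering and failure semantics described for acl_rule_set, acl_commit and acl_apply, as an added Python example (not EosSdk code). It assumes a stub object that exposes this page's RPCs as methods and watch responses that support protobuf's `WhichOneof`; `AclSession`, `FakeStub` and `fake_event` are hypothetical names, and the fakes are constructed stand-ins so the block runs offline.

```python
from types import SimpleNamespace

class AclOrderingError(RuntimeError):
    """acl_apply attempted while rule changes are still uncommitted."""

class AclSyncError(RuntimeError):
    """Committed configuration is not known to be loaded into hardware."""

class AclSession:
    """Client-side guard: rule_set -> acl_commit -> acl_apply, then fail closed."""
    def __init__(self, stub, watch_stream):
        self.stub = stub                  # object exposing this page's RPCs
        self.watch = iter(watch_stream)   # AclWatchResponse messages from watch
        self.dirty = False                # rule changes awaiting acl_commit

    def rule_set(self, request):
        self.stub.acl_rule_set(request)
        self.dirty = True

    def commit(self, request=None):       # pass AclCommitRequest() to a real stub
        self.stub.acl_commit(request)
        self.dirty = False

    def apply(self, request):
        if self.dirty:                    # the server would reject this call
            raise AclOrderingError("call acl_commit before acl_apply")
        self.stub.acl_apply(request)

    def wait_for_hardware(self):
        """Return True on on_acl_sync; raise on failure or a closed stream."""
        for resp in self.watch:
            event = resp.WhichOneof("acl_event")
            if event == "on_acl_sync":
                return True
            if event == "on_acl_sync_fail":
                fail = resp.on_acl_sync_fail
                raise AclSyncError(f"{fail.linecard}: {fail.message}")
        raise AclSyncError("watch stream closed before on_acl_sync")

# --- constructed stand-ins (not real gRPC stubs or protobuf messages) ---
class FakeStub:
    def __init__(self):
        self.calls = []
    def __getattr__(self, name):          # records the name of any RPC invoked
        return lambda request: self.calls.append(name)

def fake_event(kind, **fields):
    return SimpleNamespace(WhichOneof=lambda _oneof: kind,
                           on_acl_sync_fail=SimpleNamespace(**fields))
```

Because acl_commit itself cannot fail, the caller should treat the ACL as enforced only after `wait_for_hardware()` returns True.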
bulk_acl_apply¶
rpc bulk_acl_apply(BulkAclApplyRequest) BulkAclApplyResponse
Apply or unapply multiple ACLs on the specified interfaces and directions in a single call.
EosSdk reference: eos::acl_mgr::acl_apply
acl_counters_enabled_set¶
rpc acl_counters_enabled_set(AclCountersEnabledSetRequest) AclCountersEnabledSetResponse
Enable or disable counters for the ACL.
Note: Must call acl_commit before this setting takes effect.
EosSdk reference: eos::acl_mgr::acl_counters_enabled_set
bulk_acl_counters_enabled_set¶
rpc bulk_acl_counters_enabled_set(BulkAclCountersEnabledSetRequest) BulkAclCountersEnabledSetResponse
Enable or disable counters for multiple ACLs in a single call.
Note: Must call acl_commit before this setting takes effect.
EosSdk reference: eos::acl_mgr::acl_counters_enabled_set
acl_fragments_enabled_set¶
rpc acl_fragments_enabled_set(AclFragmentsEnabledSetRequest) AclFragmentsEnabledSetResponse
Enable or disable fragments matching on the ACL.
Note: Must call acl_commit before this setting takes effect.
EosSdk reference: eos::acl_mgr::acl_fragments_enabled_set
bulk_acl_fragments_enabled_set¶
rpc bulk_acl_fragments_enabled_set(BulkAclFragmentsEnabledSetRequest) BulkAclFragmentsEnabledSetResponse
Enables or disables fragments matching on multiple ACLs in a single call.
Note: Must call acl_commit before this setting takes effect.
EosSdk reference: eos::acl_mgr::acl_fragments_enabled_set
stream_allowed¶
rpc stream_allowed(StreamAllowedRequest) StreamAllowedResponse
Check a connection against any applied ACL to determine if it should be dropped, incrementing the ACL counter if so. For use with SOCK_STREAM or SOCK_DGRAM.
EosSdk reference: eos::acl_mgr::stream_allowed
dgram_allowed¶
rpc dgram_allowed(DgramAllowedRequest) DgramAllowedResponse
Check a packet against any applied ACL to determine if it should be dropped, incrementing the ACL counter if so. For use with SOCK_DGRAM only.
EosSdk reference: eos::acl_mgr::dgram_allowed
Messages¶
AclAllExistsRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to query. |
AclAllExistsResponse¶
Name | Value | Description |
---|---|---|
exists | bool | True if the ACL exists in any configuration in the device otherwise false. |
AclAllRuleEthsRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of ACL to get the ethernet rules for. |
AclAllRuleEthsResponse¶
Name | Value | Description |
---|---|---|
eth_rule | AclRuleEthEntry | |
AclAllRuleIpsRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of ACL to get the IP rules for. |
AclAllRuleIpsResponse¶
Name | Value | Description |
---|---|---|
ip_rule | AclRuleIpEntry | |
AclApplyRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to [un]apply. |
intf_id | IntfId | The interface ID of the interface to [un]apply the ACL. |
direction | AclDirection | The direction in which to [un]apply the ACL. |
apply | bool | True if the ACL should be applied otherwise false if it should be unapplied. |
AclApplyResponse¶
Empty message.
AclCommitRequest¶
Empty message.
AclCommitResponse¶
Empty message.
AclCountersEnabledSetRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to modify. |
enabled | bool | True if counters should be enabled for the ACL otherwise false if they should be disabled. |
AclCountersEnabledSetResponse¶
Empty message.
AclDelRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to remove. |
AclDelResponse¶
Empty message.
AclExistsRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to query. |
AclExistsResponse¶
Name | Value | Description |
---|---|---|
exists | bool | True if the ACL exists in the application's configuration otherwise false. |
AclFragmentsEnabledSetRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to modify. |
enabled | bool | True if fragments matching should be enabled for the ACL otherwise false if it should be disabled. |
AclFragmentsEnabledSetResponse¶
Empty message.
AclRuleDelRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to modify. |
sequence_number | uint32 | The sequence number at which to remove the rule. |
AclRuleDelResponse¶
Empty message.
AclRuleEthEntry¶
Name | Value | Description |
---|---|---|
sequence_number | uint32 | |
eth_rule | AclRuleEth | |
AclRuleEthsRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of ACL to get the ethernet rules for. |
AclRuleEthsResponse¶
Name | Value | Description |
---|---|---|
eth_rule | AclRuleEthEntry | |
AclRuleIpEntry¶
Name | Value | Description |
---|---|---|
sequence_number | uint32 | |
ip_rule | AclRuleIp | |
AclRuleIpsRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of ACL to get the IP rules for. |
AclRuleIpsResponse¶
Name | Value | Description |
---|---|---|
ip_rule | AclRuleIpEntry | |
AclRuleSetRequest¶
Name | Value | Description |
---|---|---|
key | AclKey | The key of the ACL to create or modify. |
sequence_number | uint32 | The sequence number to add the rule at. |
oneof acl_rule.ip_rule | AclRuleIp | IP ACL rule to add to the ACL. |
oneof acl_rule.eth_rule | AclRuleEth | Ethernet ACL rule to add to the ACL. |
AclRuleSetResponse¶
Empty message.
AclWatchRequest¶
Name | Value | Description |
---|---|---|
ack | bool | Set to true if an immediate acknowledgment is desired. |
AclWatchResponse¶
Name | Value | Description |
---|---|---|
oneof acl_event.ack | bool | If true the agent is now actively watching for events. |
oneof acl_event.on_acl_sync | OnAclSync | All pending transactions have been successfully committed to hardware. |
oneof acl_event.on_acl_sync_fail | OnAclSyncFail | A problem has stopped the ACL configuration from being committed to hardware. |
AclsAllRequest¶
Empty message.
AclsAllResponse¶
An ACL that was created by this application.
Name | Value | Description |
---|---|---|
key | AclKey | |
AclsRequest¶
Empty message.
AclsResponse¶
An ACL that was created by this application.
Name | Value | Description |
---|---|---|
key | AclKey | |
BulkAclApplyRequest¶
Name | Value | Description |
---|---|---|
requests | repeated AclApplyRequest | List of AclApplyRequests. |
BulkAclApplyResponse¶
Name | Value | Description |
---|---|---|
processed | uint64 | Number of consecutive successful requests. |
status | RpcResponseStatus | Success or error details in the event of failure. |
BulkAclCountersEnabledSetRequest¶
Name | Value | Description |
---|---|---|
requests | repeated AclCountersEnabledSetRequest | List of AclCountersEnabledSetRequests. |
BulkAclCountersEnabledSetResponse¶
Name | Value | Description |
---|---|---|
processed | uint64 | Number of consecutive successful requests. |
status | RpcResponseStatus | Success or error details in the event of failure. |
BulkAclDelRequest¶
Name | Value | Description |
---|---|---|
requests | repeated AclDelRequest | List of AclDelRequests. |
BulkAclDelResponse¶
Name | Value | Description |
---|---|---|
processed | uint64 | Number of consecutive successful requests. |
status | RpcResponseStatus | Success or error details in the event of failure. |
BulkAclFragmentsEnabledSetRequest¶
Name | Value | Description |
---|---|---|
requests | repeated AclFragmentsEnabledSetRequest | List of AclFragmentsEnabledSetRequests. |
BulkAclFragmentsEnabledSetResponse¶
Name | Value | Description |
---|---|---|
processed | uint64 | Number of consecutive successful requests. |
status | RpcResponseStatus | Success or error details in the event of failure. |
BulkAclRuleDelRequest¶
Name | Value | Description |
---|---|---|
requests | repeated AclRuleDelRequest | List of AclRuleDelRequests. |
BulkAclRuleDelResponse¶
Name | Value | Description |
---|---|---|
processed | uint64 | Number of consecutive successful requests. |
status | RpcResponseStatus | Success or error details in the event of failure. |
BulkAclRuleSetRequest¶
Name | Value | Description |
---|---|---|
requests | repeated AclRuleSetRequest | List of AclRuleSetRequests. |
BulkAclRuleSetResponse¶
Name | Value | Description |
---|---|---|
processed | uint64 | Number of consecutive successful requests. |
status | RpcResponseStatus | Success or error details in the event of failure. |
DgramAllowedRequest¶
Name | Value | Description |
---|---|---|
source_addr | bytes | The source IP address. |
dest_addr | bytes | The destination IP address. |
source_port | uint32 | The source port. Must be in range 0 to 65535. |
dest_port | uint32 | The destination port. Must be in range 0 to 65535. |
ttl | uint32 | Time to live if IPv4 otherwise hop limit if IPv6. Must be in range 0 to 255. |
tos | uint32 | Type of service if IPv4 otherwise traffic class if IPv6. Must be in range 0 to 255. |
recipient_intf | IntfId | Recipient interface. |
DgramAllowedResponse¶
Name | Value | Description |
---|---|---|
dgram_allowed | bool | True if packet is allowed otherwise false if it should be dropped. |
OnAclSync¶
Notification for when all pending transactions have been successfully committed to hardware. May be called multiple times for a single transaction or only once for a whole bunch of separate updates. May also be called due to ACL updates made using the CLI.
Empty message.
OnAclSyncFail¶
Notification for when a problem has stopped ACL configuration from being committed to hardware. The config must be modified in some way to get Sysdb and hardware back in sync. The most common problem is too many ACLs or ACL entries. It is up to the client to find and fix the issue. After committing the required modifications, an on_acl_sync notification will be sent if the problem is fixed; otherwise another on_acl_sync_fail notification will be sent to indicate there is still a problem.
Note: Multiple notifications may be sent for a single problem, and notifications may be sent due to misconfigurations made using the CLI.
Name | Value | Description |
---|---|---|
linecard | string | The linecard reporting the issue. |
message | string | An error message describing the problem. |
StreamAllowedRequest¶
Name | Value | Description |
---|---|---|
source_addr | bytes | The source IP address. |
dest_addr | bytes | The destination IP address. |
protocol | uint32 | Optional: The protocol. Must be in range 0 to 255. |
source_port | uint32 | Optional: The source port. Must be in range 0 to 65535. |
dest_port | uint32 | Optional: The destination port. Must be in range 0 to 65535. |
StreamAllowedResponse¶
Name | Value | Description |
---|---|---|
stream_allowed | bool | True if the connection is allowed otherwise false if it should be dropped. |