Support for ACL with netmask set with non-contiguous bits

[Pull-eckermann]

In the current OpenConfig, configuration of source-address and destination-address leaves in the /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config (or ipv6) xpath are only supported with netmasks that are left-contiguous, cause this leaves are defined with type oc-inet:ipv4-prefix or oc-inet:ipv6-prefix, which only allows CIDR mask format.

The contiguous mask is applicable when assigning an IP address to an interface, or while adding routes. However, it does not necessarily need to be contiguos for ACLs. ACL's should be capable of filtering based on any kinds of masks. This way multiple non consecutive ranges of networks can be covered in one shot.

Ipinfusiuon OcNOS implements this in the yang ipi-acl-types.yang with the typedef acl_any_ipv4_src_addr_t (line 244), as a union.

Please let me know if this is possible and if OpenConfig was designed to work in this way.

[dplore]

Hi, this is possible to address. However, you will need to show evidence that multiple NOS implementations support this capability in your PR

[Pull-eckermann]

Hello dplore, thanks for the reply. The ACL wildcard mask with noncontiguous bits is supported by many vendors. Here are some examples:

• For CISCO, documentatin of this type of configuration can be found here in "Wildcard Mask for Addresses in an Access List" section.
• JUNO OS from Junyper also have support to this, docs can be found here in "Understanding Wildcard Addresses" section.
• FortiOS from Fortinet also have support to this and an example is found in this page.
• Huawei documentation about this can be found here in Table 1-4.

Hopes it is sufficient evidences.

[github-actions[bot]]

This issue is stale because it has been open 180 days with no activity. If you wish to keep this issue active, please remove the stale label or add a comment, otherwise will be closed in 14 days.