
Multiple base for identity not working in restriction_arg

Open guigomcha opened this issue 1 year ago • 4 comments

I have an example where the leaf identityref that I have defined can be used in several leafs

# part of [email protected]
  identity pass {
    base ingress-action;
    base egress-action;
    description
      "The pass action allows traffic that matches
       the rule to proceed through the NSF to reach the
       destination.";
    reference
      "draft-ietf-i2nsf-capability-data-model-32:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

  identity invoke-signaling {
    base egress-action;
    description
      "The invoke-signaling action is used to convey information of
       the event triggering this action to a monitoring entity.";
  }
    container action-capabilities {
      description
        "Action capabilities.
         If a network security function has the action capabilities,
         the network security function supports the attendant
         actions for policy rules.";

      leaf-list ingress-action-capability {
        type identityref {
          base ingress-action;
        }
        description
          "Ingress-action capabilities";
      }

      leaf-list egress-action-capability {
        type identityref {
          base egress-action;
        }
        description
          "Egress-action capabilities";
      }
    }

However, when I run the command pyang --plugindir $PYBINDPLUGIN -f pybind --build-rpcs --build-notifications -o yang/capability_binding.py -p yang yang/[email protected] I get a class which considers "pass" only for leafs of type ingress-action and does not let me use "pass" in leafs of type egress-action according to "restriction_arg"

self.__ingress_action_capability = YANGDynClass(unique=True, base=TypedListType(allowed_type=RestrictedClassType(base_type=six.text_type, restriction_type="dict_key", restriction_arg={'pass': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:pass': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:pass': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'drop': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:drop': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:drop': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'reject': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:reject': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:reject': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'mirror': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:mirror': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:mirror': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'rate-limit': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:rate-limit': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:rate-limit': {'@module': 'ietf-i2nsf-capability', 
'@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}},)), is_leaf=False, yang_name="ingress-action-capability", parent=self, path_helper=self._path_helper, extmethods=self._extmethods, register_paths=True, namespace='urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability', defining_module='ietf-i2nsf-capability', yang_type='identityref', is_config=True)
self.__egress_action_capability = YANGDynClass(unique=True, base=TypedListType(allowed_type=RestrictedClassType(base_type=six.text_type, restriction_type="dict_key", restriction_arg={'invoke-signaling': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:invoke-signaling': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:invoke-signaling': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'tunnel-encapsulation': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:tunnel-encapsulation': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:tunnel-encapsulation': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'forwarding': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:forwarding': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:forwarding': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'transformation': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:transformation': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:transformation': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'http-to-coap': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:http-to-coap': {'@module': 'ietf-i2nsf-capability', 
'@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:http-to-coap': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'nat': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'ietf-i2nsf-capability:nat': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}, 'i2nsfcap:nat': {'@module': 'ietf-i2nsf-capability', '@namespace': 'urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability'}},)), is_leaf=False, yang_name="egress-action-capability", parent=self, path_helper=self._path_helper, extmethods=self._extmethods, register_paths=True, namespace='urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability', defining_module='ietf-i2nsf-capability', yang_type='identityref', is_config=True)

guigomcha May 30 '24 15:05
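
Added example (not part of the thread and not pyangbind code): under RFC 7950 an identityref accepts every identity derived from its base, so an identity with two base statements belongs to both value sets. The sketch computes those sets from a trimmed copy of the fragment above and shows that keeping only one base per identity yields the same picture as the reported restriction_arg; the function names and the regex parser are assumptions for illustration.

```python
# Added example, not pyangbind code. Identity names are taken from the YANG
# fragment quoted in the issue; the regex parser is a simplification that
# only handles flat `identity NAME { base X; ... }` blocks.
import re
from collections import defaultdict

YANG_FRAGMENT = """
identity ingress-action { }
identity egress-action { }
identity pass { base ingress-action; base egress-action; }
identity invoke-signaling { base egress-action; }
"""

def parse_identities(text):
    """Return {identity: [base, ...]}, keeping every base statement."""
    blocks = re.findall(r"identity\s+([\w.-]+)\s*\{(.*?)\}", text, re.S)
    return {name: re.findall(r"\bbase\s+([\w.:-]+)\s*;", body)
            for name, body in blocks}

def derived_from(identities):
    """Return {base: identities derived from it, directly or transitively}."""
    children = defaultdict(set)
    for name, bases in identities.items():
        for base in bases:
            children[base].add(name)
    result = {}
    for root in identities:
        seen, stack = set(), [root]
        while stack:
            for child in children.get(stack.pop(), ()):
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        result[root] = seen
    return result

def first_base_only(identities):
    """Hypothetical lossy variant: keep one base per identity."""
    return {name: bases[:1] for name, bases in identities.items()}

if __name__ == "__main__":
    ids = parse_identities(YANG_FRAGMENT)
    print("all bases :", derived_from(ids))
    print("first base:", derived_from(first_base_only(ids)))
```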

#248 maybe

dimbleby Jun 16 '24 19:06

@guigomcha can you try the change that was abandoned in https://github.com/robshakir/pyangbind/pull/331/files and see if that achieves what you were trying to do?

xavier-contreras Jun 26 '24 22:06

I wanted to give this a try.... but using pyang 2.6.0 I get 'error: unexpected keyword "base"' when I attempt to validate a YANG model with an identity with multiple bases.

@guigomcha, which is the YANG model you are using? Is it in some public repo?

I restored #248 into https://github.com/robshakir/pyangbind/tree/dimbleby-multiple-bases, with a naive addition to the YANG model used for unit tests. This is failing pyang validation.

JoseIgnacioTamayo Jun 27 '24 21:06

Hi @JoseIgnacioTamayo @xavier-contreras , you are right. I have an example for the PR that was not finished.

I am trying to use the I2NSF data models for policies. They are available here:

https://datatracker.ietf.org/doc/draft-ietf-i2nsf-consumer-facing-interface-dm/
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-nsf-facing-interface-dm/
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-capability-data-model/
https://datatracker.ietf.org/doc/draft-ietf-i2nsf-registration-interface-dm/

I upload here the YANG files that I am using locally since I was not able to import them directly from a public repository (if you happen to know how to do that it would be great): [ietf-i2nsf-policies.zip](https://github.com/user-attachments/files/16082366/ietf-i2nsf-policies.zip)

Then, for example in the NSF facing interface, you can only use "pass" as an ingress-action but not as an egress or default action

  identity pass {
    base ingress-action;
    base egress-action;
    base default-action;
    description
      "The pass action allows traffic that matches
       the rule to proceed through the NSF to reach the
       destination.";
    reference
      "draft-ietf-i2nsf-capability-data-model-32:
       I2NSF Capability YANG Data Model - Actions and
       Default Action";
  }

This is an example for the test (rule 1 is not accepted)

{
    "i2nsf-security-policy": [
        {
            "name": "ll_security_policy_for_firewall_and_ddos_attacks",
            "rules": [
                {
                    "name": "rule1",
                    "description": "description from NSF provider",
                    "enable": true,
                    "long-connection": {
                        "enable": true
                    },
                    "condition": {
                        "ipv4": {
                            "source-ipv4-network": "192.168.137.13/24",
                            "destination-ipv4-network": "192.168.137.115/24"
                        }
                    },
                    "action": {
                        "packet-action": {
                            "egress-action": "pass"
                        }
                    }
                },
                {
                    "name": "rule2",
                    "description": "description from NSF provider",
                    "enable": true,
                    "long-connection": {
                        "enable": true
                    },
                    "condition": {
                        "ipv4": {
                            "source-ipv4-network": "192.168.137.13/24",
                            "destination-ipv4-network": "192.168.137.115/24"
                        },
                        "ddos": {
                            "alert-packet-rate": 200
                        }
                    },
                    "action": {
                        "packet-action": {
                            "egress-action": "rate-limit"
                        },
                        "advanced-action": {
                            "attack-mitigation-control": "anti-ddos"
                        }
                    }
                }
            ]
        }
    ]
}

guigomcha Jul 03 '24 10:07

@guigomcha, I restored https://github.com/robshakir/pyangbind/pull/248 maybe from @dimbleby at https://github.com/robshakir/pyangbind/pull/354, could you please give that branch a try?

JoseIgnacioTamayo Jul 28 '24 11:07

I can confirm that it is fixed with

pyang==2.6.1
pyangbind==0.8.6

guigomcha Nov 12 '24 07:11