module ietf-acl-enh {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-acl-enh";
prefix acl-enh;
import ietf-inet-types {
prefix inet;
reference
"RFC 6991: Common YANG Data Types";
}
import ietf-netconf-acm {
prefix nacm;
reference
"RFC 8341: Network Configuration Access Control Model";
}
import ietf-access-control-list {
prefix acl;
reference
"RFC 8519: YANG Data Model for Network Access
Control Lists (ACLs), Section 4.1";
}
import ietf-packet-fields {
prefix packet-fields;
reference
"RFC 8519: YANG Data Model for Network Access
Control Lists (ACLs), Section 4.2";
}
import ietf-routing-types {
prefix rt-types;
reference
"RFC 8294: Common YANG Data Types for the Routing Area";
}
import iana-icmpv4-types {
prefix iana-icmpv4-types;
reference
"RFC 9899: Extensions to the YANG Data Model for Access
Control Lists (ACLs)";
}
import iana-icmpv6-types {
prefix iana-icmpv6-types;
reference
"RFC 9899: Extensions to the YANG Data Model for Access
Control Lists (ACLs)";
}
import iana-ipv6-ext-types {
prefix iana-ipv6-ext-types;
reference
"RFC 9899: Extensions to the YANG Data Model for Access
Control Lists (ACLs)";
}
organization
"IETF NETMOD Working Group";
contact
"WG Web:
WG List:
Author: Mohamed Boucadair
Author: Samier Barguil
Author: Oscar Gonzalez de Dios
";
description
"This module contains YANG definitions for enhanced ACLs.
Copyright (c) 2025 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC 9899; see the
RFC itself for full legal notices.";
revision 2025-12-22 {
description
"Initial revision.";
reference
"RFC 9899: Extensions to the YANG Data Model for Access
Control Lists (ACLs)";
}
feature match-on-payload {
description
"Match based on a pattern is supported.";
}
feature match-on-vlan-filter {
description
"Match based on a VLAN range is supported.";
}
feature match-on-isid-filter {
description
"Match based on an I-SID range is supported.";
}
feature match-on-alias {
description
"Match based on aliases.";
}
feature match-on-mpls {
description
"Match based on MPLS headers.";
}
identity offset-type {
description
"Base identity for payload offset type.";
}
identity layer2 {
base offset-type;
description
"The offset starts at the beginning of the Data Link Layer
header.";
}
identity layer3 {
base offset-type;
description
"The offset starts at the beginning of the IP header.";
}
identity layer4 {
base offset-type;
description
"The offset starts right after the IP header (including
any options or headers pertaining to that IP layer, e.g.,
IPv6 Extension Headers and the Authentication Header (AH)).
This can be typically the beginning of transport header
(e.g., UDP, TCP, the Stream Control Transmission Protocol
(SCTP), and the Datagram Congestion Control Protocol (DCCP))
or any encapsulation scheme over IP such as IP-in-IP.";
}
identity payload {
base offset-type;
description
"The offset starts right after the end of the transport
header. For example, this represents the beginning of the
TCP data right after any TCP options or the beginning of
the UDP payload right after the UDP header.
This type may be used for matches against any data in
the transport payload and/or any surplus area (if any,
such as in UDP).";
}
identity tcp-flag {
description
"Base identity for the TCP Flags.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity ack {
base tcp-flag;
description
"Acknowledgment TCP flag bit.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity syn {
base tcp-flag;
description
"Synchronize sequence numbers.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity fin {
base tcp-flag;
description
"No more data from the sender.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity urg {
base tcp-flag;
description
"Urgent pointer TCP flag bit.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity psh {
base tcp-flag;
description
"The Push function flag is similar to the URG flag and tells
the receiver to process these packets as they are received
instead of buffering them.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity rst {
base tcp-flag;
description
"Reset TCP flag bit.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity ece {
base tcp-flag;
description
"ECN-Echo TCP flag bit.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity cwr {
base tcp-flag;
description
"Congestion Window Reduced flag bit.";
reference
"RFC 9293: Transmission Control Protocol (TCP), Section 3.1";
}
identity ae {
base tcp-flag;
description
"Accurate Explicit Congestion Notification (ECN).
Previously used as Nonce Sum (NS), which is now
historic.";
}
identity mpls-acl-type {
base acl:acl-base;
description
"An ACL that matches on fields from the MPLS header.";
}
identity label-position {
description
"Base identity for deriving MPLS label position.";
}
identity top {
base label-position;
description
"Top of the label stack.";
}
identity bottom {
base label-position;
description
"Bottom of the label stack.";
}
identity log-types {
description
"Base identity for deriving the log actions.";
}
identity local-log {
base log-types;
description
"A local log is used to record the ACL results.";
}
identity counter-type {
description
"Base identity for deriving the counter actions.";
}
identity counter-name {
base counter-type;
description
"Identity for counter name to be updated based on
the ACL match actions.";
}
typedef operator {
type bits {
bit not {
position 0;
description
"If set, the logical negation of operation.";
}
bit match {
position 1;
description
"Match bit. This is a bitwise match operation defined as
'(data & value) == value'.";
}
bit any {
position 2;
description
"Any bit. This is a match on any of the bits in bitmask.
It evaluates to 'true' if any of the bits in the
value mask are set in the data, i.e.,
'(data & value) != 0'.";
}
}
description
"Specifies how to apply the defined bitmask. The
'any' and 'match' bits must not be set simultaneously.";
}
typedef fragment-type {
type bits {
bit df {
position 0;
description
"Don't fragment bit for IPv4. Must be set to 0 when it
appears in an IPv6 filter.";
}
bit isf {
position 1;
description
"Is a fragment.";
}
bit ff {
position 2;
description
"First fragment.";
}
bit lf {
position 3;
description
"Last fragment.";
}
}
description
"Different fragment types to match against.";
}
typedef ipv4-prefix-set-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:ipv4-prefix-sets"
+ "/acl-enh:prefix-set/acl-enh:name";
}
description
"Defines a reference to an IPv4 prefix set.";
}
typedef ipv6-prefix-set-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:ipv6-prefix-sets"
+ "/acl-enh:prefix-set/acl-enh:name";
}
description
"Defines a reference to an IPv6 prefix set.";
}
typedef port-set-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:port-sets"
+ "/acl-enh:port-set/acl-enh:name";
}
description
"Defines a reference to a port set.";
}
typedef protocol-set-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:protocol-sets"
+ "/acl-enh:protocol-set/acl-enh:name";
}
description
"Defines a reference to a protocol set.";
}
typedef icmpv4-type-set-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:icmpv4-type-sets"
+ "/acl-enh:set/acl-enh:name";
}
description
"Defines a reference to an ICMPv4 type set.";
}
typedef icmpv6-type-set-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:icmpv6-type-sets"
+ "/acl-enh:set/acl-enh:name";
}
description
"Defines a reference to an ICMPv6 type set.";
}
typedef alias-ref {
type leafref {
path "/acl:acls/acl-enh:defined-sets/acl-enh:aliases"
+ "/acl-enh:alias/acl-enh:name";
}
description
"Defines a reference to an alias.";
}
grouping tcp-flags {
description
"Operations on TCP flags.";
leaf operator {
type operator;
description
"How to interpret the TCP flags.";
}
choice mode {
description
"Choice of how flags are indicated.";
case explicit {
leaf-list explicit-tcp-flag {
type identityref {
base acl-enh:tcp-flag;
}
description
"An explicit list of the TCP flags that are to be
matched.";
}
}
case builtin {
leaf bitmask {
type uint16;
description
"The bitmask matches the last 4 bits of byte 13
and byte 14 of the TCP header.
For clarity, the 4 bits of byte 12
corresponding to the TCP data offset field are not
included in any matching. Assigned TCP flags
and their position are maintained in the IANA
'Transmission Control Protocol (TCP) Parameters'
registry group.";
reference
"RFC 9293: Transmission Control Protocol (TCP),
Section 3.1
IANA: Transmission Control Protocol (TCP) Parameters,
";
}
}
}
}
grouping fragment-fields {
description
"Operations on fragment types.";
leaf operator {
type operator;
default "match";
description
"How to interpret the fragment type.";
}
leaf type {
type fragment-type;
description
"Specifies what fragment type to look for.";
}
}
grouping mpls-match-parameters-config {
description
"Parameters for the configuration of MPLS match rules.";
leaf traffic-class {
type uint8 {
range "0..7";
}
description
"The value of the MPLS Traffic Class (TC) bits,
formerly known as the EXP bits.";
}
leaf label-position {
type identityref {
base acl-enh:label-position;
}
description
"Position of the label.";
}
leaf upper-label-range {
type rt-types:mpls-label;
description
"Match MPLS label value on the MPLS header.
The usage of this field indicates the upper
range value in the top of the stack. This
label value does not include the encodings
of TC and Time-to-Live (TTL).";
reference
"RFC 3032: MPLS Label Stack Encoding";
}
leaf lower-label-range {
type rt-types:mpls-label;
description
"Match MPLS label value on the MPLS header.
The usage of this field indicates the lower
range value in the top of the stack.
This label value does not include the
encodings of TC and TTL.";
reference
"RFC 3032: MPLS Label Stack Encoding";
}
leaf label-block-name {
type string;
description
"Reference to a label block predefined in the
implementation.";
}
leaf ttl-value {
type uint8;
description
"TTL MPLS packet value match.";
reference
"RFC 3032: MPLS Label Stack Encoding";
}
}
grouping payload-match {
description
"Operations on payload match.";
leaf offset {
type identityref {
base acl-enh:offset-type;
}
description
"Indicates the payload offset. This will indicate
the position of the data in the packet to use for
the match.";
}
leaf length {
type uint16;
units "bytes";
description
"Indicates the number of bytes to ignore, starting from
the offset, to perform the pattern match.";
}
leaf operator {
type operator;
default "match";
description
"How to interpret the pattern match.";
}
leaf pattern {
type binary;
description
"The binary pattern to match against starting.
The match starts from the byte indicated by
'offset' + length'.";
}
}
grouping alias {
description
"Specifies an alias.";
leaf-list vlan {
type uint16;
description
"VLAN of the alias.";
reference
"IEEE Std 802.1Q: Bridges and Bridged Networks";
}
leaf-list prefix {
type inet:ip-prefix;
description
"IPv4 or IPv6 prefix of the alias.";
}
list port-range {
key "lower-port";
description
"Port range. When only lower-port is
present, it represents a single port number.";
leaf lower-port {
type inet:port-number;
mandatory true;
description
"Lower port number of the port range.";
}
leaf upper-port {
type inet:port-number;
must '. >= ../lower-port' {
error-message
"The upper-port number must be greater than
or equal to the lower-port number.";
}
description
"Upper port number of the port range.";
}
}
leaf-list protocol {
type uint8;
description
"Identifies the target protocol number.
For example, 6 for TCP or 17 for UDP.";
}
leaf-list fqdn {
type inet:domain-name;
description
"Fully Qualified Domain Name (FQDN) identifying the target.";
}
leaf-list uri {
type inet:uri;
description
"URI identifying the target.";
}
}
grouping icmpv4-header-fields {
description
"Collection of ICMPv4 header fields that can be
used to set up a match filter.";
leaf type {
type iana-icmpv4-types:icmpv4-type;
description
"Also known as control messages.";
reference
"RFC 792: Internet Control Message Protocol.";
}
leaf code {
type uint8;
description
"ICMP subtype.";
reference
"RFC 792: Internet Control Message Protocol.";
}
leaf rest-of-header {
type binary;
description
"Unbounded in length, the contents vary based on the
ICMP type and code.";
reference
"RFC 792: Internet Control Message Protocol";
}
}
grouping icmpv6-header-fields {
description
"Collection of ICMPv6 header fields that can be
used to set up a match filter.";
leaf type {
type iana-icmpv6-types:icmpv6-type;
description
"Also known as control messages.";
reference
"RFC 4443: Internet Control Message Protocol (ICMPv6)
for Internet Protocol Version 6 (IPv6)
Specification.";
}
leaf code {
type uint8;
description
"ICMP code.";
reference
"RFC 4443: Internet Control Message Protocol (ICMPv6)
for Internet Protocol Version 6 (IPv6)
Specification.";
}
leaf rest-of-header {
type binary;
description
"Unbounded in length, the contents vary based on the
ICMP type and code. Also referred to as 'Message Body'
in ICMPv6.";
reference
"RFC 4443: Internet Control Message Protocol (ICMPv6)
for Internet Protocol Version 6 (IPv6)
Specification.";
}
}
grouping acl-complementary-actions {
description
"Collection of complementary ACL actions.";
container log-action {
description
"Container for defining log actions.";
leaf log-type {
type identityref {
base acl-enh:log-types;
}
description
"The type of log action to be performed.";
}
leaf log-id {
when "derived-from-or-self(../log-type, "
+ "'acl-enh:local-log')" {
description
"Name of the log file updated when type is 'local-log'.";
}
type string;
description
"The name of the counter action.";
}
}
container counter-action {
description
"Container for defining counter actions.";
leaf counter-type {
type identityref {
base acl-enh:counter-type;
}
description
"The type of counter action to be performed.";
}
leaf-list counter-name {
when "derived-from-or-self(../counter-type, "
+ "'acl-enh:counter-name')" {
description
"Name for the counter or variable to update when
'counter-type' is 'counter-name'.";
}
type string;
description
"List of possible variables or counter names to
update based on match criteria.";
}
}
}
grouping ipv4-prefix-sets {
description
"Data definitions for a list of IPv4 prefixes,
which are matched as part of a policy.";
list prefix-set {
key "name";
description
"List of the defined prefix sets.";
leaf name {
type string;
description
"Name of the prefix set -- this is used as a label to
reference the set in match conditions.";
}
leaf description {
type string;
description
"Defined set description.";
}
leaf-list prefix {
type inet:ipv4-prefix;
description
"List of IPv4 prefixes to be used in match
conditions.";
}
}
}
grouping ipv6-prefix-sets {
description
"Data definitions for a list of IPv6 prefixes, which are
matched as part of a policy.";
list prefix-set {
key "name";
description
"List of the defined prefix sets.";
leaf name {
type string;
description
"Name of the prefix set -- this is used as a label to
reference the set in match conditions.";
}
leaf description {
type string;
description
"A textual description of the prefix list.";
}
leaf-list prefix {
type inet:ipv6-prefix;
description
"List of IPv6 prefixes to be used in match conditions.";
}
}
}
grouping port-sets {
description
"Data definitions for a list of ports, which can
be matched in policies.";
list port-set {
key "name";
description
"List of port set definitions.";
leaf name {
type string;
description
"Name of the port set -- this is used as a label to
reference the set in match conditions.";
}
list port {
key "id";
description
"Port numbers along with the operator on which to
match.";
leaf id {
type string;
description
"Identifier of the list of port numbers.";
}
choice port {
description
"Choice of specifying the port number or referring to a
group of port numbers.";
container port-range-or-operator {
description
"Indicates a set of ports.";
uses packet-fields:port-range-or-operator;
}
}
}
}
}
grouping protocol-sets {
description
"Data definitions for a list of protocols, which can be
matched in policies.";
list protocol-set {
key "name";
description
"List of protocol set definitions.";
leaf name {
type string;
description
"Name of the protocols set -- this is used as a
label to reference the set in match conditions.";
}
leaf-list protocol {
type union {
type uint8;
type string;
}
description
"Value of the protocol set.";
}
}
}
grouping icmpv4-type-sets {
description
"Data definitions for a list of ICMPv4 types, which can be
matched in policies.";
list set {
key "name";
description
"List of ICMPv4 type set definitions.";
leaf name {
type string;
description
"Name of the ICMPv4 type set -- this is used as a label
to reference the set in match conditions.";
}
list icmpv4-type {
key "type";
description
"Includes a list of ICMPv4 types.";
uses icmpv4-header-fields;
}
}
}
grouping icmpv6-type-sets {
description
"Data definitions for a list of ICMPv6 types, which can be
matched in policies.";
list set {
key "name";
description
"List of ICMP type set definitions.";
leaf name {
type string;
description
"Name of the ICMPv6 type set -- this is used as a label
to reference the set in match conditions.";
}
list icmpv6-type {
key "type";
description
"Includes a list of ICMPv6 types.";
uses icmpv6-header-fields;
}
}
}
grouping aliases {
description
"Grouping for a set of aliases.";
list alias {
key "name";
description
"List of aliases.";
leaf name {
type string;
description
"The name of the alias.";
}
uses alias;
}
}
grouping defined-sets {
description
"Predefined sets of attributes used in policy match
statements.";
container ipv4-prefix-sets {
description
"Data definitions for a list of IPv4 or IPv6
prefixes, which are matched as part of a policy.";
uses ipv4-prefix-sets;
}
container ipv6-prefix-sets {
description
"Data definitions for a list of IPv6 prefixes, which are
matched as part of a policy.";
uses ipv6-prefix-sets;
}
container port-sets {
description
"Data definitions for a list of ports, which can
be matched in policies.";
uses port-sets;
}
container protocol-sets {
description
"Data definitions for a list of protocols, which can be
matched in policies.";
uses protocol-sets;
}
container icmpv4-type-sets {
description
"Data definitions for a list of ICMPv4 types, which can be
matched in policies.";
uses icmpv4-type-sets;
}
container icmpv6-type-sets {
description
"Data definitions for a list of ICMPv6 types, which can be
matched in policies.";
uses icmpv6-type-sets;
}
container aliases {
description
"Top-level container for aliases.";
uses aliases;
}
}
augment "/acl:acls" {
description
"predefined sets.";
container defined-sets {
description
"Predefined sets of attributes used in policy match
statements.";
uses defined-sets;
nacm:default-deny-write;
}
}
augment "/acl:acls/acl:acl/acl:aces/acl:ace"
+ "/acl:matches" {
description
"Adds a match type based on the payload.";
choice payload {
description
"Matches based upon a prefix pattern.";
container pattern {
if-feature "match-on-payload";
description
"Indicates the rule to perform the payload-based match.";
uses payload-match;
}
}
choice alias {
description
"Matches based upon aliases.";
leaf-list alias-name {
type alias-ref;
description
"Indicates one or more aliases.";
}
}
choice mpls {
description
"Matches against MPLS headers, for example, label
values.";
container mpls-values {
if-feature "match-on-mpls";
description
"Provides the rule set that matches MPLS headers.";
uses mpls-match-parameters-config;
}
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:matches/acl:l2" {
description
"Adds a match type based on MAC VLAN and I-SID filters.";
container vlan-filter {
if-feature "match-on-vlan-filter";
description
"Indicates how to handle MAC VLANs.";
leaf frame-type {
type string;
description
"Entering the frame type allows the
filter to match a specific type of frame format.";
}
choice vlan-type {
description
"VLAN definition from range or operator.";
case range {
leaf lower-vlan {
type uint16;
must '. <= ../upper-vlan' {
error-message
"The lower-vlan must be less than or equal to
the upper-vlan.";
}
mandatory true;
description
"Lower boundary for a VLAN.";
}
leaf upper-vlan {
type uint16;
mandatory true;
description
"Upper boundary for a VLAN.";
}
}
case operator {
leaf operator {
type packet-fields:operator;
default "eq";
description
"Operator to be applied on the VLAN below.";
}
leaf-list vlan {
type uint16;
description
"VLAN number along with the operator on which to
match.";
reference
"IEEE Std 802.1Q: Bridges and Bridged Networks";
}
}
}
}
container isid-filter {
if-feature "match-on-isid-filter";
description
"Indicates how to handle I-SID filters. The
I-component is responsible for mapping customer
Ethernet traffic to the appropriate I-SID.";
choice isid-type {
description
"I-SID definition from range or operator.";
case range {
leaf lower-isid {
type uint16;
must '. <= ../upper-isid' {
error-message
"The lower-isid must be less than or equal to
the upper-isid.";
}
mandatory true;
description
"Lower boundary for an I-SID.";
}
leaf upper-isid {
type uint16;
mandatory true;
description
"Upper boundary for an I-SID.";
}
}
case operator {
leaf operator {
type packet-fields:operator;
default "eq";
description
"Operator to be applied on the I-SID below.";
}
leaf-list isid {
type uint16;
description
"I-SID number along with the operator on which to
match.";
reference
"IEEE 802.1ah: Provider Backbone Bridges";
}
}
}
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:matches/acl:l3/acl:ipv4/acl:ipv4" {
description
"Handle non-initial and initial fragments for IPv4 packets.";
container ipv4-fragment {
must 'not(../acl:flags)' {
error-message
"Either flags or fragment should be provided, but not
both.";
}
description
"Indicates how to handle IPv4 fragments.";
uses fragment-fields;
}
leaf source-ipv4-prefix-list {
type ipv4-prefix-set-ref;
description
"A reference to an IPv4 prefix list to match the source
address.";
}
leaf destination-ipv4-prefix-list {
type ipv4-prefix-set-ref;
description
"A reference to a prefix list to match the destination
address.";
}
leaf protocol-set {
type protocol-set-ref;
description
"A reference to a protocol set to match the protocol
field.";
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:matches/acl:l3/acl:ipv6/acl:ipv6" {
description
"Handles non-initial and initial fragments for IPv6 packets.";
container ipv6-fragment {
description
"Indicates how to handle IPv6 fragments.";
uses fragment-fields;
}
leaf source-ipv6-prefix-list {
type ipv6-prefix-set-ref;
description
"A reference to a prefix list to match the source address.";
}
leaf destination-ipv6-prefix-list {
type ipv6-prefix-set-ref;
description
"A reference to a prefix list to match the destination
address.";
}
leaf protocol-set {
type protocol-set-ref;
description
"A reference to a protocol set to match the next-header
field.";
}
leaf extension-header {
type iana-ipv6-ext-types:ipv6-extension-header-type;
description
"IPv6 extension header value.";
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:matches/acl:l4/acl:tcp/acl:tcp" {
description
"Handles TCP flags and port sets.";
container flags-bitmask {
must 'not(../acl:flags)' {
error-message
"Either flags or flags-bitmask should be provided, but not
both.";
}
description
"Indicates how to handle TCP flags.";
uses tcp-flags;
}
leaf source-tcp-port-set {
type port-set-ref;
description
"A reference to a port set to match the source port.";
}
leaf destination-tcp-port-set {
type port-set-ref;
description
"A reference to a port set to match the destination port.";
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:matches/acl:l4/acl:udp/acl:udp" {
description
"Handle UDP port sets.";
leaf source-udp-port-set {
type port-set-ref;
description
"A reference to a port set to match the source port.";
}
leaf destination-udp-port-set {
type port-set-ref;
description
"A reference to a port set to match the destination port.";
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:matches/acl:l4/acl:icmp/acl:icmp" {
description
"Handle ICMP type sets.";
leaf icmpv4-set {
type icmpv4-type-set-ref;
description
"A reference to an ICMPv4 type set to match the ICMPv4 type
field.";
}
leaf icmpv6-set {
type icmpv6-type-set-ref;
description
"A reference to an ICMPv6 type set to match the ICMPv6 type
field.";
}
}
augment "/acl:acls/acl:acl/acl:aces"
+ "/acl:ace/acl:actions" {
description
"Complementary actions including rate-limit action.";
uses acl-complementary-actions;
leaf rate-limit {
when "../acl:forwarding = 'acl:accept'" {
description
"Rate-limit valid only when the accept action is used.";
}
type decimal64 {
fraction-digits 2;
}
units "bytes per second";
description
"Indicates a rate-limit for the matched traffic.";
}
}
}