1 tony 1.1 // ===================================================================
2 // Title: Network Filtering 2.8
3 // Filename: Network28_Filtering.mof
4 // Version: 2.8.0
5 // Status: Preliminary
6 // Date: Aug 4, 2003
7 // ===================================================================
8 // Copyright 1998-2003 Distributed Management Task Force, Inc. (DMTF).
9 // All rights reserved.
10 // DMTF is a not-for-profit association of industry members dedicated
11 // to promoting enterprise and systems management and interoperability.
12 // DMTF specifications and documents may be reproduced for uses
13 // consistent with this purpose by members and non-members,
14 // provided that correct attribution is given.
15 // As DMTF specifications may be revised from time to time,
16 // the particular version and release date should always be noted.
17 //
18 // Implementation of certain elements of this standard or proposed
19 // standard may be subject to third party patent rights, including
20 // provisional patent rights (herein "patent rights"). DMTF makes
21 // no representations to users of the standard as to the existence
22 tony 1.1 // of such rights, and is not responsible to recognize, disclose, or
23 // identify any or all such third party patent right, owners or
24 // claimants, nor for any incomplete or inaccurate identification or
25 // disclosure of such rights, owners or claimants. DMTF shall have no
26 // liability to any party, in any manner or circumstance, under any
27 // legal theory whatsoever, for failure to recognize, disclose, or
28 // identify any such third party patent rights, or for such party's
29 // reliance on the standard or incorporation thereof in its product,
30 // protocols or testing procedures. DMTF shall have no liability to
31 // any party implementing such standard, whether such implementation
32 // is foreseeable or not, nor to any patent owner or claimant, and shall
33 // have no liability or responsibility for costs or losses incurred if
34 // a standard is withdrawn or modified after publication, and shall be
35 // indemnified and held harmless by any party implementing the
36 // standard from any and all claims of infringement by a patent owner
37 // for such implementations.
38 //
39 // For information about patents held by third-parties which have
40 // notified the DMTF that, in their opinion, such patent may relate to
41 // or impact implementations of DMTF standards, visit
42 // http://www.dmtf.org/about/policies/disclosures.php.
43 tony 1.1 // ===================================================================
44 // Description: The Network Model extends the management concepts to
45 // represent protocol interfaces and network/protocol
46 // services. This file defines filtering - filter lists
47 // and filter entries.
48 //
49 // The object classes below are listed in an order that
50 // avoids forward references. Required objects, defined
51 // by other working groups, are omitted.
52 // ==================================================================
53 // New Log for V2.8
54 // CR1026 - Add class definitions for IPSec
55 // CR1089 - Clarify IsNegated in FilterEntryBase
56 // CR1128 - Change subclassing from CIM_Dependency to
57 // CIM_HostedDependency for identified classes. This is
58 // needed as a result of the introduction of HostedDependency
59 // in SysDev
60 //
61 // Change Log for v2.7
62 // CR793 - Add the Abstract qualifier to FilterEntryBase and update
63 // the description
64 tony 1.1 // - Update the description for EntriesInFilterList.EntrySequence
65 // - Deprecate FilterEntriesInSystem and FilterListInSystem
66 // - Add HostedFilterEntryBase and HostedFilterList
67 // - Add 8021Filter and PreambleFilter
68 // - FilterEntry.TrafficType needs an Other value in its
69 // enumerated list, and an OtherTrafficType property should be
70 // defined
71 // CR800 - Remove FilterEntry.TrafficClass' ModelCorrespondence
72 // CR849 - 8021Filter property names must be changed from 8021HdrXXX to
73 // HdrXXX8021 to comply with the CIM Spec
74 // CR867 - Add Override qualifier to FilterEntryBase and
75 // FilterList.Name
76 // CR982 - Removal of Experimental for preliminary to final
77 // CR983 - Deprecations for v2.7 made final
78 // ===================================================================
79
80 #pragma Locale ("en_US")
81
82
83 // ===================================================================
84 // FilterEntryBase
85 tony 1.1 // ===================================================================
86 [Abstract, Version ("2.7.0"), Description (
87 "A FilterList aggregates instances of (subclasses of) "
88 "FilterEntryBase via the aggregation EntriesInFilterList. The "
89 "filter entries are always ANDed together when grouped by the "
90 "FilterList. Note that it is possible to aggregate different "
91 "types of filters into a single FilterList - for example, "
92 "packet header filters (represented by the IPHeadersFilter "
93 "class) and IPsec security filters.\n"
94 "\n"
95 "A FilterEntryBase is weak to the network device (e.g., the "
96 "ComputerSystem) that contains it. Hence, the ComputerSystem "
97 "keys are propagated to this class.") ]
98 class CIM_FilterEntryBase : CIM_LogicalElement {
99
100 [Key, Propagated ("CIM_ComputerSystem.CreationClassName"),
101 Description (
102 "The scoping ComputerSystem's CreationClassName."),
103 MaxLen (256) ]
104 string SystemCreationClassName;
105
106 tony 1.1 [Key, Propagated ("CIM_ComputerSystem.Name"), Description (
107 "The scoping ComputerSystem's Name."),
108 MaxLen (256) ]
109 string SystemName;
110
111 [Key, Description (
112 "CreationClassName indicates the name of the class or the "
113 "subclass used in the creation of an instance. When used "
114 "with the other key properties of this class, this property "
115 "allows all instances of this class and its subclasses to be "
116 "uniquely identified."),
117 MaxLen (256) ]
118 string CreationClassName;
119
120 [Key, Override ("Name"), Description (
121 "The Name property defines the label by which the Filter "
122 "Entry is known and uniquely identified."),
123 MaxLen (256) ]
124 string Name;
125
126 [Description (
127 tony 1.1 "Boolean indicating that the match condition described in "
128 "the properties of the FilterEntryBase subclass should be "
129 "negated. This property is defined for ease of use when "
130 "filtering on simple negations - for example, to select all "
131 "source ports except 162. It is not recommended that this "
132 "Boolean be set to True when filtering on multiple criteria, "
133 "such as defining an IPHeadersFilter based on "
134 "source/destination addresses, ports, and DiffServ Code "
135 "Points.") ]
136 boolean IsNegated;
137 };
138
139
140 // ==================================================================
141 // FilterEntry
142 // ==================================================================
143 [Version ("2.7.0"), Description (
144 "A FilterEntry is used by network devices to identify traffic "
145 "and either forward it (with possibly further processing) to "
146 "its destination, or to deny its forwarding. It is one of the "
147 "building blocks of FilterLists.\n"
148 tony 1.1 "\n"
149 "This class is oriented towards packet filtering. Other "
150 "subclasses of FilterEntryBase can be defined to do other types "
151 "of filtering.\n"
152 "\n"
153 "A FilterEntry is weak to the network device (i.e., the "
154 "ComputerSystem) that contains it. Hence, the ComputerSystem "
155 "keys are propagated to this class.") ]
156 class CIM_FilterEntry : CIM_FilterEntryBase {
157
158 [Description (
159 "This defines the type of traffic that is being filtered. "
160 "This will affect the filtering rules in the MatchCondition "
161 "property of this class."),
162 ValueMap {"0", "1", "2", "3", "4", "5"},
163 Values {"Unknown", "IPv4", "IPX", "IPv6", "Any", "Other"},
164 ModelCorrespondence {"CIM_FilterEntry.OtherTrafficType"} ]
165 uint16 TrafficType;
166
167 [Description (
168 "If the value of the TrafficType property in this class is 5 "
169 tony 1.1 "(i.e., \"Other\"), then the specific type of traffic is "
170 "specified in this property."),
171 ModelCorrespondence {"CIM_FilterEntry.TrafficType"} ]
172 string OtherTrafficType;
173
174 [Description (
175 "This specifies one of a set of ways to identify traffic. "
176 "If the value is 1 (i.e., \"Other\"), then the specific type "
177 "of filtering is specified in the OtherMatchConditionType "
178 "property of this class."),
179 ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
180 "11", "12", "13"},
181 Values {"Other", "Source Address and Mask",
182 "Destination Address and Mask", "Source Port",
183 "Source Port Range", "Destination Port",
184 "Destination Port Range", "Protocol Type",
185 "Protocol Type and Option", "DSCP", "ToS Value",
186 "802.1P Priority Value", "Any"},
187 ModelCorrespondence { "CIM_FilterEntry.OtherMatchConditionType"} ]
188 uint16 MatchConditionType;
189
190 tony 1.1 [Description (
191 "If the value of the MatchConditionType property in this "
192 "class is 1 (i.e., \"Other\"), then the specific type of "
193 "filtering is specified in this property."),
194 ModelCorrespondence { "CIM_FilterEntry.MatchConditionType"} ]
195 string OtherMatchConditionType;
196
197 [Description (
198 "This is the value of the condition that filters the "
199 "traffic. It corresponds to the condition specified in the "
200 "MatchConditionType property. If, however, the value of the "
201 "MatchConditionType property is 1, then it corresponds to the "
202 "condition specified in the OtherMatchConditionType "
203 "property.") ]
204 string MatchConditionValue;
205
206 [Description (
207 "This defines whether the action should be to forward or "
208 "deny traffic meeting the match condition specified in this "
209 "filter."),
210 ValueMap {"1", "2"},
211 tony 1.1 Values {"Permit", "Deny"} ]
212 uint16 Action;
213
214 [Description (
215 "This defines whether this FilterEntry is the default entry "
216 "to use by its FilterList.") ]
217 boolean DefaultFilter;
218
219 [Description (
220 "This defines the traffic class that is being matched by "
221 "this FilterEntry. Note that FilterEntries are aggregated "
222 "into FilterLists by the EntriesInFilterList relationship. "
223 "If the EntrySequence property of the aggregation is set to "
224 "0, this means that all the Filter Entries should be ANDed "
225 "together. Consequently, the TrafficClass property of each "
226 "of the aggregated Entries should be set to the same value.") ]
227 string TrafficClass;
228 };
229
230
231 // ===================================================================
232 tony 1.1 // IPHeadersFilter
233 // ===================================================================
234 [Version ("2.6.0"), Description (
235 "IPHeadersFilter contains the most commonly required properties "
236 "for performing filtering on IP, TCP or UDP headers. "
237 "Properties not present in an instance of the IPHeadersFilter "
238 "are treated as 'all values'.") ]
239 class CIM_IPHeadersFilter : CIM_FilterEntryBase {
240
241 [Description (
242 "HdrIPVersion identifies the version of the IP addresses for "
243 "IP header filters. It is also used to determine the sizes "
244 "of the OctetStrings in the six properties HdrSrcAddress, "
245 "HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, "
246 "HdrDestAddressEndOfRange and HdrDestMask, as follows:\n"
247 "ipv4(4): OctetString(SIZE (4))\n"
248 "ipv6(6): OctetString(SIZE (16|20)),\n"
249 "depending on whether a scope identifier is present.\n"
250 "\n"
251 "If a value for this property is not provided, then the "
252 "filter does not consider IP version in selecting matching "
253 tony 1.1 "packets, i.e., IP version matches for all values. In this "
254 "case, the HdrSrcAddress, HdrSrcAddressEndOfRange, "
255 "HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange and "
256 "HdrDestMask must also be not present."),
257 ValueMap {"4", "6"},
258 Values {"IPv4", "IPv6"},
259 ModelCorrespondence {"CIM_IPHeadersFilter.HdrSrcAddress",
260 "CIM_IPHeadersFilter.HdrSrcAddressEndOfRange",
261 "CIM_IPHeadersFilter.HdrSrcMask",
262 "CIM_IPHeadersFilter.HdrDestAddress",
263 "CIM_IPHeadersFilter.HdrDestAddressEndOfRange",
264 "CIM_IPHeadersFilter.HdrDestMask"} ]
265 uint8 HdrIPVersion;
266
267 [Description (
268 "HdrSrcAddress is an OctetString, of a size determined by "
269 "the value of the HdrIPVersion property, representing a "
270 "source IP address. When there is no "
271 "HdrSrcAddressEndOfRange value, this value is compared to "
272 "the source address in the IP header, subject to the mask "
273 "represented in the HdrSrcMask property. (Note that the "
274 tony 1.1 "mask is ANDed with the address.) When there is a "
275 "HdrSrcAddressEndOfRange value, this value is the start of "
276 "the specified range (i.e., the HdrSrcAddress is lower than "
277 "the HdrSrcAddressEndOfRange) that is compared to the source "
278 "address in the IP header and matches on any value in the "
279 "range.\n"
280 "\n"
281 "If a value for this property is not provided, then the "
282 "filter does not consider HdrSrcAddress in selecting "
283 "matching packets, i.e., HdrSrcAddress matches for all "
284 "values."),
285 OctetString,
286 ModelCorrespondence {"CIM_IPHeadersFilter.HdrIPVersion"} ]
287 uint8 HdrSrcAddress[];
288
289 [Description (
290 "HdrSrcAddressEndOfRange is an OctetString, of a size "
291 "determined by the value of the HdrIPVersion property, "
292 "representing the end of a range of source IP addresses "
293 "(inclusive), where the start of the range is the "
294 "HdrSrcAddress property value.\n"
295 tony 1.1 "\n"
296 "If a value for HdrSrcAddress is not provided, then this "
297 "property also MUST NOT be provided. If a value for this "
298 "property is provided, then HdrSrcMask MUST NOT be "
299 "provided."),
300 OctetString,
301 ModelCorrespondence {"CIM_IPHeadersFilter.HdrIPVersion"} ]
302 uint8 HdrSrcAddressEndOfRange[];
303
304 [Description (
305 "HdrSrcMask is an OctetString, of a size determined by the "
306 "value of the HdrIPVersion property, representing a mask to "
307 "be used in comparing the source address in the IP header "
308 "with the value represented in the HdrSrcAddress property.\n"
309 "\n"
310 "If a value for this property is not provided, then the "
311 "filter does not consider HdrSrcMask in selecting matching "
312 "packets, i.e., the value of the HdrSrcAddress or the source "
313 "address range must match the source address in the packet "
314 "exactly. If a value for this property is provided, then "
315 "HdrSrcAddressEndOfRange MUST NOT be provided."),
316 tony 1.1 OctetString,
317 ModelCorrespondence {"CIM_IPHeadersFilter.HdrIPVersion"} ]
318 uint8 HdrSrcMask[];
319
320 [Description (
321 "HdrDestAddress is an OctetString, of a size determined by "
322 "the value of the HdrIPVersion property, representing a "
323 "destination IP address. When there is no "
324 "HdrDestAddressEndOfRange value, this value is compared to "
325 "the destination address in the IP header, subject to the "
326 "mask represented in the HdrDestMask property. (Note that "
327 "the mask is ANDed with the address.) When there is a "
328 "HdrDestAddressEndOfRange value, this value is the start of "
329 "the specified range (i.e., the HdrDestAddress is lower than "
330 "the HdrDestAddressEndOfRange) that is compared to the "
331 "destination address in the IP header and matches on any value in "
332 "the range.\n"
333 "\n"
334 "If a value for this property is not provided, then the "
335 "filter does not consider HdrDestAddress in selecting "
336 "matching packets, i.e., HdrDestAddress matches for all "
337 tony 1.1 "values."),
338 OctetString,
339 ModelCorrespondence {"CIM_IPHeadersFilter.HdrIPVersion"} ]
340 uint8 HdrDestAddress[];
341
342 [Description (
343 "HdrDestAddressEndOfRange is an OctetString, of a size "
344 "determined by the value of the HdrIPVersion property, "
345 "representing the end of a range of destination IP addresses "
346 "(inclusive), where the start of the range is the "
347 "HdrDestAddress property value.\n"
348 "\n"
349 "If a value for HdrDestAddress is not provided, then this "
350 "property also MUST NOT be provided. If a value for this "
351 "property is provided, then HdrDestMask MUST NOT be "
352 "provided."),
353 OctetString,
354 ModelCorrespondence {"CIM_IPHeadersFilter.HdrIPVersion"} ]
355 uint8 HdrDestAddressEndOfRange[];
356
357 [Description (
358 tony 1.1 "HdrDestMask is an OctetString, of a size determined by the "
359 "value of the HdrIPVersion property, representing a mask to "
360 "be used in comparing the destination address in the IP "
361 "header with the value represented in the HdrDestAddress "
362 "property.\n"
363 "\n"
364 "If a value for this property is not provided, then the "
365 "filter does not consider HdrDestMask in selecting matching "
366 "packets, i.e., the value of the HdrDestAddress or the "
367 "destination address range must match the destination "
368 "address in the packet exactly. If a value for this "
369 "property is provided, then HdrDestAddressEndOfRange MUST "
370 "NOT be provided."),
371 OctetString,
372 ModelCorrespondence {"CIM_IPHeadersFilter.HdrIPVersion"} ]
373 uint8 HdrDestMask[];
374
375 [Description (
376 "HdrProtocolID is an 8-bit unsigned integer, representing an "
377 "IP protocol type. This value is compared to the Protocol "
378 "field in the IP header.\n"
379 tony 1.1 "\n"
380 "If a value for this property is not provided, then the "
381 "filter does not consider HdrProtocolID in selecting "
382 "matching packets, i.e., HdrProtocolID matches for all "
383 "values.") ]
384 uint8 HdrProtocolID;
385
386 [Description (
387 "HdrSrcPortStart represents the lower end of a range of UDP "
388 "or TCP source ports. The upper end of the range is "
389 "represented by the HdrSrcPortEnd property. The value of "
390 "HdrSrcPortStart MUST be no greater than the value of "
391 "HdrSrcPortEnd.\n"
392 "\n"
393 "A source port filter is evaluated by testing whether the "
394 "source port identified in the IP header falls within the "
395 "range of values between HdrSrcPortStart and HdrSrcPortEnd, "
396 "INCLUDING these two end points.\n"
397 "\n"
398 "If a value for this property is not provided, then the "
399 "filter does not consider HdrSrcPortStart in selecting "
400 tony 1.1 "matching packets, i.e., there is no lower bound in matching "
401 "source port values.") ]
402 uint16 HdrSrcPortStart;
403
404 [Description (
405 "HdrSrcPortEnd represents the upper end of a range of UDP or "
406 "TCP source ports. The lower end of the range is "
407 "represented by the HdrSrcPortStart property. The value of "
408 "HdrSrcPortEnd MUST be no less than the value of "
409 "HdrSrcPortStart. A single port is indicated by equal "
410 "values for HdrSrcPortStart and HdrSrcPortEnd.\n"
411 "\n"
412 "A source port filter is evaluated by testing whether the "
413 "source port identified in the IP header falls within the "
414 "range of values between HdrSrcPortStart and HdrSrcPortEnd, "
415 "INCLUDING these two end points.\n"
416 "\n"
417 "If a value for this property is not provided, then the "
418 "filter does not consider HdrSrcPortEnd in selecting "
419 "matching packets, i.e., there is no upper bound in matching "
420 "source port values.") ]
421 tony 1.1 uint16 HdrSrcPortEnd;
422
423 [Description (
424 "HdrDestPortStart represents the lower end of a range of UDP "
425 "or TCP destination ports. The upper end of the range is "
426 "represented by the HdrDestPortEnd property. The value of "
427 "HdrDestPortStart MUST be no greater than the value of "
428 "HdrDestPortEnd. A single port is indicated by equal values "
429 "for HdrDestPortStart and HdrDestPortEnd.\n"
430 "\n"
431 "A destination port filter is evaluated by testing whether "
432 "the destination port identified in the IP header falls "
433 "within the range of values between HdrDestPortStart and "
434 "HdrDestPortEnd, INCLUDING these two end points.\n"
435 "\n"
436 "If a value for this property is not provided, then the "
437 "filter does not consider HdrDestPortStart in selecting "
438 "matching packets, i.e., there is no lower bound in matching "
439 "destination port values.") ]
440 uint16 HdrDestPortStart;
441
442 tony 1.1 [Description (
443 "HdrDestPortEnd represents the upper end of a range of UDP "
444 "or TCP destination ports. The lower end of the range is "
445 "represented by the HdrDestPortStart property. The value of "
446 "HdrDestPortEnd MUST be no less than the value of "
447 "HdrDestPortStart. A single port is indicated by equal "
448 "values for HdrDestPortStart and HdrDestPortEnd.\n"
449 "\n"
450 "A destination port filter is evaluated by testing whether "
451 "the destination port identified in the IP header falls "
452 "within the range of values between HdrDestPortStart and "
453 "HdrDestPortEnd, INCLUDING these two end points.\n"
454 "\n"
455 "If a value for this property is not provided, then the "
456 "filter does not consider HdrDestPortEnd in selecting "
457 "matching packets, i.e., there is no upper bound in matching "
458 "destination port values.") ]
459 uint16 HdrDestPortEnd;
460
461 [Description (
462 "HdrDSCP is defined as a set of discrete DiffServ code "
463 tony 1.1 "points, with no inherent structure. There is no "
464 "semantically significant relationship between different "
465 "HdrDSCPs. Consequently, there is no provision for "
466 "specifying a range of HdrDSCPs.\n"
467 "\n"
468 "Since, in IPv4, the HdrDSCP field may contain bits to be "
469 "interpreted as the TOS IP Precedence, this property is also "
470 "used to filter on IP Precedence. Similarly, the IPv6 "
471 "Traffic Class field is also filtered using the value(s) in "
472 "this property.\n"
473 "\n"
474 "HdrDSCP is defined as an array, to provide the ability to "
475 "specify several discrete DSCPs in a single instance of "
476 "IPHeadersFilter, that would be OR'ed together to define the "
477 "filter criteria.\n"
478 "\n"
479 "If a value for this property is not provided, then the "
480 "filter does not consider HdrDSCP in selecting matching "
481 "packets, i.e., HdrDSCP matches for all values."),
482 MaxValue (63) ]
483 uint8 HdrDSCP[];
484 tony 1.1
485 [Description (
486 "The 20-bit Flow Label field in the IPv6 header may be used "
487 "by a source to label sequences of packets for which it "
488 "requests special handling by the IPv6 devices, such as "
489 "non-default quality of service or 'real-time' service. In "
490 "the filter, this 20-bit string is encoded in a 24-bit "
491 "octetstring by right-adjusting the value and padding on the "
492 "left with b'0000'.\n"
493 "\n"
494 "If a value for this property is not provided, then the "
495 "filter does not consider HdrFlowLabel in selecting matching "
496 "packets, i.e., HdrFlowLabel matches for all values."),
497 OctetString ]
498 uint8 HdrFlowLabel[];
499 };
500
501
502 // ==================================================================
503 // 8021Filter
504 // ==================================================================
505 tony 1.1 [Version ("2.7.0"), Description (
506 "8021Filter allows 802.1 source and destination MAC addresses, "
507 "as well as the 802.1 protocol ID, priority, and VLAN "
508 "identifier fields, to be expressed in a single object to "
509 "classify and identify traffic.") ]
510 class CIM_8021Filter : CIM_FilterEntryBase {
511
512 [Description (
513 "This property is an OctetString of size 6, representing a "
514 "48-bit source MAC address in canonical format. This value "
515 "is compared to the SourceAddress field in the MAC header, "
516 "subject to the mask represented in the HdrSrcMACMask8021 "
517 "property. If a value for this property is not provided, "
518 "then the filter does not consider HdrSrcMACAddr8021 in "
519 "selecting matching packets, i.e., HdrSrcMACAddr8021 matches "
520 "for all values."),
521 OctetString ]
522 uint8 HdrSrcMACAddr8021[6];
523
524 [Description (
525 "This property is an OctetString of size 6, representing a "
526 tony 1.1 "48-bit mask to be used in comparing the SourceAddress field "
527 "in the MAC header with the value represented in the "
528 "HdrSrcMACAddr8021 property. If a value for this property "
529 "is not provided, then the filter does not consider "
530 "HdrSrcMACMask8021 in selecting matching packets, i.e., the "
531 "value of HdrSrcMACAddr8021 must match the source MAC "
532 "address in the packet exactly."),
533 OctetString ]
534 uint8 HdrSrcMACMask8021[6];
535
536 [Description (
537 "This property is an OctetString of size 6, representing a "
538 "48-bit destination MAC address in canonical format. This "
539 "value is compared to the DestinationAddress field in the "
540 "MAC header, subject to the mask represented in the "
541 "HdrDestMACMask8021 property. If a value for this property "
542 "is not provided, then the filter does not consider "
543 "HdrDestMACAddr8021 in selecting matching packets, i.e., "
544 "HdrDestMACAddr8021 matches for all values."),
545 OctetString ]
546 uint8 HdrDestMACAddr8021[6];
547 tony 1.1
548 [Description (
549 "This property is an OctetString of size 6, representing a "
550 "48-bit mask to be used in comparing the DestinationAddress "
551 "field in the MAC header with the value represented in the "
552 "HdrDestMACAddr8021 property. If a value for this property "
553 "is not provided, then the filter does not consider "
554 "HdrDestMACMask8021 in selecting matching packets, i.e., the "
555 "value of HdrDestMACAddr8021 must match the destination MAC "
556 "address in the packet exactly."),
557 OctetString ]
558 uint8 HdrDestMACMask8021[6];
559
560 [Description (
561 "This property is a 16-bit unsigned integer, representing an "
562 "Ethernet protocol type. This value is compared to the "
563 "Ethernet Type field in the 802.3 MAC header. If a value "
564 "for this property is not provided, then the filter does not "
565 "consider HdrProtocolID8021 in selecting matching packets, "
566 "i.e., HdrProtocolID8021 matches for all values.") ]
567 uint16 HdrProtocolID8021;
568 tony 1.1
569 [Description (
570 "This property is an 8-bit unsigned integer, representing an "
571 "802.1Q priority. This value is compared to the Priority "
572 "field in the 802.1Q header. Since the 802.1Q Priority "
573 "field consists of 3 bits, the values for this property are "
574 "limited to the range 0..7. If a value for this property is "
575 "not provided, then the filter does not consider "
576 "HdrPriorityValue8021 in selecting matching packets, i.e., "
577 "HdrPriorityValue8021 matches for all values."),
578 MinValue (0), MaxValue (7) ]
579 uint8 HdrPriorityValue8021;
580
581 [Description (
582 "This property is a 32-bit unsigned integer, representing "
583 "an 802.1Q VLAN Identifier. This value is compared to the "
584 "VLAN ID field in the 802.1Q header. Since the 802.1Q VLAN "
585 "ID field consists of 12 bits, the values for this property "
586 "are limited to the range 0..4095. If a value for this "
587 "property is not provided, then the filter does not consider "
588 "HdrVLANID8021 in selecting matching packets, i.e., "
589 tony 1.1 "HdrVLANID8021 matches for all values."),
590 MinValue (0), MaxValue (4095) ]
591 uint32 HdrVLANID8021;
592 };
593
594
595 // ==================================================================
596 // PreambleFilter
597 // ==================================================================
598 [Version ("2.7.0"), Description (
599 "PreambleFilter allows the classification of packets using "
600 "traffic-conditioning results (where the results are determined "
601 "by a PreambleMarkerService and stored in a 'packet "
602 "preamble'). This permits information about the treatment that "
603 "a packet receives on an ingress interface to be communicated "
604 "along with the packet to the egress interface. An instance of "
605 "PreambleFilter selects packets based on a two-part string "
606 "(type and value pair) identifying a specific entry in the "
607 "preamble. The logic for this match is 'at least one.' That "
608 "is, a packet with multiple entries/results in its preamble "
609 "matches a filter if at least one of these matches the filter.") ]
610 tony 1.1 class CIM_PreambleFilter : CIM_FilterEntryBase {
611
612 [Description (
613 "To foster interoperability, the basic format of the "
614 "information captured by a PreambleMarker is specified. "
615 "That information is contained in the FilterItemList "
616 "property (an ordered, string array). Each entry in the "
617 "array takes the form 'type,value'. When entries are added, "
618 "they are appended to the end of the list.\n"
619 "\n"
620 "A limited set of standardized 'type's exist. They are:\n"
621 "- ConformingFromMeter, NonConformingFromMeter and "
622 "PartConformingFromMeter to convey metering results (where "
623 "the 'value' is the name of the meter)\n"
624 "- VlanId to describe the traffic's VLAN information (where "
625 "the 'value' is the VLAN ID).\n"
626 "An implementation is free to define and use other preamble "
627 "'types'.\n"
628 "\n"
629 "Note that a wildcard value of \"any\" is allowed to "
630 "indicate that the preamble entry matches for any 'value' of "
631 tony 1.1 "the specified 'type'. For example, using the wildcard, an "
632 "administrator can define a filter to select all packets "
633 "that were found to be conforming ('type' = "
634 "\"ConformingFromMeter\") without having to name each meter "
635 "individually."),
636 ArrayType ("Ordered") ]
637 string FilterItemList[];
638 };
639
640
641 // ==================================================================
642 // FilterList
643 // ==================================================================
644 [Version ("2.7.0"), Description (
645 "A FilterList is used by network devices to identify routes by "
646 "aggregating a set of FilterEntries into a unit, called a "
647 "FilterList. FilterLists can also be used to accept or deny "
648 "routing updates.\n"
649 "\n"
650 "A FilterList is weak to the network device (i.e., the "
651 "ComputerSystem) that contains it. Hence, the ComputerSystem "
652 tony 1.1 "keys are propagated to this class.") ]
653 class CIM_FilterList : CIM_LogicalElement {
654
655 [Key, Propagated ("CIM_ComputerSystem.CreationClassName"),
656 Description (
657 "The scoping ComputerSystem's CreationClassName."),
658 MaxLen (256) ]
659 string SystemCreationClassName;
660
661 [Key, Propagated ("CIM_ComputerSystem.Name"), Description (
662 "The scoping ComputerSystem's Name."),
663 MaxLen (256) ]
664 string SystemName;
665
666 [Key, Description (
667 "The type of class that this instance is.") ]
668 string CreationClassName;
669
670 [Key, Override ("Name"), Description (
671 "This is the name of the FilterList."),
672 MaxLen (256) ]
673 tony 1.1 string Name;
674
675 [Description (
676 "This defines whether the FilterList is used for input, "
677 "output, or both input and output filtering. All values are "
678 "used with respect to the interface for which the FilterList "
679 "applies.\n"
680 "\n"
681 "\"Not Applicable\" (0) is used when there is no direction "
682 "applicable to the FilterList. \"Input\" (1) is used when "
683 "the FilterList applies to packets that are inbound on the "
684 "related interface. \"Output\" (2) is used when the "
685 "FilterList applies to packets that are outbound on the "
686 "related interface. \"Both\" (3) is used to indicate that "
687 "the direction is immaterial, e.g., to filter on a source "
688 "subnet regardless of whether the flow is inbound or "
689 "outbound. \"Mirrored\" (4) is also applicable to both "
690 "inbound and outbound flow processing, but indicates that "
691 "the filter criteria are applied asymmetrically to traffic "
692 "in both directions and, thus, specifies the reversal of "
693 "source and destination criteria (as opposed to the equality "
694 tony 1.1 "of these criteria as indicated by \"Both\"). The match "
695 "conditions in the aggregated FilterEntryBase subclass "
696 "instances are defined from the perspective of outbound "
697 "flows and applied to inbound flows as well by reversing the "
698 "source and destination criteria. So, for example, consider "
699 "a FilterList with 3 FilterEntries indicating destination "
700 "port = 80, and source and destination addresses of a and b, "
701 "respectively. Then, for the outbound direction, the filter "
702 "entries match as specified and the 'mirror' (for the "
703 "inbound direction) matches on source port = 80 and source "
704 "and destination addresses of b and a, respectively."),
705 ValueMap {"0", "1", "2", "3", "4"},
706 Values {"Not Applicable", "Input", "Output", "Both", "Mirrored"} ]
707 uint16 Direction;
708 };
709
710
711 // ==================================================================
712 // FilterEntryInSystem
713 // ==================================================================
// FilterEntryInSystem: deprecated aggregation that relates a FilterEntryBase
// to the ComputerSystem/network device that scopes it. The Deprecated
// qualifiers below name CIM_HostedFilterEntryBase (Antecedent/Dependent) as
// the replacement. Per the Description, the relationship was mandatory and
// Weak up to CIM 2.6 and is no longer so from CIM V2.7.
714 [Association, Deprecated {"CIM_HostedFilterEntryBase"}, Aggregation,
715 tony 1.1 Version ("2.7.0"), Description (
716 "All filter entries (FilterEntryBase and its subclasses) are "
717 "defined in the context of a ComputerSystem/network device, "
718 "where they are used to identify and act on network traffic. "
719 "Note that this class is deprecated since its subclassing is "
720 "not correct. It subclasses from System Component, but a "
721 "FilterEntryBase is NOT a Component of a System. Instead, it "
722 "is hosted/scoped by the System. In versions up to CIM 2.6, "
723 "FilterEntryInSystem was a mandatory, Weak relationship. This "
724 "is no longer true, beginning with CIM V2.7.") ]
725 class CIM_FilterEntryInSystem : CIM_SystemComponent {
726
// Scoping system side. Max (1) limits a filter entry to at most one scoping
// ComputerSystem through this association; no Min qualifier is declared here.
727 [Deprecated {"CIM_HostedFilterEntryBase.Antecedent"}, Aggregate,
728 Override ("GroupComponent"), Max (1), Description (
729 "The ComputerSystem/network device that scopes the "
730 "FilterEntryBase.") ]
731 CIM_ComputerSystem REF GroupComponent;
732
// Filter entry side; superseded by CIM_HostedFilterEntryBase.Dependent.
733 [Deprecated {"CIM_HostedFilterEntryBase.Dependent"},
734 Override ("PartComponent"), Description (
735 "The FilterEntryBase on the System.") ]
736 tony 1.1 CIM_FilterEntryBase REF PartComponent;
737 };
738
739
740 // ==================================================================
741 // FilterListInSystem
742 // ==================================================================
// FilterListInSystem: deprecated aggregation that relates a FilterList to the
// ComputerSystem (router, firewall or host) that scopes it. The Deprecated
// qualifiers below name CIM_HostedFilterList (Antecedent/Dependent) as the
// replacement. Per the Description, the relationship was mandatory and Weak
// up to CIM 2.6 and is no longer so from CIM V2.7.
743 [Association, Deprecated {"CIM_HostedFilterList"}, Aggregation,
744 Version ("2.7.0"), Description (
745 "FilterLists are defined in the context of a ComputerSystem "
746 "(e.g., a router, firewall or host). Note that this class is "
747 "deprecated since its subclassing is not correct. It "
748 "subclasses from SystemComponent, but a FilterList is NOT a "
749 "Component of a System. Instead, it is hosted/scoped by the "
750 "System. In versions up to CIM 2.6, FilterListInSystem was a "
751 "mandatory, Weak relationship. This is no longer true, "
752 "beginning with CIM V2.7.") ]
753 class CIM_FilterListInSystem : CIM_SystemComponent {
754
// Scoping system side. Max (1) limits a FilterList to at most one scoping
// ComputerSystem through this association; no Min qualifier is declared here.
755 [Deprecated {"CIM_HostedFilterList.Antecedent"}, Aggregate,
756 Override ("GroupComponent"), Max (1), Description (
757 tony 1.1 "The ComputerSystem/network device that scopes the "
758 "FilterList and administers it.") ]
759 CIM_ComputerSystem REF GroupComponent;
760
// FilterList side; superseded by CIM_HostedFilterList.Dependent.
761 [Deprecated {"CIM_HostedFilterList.Dependent"},
762 Override ("PartComponent"), Description (
763 "The FilterList on the System.") ]
764 CIM_FilterList REF PartComponent;
765 };
766
767
768 // ==================================================================
769 // HostedFilterEntryBase
770 // ==================================================================
// HostedFilterEntryBase: association that places a FilterEntryBase (or any
// subclass) in the context of the ComputerSystem/network device where it is
// used and administered. It is the replacement named by the Deprecated
// qualifiers on CIM_FilterEntryInSystem.
771 [Association, Version ("2.7.0"), Description (
772 "All filter entries (FilterEntryBase and its subclasses) are "
773 "defined in the context of a ComputerSystem/network device, "
774 "where the filter entries are used and administered.") ]
775 class CIM_HostedFilterEntryBase : CIM_HostedDependency {
776
// Min (1) and Max (1) together require exactly one scoping ComputerSystem
// for every filter entry that participates in this association.
777 [Override ("Antecedent"), Min (1), Max (1), Description (
778 tony 1.1 "The ComputerSystem/network device that scopes the "
779 "FilterEntryBase.") ]
780 CIM_ComputerSystem REF Antecedent;
781
// The Dependent reference is Weak.
// NOTE(review): presumably FilterEntryBase carries keys propagated from the
// scoping system, as CIM_FilterList does; confirm against its definition.
782 [Override ("Dependent"), Weak, Description (
783 "The FilterEntryBase on the System.") ]
784 CIM_FilterEntryBase REF Dependent;
785 };
786
787
788 // ==================================================================
789 // HostedFilterList
790 // ==================================================================
// HostedFilterList: association that places a FilterList in the context of
// the ComputerSystem/network device where the list is used and administered.
// It is the replacement named by the Deprecated qualifiers on
// CIM_FilterListInSystem.
791 [Association, Version ("2.7.0"), Description (
792 "FilterLists are defined in the context of a ComputerSystem/ "
793 "network device, where the list is used and administered.") ]
794 class CIM_HostedFilterList : CIM_HostedDependency {
795
// Min (1) and Max (1) together require exactly one scoping ComputerSystem
// for every FilterList that participates in this association.
796 [Override ("Antecedent"), Min (1), Max (1), Description (
797 "The ComputerSystem/network device that scopes the "
798 "FilterList.") ]
799 tony 1.1 CIM_ComputerSystem REF Antecedent;
800
// The Dependent reference is Weak: CIM_FilterList declares the propagated
// keys SystemCreationClassName and SystemName, so a FilterList is identified
// only within its scoping ComputerSystem.
801 [Override ("Dependent"), Weak, Description (
802 "The FilterList on the System.") ]
803 CIM_FilterList REF Dependent;
804 };
805
806
807 // ==================================================================
808 // EntriesInFilterList
809 // ==================================================================
// EntriesInFilterList: aggregation of filter entries (subclasses of
// FilterEntryBase) into a FilterList. As declared here, a FilterList is one
// conjunctive match: every aggregated entry must match, and EntrySequence
// carries no precedence between entries.
810 [Association, Aggregation, Version ("2.7.0"), Description (
811 "This is a specialization of the CIM_Component aggregation "
812 "which is used to define a set of filter entries (subclasses of "
813 "FilterEntryBase) that are aggregated by a particular "
814 "FilterList.") ]
815 class CIM_EntriesInFilterList : CIM_Component {
816
// Max (1): a filter entry is aggregated by at most one FilterList.
817 [Aggregate, Override ("GroupComponent"), Max (1), Description (
818 "The FilterList, which aggregates the set of FilterEntries.") ]
819 CIM_FilterList REF GroupComponent;
820 tony 1.1
821 [Override ("PartComponent"), Description (
822 "Any subclass of FilterEntryBase which is a part of the "
823 "FilterList.") ]
824 CIM_FilterEntryBase REF PartComponent;
825
// The ValueMap admits only "0" and the default is 0, so this property cannot
// express evaluation order; per the Description, the entries are ANDed.
826 [Description (
827 "The order of the Entry relative to all others in the "
828 "FilterList. The only permissible value is zero - "
829 "indicating that all the Entries are ANDed together."),
830 ValueMap {"0"} ]
831 uint16 EntrySequence = 0;
832 };
833
834 // ==================================================================
835 // X509CredentialFilterEntry
836 // ==================================================================
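// X509CredentialFilterEntry: a filter entry that matches one attribute of an
// X.509 certificate. MatchFieldName selects the attribute and MatchFieldValue
// carries the value or wildcard pattern that the attribute is compared with.
[Experimental, Version ("2.7.1000"), Description (
    "An X509CredentialFilterEntry allows filtering on the "
    "attributes of an X.509 certificate. Each instance includes a "
    "value for MatchFieldName that specifies the particular X.509 "
    "attribute that is being matched."),
    MappingStrings {"IPSP Policy Model.IETF|CredentialFilterEntry"} ]
class CIM_X509CredentialFilterEntry : CIM_FilterEntryBase {

    // Selects the certificate attribute to match. The vendor-reserved range
    // is written "0x8000.." so that it agrees with the other ValueMaps in
    // this file (the original read "x8000..").
    // NOTE(review): the property is typed string although the ValueMap is
    // numeric and uses ranges; confirm the intended type with the schema
    // owners before relying on it.
    [Required, Description (
        "MatchFieldName specifies the X.509 attribute to match "
        "against MatchFieldValue. Note that this enumeration is "
        "modified from the IETF's IPSP Policy Model to explicitly "
        "list the 'standard' X.509 attributes."),
        ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
            "..", "0x8000.."},
        Values {"Other", "Version", "Serial Number",
            "Signature Algorithm Identifier", "Issuer Name",
            "Validity Period", "Subject Name",
            "Subject Public Key Info", "Key Usage", "Alternate Name",
            "DMTF Reserved", "Vendor Reserved"},
        MappingStrings {"IPSP Policy Model.IETF|"
            "CredentialFilterEntry.MatchFieldName"},
        ModelCorrespondence {
            "CIM_X509CredentialFilterEntry.MatchFieldValue"} ]
    string MatchFieldName;

    // Value or wildcard pattern compared with the selected attribute. The
    // MappingStrings entry now points at MatchFieldValue; the original
    // repeated the MatchFieldName mapping, which looks like a copy-paste slip.
    // NOTE(review): the Description does not say whether '*' may match across
    // the ',' that separates name components in a Subject Name. An
    // implementation should settle this explicitly, because a broader match
    // than the policy author intended accepts credentials the filter was
    // meant to exclude.
    [Required, Description (
        "MatchFieldValue specifies the value to compare with the "
        "credential attribute (defined in MatchFieldName), to "
        "determine if the credential matches this filter entry. An "
        "implementation must convert this string to a DER-encoded "
        "string before matching against the values extracted from "
        "credentials at runtime.\n"
        "\n"
        "Note that a wildcard mechanism may be used when "
        "MatchFieldName specifies a general character string (for "
        "example, if MatchFieldName=7, 'Subject Name'). "
        "MatchFieldValue may contain a wildcard character, '*', in "
        "the pattern match specification. For example, for 'Subject "
        "Name', a MatchFieldValue of "
        "'cn=*,ou=engineering,o=foo,c=be' will successfully match a "
        "certificate whose subject attribute is "
        "'cn=JaneDoe,ou=engineering,o=foo,c=be'. A wildcard can be "
        "used to represent 0 or more characters as would be "
        "displayed to the user (i.e., a wildcard pattern match "
        "operates on displayable character boundaries)."),
        MappingStrings {"IPSP Policy Model.IETF|"
            "CredentialFilterEntry.MatchFieldValue"},
        ModelCorrespondence {
            "CIM_X509CredentialFilterEntry.MatchFieldName"} ]
    string MatchFieldValue;
};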
889
890 // Note that the IPSOFilterEntry is changed from the IPSP Model
891 // definition, since the IPSP class allows matching on either
892 // classification level or protection authority, but not both, and is
893 // confusing with respect to the enumerated "values" (combining both
894 // classification level and protection authority into a single enum). Also,
895 // the IPSP enumerations start at 1, which is reserved for 'Other', and
896 // ProtectionAuthority should be an array. These problems are corrected
897 // in the class below.
898
899 // ==================================================================
900 // IPSOFilterEntry
901 // ==================================================================
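// IPSOFilterEntry: a filter entry that matches traffic on the IP Security
// Options header values defined in RFC1108. MatchConditionType selects which
// of ClassificationLevel and ProtectionAuthorities take part in the match.
[Experimental, Version ("2.7.1000"), Description (
    "An IPSOFilterEntry is used to match traffic based on the IP "
    "Security Options header values (ClassificationLevel and "
    "ProtectionAuthority) as defined in RFC1108. This type of "
    "FilterEntry is used to adjust the IPsec encryption level "
    "according to the IPSO classification of the traffic (e.g., "
    "secret, confidential, restricted, etc.)."),
    MappingStrings {"IPSP Policy Model.IETF|IPSOFilterEntry"} ]
class CIM_IPSOFilterEntry : CIM_FilterEntryBase {

    // Selector: 2 = Classification Level, 3 = Protection Authority,
    // 4 = both. The enumeration starts at 2 so that "Other" can be added
    // later, as the Description states.
    [Required, Description (
        "MatchConditionType specifies whether to match based on "
        "traffic classification level, protection authority or "
        "both. Note that this enumeration is modified from its "
        "definition in the IETF's IPSP Policy Model to allow for "
        "both classification level and protection authority "
        "checking, and to allow the enumerated value, \"Other\", to "
        "be added in the future."),
        ValueMap {"2", "3", "4"},
        Values {"Classification Level", "Protection Authority",
            "Both Classification Level and Protection Authority"},
        MappingStrings {"IPSP Policy Model.IETF|"
            "IPSOFilterEntry.MatchConditionType"},
        ModelCorrespondence { "CIM_IPSOFilterEntry.ClassificationLevel",
            "CIM_IPSOFilterEntry.ProtectionAuthorities"} ]
    uint16 MatchConditionType;

    // Classification level to match. The Description now cites
    // MatchConditionType 2 or 4, the values that MatchConditionType's own
    // ValueMap assigns to "Classification Level" and "Both"; the original
    // said "1 or 3", and an implementer who followed that text would apply
    // this property under the wrong selector. The property is Required, and
    // value 2 ("No Filtering on Classification Level") is defined for entries
    // that do not filter on it.
    [Required, Description (
        "This is the value to be matched when MatchConditionType is "
        "2 or 4 - meaning that \"Classification Level\" should be "
        "filtered. In RFC1108, the following semantics are "
        "specified: TopSecret, Secret, Confidential, and "
        "Unclassified. Note that this enumeration's values are "
        "different than the RFC list and the IETF's IPSP Policy "
        "Model since those lists are simply bit maps, and do not "
        "include specific values for \"Other\" or \"No Filtering\"."),
        ValueMap {"1", "2", "3", "4", "5", "6", "..", "0x8000.."},
        Values {"Other", "No Filtering on Classification Level",
            "Top Secret", "Secret", "Confidential", "Unclassified",
            "DMTF Reserved", "Vendor Reserved"},
        MappingStrings {"IPSP Policy Model.IETF|"
            "IPSOFilterEntry.MatchConditionValue",
            "RFC1108.IETF|Section 2.3"},
        ModelCorrespondence { "CIM_IPSOFilterEntry.MatchConditionType",
            "CIM_IPSOFilterEntry.OtherClassificationLevel"} ]
    uint16 ClassificationLevel;

    // Free-text level, used when ClassificationLevel is 1 ("Other").
    [Description (
        "Description of the level when the value 1 (\"Other\") is "
        "specified for the property, ClassificationLevel."),
        ModelCorrespondence { "CIM_IPSOFilterEntry.ClassificationLevel"} ]
    string OtherClassificationLevel;

    // Protection authorities to match; several may be listed. The
    // Description now cites MatchConditionType 3 or 4, the values that
    // MatchConditionType's ValueMap assigns to "Protection Authority" and
    // "Both"; the original said "2 or 3". The property is Required, and
    // value 2 ("No Filtering on Protection Authority") is defined for entries
    // that do not filter on it.
    [Required, Description (
        "These are the values to be matched when MatchConditionType "
        "is 3 or 4 - meaning that \"Protection Authority\" should be "
        "filtered. In RFC1108, the following authorities are "
        "specified: GENSER, SIOP-ESI, SCI, NSA and DOE. Note that "
        "multiple authorities may be specified.\n"
        "\n"
        "This enumeration is modified from its definition in the RFC "
        "and IETF's IPSP Policy Model. Those lists are simply bit "
        "maps, and do not include specific values for \"Other\" or "
        "\"No Filtering\"."),
        ValueMap {"1", "2", "3", "4", "5", "6", "7", "..", "0x8000.."},
        Values {"Other", "No Filtering on Protection Authority",
            "GENSER", "SIOP-ESI", "SCI", "NSA", "DOE", "DMTF Reserved",
            "Vendor Reserved"},
        MappingStrings {"IPSP Policy Model.IETF|"
            "IPSOFilterEntry.MatchConditionValue",
            "RFC1108.IETF|Section 2.4"},
        ModelCorrespondence { "CIM_IPSOFilterEntry.MatchConditionType",
            "CIM_IPSOFilterEntry.OtherProtectionAuthorities"} ]
    uint16 ProtectionAuthorities[];

    // Free-text authorities, used when ProtectionAuthorities holds 1
    // ("Other").
    // NOTE(review): no qualifier ties the positions of this array to those
    // of ProtectionAuthorities; confirm how the two are meant to correspond.
    [Description (
        "Description of the authority when the value 1 (\"Other\") "
        "is specified for the property, ProtectionAuthorities."),
        ModelCorrespondence {
            "CIM_IPSOFilterEntry.ProtectionAuthorities"} ]
    string OtherProtectionAuthorities[];
};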
984
985
986 // Note that the PeerIDPayloadFilterEntry is changed from the IPSP Model
987 // definition - since the 'Type' enumeration starts at 1 in the IPSP
988 tony 1.1 // draft, which is reserved for 'Other'
989
990
991 // ==================================================================
992 // PeerIDPayloadFilterEntry
993 // ==================================================================
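// PeerIDPayloadFilterEntry: a filter entry that matches the identity a peer
// presents in the ID Payload of the IKE exchange. MatchIdentityType names
// the identification type and MatchIdentityValue carries the value or
// wildcard pattern to compare with it.
[Experimental, Version ("2.7.1000"), Description (
    "PeerIDPayloadFilterEntry defines filters used to match the "
    "Identification Type field in the ID Payload of the IKE "
    "protocol exchange. It permits the specification of ID values "
    "such as \"*@example.com\" or \"192.0.2.0/24\"."),
    MappingStrings { "IPSP Policy Model.IETF|PeerIDPayloadFilterEntry"} ]
class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase {

    // Identification type. The numbering differs from the RFC2407 list
    // because 1 is taken by "Other", as the Description notes.
    [Required, Description (
        "MatchIdentityType specifies the Identification Type "
        "provided by the peer in the payload. The list of "
        "identities was generated from Section 4.6.2.1 of RFC2407. "
        "Note that the enumeration is different than the RFC list, "
        "since the value 'Other' is taken into account."),
        ValueMap {"1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
            "11", "12", "..", "0x8000.."},
        Values {"Other", "IPV4 Address", "FQDN", "User FQDN",
            "IPV4 Subnet Address", "IPV6 Address",
            "IPV6 Subnet Address", "IPV4 Address Range",
            "IPV6 Address Range", "DER ASN1 DN", "DER ASN1 GN",
            "KEY ID", "DMTF Reserved", "Vendor Reserved"},
        MappingStrings {"IPSP Policy Model.IETF|"
            "PeerIDPayloadFilterEntry.MatchIdentityType",
            "RFC2407.IETF|Section 4.6.2.1"},
        ModelCorrespondence {
            "CIM_PeerIDPayloadFilterEntry.MatchIdentityValue"} ]
    uint16 MatchIdentityType;

    // Value or wildcard pattern compared with the peer's ID payload.
    // Changes to the Description text: "e,g," is corrected to "e.g.,"; the
    // two references to "MatchFieldValue" (a property of
    // CIM_X509CredentialFilterEntry) now name this property; and the wildcard
    // example cites MatchIdentityType=4, 'User FQDN', because its pattern
    // '*@example.com' is a user@domain identity rather than a bare FQDN
    // (value 3).
    // NOTE(review): the Description does not say when in the exchange the ID
    // is compared. A wildcard such as '*@example.com' accepts every identity
    // in that domain, so an implementation should presumably act on the match
    // only once the identity is bound to the authenticated credential;
    // confirm against the IPSP Policy Model.
    [Required, Description (
        "MatchIdentityValue is the filter value for comparison with "
        "the ID payload, e.g., \"*@company.com\". The syntax may "
        "need to be converted for comparison. For example, if the "
        "type of identity is a DER-encoded distinguished name, (for "
        "example, MatchIdentityType = 10, \"DER_ASN1_DN\"), the "
        "MatchIdentityValue MUST be converted into a DER-encoded "
        "string. This allows it to be matched against the values "
        "extracted from the ID payload at runtime.\n"
        "\n"
        "Note that a wildcard mechanism may be used when "
        "MatchIdentityType specifies a general character string (for "
        "example, if MatchIdentityType=4, 'User FQDN'). "
        "MatchIdentityValue may contain a wildcard character, '*', in "
        "the pattern match specification. For example, for 'User "
        "FQDN', a MatchIdentityValue of '*@example.com' will "
        "successfully match an ID payload of "
        "'janedoe@example.com'. A wildcard can be used to represent "
        "0 or more characters as is appropriate for the type "
        "specified in MatchIdentityType."),
        MappingStrings {"IPSP Policy Model.IETF|"
            "PeerIDPayloadFilterEntry.MatchIdentityValue"},
        ModelCorrespondence {
            "CIM_PeerIDPayloadFilterEntry.MatchIdentityType" } ]
    string MatchIdentityValue;
};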
1047
1048 // ===================================================================
1049 // end of file
1050 // ===================================================================