1 karl 1.1 // ===================================================================
2 // Title: Network Filtering
3 // $State: Preliminary $
4 // $Date: 2004/06/28 18:01:03 $
5 // $Source: /home/dmtf2/dotorg/var/cvs/repositories/dev/Schema/MOF/Network_Filtering.mof,v $
6 // $Revision: 1.3 $
7 // ===================================================================
8 //#pragma inLine ("Includes/copyright.inc")
9 // Copyright 1998-2004 Distributed Management Task Force, Inc. (DMTF).
10 // All rights reserved.
11 // DMTF is a not-for-profit association of industry members dedicated
12 // to promoting enterprise and systems management and interoperability.
13 // DMTF specifications and documents may be reproduced for uses
14 // consistent with this purpose by members and non-members,
15 // provided that correct attribution is given.
16 // As DMTF specifications may be revised from time to time,
17 // the particular version and release date should always be noted.
18 //
19 // Implementation of certain elements of this standard or proposed
20 // standard may be subject to third party patent rights, including
21 // provisional patent rights (herein "patent rights"). DMTF makes
22 karl 1.1 // no representations to users of the standard as to the existence
23 // of such rights, and is not responsible to recognize, disclose, or
24 // identify any or all such third party patent right, owners or
25 // claimants, nor for any incomplete or inaccurate identification or
26 // disclosure of such rights, owners or claimants. DMTF shall have no
27 // liability to any party, in any manner or circumstance, under any
28 // legal theory whatsoever, for failure to recognize, disclose, or
29 // identify any such third party patent rights, or for such party's
30 // reliance on the standard or incorporation thereof in its product,
31 // protocols or testing procedures. DMTF shall have no liability to
32 // any party implementing such standard, whether such implementation
33 // is foreseeable or not, nor to any patent owner or claimant, and shall
34 // have no liability or responsibility for costs or losses incurred if
35 // a standard is withdrawn or modified after publication, and shall be
36 // indemnified and held harmless by any party implementing the
37 // standard from any and all claims of infringement by a patent owner
38 // for such implementations.
39 //
40 // For information about patents held by third-parties which have
41 // notified the DMTF that, in their opinion, such patent may relate to
42 // or impact implementations of DMTF standards, visit
43 karl 1.1 // http://www.dmtf.org/about/policies/disclosures.php.
44 //#pragma inLine
45 // ===================================================================
46 // Description: The Network Model extends the management concepts to
47 // represent protocol interfaces and network/protocol
48 // services. This file defines filtering - filter lists
49 // and filter entries.
50 //
51 // The object classes below are listed in an order that
52 // avoids forward references. Required objects, defined
53 // by other working groups, are omitted.
54 // ==================================================================
55 // Change Log for v2.7
56 // CR793 - Add the Abstract qualifier to FilterEntryBase and update
57 // the description
58 // - Update the description for EntriesInFilterList.EntrySequence
59 // - Deprecate FilterEntriesInSystem and FilterListInSystem
60 // - Add HostedFilterEntryBase and HostedFilterList
61 // - Add 8021Filter and PreambleFilter
62 // - FilterEntry.TrafficType needs an Other value in its
63 // enumerated list, and an OtherTrafficType property should be
64 karl 1.1 // defined
65 // CR800 - Remove FilterEntry.TrafficClass' ModelCorrespondence
66 // CR849 - 8021Filter property names must be changed from 8021HdrXXX to
67 // HdrXXX8021 to comply with the CIM Spec
68 // CR867 - Add Override qualifier to FilterEntryBase and
69 // FilterList.Name
70 // CR982 - Removal of Experimental for preliminary to final
71 // CR983 - Deprecations for v2.7 made final
72 // New Log for V2.8
73 // CR1026 - Add class definitions for IPSec
74 // CR1089 - Clarify IsNegated in FilterEntryBase
75 // CR1128 - Change subclassing from CIM_Dependency to
76 // CIM_HostedDependency for identified classes. This is
77 // needed as a result of the introduction of HostedDependency
78 // in SysDev
79 // CR1194 - Classes in the _Filters MOF to be promoted to FINAL status
80 // and their Version qualifiers set to "2.8.0":
81 // X509CredentialFilterEntry
82 // IPSOFilterEntry
83 // PeerIDPayloadFilterEntry
84 //
85 karl 1.1 // CR1226 - Change all references to CIM_8021Filter to
86 // CIM_Hdr8021Filter.
87 // CR1238 - Fix model correspondece reference problems in final version
88 //
89 // Change Log for V2.9
90 // No changes
91 // ===================================================================
92
93 #pragma Locale ("en_US")
94
95
96 // ===================================================================
97 // FilterEntryBase
98 // ===================================================================
99 [Abstract, Version ( "2.7.0" ), Description (
100 "A FilterList aggregates instances of (subclasses of) "
101 "FilterEntryBase via the aggregation EntriesInFilterList. The "
102 "filter entries are always ANDed together when grouped by the "
103 "FilterList. Note that it is possible to aggregate different "
104 "types of filters into a single FilterList - for example, "
105 "packet header filters (represented by the IpHeadersFilter "
106 karl 1.1 "class) and IPsec security filters. \n"
107 "\n"
108 "A FilterList is weak to the network device (e.g., the "
109 "ComputerSystem) that contains it. Hence, the ComputerSystem "
110 "keys are propagated to this class.")]
111 class CIM_FilterEntryBase : CIM_LogicalElement {
112
113 [Key, Propagated ( "CIM_ComputerSystem.CreationClassName" ),
114 Description (
115 "The scoping ComputerSystem's CreationClassName."),
116 MaxLen ( 256 )]
117 string SystemCreationClassName;
118
119 [Key, Propagated ( "CIM_ComputerSystem.Name" ), Description (
120 "The scoping ComputerSystem's Name."),
121 MaxLen ( 256 )]
122 string SystemName;
123
124 [Key, Description (
125 "CreationClassName indicates the name of the class or the "
126 "subclass used in the creation of an instance. When used "
127 karl 1.1 "with the other key properties of this class, this property "
128 "allows all instances of this class and its subclasses to be "
129 "uniquely identified."),
130 MaxLen ( 256 )]
131 string CreationClassName;
132
133 [Key, Override ( "Name" ), Description (
134 "The Name property defines the label by which the Filter "
135 "Entry is known and uniquely identified."),
136 MaxLen ( 256 )]
137 string Name;
138
139 [Description (
140 "Boolean indicating that the match condition described in "
141 "the properties of the FilterEntryBase subclass should be "
142 "negated. This property is defined for ease of use when "
143 "filtering on simple negations - for example, to select all "
144 "source ports except 162. It is not recommended that this "
145 "Boolean be set to True when filtering on multiple criteria, "
146 "such as defining an IPHeadersFilter based on "
147 "source/destination addresses, ports, and DiffServ Code "
148 karl 1.1 "Points.")]
149 boolean IsNegated;
150 };
151
152
153 // ==================================================================
154 // FilterEntry
155 // ==================================================================
156 [Version ( "2.7.0" ), Description (
157 "A FilterEntry is used by network devices to identify traffic "
158 "and either forward it (with possibly further processing) to "
159 "its destination, or to deny its forwarding. It is one of the "
160 "building block of FilterLists. \n"
161 "\n"
162 "This class is oriented towards packet filtering. Other "
163 "subclasses of FilterEntryBase can be defined to do other types "
164 "of filtering. \n"
165 "\n"
166 "A FilterEntry is weak to the network device (i.e., the "
167 "ComputerSystem) that contains it. Hence, the ComputerSystem "
168 "keys are propagated to this class.")]
169 karl 1.1 class CIM_FilterEntry : CIM_FilterEntryBase {
170
171 [Description (
172 "This defines the type of traffic that is being filtered. "
173 "This will affect the filtering rules in the MatchCondition "
174 "property of this class."),
175 ValueMap { "0", "1", "2", "3", "4", "5" },
176 Values { "Unknown", "IPv4", "IPX", "IPv6", "Any", "Other" },
177 ModelCorrespondence { "CIM_FilterEntry.OtherTrafficType" }]
178 uint16 TrafficType;
179
180 [Description (
181 "If the value of the TrafficType property in this class is 5 "
182 "(i.e., \"Other\"), then the specific type of traffic is "
183 "specified in this property."),
184 ModelCorrespondence { "CIM_FilterEntry.TrafficType" }]
185 string OtherTrafficType;
186
187 [Description (
188 "This specifies one of a set of ways to identify traffic. If "
189 "the value is 1 (i.e., \"Other\"), then the specific type of "
190 karl 1.1 "filtering is specified in the OtherMatchConditionType "
191 "property of this class."),
192 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
193 "11", "12", "13" },
194 Values { "Other", "Source Address and Mask",
195 "Destination Address and Mask", "Source Port",
196 "Source Port Range", "Destination Port",
197 "Destination Port Range", "Protocol Type",
198 "Protocol Type and Option", "DSCP", "ToS Value",
199 "802.1P Priority Value", "Any" },
200 ModelCorrespondence { "CIM_FilterEntry.OtherMatchConditionType"
201 }]
202 uint16 MatchConditionType;
203
204 [Description (
205 "If the value of the MatchConditionType property in this "
206 "class is 1 (i.e., \"Other\"), then the specific type of "
207 "filtering is specified in this property."),
208 ModelCorrespondence { "CIM_FilterEntry.MatchConditionType" }]
209 string OtherMatchConditionType;
210
211 karl 1.1 [Description (
212 "This is the value of the condition that filters the "
213 "traffic. It corresponds to the condition specified in the "
214 "MatchConditionType property. If, however, the value of the "
215 "MatchConditionProperty is 1, then it corresponds to the "
216 "condition specified in the OtherMatchConditionType "
217 "property.")]
218 string MatchConditionValue;
219
220 [Description (
221 "This defines whether the action should be to forward or "
222 "deny traffic meeting the match condition specified in this "
223 "filter."),
224 ValueMap { "1", "2" },
225 Values { "Permit", "Deny" }]
226 uint16 Action;
227
228 [Description (
229 "This defines whether this FilterEntry is the default entry "
230 "to use by its FilterList.")]
231 boolean DefaultFilter;
232 karl 1.1
233 [Description (
234 "This defines the traffic class that is being matched by "
235 "this FilterEntry. Note that FilterEntries are aggregated "
236 "into FilterLists by the EntriesInFilterList relationship. "
237 "If the EntrySequence property of the aggregation is set to "
238 "0, this means that all the Filter Entries should be ANDed "
239 "together. Consequently, the TrafficClass property of each "
240 "of the aggregated Entries should be set to the same value.")]
241 string TrafficClass;
242 };
243
244
245 // ===================================================================
246 // IPHeadersFilter
247 // ===================================================================
248 [Version ( "2.6.0" ), Description (
249 "IPHeadersFilter contains the most commonly required properties "
250 "for performing filtering on IP, TCP or UDP headers. Properties "
251 "not present in an instance of the IPHeadersFilter are treated "
252 "as 'all values'.")]
253 karl 1.1 class CIM_IPHeadersFilter : CIM_FilterEntryBase {
254
255 [Description (
256 "HdrIPVersion identifies the version of the IP addresses for "
257 "IP header filters. It is also used to determine the sizes "
258 "of the OctetStrings in the six properties HdrSrcAddress, "
259 "HdrSrcAddressEndOfRange, HdrSrcMask, HdrDestAddress, "
260 "HdrDestAddressEndOfRange and HdrDestMask, as follows: \n"
261 "ipv4(4): OctetString(SIZE (4)) \n"
262 "ipv6(6): OctetString(SIZE (16|20)), \n"
263 "depending on whether a scope identifier is present. \n"
264 "\n"
265 "If a value for this property is not provided, then the "
266 "filter does not consider IP version in selecting matching "
267 "packets, i.e., IP version matches for all values. In this "
268 "case, the HdrSrcAddress, HdrSrcAddressEndOfRange, "
269 "HdrSrcMask, HdrDestAddress, HdrDestAddressEndOfRange and "
270 "HdrDestMask must also be not present."),
271 ValueMap { "4", "6" },
272 Values { "IPv4", "IPv6" },
273 ModelCorrespondence { "CIM_IPHeadersFilter.HdrSrcAddress",
274 karl 1.1 "CIM_IPHeadersFilter.HdrSrcAddressEndOfRange",
275 "CIM_IPHeadersFilter.HdrSrcMask",
276 "CIM_IPHeadersFilter.HdrDestAddress",
277 "CIM_IPHeadersFilter.HdrDestAddressEndOfRange",
278 "CIM_IPHeadersFilter.HdrDestMask" }]
279 uint8 HdrIPVersion;
280
281 [Description (
282 "HdrSrcAddress is an OctetString, of a size determined by "
283 "the value of the HdrIPVersion property, representing a "
284 "source IP address. When there is no HdrSrcAddressEndOfRange "
285 "value, this value is compared to the source address in the "
286 "IP header, subject to the mask represented in the "
287 "HdrSrcMask property. (Note that the mask is ANDed with the "
288 "address.) When there is a HdrSrcAddressEndOfRange value, "
289 "this value is the start of the specified range (i.e., the "
290 "HdrSrcAddress is lower than the HdrSrcAddressEndOfRange) "
291 "that is compared to the source address in the IP header and "
292 "matches on any value in the range. \n"
293 "\n"
294 "If a value for this property is not provided, then the "
295 karl 1.1 "filter does not consider HdrSrcAddress in selecting "
296 "matching packets, i.e., HdrSrcAddress matches for all "
297 "values."),
298 OctetString,
299 ModelCorrespondence { "CIM_IPHeadersFilter.HdrIPVersion" }]
300 uint8 HdrSrcAddress[];
301
302 [Description (
303 "HdrSrcAddressEndOfRange is an OctetString, of a size "
304 "determined by the value of the HdrIPVersion property, "
305 "representing the end of a range of source IP addresses "
306 "(inclusive), where the start of the range is the "
307 "HdrSrcAddress property value. \n"
308 "\n"
309 "If a value for HdrSrcAddress is not provided, then this "
310 "property also MUST NOT be provided. If a value for this "
311 "property is provided, then HdrSrcMask MUST NOT be provided."),
312 OctetString,
313 ModelCorrespondence { "CIM_IPHeadersFilter.HdrIPVersion" }]
314 uint8 HdrSrcAddressEndOfRange[];
315
316 karl 1.1 [Description (
317 "HdrSrcMask is an OctetString, of a size determined by the "
318 "value of the HdrIPVersion property, representing a mask to "
319 "be used in comparing the source address in the IP header "
320 "with the value represented in the HdrSrcAddress property. \n"
321 "\n"
322 "If a value for this property is not provided, then the "
323 "filter does not consider HdrSrcMask in selecting matching "
324 "packets, i.e., the value of the HdrSrcAddress or the source "
325 "address range must match the source address in the packet "
326 "exactly. If a value for this property is provided, then "
327 "HdrSrcAddressEndOfRange MUST NOT be provided."),
328 OctetString,
329 ModelCorrespondence { "CIM_IPHeadersFilter.HdrIPVersion" }]
330 uint8 HdrSrcMask[];
331
332 [Description (
333 "HdrDestAddress is an OctetString, of a size determined by "
334 "the value of the HdrIPVersion property, representing a "
335 "destination IP address. When there is no "
336 "HdrDestAddressEndOfRange value, this value is compared to "
337 karl 1.1 "the destination address in the IP header, subject to the "
338 "mask represented in the HdrDestMask property. (Note that "
339 "the mask is ANDed with the address.) When there is a "
340 "HdrDestAddressEndOfRange value, this value is the start of "
341 "the specified range (i.e., the HdrDestAddress is lower than "
342 "the HdrDestAddressEndOfRange) that is compared to the "
343 "source address in the IP header and matches on any value in "
344 "the range. \n"
345 "\n"
346 "If a value for this property is not provided, then the "
347 "filter does not consider HdrDestAddress in selecting "
348 "matching packets, i.e., HdrDestAddress matches for all "
349 "values."),
350 OctetString,
351 ModelCorrespondence { "CIM_IPHeadersFilter.HdrIPVersion" }]
352 uint8 HdrDestAddress[];
353
354 [Description (
355 "HdrDestAddressEndOfRange is an OctetString, of a size "
356 "determined by the value of the HdrIPVersion property, "
357 "representing the end of a range of destination IP addresses "
358 karl 1.1 "(inclusive), where the start of the range is the "
359 "HdrDestAddress property value. \n"
360 "\n"
361 "If a value for HdrDestAddress is not provided, then this "
362 "property also MUST NOT be provided. If a value for this "
363 "property is provided, then HdrDestMask MUST NOT be "
364 "provided."),
365 OctetString,
366 ModelCorrespondence { "CIM_IPHeadersFilter.HdrIPVersion" }]
367 uint8 HdrDestAddressEndOfRange[];
368
369 [Description (
370 "HdrDestMask is an OctetString, of a size determined by the "
371 "value of the HdrIPVersion property, representing a mask to "
372 "be used in comparing the destination address in the IP "
373 "header with the value represented in the HdrDestAddress "
374 "property. \n"
375 "\n"
376 "If a value for this property is not provided, then the "
377 "filter does not consider HdrDestMask in selecting matching "
378 "packets, i.e., the value of the HdrDestAddress or the "
379 karl 1.1 "destination address range must match the destination "
380 "address in the packet exactly. If a value for this property "
381 "is provided, then HdrDestAddressEndOfRange MUST NOT be "
382 "provided."),
383 OctetString,
384 ModelCorrespondence { "CIM_IPHeadersFilter.HdrIPVersion" }]
385 uint8 HdrDestMask[];
386
387 [Description (
388 "HdrProtocolID is an 8-bit unsigned integer, representing an "
389 "IP protocol type. This value is compared to the Protocol "
390 "field in the IP header. \n"
391 "\n"
392 "If a value for this property is not provided, then the "
393 "filter does not consider HdrProtocolID in selecting "
394 "matching packets, i.e., HdrProtocolID matches for all "
395 "values.")]
396 uint8 HdrProtocolID;
397
398 [Description (
399 "HdrSrcPortStart represents the lower end of a range of UDP "
400 karl 1.1 "or TCP source ports. The upper end of the range is "
401 "represented by the HdrSrcPortEnd property. The value of "
402 "HdrSrcPortStart MUST be no greater than the value of "
403 "HdrSrcPortEnd. \n"
404 "\n"
405 "A source port filter is evaluated by testing whether the "
406 "source port identified in the IP header falls within the "
407 "range of values between HdrSrcPortStart and HdrSrcPortEnd, "
408 "INCLUDING these two end points. \n"
409 "\n"
410 "If a value for this property is not provided, then the "
411 "filter does not consider HdrSrcPortStart in selecting "
412 "matching packets, i.e., there is no lower bound in matching "
413 "source port values.")]
414 uint16 HdrSrcPortStart;
415
416 [Description (
417 "HdrSrcPortEnd represents the upper end of a range of UDP or "
418 "TCP source ports. The lower end of the range is represented "
419 "by the HdrSrcPortStart property. The value of HdrSrcPortEnd "
420 "MUST be no less than the value of HdrSrcPortStart. A single "
421 karl 1.1 "port is indicated by equal values for HdrSrcPortStart and "
422 "HdrSrcPortEnd. \n"
423 "\n"
424 "A source port filter is evaluated by testing whether the "
425 "source port identified in the IP header falls within the "
426 "range of values between HdrSrcPortStart and HdrSrcPortEnd, "
427 "INCLUDING these two end points. \n"
428 "\n"
429 "If a value for this property is not provided, then the "
430 "filter does not consider HdrSrcPortEnd in selecting "
431 "matching packets, i.e., there is no upper bound in matching "
432 "source port values.")]
433 uint16 HdrSrcPortEnd;
434
435 [Description (
436 "HdrDestPortStart represents the lower end of a range of UDP "
437 "or TCP destination ports. The upper end of the range is "
438 "represented by the HdrDestPortEnd property. The value of "
439 "HdrDestPortStart MUST be no greater than the value of "
440 "HdrDestPortEnd. A single port is indicated by equal values "
441 "for HdrDestPortStart and HdrDestPortEnd. \n"
442 karl 1.1 "\n"
443 "A destination port filter is evaluated by testing whether "
444 "the destination port identified in the IP header falls "
445 "within the range of values between HdrDestPortStart and "
446 "HdrDestPortEnd, INCLUDING these two end points. \n"
447 "\n"
448 "If a value for this property is not provided, then the "
449 "filter does not consider HdrDestPortStart in selecting "
450 "matching packets, i.e., there is no lower bound in matching "
451 "destination port values.")]
452 uint16 HdrDestPortStart;
453
454 [Description (
455 "HdrDestPortEnd represents the upper end of a range of UDP "
456 "or TCP destination ports. The lower end of the range is "
457 "represented by the HdrDestPortStart property. The value of "
458 "HdrDestPortEnd MUST be no less than the value of "
459 "HdrDestPortStart. A single port is indicated by equal "
460 "values for HdrDestPortStart and HdrDestPortEnd. \n"
461 "\n"
462 "A destination port filter is evaluated by testing whether "
463 karl 1.1 "the destination port identified in the IP header falls "
464 "within the range of values between HdrDestPortStart and "
465 "HdrDestPortEnd, INCLUDING these two end points. \n"
466 "\n"
467 "If a value for this property is not provided, then the "
468 "filter does not consider HdrDestPortEnd in selecting "
469 "matching packets, i.e., there is no upper bound in matching "
470 "destination port values.")]
471 uint16 HdrDestPortEnd;
472
473 [Description (
474 "HdrDSCP is defined as a set of discrete DiffServ code "
475 "points, with no inherent structure. There is no "
476 "semantically significant relationship between different "
477 "HdrDSCPs. Consequently, there is no provision for "
478 "specifying a range of HdrDSCPs. \n"
479 "\n"
480 "Since, in IPv4, the HdrDSCP field may contain bits to be "
481 "interpreted as the TOS IP Precedence, this property is also "
482 "used to filter on IP Precedence. Similarly, the IPv6 "
483 "Traffic Class field is also filtered using the value(s) in "
484 karl 1.1 "this property. \n"
485 "\n"
486 "HdrDSCP is defined as an array, to provide the ability to "
487 "specify several discrete DSCPs in a single instance of "
488 "IPHeadersFilter, that would be OR'ed together to define the "
489 "filter criteria. \n"
490 "\n"
491 "If a value for this property is not provided, then the "
492 "filter does not consider HdrDSCP in selecting matching "
493 "packets, i.e., HdrDSCP matches for all values."),
494 MaxValue ( 63 )]
495 uint8 HdrDSCP[];
496
497 [Description (
498 "The 20-bit Flow Label field in the IPv6 header may be used "
499 "by a source to label sequences of packets for which it "
500 "requests special handling by the IPv6 devices, such as "
501 "non-default quality of service or 'real-time' service. In "
502 "the filter, this 20-bit string is encoded in a 24-bit "
503 "octetstring by right-adjusting the value and padding on the "
504 "left with b'0000'. \n"
505 karl 1.1 "\n"
506 "If a value for this property is not provided, then the "
507 "filter does not consider HdrFlowLabel in selecting matching "
508 "packets, i.e., HdrFlowLabel matches for all values."),
509 OctetString]
510 uint8 HdrFlowLabel[];
511 };
512
513
514 // ==================================================================
515 // Hdr8021Filter
516 // ==================================================================
517 [Version ( "2.7.0" ), Description (
518 "8021Filter allows 802.1.source and destination MAC addresses, "
519 "as well as the 802.1 protocol ID, priority, and VLAN "
520 "identifier fields, to be expressed in a single object to "
521 "classify and identify traffic.")]
522 class CIM_Hdr8021Filter : CIM_FilterEntryBase {
523
524 [Description (
525 "This property is an OctetString of size 6, representing a "
526 karl 1.1 "48-bit source MAC address in canonical format. This value "
527 "is compared to the SourceAddress field in the MAC header, "
528 "subject to the mask represented in the 8021HdrSrcMACMask "
529 "property. If a value for this property is not provided, "
530 "then the filter does not consider 8021HdrSrcMACAddr in "
531 "selecting matching packets, i.e., 8021HdrSrcMACAddr matches "
532 "for all values."),
533 OctetString]
534 uint8 HdrSrcMACAddr8021[6];
535
536 [Description (
537 "This property is an OctetString of size 6, representing a "
538 "48-bit mask to be used in comparing the SourceAddress field "
539 "in the MAC header with the value represented in the "
540 "8021HdrSrcMACAddr property. If a value for this property is "
541 "not provided, then the filter does not consider "
542 "8021HdrSrcMACMask in selecting matching packets, i.e., the "
543 "value of 8021HdrSrcMACAddr must match the source MAC "
544 "address in the packet exactly."),
545 OctetString]
546 uint8 HdrSrcMACMask8021[6];
547 karl 1.1
548 [Description (
549 "This property is an OctetString of size 6, representing a "
550 "48-bit destination MAC address in canonical format. This "
551 "value is compared to the DestinationAddress field in the "
552 "MAC header, subject to the mask represented in the "
553 "8021HdrDestMACMask property. If a value for this property "
554 "is not provided, then the filter does not consider "
555 "8021HdrDestMACAddr in selecting matching packets, i.e., "
556 "8021HdrDestMACAddr matches for all values."),
557 OctetString]
558 uint8 HdrDestMACAddr8021[6];
559
560 [Description (
561 "This property is an OctetString of size 6, representing a "
562 "48-bit mask to be used in comparing the DestinationAddress "
563 "field in the MAC header with the value represented in the "
564 "8021HdrDestMACAddr property. If a value for this property "
565 "is not provided, then the filter does not consider "
566 "8021HdrDestMACMask in selecting matching packets, i.e., the "
567 "value of 8021HdrDestMACAddr must match the destination MAC "
568 karl 1.1 "address in the packet exactly."),
569 OctetString]
570 uint8 HdrDestMACMask8021[6];
571
572 [Description (
573 "This property is a 16-bit unsigned integer, representing an "
574 "Ethernet protocol type. This value is compared to the "
575 "Ethernet Type field in the 802.3 MAC header. If a value for "
576 "this property is not provided, then the filter does not "
577 "consider 8021HdrProtocolID in selecting matching packets, "
578 "i.e., 8021HdrProtocolID matches for all values.")]
579 uint16 HdrProtocolID8021;
580
581 [Description (
582 "This property is an 8-bit unsigned integer, representing an "
583 "802.1Q priority. This value is compared to the Priority "
584 "field in the 802.1Q header. Since the 802.1Q Priority field "
585 "consists of 3 bits, the values for this property are "
586 "limited to the range 0..7. If a value for this property is "
587 "not provided, then the filter does not consider "
588 "8021HdrPriorityValue in selecting matching packets, i.e., "
589 karl 1.1 "8021HdrPriorityValue matches for all values."),
590 MinValue ( 0 ), MaxValue ( 7 )]
591 uint8 HdrPriorityValue8021;
592
593 [Description (
594 "This property is an 32-bit unsigned integer, representing "
595 "an 802.1Q VLAN Identifier. This value is compared to the "
596 "VLAN ID field in the 802.1Q header. Since the 802.1Q VLAN "
597 "ID field consists of 12 bits, the values for this property "
598 "are limited to the range 0..4095. If a value for this "
599 "property is not provided, then the filter does not consider "
600 "8021HdrVLANID in selecting matching packets, i.e., "
601 "8021HdrVLANID matches for all values."),
602 MinValue ( 0 ), MaxValue ( 4095 )]
603 uint32 HdrVLANID8021;
604 };
605
606
607 // ==================================================================
608 // PreambleFilter
609 // ==================================================================
610 karl 1.1 [Version ( "2.7.0" ), Description (
611 "PreambleFilter allows the classification of packets using "
612 "traffic-conditioning results (where the results are determined "
613 "by a PreambleMarkerService and stored in a 'packet preamble'). "
614 "This permits information about the treatment that a packet "
615 "receives on an ingress interface to be communicated along with "
616 "the packet to the egress interface. An instance of "
617 "PreambleFilter selects packets based on a two-part string "
618 "(type and value pair) identifying a specific entry in the "
619 "preamble. The logic for this match is 'at least one.' That is, "
620 "a packet with multiple entries/results in its preamble matches "
621 "a filter if at least one of these matches the filter.")]
622 class CIM_PreambleFilter : CIM_FilterEntryBase {
623
624 [Description (
625 "To foster interoperability, the basic format of the "
626 "information captured by a PreambleMarker is specified. That "
627 "information is contained in the FilterItemList property (an "
628 "ordered, string array). Each entry in the array takes the "
629 "form 'type,value'. When entries are added, they are "
630 "appended to the end of the list. \n"
631 karl 1.1 "\n"
632 "A limited set of standardized 'type's exist. They are: \n"
633 "- ConformingFromMeter, NonConformingFromMeter and "
634 "PartConformingFromMeter to convey metering results (where "
635 "the 'value' is the name of the meter) \n"
636 "- VlanId to describe the traffic's VLAN information (where "
637 "the 'value' is the VLAN ID). \n"
638 "An implementation is free to define and use other preamble "
639 "'types'. \n"
640 "\n"
641 "Note that a wildcard value of \"any\" is allowed to "
642 "indicate that the preamble entry matches for any 'value' of "
643 "the specified 'type'. For example, using the wildcard, an "
644 "administrator can define a filter to select all packets "
645 "that were found to be conforming ('type' = "
646 "\"ConformingFromMeter\") without having to name each meter "
647 "individually."),
648 ArrayType ( "Ordered" )]
649 string FilterItemList[];
650 };
651
652 karl 1.1
653 // ==================================================================
654 // FilterList
655 // ==================================================================
656 [Version ( "2.7.0" ), Description (
657 "A FilterList is used by network devices to identify routes by "
658 "aggregating a set of FilterEntries into a unit, called a "
659 "FilterList. FilterLists can also be used to accept or deny "
660 "routing updates. \n"
661 "\n"
662 "A FilterList is weak to the network device (i.e., the "
663 "ComputerSystem) that contains it. Hence, the ComputerSystem "
664 "keys are propagated to this class.")]
665 class CIM_FilterList : CIM_LogicalElement {
666
667 [Key, Propagated ( "CIM_ComputerSystem.CreationClassName" ),
668 Description (
669 "The scoping ComputerSystem's CreationClassName."),
670 MaxLen ( 256 )]
671 string SystemCreationClassName;
672
673 karl 1.1 [Key, Propagated ( "CIM_ComputerSystem.Name" ), Description (
674 "The scoping ComputerSystem's Name."),
675 MaxLen ( 256 )]
676 string SystemName;
677
678 [Key, Description (
679 "The type of class that this instance is.")]
680 string CreationClassName;
681
682 [Key, Override ( "Name" ), Description (
683 "This is the name of the FilterList."),
684 MaxLen ( 256 )]
685 string Name;
686
687 [Description (
688 "This defines whether the FilterList is used for input, "
689 "output, or both input and output filtering. All values are "
690 "used with respect to the interface for which the FilterList "
691 "applies. \n"
692 "\n"
693 "\"Not Applicable\" (0) is used when there is no direction "
694 karl 1.1 "applicable to the FilterList. \"Input\" (1) is used when "
695 "the FilterList applies to packets that are inbound on the "
696 "related interface. \"Output\" (2) is used when the "
697 "FilterList applies to packets that are outbound on the "
698 "related interface. \"Both\" (3) is used to indicate that "
699 "the direction is immaterial, e.g., to filter on a source "
700 "subnet regardless of whether the flow is inbound or "
701 "outbound. \"Mirrored\" (4) is also applicable to both "
702 "inbound and outbound flow processing, but indicates that "
703 "the filter criteria are applied asymmetrically to traffic "
704 "in both directions and, thus, specifies the reversal of "
705 "source and destination criteria (as opposed to the equality "
706 "of these criteria as indicated by \"Both\"). The match "
707 "conditions in the aggregated FilterEntryBase subclass "
708 "instances are defined from the perspective of outbound "
709 "flows and applied to inbound flows as well by reversing the "
710 "source and destination criteria. So, for example, consider "
711 "a FilterList with 3 FilterEntries indicating destination "
712 "port = 80, and source and destination addresses of a and b, "
713 "respectively. Then, for the outbound direction, the filter "
714 "entries match as specified and the 'mirror' (for the "
715 karl 1.1 "inbound direction) matches on source port = 80 and source "
716 "and destination addresses of b and a, respectively."),
717 ValueMap { "0", "1", "2", "3", "4" },
718 Values { "Not Applicable", "Input", "Output", "Both",
719 "Mirrored" }]
720 uint16 Direction;
721 };
722
723
724 // ==================================================================
725 // FilterEntryInSystem
726 // ==================================================================
727 [Association, Deprecated { "CIM_HostedFilterEntryBase" },
728 Aggregation, Version ( "2.7.0" ), Description (
729 "All filter entries (FilterEntryBase and its subclasses) are "
730 "defined in the context of a ComputerSystem/network device, "
731 "where they are used to identify and act on network traffic. "
732 "Note that this class is deprecated since its subclassing is "
733 "not correct. It subclasses from System Component, but a "
734 "FilterEntryBase is NOT a Component of a System. Instead, it is "
735 "hosted/scoped by the System. In versions up to CIM 2.6, "
736 karl 1.1 "FilterEntryInSystem was a mandatory, Weak relationship. This "
737 "is no longer true, beginning with CIM V2.7.")]
738 class CIM_FilterEntryInSystem : CIM_SystemComponent {
739
740 [Deprecated { "CIM_HostedFilterEntryBase.Antecedent" }, Aggregate,
741 Override ( "GroupComponent" ), Max ( 1 ), Description (
742 "The ComputerSystem/network device that scopes the "
743 "FilterEntryBase.")]
744 CIM_ComputerSystem REF GroupComponent;
745
746 [Deprecated { "CIM_HostedFilterEntryBase.Dependent" },
747 Override ( "PartComponent" ), Description (
748 "The FilterEntryBase on the System.")]
749 CIM_FilterEntryBase REF PartComponent;
750 };
751
752
753 // ==================================================================
754 // FilterListInSystem
755 // ==================================================================
756 [Association, Deprecated { "CIM_HostedFilterList" }, Aggregation,
757 karl 1.1 Version ( "2.7.0" ), Description (
758 "FilterLists are defined in the context of a ComputerSystem "
759 "(e.g., a router, firewall or host). Note that this class is "
760 "deprecated since its subclassing is not correct. It subclasses "
761 "from SystemComponent, but a FilterList is NOT a Component of a "
762 "System. Instead, it is hosted/scoped by the System. In "
763 "versions up to CIM 2.6, FilterListInSystem was a mandatory, "
764 "Weak relationship. This is no longer true, beginning with CIM "
765 "V2.7.")]
766 class CIM_FilterListInSystem : CIM_SystemComponent {
767
768 [Deprecated { "CIM_HostedFilterList.Antecedent" }, Aggregate,
769 Override ( "GroupComponent" ), Max ( 1 ), Description (
770 "The ComputerSystem/network device that scopes the "
771 "FilterList and administers it.")]
772 CIM_ComputerSystem REF GroupComponent;
773
774 [Deprecated { "CIM_HostedFilterList.Dependent" },
775 Override ( "PartComponent" ), Description (
776 "The FilterList on the System.")]
777 CIM_FilterList REF PartComponent;
778 karl 1.1 };
779
780
781 // ==================================================================
782 // HostedFilterEntryBase
783 // ==================================================================
784 [Association, Version ( "2.7.0" ), Description (
785 "All filter entries (FilterEntryBase and its subclasses) are "
786 "defined in the context of a ComputerSystem/network device, "
787 "where the filter entries are used and administered.")]
788 class CIM_HostedFilterEntryBase : CIM_HostedDependency {
789
790 [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
791 "The ComputerSystem/network device that scopes the "
792 "FilterEntryBase.")]
793 CIM_ComputerSystem REF Antecedent;
794
795 [Override ( "Dependent" ), Weak, Description (
796 "The FilterEntryBase on the System.")]
797 CIM_FilterEntryBase REF Dependent;
798 };
799 karl 1.1
800
801 // ==================================================================
802 // HostedFilterList
803 // ==================================================================
804 [Association, Version ( "2.7.0" ), Description (
805 "FilterLists are defined in the context of a ComputerSystem/ "
806 "network device, where the list is used and administered.")]
807 class CIM_HostedFilterList : CIM_HostedDependency {
808
809 [Override ( "Antecedent" ), Min ( 1 ), Max ( 1 ), Description (
810 "The ComputerSystem/network device that scopes the "
811 "FilterList.")]
812 CIM_ComputerSystem REF Antecedent;
813
814 [Override ( "Dependent" ), Weak, Description (
815 "The FilterList on the System.")]
816 CIM_FilterList REF Dependent;
817 };
818
819
820 karl 1.1 // ==================================================================
821 // EntriesInFilterList
822 // ==================================================================
823 [Association, Aggregation, Version ( "2.7.0" ), Description (
824 "This is a specialization of the CIM_Component aggregation "
825 "which is used to define a set of filter entries (subclasses of "
826 "FilterEntryBase) that are aggregated by a particular "
827 "FilterList.")]
828 class CIM_EntriesInFilterList : CIM_Component {
829
830 [Aggregate, Override ( "GroupComponent" ), Max ( 1 ),
831 Description (
832 "The FilterList, which aggregates the set of FilterEntries.")]
833 CIM_FilterList REF GroupComponent;
834
835 [Override ( "PartComponent" ), Description (
836 "Any subclass of FilterEntryBase which is a part of the "
837 "FilterList.")]
838 CIM_FilterEntryBase REF PartComponent;
839
840 [Description (
841 karl 1.1 "The order of the Entry relative to all others in the "
842 "FilterList. The only permissible value is zero - indicating "
843 "that all the Entries are ANDed together."),
844 ValueMap { "0" }]
845 uint16 EntrySequence = 0;
846 };
847
848 // ==================================================================
849 // X509CredentialFilterEntry
850 // ==================================================================
851 [Version ( "2.8.0" ), Description (
852 "An X509CredentialFilterEntry allows filtering on the "
853 "attributes of an X.509 certificate. Each instance includes a "
854 "value for MatchFieldName that specifies the particular X.509 "
855 "attribute that is being matched."),
856 MappingStrings { "IPSP Policy Model.IETF|CredentialFilterEntry" }]
857 class CIM_X509CredentialFilterEntry : CIM_FilterEntryBase {
858
859 [Required, Description (
860 "MatchFieldName specifies the X.509 attribute to match "
861 "against MatchFieldValue. Note that this enumeration is "
862 karl 1.1 "modified from the IETF's IPSP Policy Model to explicitly "
863 "list the 'standard' X.509 attributes."),
864 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
865 "..", "x8000.." },
866 Values { "Other", "Version", "Serial Number",
867 "Signature Algorithm Identifier", "Issuer Name",
868 "Validity Period", "Subject Name", "Subject Public Key Info",
869 "Key Usage", "Alternate Name", "DMTF Reserved",
870 "Vendor Reserved" },
871 MappingStrings { "IPSP Policy Model.IETF|"
872 "CredentialFilterEntry.MatchFieldName" },
873 ModelCorrespondence {
874 "CIM_X509CredentialFilterEntry.MatchFieldValue" }]
875 string MatchFieldName;
876
877 [Required, Description (
878 "MatchFieldValue specifies the value to compare with the "
879 "credential attribute (defined in MatchFieldName), to "
880 "determine if the credential matches this filter entry. An "
881 "implementation must convert this string to a DER- encoded "
882 "string before matching against the values extracted from "
883 karl 1.1 "credentials at runtime. \n"
884 "\n"
885 "Note that a wildcard mechanism may be used when "
886 "MatchFieldName specifies a general character string (for "
887 "example, if MatchFieldName=7, 'Subject Name'). "
888 "MatchFieldValue may contain a wildcard character, '*', in "
889 "the pattern match specification. For example, for 'Subject "
890 "Name', a MatchFieldValue of "
891 "'cn=*,ou=engineering,o=foo,c=be' will successfully match a "
892 "certificate whose subject attribute is "
893 "'cn=JaneDoe,ou=engineering,o=foo,c=be'. A wildcard can be "
894 "used to represent 0 or more characters as would be "
895 "displayed to the user (i.e., a wildcard pattern match "
896 "operates on displayable character boundaries)."),
897 MappingStrings { "IPSP Policy Model.IETF|"
898 "CredentialFilterEntry.MatchFieldName" },
899 ModelCorrespondence {
900 "CIM_X509CredentialFilterEntry.MatchFieldName" }]
901 string MatchFieldValue;
902 };
903
904 karl 1.1 // (Note that the IPSOFilterEntry is changed from the IPSP Model
905 // definition -
906 // since the IPSP class allows matching on either classification level
907 // or
908 // protection authority, but not both - and is confusing wrt the
909 // enumerated
910 // "values" (combining both classification level and protection
911 // authority into
912 // a single enum). Also, the enumerations start at 1 which is reserved
913 // for 'Other',
914 // and should be an array for ProtectionAuthority. These problems are
915 // corrected
916 // in the class below
917
918 // ==================================================================
919 // IPSOFilterEntry
920 // ==================================================================
921 [Version ( "2.8.0" ), Description (
922 "An IPSOFilterEntry is used to match traffic based on the IP "
923 "Security Options header values (ClassificationLevel and "
924 "ProtectionAuthority) as defined in RFC1108. This type of "
925 karl 1.1 "FilterEntry is used to adjust the IPsec encryption level "
926 "according to the IPSO classification of the traffic (e.g., "
927 "secret, confidential, restricted, etc.)."),
928 MappingStrings { "IPSP Policy Model.IETF|IPSOFilterEntry" }]
929 class CIM_IPSOFilterEntry : CIM_FilterEntryBase {
930
931 [Required, Description (
932 "MatchConditionType specifies whether to match based on "
933 "traffic classification level, protection authority or both. "
934 "Note that this enumeration is modified from its definition "
935 "in the IETF's IPSP Policy Model to allow for both "
936 "classification level and protection authority checking, and "
937 "to allow the enumerated value, \"Other\", to be added in "
938 "the future."),
939 ValueMap { "2", "3", "4" },
940 Values { "Classification Level", "Protection Authority",
941 "Both Classification Level and Protection Authority" },
942 MappingStrings { "IPSP Policy Model.IETF|"
943 "IPSOFilterEntry.MatchConditionType" },
944 ModelCorrespondence { "CIM_IPSOFilterEntry.ClassificationLevel",
945 "CIM_IPSOFilterEntry.ProtectionAuthorities" }]
946 karl 1.1 uint16 MatchConditionType;
947
948 [Required, Description (
949 "This is the value to be matched when MatchConditionType is "
950 "1 or 3 - meaning that \"Classification Level\" should be "
951 "filtered. In RFC1108, the following semantics are "
952 "specified: TopSecret, Secret, Confidential, and "
953 "Unclassified. Note that this enumeration's values are "
954 "different than the RFC list and the IETF's IPSP Policy "
955 "Model since those lists are simply bit maps, and do not "
956 "include specific values for \"Other\" or \"No Filtering\"."),
957 ValueMap { "1", "2", "3", "4", "5", "6", "..", "0x8000.." },
958 Values { "Other", "No Filtering on Classification Level",
959 "Top Secret", "Secret", "Confidential", "Unclassified",
960 "DMTF Reserved", "Vendor Reserved" },
961 MappingStrings { "IPSP Policy Model.IETF|"
962 "IPSOFilterEntry.MatchConditionValue",
963 "RFC1108.IETF|Section 2.3" },
964 ModelCorrespondence { "CIM_IPSOFilterEntry.MatchConditionType",
965 "CIM_IPSOFilterEntry.OtherClassificationLevel" }]
966 uint16 ClassificationLevel;
967 karl 1.1
968 [Description (
969 "Description of the level when the value 1 (\"Other\") is "
970 "specified for the property, ClassificationLevel."),
971 ModelCorrespondence { "CIM_IPSOFilterEntry.ClassificationLevel"
972 }]
973 string OtherClassificationLevel;
974
975 [Required, Description (
976 "These are the values to be matched when MatchConditionType "
977 "is 2 or 3 - meaning that \"Protection Authority\" should be "
978 "filtered. In RFC1108, the following authorities are "
979 "specified: GENSER, SIOP-ESI, SCI, NSA and DOE. Note that "
980 "multiple authorities may be specified. \n"
981 "\n"
982 "This enumeration is modified from its definition in the RFC "
983 "and IETF's IPSP Policy Model. Those lists are simply bit "
984 "maps, and do not include specific values for \"Other\" or "
985 "\"No Filtering\"."),
986 ValueMap { "1", "2", "3", "4", "5", "6", "7", "..", "0x8000.." },
987 Values { "Other", "No Filtering on Protection Authority",
988 karl 1.1 "GENSER", "SIOP-ESI", "SCI", "NSA", "DOE", "DMTF Reserved",
989 "Vendor Reserved" },
990 MappingStrings { "IPSP Policy Model.IETF|"
991 "IPSOFilterEntry.MatchConditionValue",
992 "RFC1108.IETF|Section 2.4" },
993 ModelCorrespondence { "CIM_IPSOFilterEntry.MatchConditionType",
994 "CIM_IPSOFilterEntry.OtherProtectionAuthorities" }]
995 uint16 ProtectionAuthorities[];
996
997 [Description (
998 "Description of the authority when the value 1 (\"Other\") "
999 "is specified for the property, ProtectionAuthorities."),
1000 ModelCorrespondence {
1001 "CIM_IPSOFilterEntry.ProtectionAuthorities" }]
1002 string OtherProtectionAuthorities[];
1003 };
1004
1005
1006 // Note that the PeerIDPayloadFilterEntry is changed from the IPSP Model
1007 // definition - since the 'Type' enumeration starts at 1 in the IPSP
1008 // draft,
1009 karl 1.1 // which is reserved for 'Other'
1010
1011
1012 // ==================================================================
1013 // PeerIDPayloadFilterEntry
1014 // ==================================================================
1015 [Version ( "2.8.0" ), Description (
1016 "PeerIDPayloadFilterEntry defines filters used to match the "
1017 "Identification Type field in the ID Payload of the IKE "
1018 "protocol exchange. It permits the specification of ID values "
1019 "such as \"*@example.com\" or \"192.0.2.0/24\"."),
1020 MappingStrings { "IPSP Policy Model.IETF|PeerIDPayloadFilterEntry"
1021 }]
1022 class CIM_PeerIDPayloadFilterEntry : CIM_FilterEntryBase {
1023
1024 [Required, Description (
1025 "MatchIdentityType specifies the Identification Type "
1026 "provided by the peer in the payload. The list of identities "
1027 "was generated from Section 4.6.2.1 of RFC2407. Note that "
1028 "the enumeration is different than the RFC list, since the "
1029 "value 'Other' is taken into account."),
1030 karl 1.1 ValueMap { "1", "2", "3", "4", "5", "6", "7", "8", "9", "10",
1031 "11", "12", "..", "0x8000.." },
1032 Values { "Other", "IPV4 Address", "FQDN", "User FQDN",
1033 "IPV4 Subnet Address", "IPV6 Address", "IPV6 Subnet Address",
1034 "IPV4 Address Range", "IPV6 Address Range", "DER ASN1 DN",
1035 "DER ASN1 GN", "KEY ID", "DMTF Reserved", "Vendor Reserved" },
1036 MappingStrings { "IPSP Policy Model.IETF|"
1037 "PeerIDPayloadFilterEntry.MatchIdentityType",
1038 "RFC2407.IETF|Section 4.6.2.1" },
1039 ModelCorrespondence {
1040 "CIM_PeerIDPayloadFilterEntry.MatchIdentityValue" }]
1041 uint16 MatchIdentityType;
1042
1043 [Required, Description (
1044 "MatchIdentityValue is the filter value for comparison with "
1045 "the ID payload, e,g, \"*@company.com\". The syntax may need "
1046 "to be converted for comparison. For example, if the type of "
1047 "identity is a DER-encoded distinguished name, (for example, "
1048 "MatchIdentityType = 10, \"DER_ASN1_DN\"), the "
1049 "MatchIdentityValue MUST be converted into a DER-encoded "
1050 "string. This allows it to be matched against the values "
1051 karl 1.1 "extracted from the ID payload at runtime. \n"
1052 "\n"
1053 "Note that a wildcard mechanism may be used when "
1054 "MatchIdentityType specifies a general character string (for "
1055 "example, if MatchIdentityType=3, 'FQDN'). MatchFieldValue "
1056 "may contain a wildcard character, '*', in the pattern match "
1057 "specification. For example, for 'FQDN', a MatchFieldValue "
1058 "of '*@example.com' will successfully match an ID payload of "
1059 "'janedoe@example.com'. A wildcard can be used to represent "
1060 "0 or more characters as is appropriate for the type "
1061 "specified in MatchIdentityType."),
1062 MappingStrings { "IPSP Policy Model.IETF|"
1063 "PeerIDPayloadFilterEntry.MatchIdentityValue" },
1064 ModelCorrespondence {
1065 "CIM_PeerIDPayloadFilterEntry.MatchIdentityType" }]
1066 string MatchIdentityValue;
1067 };
1068
1069 // ===================================================================
1070 // end of file
1071 // ===================================================================
|
Return to
Network_Filtering.mof
CVS log
Up to [Pegasus] / pegasus / Schemas / CIMPrelim29