2 * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.netvirt.aclservice.utils;
11 import com.google.common.base.Optional;
12 import com.google.common.collect.Lists;
13 import com.google.common.net.InetAddresses;
14 import com.google.common.util.concurrent.ListenableFuture;
15 import java.math.BigInteger;
16 import java.net.InetAddress;
17 import java.net.UnknownHostException;
18 import java.util.ArrayList;
19 import java.util.Collection;
20 import java.util.Collections;
21 import java.util.HashMap;
22 import java.util.HashSet;
23 import java.util.Iterator;
24 import java.util.List;
26 import java.util.Map.Entry;
28 import java.util.SortedSet;
29 import java.util.TreeSet;
30 import java.util.concurrent.ExecutionException;
31 import java.util.concurrent.Future;
32 import javax.annotation.Nullable;
33 import javax.inject.Inject;
34 import javax.inject.Singleton;
35 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
36 import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
37 import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
38 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
39 import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
40 import org.opendaylight.controller.md.sal.common.api.data.TransactionCommitFailedException;
41 import org.opendaylight.genius.datastoreutils.SingleTransactionDataBroker;
42 import org.opendaylight.genius.infra.ManagedNewTransactionRunner;
43 import org.opendaylight.genius.infra.ManagedNewTransactionRunnerImpl;
44 import org.opendaylight.genius.interfacemanager.globals.InterfaceServiceUtil;
45 import org.opendaylight.genius.mdsalutil.ActionInfo;
46 import org.opendaylight.genius.mdsalutil.InstructionInfo;
47 import org.opendaylight.genius.mdsalutil.MDSALUtil;
48 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
49 import org.opendaylight.genius.mdsalutil.MetaDataUtil;
50 import org.opendaylight.genius.mdsalutil.NwConstants;
51 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
52 import org.opendaylight.genius.mdsalutil.actions.ActionNxConntrack;
53 import org.opendaylight.genius.mdsalutil.actions.ActionNxConntrack.NxCtAction;
54 import org.opendaylight.genius.mdsalutil.instructions.InstructionApplyActions;
55 import org.opendaylight.genius.mdsalutil.instructions.InstructionGotoTable;
56 import org.opendaylight.genius.mdsalutil.instructions.InstructionWriteMetadata;
57 import org.opendaylight.genius.mdsalutil.matches.MatchArpSpa;
58 import org.opendaylight.genius.mdsalutil.matches.MatchEthernetDestination;
59 import org.opendaylight.genius.mdsalutil.matches.MatchEthernetType;
60 import org.opendaylight.genius.mdsalutil.matches.MatchIcmpv6;
61 import org.opendaylight.genius.mdsalutil.matches.MatchIpProtocol;
62 import org.opendaylight.genius.mdsalutil.matches.MatchIpv4Destination;
63 import org.opendaylight.genius.mdsalutil.matches.MatchIpv4Source;
64 import org.opendaylight.genius.mdsalutil.matches.MatchIpv6Destination;
65 import org.opendaylight.genius.mdsalutil.matches.MatchIpv6Source;
66 import org.opendaylight.genius.mdsalutil.matches.MatchMetadata;
67 import org.opendaylight.genius.mdsalutil.matches.MatchUdpDestinationPort;
68 import org.opendaylight.genius.mdsalutil.matches.MatchUdpSourcePort;
69 import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchRegister;
70 import org.opendaylight.genius.mdsalutil.packet.IPProtocols;
71 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.MatchCriteria;
72 import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
73 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.AccessLists;
74 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.Ipv4Acl;
75 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
76 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclKey;
77 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
78 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
79 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
80 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
81 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpAddress;
82 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpPrefix;
83 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv4Prefix;
84 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv6Prefix;
85 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.Interfaces;
86 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.InterfacesState;
87 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
88 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.InterfaceKey;
89 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.MacAddress;
90 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
91 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
92 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.AllocateIdInput;
93 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.AllocateIdInputBuilder;
94 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.AllocateIdOutput;
95 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.CreateIdPoolInput;
96 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.CreateIdPoolInputBuilder;
97 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.DeleteIdPoolInput;
98 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.DeleteIdPoolInputBuilder;
99 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.IdManagerService;
100 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.ReleaseIdInput;
101 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.ReleaseIdInputBuilder;
102 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceInput;
103 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceInputBuilder;
104 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceOutput;
105 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
106 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceBindings;
107 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeBase;
108 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeEgress;
109 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceTypeFlowBased;
110 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflow;
111 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflowBuilder;
112 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.ServicesInfo;
113 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.ServicesInfoKey;
114 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
115 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesBuilder;
116 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesKey;
117 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
118 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.config.rev160806.AclserviceConfig;
119 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.AclPortsLookup;
120 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionBase;
121 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl;
122 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
123 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.PortsSubnetIpPrefixes;
124 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
125 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.AclPortsByIp;
126 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.AclPortsByIpKey;
127 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.acl.ports.by.ip.AclIpPrefixes;
128 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.acl.ports.by.ip.AclIpPrefixesKey;
129 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.acl.ports.by.ip.acl.ip.prefixes.PortIds;
130 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.acl.ports.by.ip.acl.ip.prefixes.PortIdsBuilder;
131 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.acl.ports.lookup.acl.ports.by.ip.acl.ip.prefixes.PortIdsKey;
132 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
133 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.ports.subnet.ip.prefixes.PortSubnetIpPrefixes;
134 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.ports.subnet.ip.prefixes.PortSubnetIpPrefixesKey;
135 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.ElanInstances;
136 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.ElanInterfaces;
137 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.instances.ElanInstance;
138 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.instances.ElanInstanceKey;
139 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.interfaces.ElanInterface;
140 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.interfaces.ElanInterfaceKey;
141 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg6;
142 import org.opendaylight.yangtools.yang.binding.DataObject;
143 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
144 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier.InstanceIdentifierBuilder;
145 import org.opendaylight.yangtools.yang.common.RpcResult;
146 import org.slf4j.Logger;
147 import org.slf4j.LoggerFactory;
150 public final class AclServiceUtils {
152 private static final Logger LOG = LoggerFactory.getLogger(AclServiceUtils.class);
153 public static final AclserviceConfig.DefaultBehavior DEFAULT_DENY = AclserviceConfig.DefaultBehavior.Deny;
154 public static final AclserviceConfig.DefaultBehavior DEFAULT_ALLOW = AclserviceConfig.DefaultBehavior.Allow;
156 private final DataBroker dataBroker;
157 private final ManagedNewTransactionRunner txRunner;
158 private final AclDataUtil aclDataUtil;
159 private final AclserviceConfig config;
160 private final IdManagerService idManager;
163 public AclServiceUtils(DataBroker dataBroker, AclDataUtil aclDataUtil, AclserviceConfig config,
164 IdManagerService idManager) {
165 this.dataBroker = dataBroker;
166 this.txRunner = new ManagedNewTransactionRunnerImpl(dataBroker);
167 this.aclDataUtil = aclDataUtil;
168 this.config = config;
169 this.idManager = idManager;
173 * Retrieves the Interface from the datastore.
174 * @param broker the data broker
175 * @param interfaceName the interface name
176 * @return the interface.
178 public static Optional<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
179 .Interface> getInterface(DataBroker broker, String interfaceName) {
180 return read(broker, LogicalDatastoreType.CONFIGURATION, getInterfaceIdentifier(interfaceName));
184 * Builds the interface identifier.
185 * @param interfaceName the interface name.
186 * @return the interface identifier.
188 public static InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
189 .interfaces.Interface> getInterfaceIdentifier(String interfaceName) {
190 return InstanceIdentifier.builder(Interfaces.class)
192 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
193 .Interface.class, new InterfaceKey(interfaceName)).build();
197 * Retrieves the object from the datastore.
198 * @param broker the data broker.
199 * @param datastoreType the data store type.
200 * @param path the wild card path.
201 * @param <T> type of DataObject
202 * @return the required object.
204 public static <T extends DataObject> Optional<T> read(
205 DataBroker broker, LogicalDatastoreType datastoreType, InstanceIdentifier<T> path) {
206 try (ReadOnlyTransaction tx = broker.newReadOnlyTransaction()) {
207 return tx.read(datastoreType, path).checkedGet();
208 } catch (ReadFailedException e) {
209 LOG.error("Failed to read InstanceIdentifier {} from {}", path, datastoreType, e);
210 return Optional.absent();
215 * Retrieves the acl matching the key from the data store.
217 * @param broker the data broker
218 * @param aclKey the acl key
221 public static Acl getAcl(DataBroker broker, String aclKey) {
222 return read(broker, LogicalDatastoreType.CONFIGURATION, getAclInstanceIdentifier(aclKey)).orNull();
225 /** Creates the Acl instance identifier.
227 * @param aclKey the acl key
228 * @return the instance identifier
230 public static InstanceIdentifier<Acl> getAclInstanceIdentifier(String aclKey) {
231 return InstanceIdentifier.builder(AccessLists.class).child(Acl.class, new AclKey(aclKey, Ipv4Acl.class))
236 * Get the data path number for the interface.
237 * @param interfaceManagerRpcService interfaceManagerRpcService instance.
238 * @param ifName the interface name.
241 public static BigInteger getDpnForInterface(OdlInterfaceRpcService interfaceManagerRpcService, String ifName) {
242 BigInteger nodeId = BigInteger.ZERO;
244 GetDpidFromInterfaceInput dpIdInput =
245 new GetDpidFromInterfaceInputBuilder().setIntfName(ifName).build();
246 Future<RpcResult<GetDpidFromInterfaceOutput>> dpIdOutput =
247 interfaceManagerRpcService.getDpidFromInterface(dpIdInput);
248 RpcResult<GetDpidFromInterfaceOutput> dpIdResult = dpIdOutput.get();
249 if (dpIdResult.isSuccessful()) {
250 nodeId = dpIdResult.getResult().getDpid();
252 LOG.error("Could not retrieve DPN Id for interface {}", ifName);
254 } catch (NullPointerException | InterruptedException | ExecutionException e) {
255 LOG.error("Exception when getting dpn for interface {}", ifName, e);
261 * Retrieves the interface state.
262 * @param dataBroker the data broker.
263 * @param interfaceName the interface name.
264 * @return the interface state.
266 public static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state
267 .Interface getInterfaceStateFromOperDS(DataBroker dataBroker, String interfaceName) {
268 InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
269 .interfaces.state.Interface> ifStateId = buildStateInterfaceId(interfaceName);
270 return MDSALUtil.read(LogicalDatastoreType.OPERATIONAL, ifStateId, dataBroker).orNull();
274 * Build the interface state.
275 * @param interfaceName the interface name.
276 * @return the interface state.
278 public static InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
279 .interfaces.state.Interface> buildStateInterfaceId(String interfaceName) {
280 InstanceIdentifierBuilder<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
281 .interfaces.state.Interface> idBuilder = InstanceIdentifier.builder(InterfacesState.class)
282 .child(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
283 .state.Interface.class, new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces
284 .rev140508.interfaces.state.InterfaceKey(interfaceName));
285 return idBuilder.build();
289 * Checks whether port security is enabled for the port.
290 * @param port the port.
291 * @return the port security is enabled/not.
293 public static boolean isPortSecurityEnabled(AclInterface port) {
294 return port.isPortSecurityEnabled();
298 * Checks whether port security is enabled for the port.
299 * @param port the port.
300 * @return the list of security groups.
302 public static List<Uuid> getInterfaceAcls(Interface port) {
304 LOG.error("Port is Null");
307 InterfaceAcl aclInPort = port.getAugmentation(InterfaceAcl.class);
308 if (aclInPort == null) {
309 LOG.error("getSecurityGroupInPortList: no security group associated}",
313 return aclInPort.getSecurityGroups();
317 * Retrieves the security rule attribute augmentation from the access list.
318 * @param ace the access list entry
319 * @return the security rule attributes
321 public static SecurityRuleAttr getAccesssListAttributes(Ace ace) {
323 LOG.error("Ace is Null");
326 SecurityRuleAttr aceAttributes = ace.getAugmentation(SecurityRuleAttr.class);
327 if (aceAttributes == null) {
328 LOG.error("Ace is null");
331 return aceAttributes;
335 * Returns the DHCP match.
337 * @param srcPort the source port.
338 * @param dstPort the destination port.
339 * @param lportTag the lport tag
340 * @param serviceMode ingress or egress service
341 * @return list of matches.
343 public static List<MatchInfoBase> buildDhcpMatches(int srcPort, int dstPort, int lportTag,
344 Class<? extends ServiceModeBase> serviceMode) {
345 List<MatchInfoBase> matches = new ArrayList<>(5);
346 matches.add(MatchEthernetType.IPV4);
347 matches.add(MatchIpProtocol.UDP);
348 matches.add(new MatchUdpDestinationPort(dstPort));
349 matches.add(new MatchUdpSourcePort(srcPort));
350 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
355 * Returns the DHCPv6 match.
357 * @param srcPort the source port.
358 * @param dstPort the destination port.
359 * @param lportTag the lport tag
360 * @param serviceMode ingress or egress
361 * @return list of matches.
363 public static List<MatchInfoBase> buildDhcpV6Matches(int srcPort, int dstPort, int lportTag,
364 Class<? extends ServiceModeBase> serviceMode) {
365 List<MatchInfoBase> matches = new ArrayList<>(6);
366 matches.add(MatchEthernetType.IPV6);
367 matches.add(MatchIpProtocol.UDP);
368 matches.add(new MatchUdpDestinationPort(dstPort));
369 matches.add(new MatchUdpSourcePort(srcPort));
370 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
375 * Returns the ICMPv6 match.
377 * @param icmpType the icmpv6-type.
378 * @param icmpCode the icmpv6-code.
379 * @param lportTag the lport tag
380 * @param serviceMode ingress or egress
381 * @return list of matches.
383 public static List<MatchInfoBase> buildIcmpV6Matches(int icmpType, int icmpCode, int lportTag,
384 Class<? extends ServiceModeBase> serviceMode) {
385 List<MatchInfoBase> matches = new ArrayList<>(6);
386 matches.add(MatchEthernetType.IPV6);
387 matches.add(MatchIpProtocol.ICMPV6);
389 matches.add(new MatchIcmpv6((short) icmpType, (short) icmpCode));
391 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
395 public static List<MatchInfoBase> buildBroadcastIpV4Matches(String ipAddr) {
396 List<MatchInfoBase> matches = new ArrayList<>(2);
397 matches.add(new MatchEthernetDestination(new MacAddress(AclConstants.BROADCAST_MAC)));
398 matches.addAll(AclServiceUtils.buildIpMatches(new IpPrefixOrAddress(ipAddr.toCharArray()),
399 MatchCriteria.MATCH_DESTINATION));
403 public static List<MatchInfoBase> buildL2BroadcastMatches() {
404 List<MatchInfoBase> matches = new ArrayList<>();
405 matches.add(new MatchEthernetDestination(new MacAddress(AclConstants.BROADCAST_MAC)));
410 * Builds the service id.
412 * @param interfaceName the interface name
413 * @param serviceIndex the service index
414 * @param serviceMode the service mode
415 * @return the instance identifier
417 public static InstanceIdentifier<BoundServices> buildServiceId(String interfaceName, short serviceIndex,
418 Class<? extends ServiceModeBase> serviceMode) {
419 return InstanceIdentifier.builder(ServiceBindings.class)
420 .child(ServicesInfo.class, new ServicesInfoKey(interfaceName, serviceMode))
421 .child(BoundServices.class, new BoundServicesKey(serviceIndex)).build();
425 * Gets the bound services.
427 * @param serviceName the service name
428 * @param servicePriority the service priority
429 * @param flowPriority the flow priority
430 * @param cookie the cookie
431 * @param instructions the instructions
432 * @return the bound services
434 public static BoundServices getBoundServices(String serviceName, short servicePriority, int flowPriority,
435 BigInteger cookie, List<Instruction> instructions) {
436 StypeOpenflowBuilder augBuilder = new StypeOpenflowBuilder().setFlowCookie(cookie).setFlowPriority(flowPriority)
437 .setInstruction(instructions);
438 return new BoundServicesBuilder().setKey(new BoundServicesKey(servicePriority)).setServiceName(serviceName)
439 .setServicePriority(servicePriority).setServiceType(ServiceTypeFlowBased.class)
440 .addAugmentation(StypeOpenflow.class, augBuilder.build()).build();
443 public static List<Uuid> getUpdatedAclList(List<Uuid> updatedAclList, List<Uuid> currentAclList) {
444 if (updatedAclList == null) {
445 return Collections.emptyList();
447 List<Uuid> newAclList = new ArrayList<>(updatedAclList);
448 if (currentAclList == null) {
451 List<Uuid> origAclList = new ArrayList<>(currentAclList);
452 for (Iterator<Uuid> iterator = newAclList.iterator(); iterator.hasNext();) {
453 Uuid updatedAclUuid = iterator.next();
454 for (Uuid currentAclUuid :origAclList) {
455 if (updatedAclUuid.getValue().equals(currentAclUuid.getValue())) {
463 public static List<AllowedAddressPairs> getUpdatedAllowedAddressPairs(
464 List<AllowedAddressPairs> updatedAllowedAddressPairs,
465 List<AllowedAddressPairs> currentAllowedAddressPairs) {
466 if (updatedAllowedAddressPairs == null) {
469 List<AllowedAddressPairs> newAllowedAddressPairs = new ArrayList<>(updatedAllowedAddressPairs);
470 if (currentAllowedAddressPairs == null) {
471 return newAllowedAddressPairs;
473 List<AllowedAddressPairs> origAllowedAddressPairs = new ArrayList<>(currentAllowedAddressPairs);
474 for (Iterator<AllowedAddressPairs> iterator = newAllowedAddressPairs.iterator(); iterator.hasNext();) {
475 AllowedAddressPairs updatedAllowedAddressPair = iterator.next();
476 for (AllowedAddressPairs currentAllowedAddressPair : origAllowedAddressPairs) {
477 if (updatedAllowedAddressPair.getKey().equals(currentAllowedAddressPair.getKey())) {
483 return newAllowedAddressPairs;
486 public static List<AllowedAddressPairs> getPortAllowedAddresses(Interface port) {
488 LOG.error("Port is Null");
491 InterfaceAcl aclInPort = port.getAugmentation(InterfaceAcl.class);
492 if (aclInPort == null) {
493 LOG.error("getSecurityGroupInPortList: no security group associated to Interface port: {}", port.getName());
496 return aclInPort.getAllowedAddressPairs();
499 public static BigInteger getDpIdFromIterfaceState(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf
500 .interfaces.rev140508.interfaces.state.Interface interfaceState) {
501 BigInteger dpId = null;
502 List<String> ofportIds = interfaceState.getLowerLayerIf();
503 if (ofportIds != null && !ofportIds.isEmpty()) {
504 NodeConnectorId nodeConnectorId = new NodeConnectorId(ofportIds.get(0));
505 dpId = BigInteger.valueOf(MDSALUtil.getDpnIdFromPortName(nodeConnectorId));
510 public static List<String> getIpBroadcastAddresses(List<IpPrefixOrAddress> cidrs) {
511 List<String> ipBroadcastAddresses = new ArrayList<>();
512 for (IpPrefixOrAddress cidr : cidrs) {
513 IpPrefix cidrIpPrefix = cidr.getIpPrefix();
514 if (cidrIpPrefix != null) {
515 Ipv4Prefix cidrIpv4Prefix = cidrIpPrefix.getIpv4Prefix();
516 if (cidrIpv4Prefix != null) {
517 ipBroadcastAddresses.add(getBroadcastAddressFromCidr(cidrIpv4Prefix.getValue()));
521 return ipBroadcastAddresses;
524 public static String getBroadcastAddressFromCidr(String cidr) {
525 String[] ipaddressValues = cidr.split("/");
526 int address = InetAddresses.coerceToInteger(InetAddresses.forString(ipaddressValues[0]));
527 int cidrPart = Integer.parseInt(ipaddressValues[1]);
529 for (int j = 0; j < cidrPart; ++j) {
530 netmask |= 1 << 31 - j;
532 int network = address & netmask;
533 int broadcast = network | ~netmask;
534 return InetAddresses.toAddrString(InetAddresses.fromInteger(broadcast));
538 * Builds the ip matches.
540 * @param ipPrefixOrAddress the ip prefix or address
541 * @param matchCriteria the source_ip or destination_ip used for the match
544 public static List<MatchInfoBase> buildIpMatches(IpPrefixOrAddress ipPrefixOrAddress,
545 MatchCriteria matchCriteria) {
546 List<MatchInfoBase> flowMatches = new ArrayList<>();
547 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
548 if (ipPrefix != null) {
549 Ipv4Prefix ipv4Prefix = ipPrefix.getIpv4Prefix();
550 if (ipv4Prefix != null) {
551 flowMatches.add(MatchEthernetType.IPV4);
552 if (!ipv4Prefix.getValue().equals(AclConstants.IPV4_ALL_NETWORK)) {
553 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv4Source(ipv4Prefix)
554 : new MatchIpv4Destination(ipv4Prefix));
557 flowMatches.add(MatchEthernetType.IPV6);
558 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv6Source(
559 ipPrefix.getIpv6Prefix()) : new MatchIpv6Destination(ipPrefix.getIpv6Prefix()));
562 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
563 if (ipAddress.getIpv4Address() != null) {
564 flowMatches.add(MatchEthernetType.IPV4);
565 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv4Source(
566 ipAddress.getIpv4Address().getValue(), "32") : new MatchIpv4Destination(
567 ipAddress.getIpv4Address().getValue(), "32"));
569 flowMatches.add(MatchEthernetType.IPV6);
570 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv6Source(
571 ipAddress.getIpv6Address().getValue() + "/128") : new MatchIpv6Destination(
572 ipAddress.getIpv6Address().getValue() + "/128"));
579 * Builds the arp ip matches.
580 * @param ipPrefixOrAddress the ip prefix or address
581 * @return the MatchInfoBase list
583 public static List<MatchInfoBase> buildArpIpMatches(IpPrefixOrAddress ipPrefixOrAddress) {
584 List<MatchInfoBase> flowMatches = new ArrayList<>();
585 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
586 if (ipPrefix != null) {
587 Ipv4Prefix ipv4Prefix = ipPrefix.getIpv4Prefix();
588 if (ipv4Prefix != null && !ipv4Prefix.getValue().equals(AclConstants.IPV4_ALL_NETWORK)) {
589 flowMatches.add(new MatchArpSpa(ipv4Prefix));
592 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
593 if (ipAddress != null && ipAddress.getIpv4Address() != null) {
594 flowMatches.add(new MatchArpSpa(ipAddress.getIpv4Address().getValue(), "32"));
600 public static MatchInfoBase buildRemoteAclTagMetadataMatch(Integer remoteAclTag) {
601 return new MatchMetadata(getRemoteAclTagMetadata(BigInteger.valueOf(remoteAclTag)),
602 MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
605 public static BigInteger getRemoteAclTagMetadata(BigInteger remoteAclTag) {
606 return remoteAclTag.shiftLeft(4);
610 * Does IPv4 address exists in the list of allowed address pair.
612 * @param aaps the allowed address pairs
613 * @return true, if successful
615 public static boolean doesIpv4AddressExists(List<AllowedAddressPairs> aaps) {
619 for (AllowedAddressPairs aap : aaps) {
620 IpPrefixOrAddress ipPrefixOrAddress = aap.getIpAddress();
621 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
622 if (ipPrefix != null) {
623 if (ipPrefix.getIpv4Prefix() != null) {
627 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
628 if (ipAddress != null && ipAddress.getIpv4Address() != null) {
637 * Does IPv6 address exists in the list of allowed address pair.
639 * @param aaps the allowed address pairs
640 * @return true, if successful
642 public static boolean doesIpv6AddressExists(List<AllowedAddressPairs> aaps) {
646 for (AllowedAddressPairs aap : aaps) {
647 IpPrefixOrAddress ipPrefixOrAddress = aap.getIpAddress();
648 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
649 if (ipPrefix != null) {
650 if (ipPrefix.getIpv6Prefix() != null) {
654 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
655 if (ipAddress != null && ipAddress.getIpv6Address() != null) {
664 * Gets the lport tag match.
665 * Ingress match is based on metadata and egress match is based on masked reg6
667 * @param lportTag the lport tag
668 * @param serviceMode ingress or egress service mode
669 * @return the lport tag match
671 public static MatchInfoBase buildLPortTagMatch(int lportTag, Class<? extends ServiceModeBase> serviceMode) {
672 if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeEgress.class)) {
673 return new NxMatchRegister(NxmNxReg6.class, MetaDataUtil.getLportTagForReg6(lportTag).longValue(),
674 MetaDataUtil.getLportTagMaskForReg6());
676 return new MatchMetadata(MetaDataUtil.getLportTagMetaData(lportTag), MetaDataUtil.METADATA_MASK_LPORT_TAG);
680 public static List<MatchInfoBase> buildMatchesForLPortTagAndRemoteAclTag(Integer lportTag, Integer remoteAclTag,
681 Class<? extends ServiceModeBase> serviceMode) {
682 List<MatchInfoBase> matches = new ArrayList<>();
683 if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeEgress.class)) {
684 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
685 matches.add(AclServiceUtils.buildRemoteAclTagMetadataMatch(remoteAclTag));
687 // In case of ingress service mode, only metadata is used for
688 // matching both lportTag and aclTag. Hence performing "or"
689 // operation on both lportTag and aclTag metadata.
690 BigInteger metaData = MetaDataUtil.getLportTagMetaData(lportTag)
691 .or(getRemoteAclTagMetadata(BigInteger.valueOf(remoteAclTag)));
692 BigInteger metaDataMask =
693 MetaDataUtil.METADATA_MASK_LPORT_TAG.or(MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
694 matches.add(new MatchMetadata(metaData, metaDataMask));
699 public static Collection<? extends MatchInfoBase> buildMatchesForLPortTagAndConntrackClassifierType(int lportTag,
700 AclConntrackClassifierType conntrackClassifierType, Class<? extends ServiceModeBase> serviceMode) {
701 List<MatchInfoBase> matches = new ArrayList<>();
702 if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeEgress.class)) {
703 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
704 matches.add(AclServiceUtils.buildAclConntrackClassifierTypeMatch(conntrackClassifierType));
706 // In case of ingress service mode, only metadata is used for
707 // matching both lportTag and conntrackClassifierType. Hence performing "or"
708 // operation on both lportTag and conntrackClassifierType metadata.
709 BigInteger metaData = MetaDataUtil.getLportTagMetaData(lportTag)
710 .or(MetaDataUtil.getAclConntrackClassifierTypeFromMetaData(conntrackClassifierType.getValue()));
711 BigInteger metaDataMask =
712 MetaDataUtil.METADATA_MASK_LPORT_TAG.or(MetaDataUtil.METADATA_MASK_ACL_CONNTRACK_CLASSIFIER_TYPE);
713 matches.add(new MatchMetadata(metaData, metaDataMask));
718 public static InstructionWriteMetadata getWriteMetadataForAclClassifierType(
719 AclConntrackClassifierType conntrackClassifierType) {
720 return new InstructionWriteMetadata(
721 MetaDataUtil.getAclConntrackClassifierTypeFromMetaData(conntrackClassifierType.getValue()),
722 MetaDataUtil.METADATA_MASK_ACL_CONNTRACK_CLASSIFIER_TYPE);
725 public static InstructionWriteMetadata getWriteMetadataForRemoteAclTag(Integer remoteAclTag) {
726 return new InstructionWriteMetadata(getRemoteAclTagMetadata(BigInteger.valueOf(remoteAclTag)),
727 MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
730 public static MatchInfoBase buildAclConntrackClassifierTypeMatch(
731 AclConntrackClassifierType conntrackSupportedType) {
732 return new MatchMetadata(
733 MetaDataUtil.getAclConntrackClassifierTypeFromMetaData(conntrackSupportedType.getValue()),
734 MetaDataUtil.METADATA_MASK_ACL_CONNTRACK_CLASSIFIER_TYPE);
737 public AclserviceConfig getConfig() {
741 public static boolean isIPv4Address(AllowedAddressPairs aap) {
742 IpPrefixOrAddress ipPrefixOrAddress = aap.getIpAddress();
743 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
744 if (ipPrefix != null) {
745 if (ipPrefix.getIpv4Prefix() != null) {
749 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
750 if (ipAddress != null && ipAddress.getIpv4Address() != null) {
757 public static Map<String, List<MatchInfoBase>> getFlowForAllowedAddresses(
758 List<AllowedAddressPairs> syncAllowedAddresses, Map<String, List<MatchInfoBase>> flowMatchesMap,
759 boolean isSourceIpMacMatch) {
760 if (flowMatchesMap == null) {
763 Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
764 MatchInfoBase ipv4Match = MatchEthernetType.IPV4;
765 MatchInfoBase ipv6Match = MatchEthernetType.IPV6;
766 for (Entry<String, List<MatchInfoBase>> entry : flowMatchesMap.entrySet()) {
767 String flowName = entry.getKey();
768 List<MatchInfoBase> flows = entry.getValue();
769 // iterate over allow address pair and update match type
770 for (AllowedAddressPairs aap : syncAllowedAddresses) {
771 List<MatchInfoBase> matchInfoBaseList;
773 if (flows.contains(ipv4Match) && isIPv4Address(aap) && isNotIpv4AllNetwork(aap)) {
774 matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
775 flowId = flowName + "_ipv4_remoteACL_interface_aap_" + getAapFlowId(aap);
776 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
777 } else if (flows.contains(ipv6Match) && !isIPv4Address(aap) && isNotIpv6AllNetwork(aap)) {
778 matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
779 flowId = flowName + "_ipv6_remoteACL_interface_aap_" + getAapFlowId(aap);
780 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
784 return updatedFlowMatchesMap;
787 public static boolean isNotIpv4AllNetwork(AllowedAddressPairs aap) {
788 IpPrefix ipPrefix = aap.getIpAddress().getIpPrefix();
789 if (ipPrefix != null && ipPrefix.getIpv4Prefix() != null
790 && ipPrefix.getIpv4Prefix().getValue().equals(AclConstants.IPV4_ALL_NETWORK)) {
796 protected static boolean isNotIpv6AllNetwork(AllowedAddressPairs aap) {
797 IpPrefix ipPrefix = aap.getIpAddress().getIpPrefix();
798 if (ipPrefix != null && ipPrefix.getIpv6Prefix() != null
799 && ipPrefix.getIpv6Prefix().getValue().equals(AclConstants.IPV6_ALL_NETWORK)) {
805 public static boolean isNotIpAllNetwork(AllowedAddressPairs aap) {
806 return isNotIpv4AllNetwork(aap) && isNotIpv6AllNetwork(aap);
809 private static String getAapFlowId(AllowedAddressPairs aap) {
810 return aap.getMacAddress().getValue() + "_" + String.valueOf(aap.getIpAddress().getValue());
813 public static Long getElanIdFromInterface(String elanInterfaceName,DataBroker broker) {
814 ElanInterface elanInterface = getElanInterfaceByElanInterfaceName(elanInterfaceName, broker);
815 if (null != elanInterface) {
816 ElanInstance elanInfo = getElanInstanceByName(elanInterface.getElanInstanceName(), broker);
817 return elanInfo.getElanTag();
822 public static ElanInterface getElanInterfaceByElanInterfaceName(String elanInterfaceName,DataBroker broker) {
823 InstanceIdentifier<ElanInterface> elanInterfaceId = getElanInterfaceConfigurationDataPathId(elanInterfaceName);
824 return read(broker, LogicalDatastoreType.CONFIGURATION, elanInterfaceId).orNull();
827 public static InstanceIdentifier<ElanInterface> getElanInterfaceConfigurationDataPathId(String interfaceName) {
828 return InstanceIdentifier.builder(ElanInterfaces.class)
829 .child(ElanInterface.class, new ElanInterfaceKey(interfaceName)).build();
832 // elan-instances config container
833 public static ElanInstance getElanInstanceByName(String elanInstanceName, DataBroker broker) {
834 InstanceIdentifier<ElanInstance> elanIdentifierId = getElanInstanceConfigurationDataPath(elanInstanceName);
835 return read(broker, LogicalDatastoreType.CONFIGURATION, elanIdentifierId).orNull();
838 public static InstanceIdentifier<ElanInstance> getElanInstanceConfigurationDataPath(String elanInstanceName) {
839 return InstanceIdentifier.builder(ElanInstances.class)
840 .child(ElanInstance.class, new ElanInstanceKey(elanInstanceName)).build();
843 public static List<IpPrefixOrAddress> getSubnetIpPrefixes(DataBroker broker, String portId) {
844 InstanceIdentifier<PortSubnetIpPrefixes> id = InstanceIdentifier.builder(PortsSubnetIpPrefixes.class)
845 .child(PortSubnetIpPrefixes.class, new PortSubnetIpPrefixesKey(portId)).build();
846 Optional<PortSubnetIpPrefixes> portSubnetIpPrefixes = read(broker, LogicalDatastoreType.OPERATIONAL, id);
847 if (portSubnetIpPrefixes.isPresent()) {
848 return portSubnetIpPrefixes.get().getSubnetIpPrefixes();
853 public static void deleteSubnetIpPrefixes(DataBroker broker, String portId) {
854 InstanceIdentifier<PortSubnetIpPrefixes> id = InstanceIdentifier.builder(PortsSubnetIpPrefixes.class)
855 .child(PortSubnetIpPrefixes.class, new PortSubnetIpPrefixesKey(portId)).build();
856 MDSALUtil.syncDelete(broker, LogicalDatastoreType.OPERATIONAL, id);
859 private static List<MatchInfoBase> updateAAPMatches(boolean isSourceIpMacMatch, List<MatchInfoBase> flows,
860 AllowedAddressPairs aap) {
861 List<MatchInfoBase> matchInfoBaseList;
862 if (isSourceIpMacMatch) {
863 matchInfoBaseList = AclServiceUtils.buildIpMatches(aap.getIpAddress(), MatchCriteria.MATCH_SOURCE);
865 matchInfoBaseList = AclServiceUtils.buildIpMatches(aap.getIpAddress(), MatchCriteria.MATCH_DESTINATION);
867 matchInfoBaseList.addAll(flows);
868 return matchInfoBaseList;
871 public static MatchInfoBase getMatchInfoByType(List<MatchInfoBase> flows, Class<? extends NxMatchInfo> type) {
872 for (MatchInfoBase mib : flows) {
873 if (type.isAssignableFrom(mib.getClass())) {
880 public static boolean containsMatchFieldType(List<MatchInfoBase> flows, Class<? extends NxMatchInfo> type) {
881 return getMatchInfoByType(flows, type) != null;
884 public static boolean containsTcpMatchField(List<MatchInfoBase> flows) {
885 return flows.contains(MatchIpProtocol.TCP);
888 public static boolean containsUdpMatchField(List<MatchInfoBase> flows) {
889 return flows.contains(MatchIpProtocol.UDP);
892 public static Integer allocateId(IdManagerService idManager, String poolName, String idKey, Integer defaultId) {
893 AllocateIdInput getIdInput = new AllocateIdInputBuilder().setPoolName(poolName).setIdKey(idKey).build();
895 Future<RpcResult<AllocateIdOutput>> result = idManager.allocateId(getIdInput);
896 RpcResult<AllocateIdOutput> rpcResult = result.get();
897 if (rpcResult.isSuccessful()) {
898 Integer allocatedId = rpcResult.getResult().getIdValue().intValue();
899 LOG.debug("Allocated ACL ID: {} with key: {} into pool: {}", allocatedId, idKey, poolName);
902 LOG.error("RPC Call to Get Unique Id for key {} from pool {} returned with Errors {}",
903 idKey, poolName, rpcResult.getErrors());
905 } catch (InterruptedException | ExecutionException e) {
906 LOG.error("Exception when getting Unique Id for key {} from pool {} ", idKey, poolName, e);
911 public static void releaseId(IdManagerService idManager, String poolName, String idKey) {
912 ReleaseIdInput idInput = new ReleaseIdInputBuilder().setPoolName(poolName).setIdKey(idKey).build();
914 Future<RpcResult<Void>> result = idManager.releaseId(idInput);
915 RpcResult<Void> rpcResult = result.get();
916 if (!rpcResult.isSuccessful()) {
917 LOG.error("RPC Call to release Id with Key {} from pool {} returned with Errors {}",
918 idKey, poolName, rpcResult.getErrors());
920 LOG.debug("Released ACL ID with key: {} from pool: {}", idKey, poolName);
922 } catch (InterruptedException | ExecutionException e) {
923 LOG.error("Exception when releasing Id for key {} from pool {} ", idKey, poolName, e);
928 * Gets the ACL tag from cache. If not found in cache, tries to allocate and
931 * @param aclId the acl id
932 * @return the acl tag
934 public Integer getAclTag(final Uuid aclId) {
935 String aclName = aclId.getValue();
936 Integer aclTag = this.aclDataUtil.getAclTag(aclName);
937 if (aclTag == null) {
938 LOG.debug("ACL tag not found in cache for ACL={}, trying to allocate again.", aclName);
939 aclTag = allocateAclTag(aclName);
940 if (aclTag != null && aclTag != AclConstants.INVALID_ACL_TAG) {
941 this.aclDataUtil.addAclTag(aclName, aclTag);
950 * @param aclName the ACL name
951 * @return the integer
953 public Integer allocateAclTag(String aclName) {
954 Integer aclTag = AclServiceUtils.allocateId(this.idManager, AclConstants.ACL_TAG_POOL_NAME, aclName,
955 AclConstants.INVALID_ACL_TAG);
962 * @param aclName the ACL name
964 public void releaseAclTag(String aclName) {
965 AclServiceUtils.releaseId(this.idManager, AclConstants.ACL_TAG_POOL_NAME, aclName);
969 * Indicates whether the interface has port security enabled.
971 * @param aclInterface the interface.
972 * @return true if port is security enabled.
974 public static boolean isOfInterest(AclInterface aclInterface) {
975 return aclInterface != null && aclInterface.isPortSecurityEnabled();
979 * Creates the id pool for ACL tag.
981 * @param poolName the pool name
983 private void createIdPoolForAclTag(String poolName) {
984 CreateIdPoolInput createPool = new CreateIdPoolInputBuilder()
985 .setPoolName(poolName).setLow(AclConstants.ACL_TAG_POOL_START)
986 .setHigh(AclConstants.ACL_TAG_POOL_END).build();
988 Future<RpcResult<Void>> result = this.idManager.createIdPool(createPool);
989 if (result != null && result.get().isSuccessful()) {
990 LOG.debug("Created IdPool for {}", poolName);
992 } catch (InterruptedException | ExecutionException e) {
993 LOG.error("Failed to create ID pool [{}] for remote ACL ids", poolName, e);
994 throw new RuntimeException("Failed to create ID pool [{}] for remote ACL ids", e);
1001 * @param poolName the pool name
1003 public void deleteIdPool(String poolName) {
1004 DeleteIdPoolInput deletePool = new DeleteIdPoolInputBuilder().setPoolName(poolName).build();
1006 Future<RpcResult<Void>> result = this.idManager.deleteIdPool(deletePool);
1007 if (result != null && result.get().isSuccessful()) {
1008 LOG.debug("Deleted IdPool for {}", poolName);
1010 } catch (InterruptedException | ExecutionException e) {
1011 LOG.error("Failed to delete ID pool [{}]", poolName, e);
1012 throw new RuntimeException("Failed to delete ID pool [" + poolName + "]", e);
1017 * Creates remote the acl id pools.
1019 public void createRemoteAclIdPool() {
1020 createIdPoolForAclTag(AclConstants.ACL_TAG_POOL_NAME);
1024 * Delete remote the acl id pools.
1026 public void deleteRemoteAclIdPool() {
1027 deleteIdPool(AclConstants.ACL_TAG_POOL_NAME);
1030 public static List<? extends MatchInfoBase> buildIpAndSrcServiceMatch(Integer aclTag, AllowedAddressPairs aap) {
1031 List<MatchInfoBase> flowMatches = new ArrayList<>();
1032 flowMatches.add(buildRemoteAclTagMetadataMatch(aclTag));
1033 if (aap.getIpAddress().getIpAddress() != null) {
1034 if (aap.getIpAddress().getIpAddress().getIpv4Address() != null) {
1035 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1036 flowMatches.add(ipv4EthMatch);
1037 MatchIpv4Source srcMatch = new MatchIpv4Source(
1038 new Ipv4Prefix(aap.getIpAddress().getIpAddress().getIpv4Address().getValue() + "/32"));
1039 flowMatches.add(srcMatch);
1040 } else if (aap.getIpAddress().getIpAddress().getIpv6Address() != null) {
1041 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1042 flowMatches.add(ipv6EthMatch);
1043 MatchIpv6Source srcMatch = new MatchIpv6Source(
1044 new Ipv6Prefix(aap.getIpAddress().getIpAddress().getIpv6Address().getValue() + "/128"));
1045 flowMatches.add(srcMatch);
1047 } else if (aap.getIpAddress().getIpPrefix() != null) {
1048 if (aap.getIpAddress().getIpPrefix().getIpv4Prefix() != null) {
1049 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1050 flowMatches.add(ipv4EthMatch);
1051 MatchIpv4Source srcMatch = new MatchIpv4Source(aap.getIpAddress().getIpPrefix().getIpv4Prefix());
1052 flowMatches.add(srcMatch);
1053 } else if (aap.getIpAddress().getIpPrefix().getIpv6Prefix() != null) {
1054 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1055 flowMatches.add(ipv6EthMatch);
1056 MatchIpv6Source srcMatch = new MatchIpv6Source(aap.getIpAddress().getIpPrefix().getIpv6Prefix());
1057 flowMatches.add(srcMatch);
1063 public static List<? extends MatchInfoBase> buildIpAndDstServiceMatch(Integer aclTag, AllowedAddressPairs aap) {
1064 List<MatchInfoBase> flowMatches = new ArrayList<>();
1065 flowMatches.add(buildRemoteAclTagMetadataMatch(aclTag));
1067 if (aap.getIpAddress().getIpAddress() != null) {
1068 if (aap.getIpAddress().getIpAddress().getIpv4Address() != null) {
1069 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1070 flowMatches.add(ipv4EthMatch);
1071 MatchIpv4Destination dstMatch = new MatchIpv4Destination(
1072 new Ipv4Prefix(aap.getIpAddress().getIpAddress().getIpv4Address().getValue() + "/32"));
1073 flowMatches.add(dstMatch);
1074 } else if (aap.getIpAddress().getIpAddress().getIpv6Address() != null) {
1075 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1076 flowMatches.add(ipv6EthMatch);
1077 MatchIpv6Destination dstMatch = new MatchIpv6Destination(
1078 new Ipv6Prefix(aap.getIpAddress().getIpAddress().getIpv6Address().getValue() + "/128"));
1079 flowMatches.add(dstMatch);
1081 } else if (aap.getIpAddress().getIpPrefix() != null) {
1082 if (aap.getIpAddress().getIpPrefix().getIpv4Prefix() != null) {
1083 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1084 flowMatches.add(ipv4EthMatch);
1085 MatchIpv4Destination dstMatch =
1086 new MatchIpv4Destination(aap.getIpAddress().getIpPrefix().getIpv4Prefix());
1087 flowMatches.add(dstMatch);
1088 } else if (aap.getIpAddress().getIpPrefix().getIpv6Prefix() != null) {
1089 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1090 flowMatches.add(ipv6EthMatch);
1091 MatchIpv6Destination dstMatch =
1092 new MatchIpv6Destination(aap.getIpAddress().getIpPrefix().getIpv6Prefix());
1093 flowMatches.add(dstMatch);
1099 public static boolean isOfAclInterest(Acl acl) {
1100 if (acl.getAccessListEntries() != null) {
1101 List<Ace> aceList = acl.getAccessListEntries().getAce();
1102 if (aceList != null && !aceList.isEmpty()) {
1103 return aceList.get(0).getAugmentation(SecurityRuleAttr.class) != null;
1109 public static void addLportTagMetadataMatch(int lportTag, List<MatchInfoBase> flowMatches,
1110 Class<? extends ServiceModeBase> serviceMode) {
1111 MatchInfoBase lportMatch = buildLPortTagMatch(lportTag, serviceMode);
1112 InterfaceServiceUtil.mergeMetadataMatchsOrAdd(flowMatches, lportMatch);
1116 * Returns ACL specific key for synchronization.
1118 * @param key the generic key
1119 * @return ACL key that can be used with synchronization
1121 public static String getAclKeyForSynchronization(String key) {
1122 return key + AclConstants.ACL_SYNC_KEY_EXT;
1126 * Builds the ip protocol matches.
1128 * @param etherType the ether type
1129 * @param protocol the protocol
1130 * @return the list of matches.
1132 public static List<MatchInfoBase> buildIpProtocolMatches(MatchEthernetType etherType, IPProtocols protocol) {
1133 return Lists.newArrayList(etherType, new MatchIpProtocol(protocol.shortValue()));
1137 * Does ACE have remote group id.
1139 * @param aceAttr the ace attr
1140 * @return true, if successful
1142 public static boolean doesAceHaveRemoteGroupId(final SecurityRuleAttr aceAttr) {
1143 return aceAttr != null && aceAttr.getRemoteGroupId() != null;
1146 public SortedSet<Integer> getRemoteAclTags(List<Uuid> aclIds, Class<? extends DirectionBase> direction) {
1147 SortedSet<Integer> remoteAclTags = new TreeSet<>();
1148 Set<Uuid> remoteAclIds = getRemoteAclIdsByDirection(aclIds, direction);
1149 for (Uuid remoteAclId : remoteAclIds) {
1150 Integer remoteAclTag = getAclTag(remoteAclId);
1151 if (remoteAclTag != null && remoteAclTag != AclConstants.INVALID_ACL_TAG) {
1152 remoteAclTags.add(remoteAclTag);
1155 return remoteAclTags;
1158 public Set<Uuid> getRemoteAclIdsByDirection(List<Uuid> aclIds, Class<? extends DirectionBase> direction) {
1159 Set<Uuid> remoteAclIds = new HashSet<>();
1160 if (aclIds == null || aclIds.isEmpty()) {
1161 return remoteAclIds;
1164 for (Uuid aclId : aclIds) {
1165 Acl acl = this.aclDataUtil.getAcl(aclId.getValue());
1167 LOG.warn("ACL {} not found in cache.", aclId.getValue());
1170 remoteAclIds.addAll(getRemoteAclIdsByDirection(acl, direction));
1172 return remoteAclIds;
1175 public static Set<Uuid> getRemoteAclIdsByDirection(Acl acl, Class<? extends DirectionBase> direction) {
1176 Set<Uuid> remoteAclIds = new HashSet<>();
1177 AccessListEntries accessListEntries = acl.getAccessListEntries();
1178 if (accessListEntries != null && accessListEntries.getAce() != null) {
1179 for (Ace ace : accessListEntries.getAce()) {
1180 SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
1181 if (aceAttr.getDirection().equals(direction) && doesAceHaveRemoteGroupId(aceAttr)) {
1182 remoteAclIds.add(aceAttr.getRemoteGroupId());
1186 return remoteAclIds;
1190 * Skip delete in case of overlapping IP.
1193 * When there are multiple ports (e.g., p1, p2, p3) having same AAP (e.g.,
1194 * 224.0.0.5) configured which are part of single SG, there would be single
1195 * flow in remote ACL table. When one of these ports (say p1) is deleted,
1196 * the single flow which is configured in remote ACL table shouldn't be
1197 * deleted. It should be deleted only when there are no more references to
1200 * @param portId the port id
1201 * @param remoteAclId the remote Acl Id
1202 * @param ipPrefix the ip prefix
1203 * @param addOrRemove the add or remove
1204 * @return true, if successful
1206 public boolean skipDeleteInCaseOfOverlappingIP(String portId, Uuid remoteAclId, IpPrefixOrAddress ipPrefix,
1208 boolean skipDelete = false;
1209 if (addOrRemove != NwConstants.DEL_FLOW) {
1212 AclIpPrefixes aclIpPrefixes = getAclIpPrefixesFromOperDs(remoteAclId.getValue(), ipPrefix);
1213 if (aclIpPrefixes != null && aclIpPrefixes.getPortIds() != null) {
1214 List<String> ignorePorts = Lists.newArrayList(portId);
1215 List<PortIds> portIds = new ArrayList<>(aclIpPrefixes.getPortIds());
1216 // Checking if there are any other ports excluding ignorePorts
1217 long noOfRemotePorts =
1218 portIds.stream().map(x -> x.getPortId()).filter(y -> !ignorePorts.contains(y)).count();
1219 if (noOfRemotePorts > 0) {
1226 public static void deleteAclPortsLookupEntry(String aclName, DataBroker broker)
1227 throws TransactionCommitFailedException {
1228 SingleTransactionDataBroker.syncDelete(broker, LogicalDatastoreType.OPERATIONAL, aclPortsByIpPath(aclName));
1231 public static InstanceIdentifier<AclPortsByIp> aclPortsByIpPath(String aclName) {
1232 return InstanceIdentifier.builder(AclPortsLookup.class)
1233 .child(AclPortsByIp.class, new AclPortsByIpKey(aclName)).build();
1236 public static InstanceIdentifier<AclIpPrefixes> getAclIpPrefixesPath(String aclName, IpPrefixOrAddress ipPrefix) {
1237 return InstanceIdentifier.builder(AclPortsLookup.class).child(AclPortsByIp.class, new AclPortsByIpKey(aclName))
1238 .child(AclIpPrefixes.class, new AclIpPrefixesKey(ipPrefix)).build();
1241 public static InstanceIdentifier<PortIds> getPortIdsPathInAclPortsLookup(String ruleName,
1242 IpPrefixOrAddress ipPrefix, String portId) {
1243 return InstanceIdentifier.builder(AclPortsLookup.class).child(AclPortsByIp.class, new AclPortsByIpKey(ruleName))
1244 .child(AclIpPrefixes.class, new AclIpPrefixesKey(ipPrefix)).child(PortIds.class, new PortIdsKey(portId))
1248 public List<ListenableFuture<Void>> addAclPortsLookupForInterfaceUpdate(AclInterface portBefore,
1249 AclInterface portAfter) {
1250 List<ListenableFuture<Void>> futures = new ArrayList<>();
1251 LOG.debug("Processing interface additions for port {}", portAfter.getInterfaceId());
1252 List<AllowedAddressPairs> addedAllowedAddressPairs = getUpdatedAllowedAddressPairs(
1253 portAfter.getAllowedAddressPairs(), portBefore.getAllowedAddressPairs());
1254 if (addedAllowedAddressPairs != null && !addedAllowedAddressPairs.isEmpty()) {
1255 futures.addAll(addAclPortsLookup(portAfter, portAfter.getSecurityGroups(), addedAllowedAddressPairs));
1258 List<Uuid> addedAcls = getUpdatedAclList(portAfter.getSecurityGroups(), portBefore.getSecurityGroups());
1259 if (addedAcls != null && !addedAcls.isEmpty()) {
1260 futures.addAll(addAclPortsLookup(portAfter, addedAcls, portAfter.getAllowedAddressPairs()));
1265 public List<ListenableFuture<Void>> deleteAclPortsLookupForInterfaceUpdate(AclInterface portBefore,
1266 AclInterface portAfter) {
1267 List<ListenableFuture<Void>> futures = new ArrayList<>();
1268 LOG.debug("Processing interface removals for port {}", portAfter.getInterfaceId());
1269 List<AllowedAddressPairs> deletedAllowedAddressPairs = getUpdatedAllowedAddressPairs(
1270 portBefore.getAllowedAddressPairs(), portAfter.getAllowedAddressPairs());
1271 if (deletedAllowedAddressPairs != null && !deletedAllowedAddressPairs.isEmpty()) {
1272 futures.addAll(deleteAclPortsLookup(portAfter, portAfter.getSecurityGroups(), deletedAllowedAddressPairs));
1275 List<Uuid> deletedAcls = getUpdatedAclList(portBefore.getSecurityGroups(), portAfter.getSecurityGroups());
1276 if (deletedAcls != null && !deletedAcls.isEmpty()) {
1277 futures.addAll(deleteAclPortsLookup(portAfter, deletedAcls, portAfter.getAllowedAddressPairs()));
1282 public List<ListenableFuture<Void>> addAclPortsLookup(AclInterface port, List<Uuid> aclList,
1283 List<AllowedAddressPairs> allowedAddresses) {
1284 String portId = port.getInterfaceId();
1285 LOG.trace("Adding AclPortsLookup for port={}, acls={}, AAPs={}", portId, aclList, allowedAddresses);
1287 if (aclList == null || allowedAddresses == null || allowedAddresses.isEmpty()) {
1288 LOG.warn("aclList or allowedAddresses is null. port={}, acls={}, AAPs={}", portId, aclList,
1290 return Collections.emptyList();
1292 List<ListenableFuture<Void>> futures = new ArrayList<>();
1293 for (Uuid aclId : aclList) {
1294 String aclName = aclId.getValue();
1295 synchronized (aclName.intern()) {
1296 futures.add(txRunner.callWithNewWriteOnlyTransactionAndSubmit(tx -> {
1297 for (AllowedAddressPairs aap : allowedAddresses) {
1299 new PortIdsBuilder().setKey(new PortIdsKey(portId)).setPortId(portId).build();
1300 InstanceIdentifier<PortIds> path =
1301 AclServiceUtils.getPortIdsPathInAclPortsLookup(aclName, aap.getIpAddress(), portId);
1302 tx.put(LogicalDatastoreType.OPERATIONAL, path, portIdObj,
1303 WriteTransaction.CREATE_MISSING_PARENTS);
1311 public List<ListenableFuture<Void>> deleteAclPortsLookup(AclInterface port, List<Uuid> aclList,
1312 List<AllowedAddressPairs> allowedAddresses) {
1313 String portId = port.getInterfaceId();
1314 LOG.trace("Deleting AclPortsLookup for port={}, acls={}, AAPs={}", portId, aclList, allowedAddresses);
1316 if (aclList == null || allowedAddresses == null || allowedAddresses.isEmpty()) {
1317 LOG.warn("aclList or allowedAddresses is null. port={}, acls={}, AAPs={}", portId, aclList,
1319 return Collections.emptyList();
1321 List<ListenableFuture<Void>> futures = new ArrayList<>();
1322 for (Uuid aclId : aclList) {
1323 String aclName = aclId.getValue();
1324 synchronized (aclName.intern()) {
1325 futures.add(txRunner.callWithNewWriteOnlyTransactionAndSubmit(tx -> {
1326 for (AllowedAddressPairs aap : allowedAddresses) {
1327 InstanceIdentifier<PortIds> path =
1328 AclServiceUtils.getPortIdsPathInAclPortsLookup(aclName, aap.getIpAddress(), portId);
1329 tx.delete(LogicalDatastoreType.OPERATIONAL, path);
1332 cleanUpStaleEntriesInAclPortsLookup(aclName, tx);
1339 private void cleanUpStaleEntriesInAclPortsLookup(String aclName, WriteTransaction tx) {
1340 AclPortsByIp aclPortsByIp = getAclPortsByIpFromOperDs(aclName);
1341 if (aclPortsByIp == null) {
1344 boolean deleteEntireAcl;
1345 List<AclIpPrefixes> ipPrefixes = aclPortsByIp.getAclIpPrefixes();
1346 if (ipPrefixes == null || ipPrefixes.isEmpty()) {
1347 deleteEntireAcl = true;
1349 boolean deleteMap = true;
1350 for (AclIpPrefixes ipPrefix : ipPrefixes) {
1351 if (ipPrefix.getPortIds() != null && !ipPrefix.getPortIds().isEmpty()) {
1356 deleteEntireAcl = deleteMap;
1358 if (deleteEntireAcl) {
1359 tx.delete(LogicalDatastoreType.OPERATIONAL, AclServiceUtils.aclPortsByIpPath(aclName));
1361 for (AclIpPrefixes ipPrefix : ipPrefixes) {
1362 if (ipPrefix.getPortIds() == null || ipPrefix.getPortIds().isEmpty()) {
1363 InstanceIdentifier<AclIpPrefixes> delPath =
1364 AclServiceUtils.getAclIpPrefixesPath(aclName, ipPrefix.getIpPrefix());
1365 tx.delete(LogicalDatastoreType.OPERATIONAL, delPath);
1372 private AclPortsByIp getAclPortsByIpFromOperDs(String aclName) {
1373 InstanceIdentifier<AclPortsByIp> path = aclPortsByIpPath(aclName);
1374 try (ReadOnlyTransaction tx = dataBroker.newReadOnlyTransaction()) {
1375 return tx.read(LogicalDatastoreType.OPERATIONAL, path).checkedGet().orNull();
1376 } catch (ReadFailedException e) {
1377 LOG.error("Failed to read ACL ports {}", path, e);
1383 private AclIpPrefixes getAclIpPrefixesFromOperDs(String aclName, IpPrefixOrAddress ipPrefix) {
1384 InstanceIdentifier<AclIpPrefixes> path = getAclIpPrefixesPath(aclName, ipPrefix);
1385 try (ReadOnlyTransaction tx = dataBroker.newReadOnlyTransaction()) {
1386 return tx.read(LogicalDatastoreType.OPERATIONAL, path).checkedGet().orNull();
1387 } catch (ReadFailedException e) {
1388 LOG.error("Failed to read ACL IP prefixes {}", path, e);
1394 * Gets the ace flow priority.
1396 * @param aclName the acl name
1397 * @return the ace flow priority
1399 public Integer getAceFlowPriority(String aclName) {
1400 Integer priority = AclConstants.ACE_DEFAULT_PRIORITY;
1401 Integer aclTag = getAclTag(new Uuid(aclName));
1402 if (aclTag != null && aclTag != AclConstants.INVALID_ACL_TAG) {
1403 // To handle overlapping rules, aclTag is added to priority
1406 LOG.warn("aclTag=[] is null or invalid for aclName={}", aclTag, aclName);
1412 * Returns the hard timeout based on the protocol when a ACL rule removed from the instance.
1413 * It will returns the timeout configured in the {@link AclserviceConfig} class.
1415 * @param ace the ace
1416 * @param aclServiceUtils acl service utils
1417 * @return the hard time out
1419 public static Integer getHardTimoutForApplyStatefulChangeOnExistingTraffic(Ace ace,
1420 AclServiceUtils aclServiceUtils) {
1421 int hardTimeout = AclConstants.SECURITY_GROUP_ICMP_IDLE_TIME_OUT;
1422 Matches matches = ace.getMatches();
1423 AceIp acl = (AceIp) matches.getAceType();
1424 Short protocol = acl.getProtocol();
1425 if (protocol == null) {
1427 } else if (protocol == NwConstants.IP_PROT_TCP) {
1428 hardTimeout = aclServiceUtils.getConfig().getSecurityGroupTcpIdleTimeout();
1429 } else if (protocol == NwConstants.IP_PROT_UDP) {
1430 hardTimeout = aclServiceUtils.getConfig().getSecurityGroupUdpIdleTimeout();
1436 * This method creates and returns the ct_mark instruction when a ACL rule removed from the
1437 * instance. This instruction will reset the ct_mark value and stops the existing traffics.
1439 * @param filterTable the filterTable
1440 * @param elanId the Elan id
1441 * @return list of instruction
1443 public static List<InstructionInfo> createCtMarkInstructionForNewState(Short filterTable, Long elanId) {
1445 List<InstructionInfo> instructions = new ArrayList<>();
1446 List<ActionInfo> actionsInfos = new ArrayList<>();
1447 List<NxCtAction> ctActionsList = new ArrayList<>();
1448 NxCtAction nxCtMarkClearAction = new ActionNxConntrack.NxCtMark(AclConstants.CT_MARK_NEW_STATE);
1449 ctActionsList.add(nxCtMarkClearAction);
1451 ActionNxConntrack actionNxConntrack = new ActionNxConntrack(2, 1, 0, elanId.intValue(),
1452 (short) 255, ctActionsList);
1453 actionsInfos.add(actionNxConntrack);
1454 instructions.add(new InstructionApplyActions(actionsInfos));
1455 instructions.add(new InstructionGotoTable(filterTable));
1457 return instructions;
1460 public static List<AllowedAddressPairs> excludeMulticastAAPs(List<AllowedAddressPairs> allowedAddresses) {
1461 List<AllowedAddressPairs> filteredAAPs = new ArrayList<>();
1462 for (AllowedAddressPairs allowedAddress : allowedAddresses) {
1463 InetAddress inetAddr = getInetAddress(allowedAddress.getIpAddress());
1464 if (inetAddr != null && !inetAddr.isMulticastAddress()) {
1465 filteredAAPs.add(allowedAddress);
1468 return filteredAAPs;
1471 private static InetAddress getInetAddress(IpPrefixOrAddress ipPrefixOrAddress) {
1472 InetAddress inetAddress = null;
1475 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
1476 if (ipPrefix != null) {
1477 addr = String.valueOf(ipPrefix.getValue()).split("/")[0];
1479 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
1480 if (ipAddress == null) {
1481 LOG.error("Invalid address : {}", ipPrefixOrAddress);
1484 addr = String.valueOf(ipAddress.getValue());
1488 inetAddress = InetAddress.getByName(addr);
1489 } catch (UnknownHostException e) {
1490 LOG.error("Invalid address : {}", addr, e.getMessage());