Code Review / netvirt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Merge "L3: Add support for distributed arp responder and l3 forwarding"
[netvirt.git] / openstack / net-virt-providers / src / main / java / org / opendaylight / ovsdb / openstack / netvirt / providers / openflow13 / services / EgressAclService.java
1 /*
2  * Copyright (C) 2014 Red Hat, Inc.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  *
8  * Authors : Madhu Venugopal
9  */
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
11
12 import org.opendaylight.controller.networkconfig.neutron.NeutronSecurityGroup;
13 import org.opendaylight.controller.networkconfig.neutron.NeutronSecurityRule;
14 import org.opendaylight.controller.sal.core.Node;
15 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
16 import org.opendaylight.ovsdb.openstack.netvirt.api.EgressAclProvider;
17 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
18 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
19 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
20 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
21 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
22 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
24 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
25 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
33
34 import com.google.common.collect.Lists;
35
36 import org.slf4j.Logger;
37 import org.slf4j.LoggerFactory;
38
39 import java.math.BigInteger;
40 import java.util.List;
41
42 public class EgressAclService extends AbstractServiceInstance implements EgressAclProvider {
43
44     static final Logger logger = LoggerFactory.getLogger(EgressAclService.class);
45
46     public EgressAclService() {
47         super(Service.EGRESS_ACL);
48     }
49
50     public EgressAclService(Service service) {
51         super(service);
52     }
53
54
55     @Override
56     public boolean isBridgeInPipeline (String nodeId) {
57         return true;
58     }
59
60     @Override
61     public void programPortSecurityACL(Node node, Long dpid, String segmentationId, String attachedMac, long localPort,
62                                        NeutronSecurityGroup securityGroup) {
63
64         logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
65         List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
66         /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
67         for (NeutronSecurityRule portSecurityRule : portSecurityList) {
68             /**
69              * Neutron Port Security ACL "egress" and "IPv4"
70              *
71              * Check that the base conditions for flow based Port Security are true:
72              * Port Security Rule Direction ("egress") and Protocol ("IPv4")
73              * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
74              * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
75              *
76              */
77             if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
78                 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("egress")) {
79                 logger.debug("Egress IPV4 ACL  Port Security Rule: {} ", portSecurityRule);
80                 // ToDo: Implement Port Range
81
82                 /**
83                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
84                  */
85                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
86                     !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
87                     !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
88                     (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
89                      !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
90                              .equalsIgnoreCase("0.0.0.0/0"))) {
91                     logger.debug(
92                             "Rule #1 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
93                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
94                             portSecurityRule.getSecurityRulePortMax(),
95                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
96                     egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
97                                             Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
98                                             true);
99                     egressACLTcpPortWithPrefix(dpid, segmentationId,
100                                                attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
101                                                portSecurityRule.getSecurityRuleRemoteIpPrefix(),
102                                                Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
103                     continue;
104                 }
105                 /**
106                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
107                  */
108                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
109                     !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
110                     String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
111                     (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
112                      !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
113                              .equalsIgnoreCase("0.0.0.0/0"))) {
114                     logger.debug(
115                             "Rule #2 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
116                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
117                             portSecurityRule.getSecurityRulePortMax(),
118                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
119                     egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
120                                             Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
121                                             true);
122                     egressACLTcpPortWithPrefix(dpid, segmentationId,
123                                                attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
124                                                portSecurityRule.getSecurityRuleRemoteIpPrefix(),
125                                                Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
126                     continue;
127                 }
128                 /**
129                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
130                  */
131                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
132                     String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
133                     String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
134                     !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
135                     logger.debug(
136                             "Rule #3 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
137                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
138                             portSecurityRule.getSecurityRulePortMax(),
139                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
140                     egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
141                                             true);
142                     egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
143                                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
144                     continue;
145                 }
146                 /**
147                  * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
148                  */
149                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
150                     String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
151                     String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
152                     (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
153                      !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
154                              .equalsIgnoreCase("0.0.0.0/0"))) {
155                     logger.debug(
156                             "Rule #4 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
157                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
158                             portSecurityRule.getSecurityRulePortMax(),
159                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
160                     egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
161                     egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
162                                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
163                     continue;
164                 }
165                 /**
166                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
167                  */
168                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
169                     !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
170                     !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
171                     String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
172                     logger.debug(
173                             "Rule #5 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
174                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
175                             portSecurityRule.getSecurityRulePortMax(),
176                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
177                     egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
178                                             true);
179                     egressACLTcpSyn(dpid, segmentationId,
180                                     attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
181                                     Constants.PROTO_PORT_MATCH_PRIORITY);
182                     continue;
183                 }
184                 /**
185                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
186                  */
187                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
188                     !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
189                     String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
190                     String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
191                     logger.debug(
192                             "Rule #6 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
193                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
194                             portSecurityRule.getSecurityRulePortMax(),
195                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
196                     egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
197                                             Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
198                     egressACLTcpSyn(dpid, segmentationId, attachedMac, true,
199                                     portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
200                     continue;
201                 }
202                 /**
203                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
204                  */
205                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
206                     String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
207                     String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
208                     ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
209                      String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
210                              .equalsIgnoreCase("0.0.0.0/0"))) {
211                     logger.debug(
212                             "Rule #7 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
213                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
214                             portSecurityRule.getSecurityRulePortMax(),
215                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
216                     // No need to drop until UDP/ICMP are implemented
217                     // egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
218                     egressAllowProto(dpid, segmentationId, attachedMac, true,
219                                      portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
220                     continue;
221                 }
222                 logger.debug("ACL Match combination not found for rule: {}", portSecurityRule);
223             }
224         }
225     }
226
227     public void egressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
228                                         int priority, boolean write) {
229
230         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
231         MatchBuilder matchBuilder = new MatchBuilder();
232         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
233         FlowBuilder flowBuilder = new FlowBuilder();
234
235         flowBuilder.setMatch(MatchUtils.createSmacTcpPortWithFlagMatch(matchBuilder,
236                                                                        attachedMac, Constants.TCP_SYN, segmentationId).build());
237         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
238
239         String flowId = "TCP_Syn_Egress_Default_Drop_" + attachedMac;
240         flowBuilder.setId(new FlowId(flowId));
241         FlowKey key = new FlowKey(new FlowId(flowId));
242         flowBuilder.setStrict(false);
243         flowBuilder.setPriority(priority);
244         flowBuilder.setBarrier(true);
245         flowBuilder.setTableId(this.getTable());
246         flowBuilder.setKey(key);
247         flowBuilder.setFlowName(flowId);
248         flowBuilder.setHardTimeout(0);
249         flowBuilder.setIdleTimeout(0);
250
251         if (write) {
252             // Instantiate the Builders for the OF Actions and Instructions
253             InstructionBuilder ib = new InstructionBuilder();
254             InstructionsBuilder isb = new InstructionsBuilder();
255             List<Instruction> instructions = Lists.newArrayList();
256
257             InstructionUtils.createDropInstructions(ib);
258             ib.setOrder(0);
259             ib.setKey(new InstructionKey(0));
260             instructions.add(ib.build());
261             // Add InstructionBuilder to the Instruction(s)Builder List
262             isb.setInstruction(instructions);
263
264             logger.debug("Instructions contain: {}", ib.getInstruction());
265             // Add InstructionsBuilder to FlowBuilder
266             flowBuilder.setInstructions(isb.build());
267             writeFlow(flowBuilder, nodeBuilder);
268         } else {
269             removeFlow(flowBuilder, nodeBuilder);
270         }
271     }
272
273     public void egressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac, boolean write,
274                                            Integer securityRulePortMin, String securityRuleIpPrefix, Integer protoPortPrefixMatchPriority) {
275
276         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
277         PortNumber tcpPort = new PortNumber(securityRulePortMin);
278         MatchBuilder matchBuilder = new MatchBuilder();
279         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
280         FlowBuilder flowBuilder = new FlowBuilder();
281         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
282
283         flowBuilder.setMatch(MatchUtils
284                                      .createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
285                                                                          tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
286
287         logger.debug(" MatchBuilder contains:  {}", flowBuilder.getMatch());
288         String flowId = "UcastEgress_" + segmentationId + "_" + attachedMac +
289                         securityRulePortMin + securityRuleIpPrefix;
290         // Add Flow Attributes
291         flowBuilder.setId(new FlowId(flowId));
292         FlowKey key = new FlowKey(new FlowId(flowId));
293         flowBuilder.setStrict(false);
294         flowBuilder.setPriority(protoPortPrefixMatchPriority);
295         flowBuilder.setBarrier(true);
296         flowBuilder.setTableId(this.getTable());
297         flowBuilder.setKey(key);
298         flowBuilder.setFlowName(flowId);
299         flowBuilder.setHardTimeout(0);
300         flowBuilder.setIdleTimeout(0);
301
302         if (write) {
303             // Instantiate the Builders for the OF Actions and Instructions
304             InstructionBuilder ib = new InstructionBuilder();
305             InstructionsBuilder isb = new InstructionsBuilder();
306             List<Instruction> instructionsList = Lists.newArrayList();
307
308             ib = this.getMutablePipelineInstructionBuilder();
309             ib.setOrder(0);
310             ib.setKey(new InstructionKey(0));
311             instructionsList.add(ib.build());
312             isb.setInstruction(instructionsList);
313
314             logger.debug("Instructions contain: {}", ib.getInstruction());
315             // Add InstructionsBuilder to FlowBuilder
316             flowBuilder.setInstructions(isb.build());
317             writeFlow(flowBuilder, nodeBuilder);
318         } else {
319             removeFlow(flowBuilder, nodeBuilder);
320         }
321     }
322
323
324
325     public void egressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
326                                  String securityRuleProtcol, Integer protoMatchPriority) {
327
328         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
329         MatchBuilder matchBuilder = new MatchBuilder();
330         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
331         FlowBuilder flowBuilder = new FlowBuilder();
332
333         flowBuilder.setMatch(MatchUtils
334                                      .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
335         flowBuilder.setMatch(MatchUtils
336                                      .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
337
338         logger.debug("MatchBuilder contains:  {}", flowBuilder.getMatch());
339         String flowId = "EgressAllProto_" + segmentationId + "_" +
340                         attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
341         // Add Flow Attributes
342         flowBuilder.setId(new FlowId(flowId));
343         FlowKey key = new FlowKey(new FlowId(flowId));
344         flowBuilder.setStrict(false);
345         flowBuilder.setPriority(protoMatchPriority);
346         flowBuilder.setBarrier(true);
347         flowBuilder.setTableId(this.getTable());
348         flowBuilder.setKey(key);
349         flowBuilder.setFlowName(flowId);
350         flowBuilder.setHardTimeout(0);
351         flowBuilder.setIdleTimeout(0);
352
353         if (write) {
354             // Instantiate the Builders for the OF Actions and Instructions
355             InstructionBuilder ib = new InstructionBuilder();
356             InstructionsBuilder isb = new InstructionsBuilder();
357             List<Instruction> instructionsList = Lists.newArrayList();
358
359             ib = this.getMutablePipelineInstructionBuilder();
360             ib.setOrder(0);
361             ib.setKey(new InstructionKey(0));
362             instructionsList.add(ib.build());
363             isb.setInstruction(instructionsList);
364
365             logger.debug("Instructions contain: {}", ib.getInstruction());
366             // Add InstructionsBuilder to FlowBuilder
367             flowBuilder.setInstructions(isb.build());
368             writeFlow(flowBuilder, nodeBuilder);
369         } else {
370             removeFlow(flowBuilder, nodeBuilder);
371         }
372     }
373
374     public void egressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
375                                         boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
376
377         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
378         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
379         MatchBuilder matchBuilder = new MatchBuilder();
380         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
381         FlowBuilder flowBuilder = new FlowBuilder();
382
383         flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
384                                      .build());
385         if (securityRuleIpPrefix != null) {
386             flowBuilder.setMatch(MatchUtils
387                                          .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
388                                          .build());
389         } else {
390             flowBuilder.setMatch(MatchUtils
391                                          .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
392                                          .build());
393         }
394         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
395         String flowId = "Egress_Proto_ACL" + segmentationId + "_" +
396                         attachedMac + "_Permit_" + securityRuleIpPrefix;
397         // Add Flow Attributes
398         flowBuilder.setId(new FlowId(flowId));
399         FlowKey key = new FlowKey(new FlowId(flowId));
400         flowBuilder.setStrict(false);
401         flowBuilder.setPriority(protoPortMatchPriority);
402         flowBuilder.setBarrier(true);
403         flowBuilder.setTableId(this.getTable());
404         flowBuilder.setKey(key);
405         flowBuilder.setFlowName(flowId);
406         flowBuilder.setHardTimeout(0);
407         flowBuilder.setIdleTimeout(0);
408
409         if (write) {
410             // Instantiate the Builders for the OF Actions and Instructions
411             InstructionBuilder ib = new InstructionBuilder();
412             InstructionsBuilder isb = new InstructionsBuilder();
413             List<Instruction> instructionsList = Lists.newArrayList();
414
415             ib = this.getMutablePipelineInstructionBuilder();
416             ib.setOrder(0);
417             ib.setKey(new InstructionKey(0));
418             instructionsList.add(ib.build());
419             isb.setInstruction(instructionsList);
420
421             logger.debug("Instructions contain: {}", ib.getInstruction());
422             // Add InstructionsBuilder to FlowBuilder
423             flowBuilder.setInstructions(isb.build());
424             writeFlow(flowBuilder, nodeBuilder);
425         } else {
426             removeFlow(flowBuilder, nodeBuilder);
427         }
428     }
429
430
431     public void egressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
432                                 Integer securityRulePortMin, Integer protoPortMatchPriority) {
433
434         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
435         PortNumber tcpPort = new PortNumber(securityRulePortMin);
436         MatchBuilder matchBuilder = new MatchBuilder();
437         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
438         FlowBuilder flowBuilder = new FlowBuilder();
439
440         flowBuilder.setMatch(MatchUtils.createSmacTcpSyn(matchBuilder, attachedMac, tcpPort,
441                                                          Constants.TCP_SYN, segmentationId).build());
442
443         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
444         String flowId = "Ucast_this.getTable()" + segmentationId + "_" + attachedMac + securityRulePortMin;
445         // Add Flow Attributes
446         flowBuilder.setId(new FlowId(flowId));
447         FlowKey key = new FlowKey(new FlowId(flowId));
448         flowBuilder.setStrict(false);
449         flowBuilder.setPriority(protoPortMatchPriority);
450         flowBuilder.setBarrier(true);
451         flowBuilder.setTableId(this.getTable());
452         flowBuilder.setKey(key);
453         flowBuilder.setFlowName(flowId);
454         flowBuilder.setHardTimeout(0);
455         flowBuilder.setIdleTimeout(0);
456
457         if (write) {
458             // Instantiate the Builders for the OF Actions and Instructions
459             InstructionBuilder ib = new InstructionBuilder();
460             InstructionsBuilder isb = new InstructionsBuilder();
461             List<Instruction> instructionsList = Lists.newArrayList();
462
463             ib = this.getMutablePipelineInstructionBuilder();
464             ib.setOrder(0);
465             ib.setKey(new InstructionKey(0));
466             instructionsList.add(ib.build());
467             isb.setInstruction(instructionsList);
468
469             logger.debug("Instructions contain: {}", ib.getInstruction());
470             // Add InstructionsBuilder to FlowBuilder
471             flowBuilder.setInstructions(isb.build());
472             writeFlow(flowBuilder, nodeBuilder);
473         } else {
474             removeFlow(flowBuilder, nodeBuilder);
475         }
476     }
477 }
NetVirt - Archived