2 * Copyright (C) 2014 Red Hat, Inc.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 * Authors : Madhu Venugopal
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
12 import java.math.BigInteger;
13 import java.util.List;
15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
19 import org.opendaylight.ovsdb.openstack.netvirt.providers.ConfigInterface;
20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
21 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
22 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
23 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
26 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
36 import org.osgi.framework.BundleContext;
37 import org.osgi.framework.ServiceReference;
38 import org.slf4j.Logger;
39 import org.slf4j.LoggerFactory;
41 import com.google.common.collect.Lists;
43 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider, ConfigInterface {
45 static final Logger LOG = LoggerFactory.getLogger(IngressAclService.class);
47 public IngressAclService() {
48 super(Service.INGRESS_ACL);
51 public IngressAclService(Service service) {
56 public void programPortSecurityACL(Long dpid, String segmentationId, String attachedMac,
57 long localPort, NeutronSecurityGroup securityGroup) {
59 LOG.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
60 List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
61 /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
62 for (NeutronSecurityRule portSecurityRule : portSecurityList) {
64 * Neutron Port Security ACL "ingress" and "IPv4"
66 * Check that the base conditions for flow based Port Security are true:
67 * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
68 * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
69 * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
72 if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
73 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
74 LOG.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
76 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
78 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
79 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
80 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
81 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
82 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
83 .equalsIgnoreCase("0.0.0.0/0"))) {
84 LOG.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
85 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
86 portSecurityRule.getSecurityRulePortMax(),
87 portSecurityRule.getSecurityRuleRemoteIpPrefix());
88 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
89 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
91 ingressACLTcpPortWithPrefix(dpid, segmentationId,
92 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
93 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
97 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
99 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
100 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
101 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
102 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
103 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
104 .equalsIgnoreCase("0.0.0.0/0"))) {
105 LOG.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
106 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
107 portSecurityRule.getSecurityRulePortMax(),
108 portSecurityRule.getSecurityRuleRemoteIpPrefix());
109 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
110 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
112 ingressACLTcpPortWithPrefix(dpid, segmentationId,
113 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
114 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
118 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
120 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
121 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
122 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
123 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
124 LOG.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
125 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
126 portSecurityRule.getSecurityRulePortMax(),
127 portSecurityRule.getSecurityRuleRemoteIpPrefix());
128 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
130 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
131 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
135 * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
137 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
138 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
139 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
140 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
141 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
142 .equalsIgnoreCase("0.0.0.0/0"))) {
143 LOG.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
144 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
145 portSecurityRule.getSecurityRulePortMax(),
146 portSecurityRule.getSecurityRuleRemoteIpPrefix());
147 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
148 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
149 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
153 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
155 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
156 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
157 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
158 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
159 LOG.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
160 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
161 portSecurityRule.getSecurityRulePortMax(),
162 portSecurityRule.getSecurityRuleRemoteIpPrefix());
163 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
165 ingressACLTcpSyn(dpid, segmentationId,
166 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
167 Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
171 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
173 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
174 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
175 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
176 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
177 LOG.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
178 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
179 portSecurityRule.getSecurityRulePortMax(),
180 portSecurityRule.getSecurityRuleRemoteIpPrefix());
181 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
182 Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
183 ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
184 portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
188 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
190 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
191 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
192 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
193 ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
194 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
195 .equalsIgnoreCase("0.0.0.0/0"))) {
196 LOG.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
197 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
198 portSecurityRule.getSecurityRulePortMax(),
199 portSecurityRule.getSecurityRuleRemoteIpPrefix());
200 // No need to drop until UDP/ICMP are implemented
201 // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
202 handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
203 portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
206 LOG.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
212 public void programFixedSecurityACL(Long dpid, String segmentationId, String dhcpMacAddress,
213 long localPort, boolean isLastPortinSubnet, boolean isComputePort, boolean write){
214 //If this port is the only port in the compute node add the DHCP server rule.
215 if (isLastPortinSubnet && isComputePort ) {
216 ingressACLDHCPAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
220 public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
221 Integer securityRulePortMin, Integer protoPortMatchPriority) {
223 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
224 PortNumber tcpPort = new PortNumber(securityRulePortMin);
225 MatchBuilder matchBuilder = new MatchBuilder();
226 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
227 FlowBuilder flowBuilder = new FlowBuilder();
229 flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
230 Constants.TCP_SYN, segmentationId).build());
232 LOG.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
233 String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
234 // Add Flow Attributes
235 flowBuilder.setId(new FlowId(flowId));
236 FlowKey key = new FlowKey(new FlowId(flowId));
237 flowBuilder.setStrict(false);
238 flowBuilder.setPriority(protoPortMatchPriority);
239 flowBuilder.setBarrier(true);
240 flowBuilder.setTableId(this.getTable());
241 flowBuilder.setKey(key);
242 flowBuilder.setFlowName(flowId);
243 flowBuilder.setHardTimeout(0);
244 flowBuilder.setIdleTimeout(0);
247 // Instantiate the Builders for the OF Actions and Instructions
248 InstructionBuilder ib = new InstructionBuilder();
249 InstructionsBuilder isb = new InstructionsBuilder();
250 List<Instruction> instructionsList = Lists.newArrayList();
252 ib = this.getMutablePipelineInstructionBuilder();
254 ib.setKey(new InstructionKey(0));
255 instructionsList.add(ib.build());
256 isb.setInstruction(instructionsList);
258 LOG.debug("Instructions are: {}", ib.getInstruction());
259 // Add InstructionsBuilder to FlowBuilder
260 flowBuilder.setInstructions(isb.build());
261 writeFlow(flowBuilder, nodeBuilder);
263 removeFlow(flowBuilder, nodeBuilder);
267 public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
268 boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
269 Integer protoPortPrefixMatchPriority) {
271 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
272 PortNumber tcpPort = new PortNumber(securityRulePortMin);
274 MatchBuilder matchBuilder = new MatchBuilder();
275 NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
276 FlowBuilder flowBuilder = new FlowBuilder();
277 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
279 flowBuilder.setMatch(MatchUtils
280 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
281 tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
283 LOG.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
284 String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
285 securityRulePortMin + securityRuleIpPrefix;
286 // Add Flow Attributes
287 flowBuilder.setId(new FlowId(flowId));
288 FlowKey key = new FlowKey(new FlowId(flowId));
289 flowBuilder.setStrict(false);
290 flowBuilder.setPriority(protoPortPrefixMatchPriority);
291 flowBuilder.setBarrier(true);
292 flowBuilder.setTableId(this.getTable());
293 flowBuilder.setKey(key);
294 flowBuilder.setFlowName(flowId);
295 flowBuilder.setHardTimeout(0);
296 flowBuilder.setIdleTimeout(0);
299 // Instantiate the Builders for the OF Actions and Instructions
300 InstructionBuilder ib = new InstructionBuilder();
301 InstructionsBuilder isb = new InstructionsBuilder();
303 List<Instruction> instructionsList = Lists.newArrayList();
304 ib = this.getMutablePipelineInstructionBuilder();
306 ib.setKey(new InstructionKey(0));
307 instructionsList.add(ib.build());
308 isb.setInstruction(instructionsList);
310 LOG.debug("Instructions contain: {}", ib.getInstruction());
311 // Add InstructionsBuilder to FlowBuilder
312 flowBuilder.setInstructions(isb.build());
313 writeFlow(flowBuilder, nodeBuilder);
315 removeFlow(flowBuilder, nodeBuilder);
319 public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
320 String securityRuleProtcol, Integer protoMatchPriority) {
322 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
324 MatchBuilder matchBuilder = new MatchBuilder();
325 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
326 FlowBuilder flowBuilder = new FlowBuilder();
328 flowBuilder.setMatch(MatchUtils
329 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
330 flowBuilder.setMatch(MatchUtils
331 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
332 LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
334 String flowId = "UcastOut_" + segmentationId + "_" +
335 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
336 // Add Flow Attributes
337 flowBuilder.setId(new FlowId(flowId));
338 FlowKey key = new FlowKey(new FlowId(flowId));
339 flowBuilder.setStrict(false);
340 flowBuilder.setPriority(protoMatchPriority);
341 flowBuilder.setBarrier(true);
342 flowBuilder.setTableId(this.getTable());
343 flowBuilder.setKey(key);
344 flowBuilder.setFlowName(flowId);
345 flowBuilder.setHardTimeout(0);
346 flowBuilder.setIdleTimeout(0);
349 // Instantiate the Builders for the OF Actions and Instructions
350 InstructionBuilder ib = new InstructionBuilder();
351 InstructionsBuilder isb = new InstructionsBuilder();
352 List<Instruction> instructionsList = Lists.newArrayList();
354 ib = this.getMutablePipelineInstructionBuilder();
356 ib.setKey(new InstructionKey(1));
357 instructionsList.add(ib.build());
358 isb.setInstruction(instructionsList);
359 LOG.debug("Instructions contain: {}", ib.getInstruction());
361 // Add InstructionsBuilder to FlowBuilder
362 flowBuilder.setInstructions(isb.build());
363 writeFlow(flowBuilder, nodeBuilder);
365 removeFlow(flowBuilder, nodeBuilder);
370 public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
371 int priority, boolean write) {
373 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
374 MatchBuilder matchBuilder = new MatchBuilder();
375 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
376 FlowBuilder flowBuilder = new FlowBuilder();
378 flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
379 attachedMac, Constants.TCP_SYN, segmentationId).build());
381 LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
382 String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
383 flowBuilder.setId(new FlowId(flowId));
384 FlowKey key = new FlowKey(new FlowId(flowId));
385 flowBuilder.setStrict(false);
386 flowBuilder.setPriority(priority);
387 flowBuilder.setBarrier(true);
388 flowBuilder.setTableId(this.getTable());
389 flowBuilder.setKey(key);
390 flowBuilder.setFlowName(flowId);
391 flowBuilder.setHardTimeout(0);
392 flowBuilder.setIdleTimeout(0);
395 // Instantiate the Builders for the OF Actions and Instructions
396 InstructionBuilder ib = new InstructionBuilder();
397 InstructionsBuilder isb = new InstructionsBuilder();
399 // Instructions List Stores Individual Instructions
400 List<Instruction> instructions = Lists.newArrayList();
402 // Set the Output Port/Iface
403 InstructionUtils.createDropInstructions(ib);
405 ib.setKey(new InstructionKey(0));
406 instructions.add(ib.build());
408 // Add InstructionBuilder to the Instruction(s)Builder List
409 isb.setInstruction(instructions);
410 LOG.debug("Instructions contain: {}", ib.getInstruction());
411 // Add InstructionsBuilder to FlowBuilder
412 flowBuilder.setInstructions(isb.build());
413 writeFlow(flowBuilder, nodeBuilder);
415 removeFlow(flowBuilder, nodeBuilder);
419 public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
420 boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
422 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
423 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
424 MatchBuilder matchBuilder = new MatchBuilder();
425 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
426 FlowBuilder flowBuilder = new FlowBuilder();
428 flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
430 if (securityRuleIpPrefix != null) {
431 flowBuilder.setMatch(MatchUtils
432 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
435 flowBuilder.setMatch(MatchUtils
436 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
440 LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
441 String flowId = "IngressProto_ACL_" + segmentationId + "_" +
442 attachedMac + "_Permit_" + securityRuleIpPrefix;
443 // Add Flow Attributes
444 flowBuilder.setId(new FlowId(flowId));
445 FlowKey key = new FlowKey(new FlowId(flowId));
446 flowBuilder.setStrict(false);
447 flowBuilder.setPriority(protoPortMatchPriority);
448 flowBuilder.setBarrier(true);
449 flowBuilder.setTableId(this.getTable());
450 flowBuilder.setKey(key);
451 flowBuilder.setFlowName(flowId);
452 flowBuilder.setHardTimeout(0);
453 flowBuilder.setIdleTimeout(0);
456 // Instantiate the Builders for the OF Actions and Instructions
457 InstructionBuilder ib = new InstructionBuilder();
458 InstructionsBuilder isb = new InstructionsBuilder();
459 List<Instruction> instructionsList = Lists.newArrayList();
461 ib = this.getMutablePipelineInstructionBuilder();
463 ib.setKey(new InstructionKey(0));
464 instructionsList.add(ib.build());
465 isb.setInstruction(instructionsList);
467 LOG.debug("Instructions contain: {}", ib.getInstruction());
468 // Add InstructionsBuilder to FlowBuilder
469 flowBuilder.setInstructions(isb.build());
470 writeFlow(flowBuilder, nodeBuilder);
472 removeFlow(flowBuilder, nodeBuilder);
477 * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
479 * @param dpidLong the dpid
480 * @param segmentationId the segmentation id
481 * @param dhcpMacAddress the DHCP server mac address
482 * @param write is write or delete
483 * @param protoPortMatchPriority the priority
485 private void ingressACLDHCPAllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
486 boolean write, Integer protoPortMatchPriority) {
488 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
489 MatchBuilder matchBuilder = new MatchBuilder();
490 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
491 FlowBuilder flowBuilder = new FlowBuilder();
493 flowBuilder.setMatch(MatchUtils.createDHCPServerMatch(matchBuilder, dhcpMacAddress, 67, 68).build());
494 LOG.debug("ingressACLDHCPAllowServerTraffic: MatchBuilder contains: {}", flowBuilder.getMatch());
495 String flowId = "Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
496 // Add Flow Attributes
497 flowBuilder.setId(new FlowId(flowId));
498 FlowKey key = new FlowKey(new FlowId(flowId));
499 flowBuilder.setStrict(false);
500 flowBuilder.setPriority(protoPortMatchPriority);
501 flowBuilder.setBarrier(true);
502 flowBuilder.setTableId(this.getTable());
503 flowBuilder.setKey(key);
504 flowBuilder.setFlowName(flowId);
505 flowBuilder.setHardTimeout(0);
506 flowBuilder.setIdleTimeout(0);
509 // Instantiate the Builders for the OF Actions and Instructions
510 InstructionBuilder ib = new InstructionBuilder();
511 InstructionsBuilder isb = new InstructionsBuilder();
512 List<Instruction> instructionsList = Lists.newArrayList();
514 ib = this.getMutablePipelineInstructionBuilder();
516 ib.setKey(new InstructionKey(0));
517 instructionsList.add(ib.build());
518 isb.setInstruction(instructionsList);
520 LOG.debug("Instructions contain: {}", ib.getInstruction());
521 // Add InstructionsBuilder to FlowBuilder
522 flowBuilder.setInstructions(isb.build());
523 writeFlow(flowBuilder, nodeBuilder);
525 removeFlow(flowBuilder, nodeBuilder);
529 public void setDependencies(BundleContext bundleContext, ServiceReference serviceReference) {
530 super.setDependencies(bundleContext.getServiceReference(IngressAclProvider.class.getName()), this);
534 public void setDependencies(Object impl) {