openstack/net-virt-providers/src/main/java/org/opendaylight/ovsdb/openstack/netvirt/providers/openflow13/services/IngressAclService.java

   1 /*
   2  * Copyright (C) 2014 Red Hat, Inc.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  *
   8  * Authors : Madhu Venugopal
   9  */
  10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
  11
  12 import java.math.BigInteger;
  13 import java.util.List;
  14
  15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
  16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
  17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
  18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
  19 import org.opendaylight.ovsdb.openstack.netvirt.providers.ConfigInterface;
  20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
  21 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
  22 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
  23 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
  24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
  25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
  26 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
  27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
  28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
  29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
  30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
  31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
  32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
  33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
  34 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
  35 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
  36 import org.osgi.framework.BundleContext;
  37 import org.osgi.framework.ServiceReference;
  38 import org.slf4j.Logger;
  39 import org.slf4j.LoggerFactory;
  40
  41 import com.google.common.collect.Lists;
  42
  43 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider, ConfigInterface {
  44
  45     static final Logger LOG = LoggerFactory.getLogger(IngressAclService.class);
  46
  47     public IngressAclService() {
  48         super(Service.INGRESS_ACL);
  49     }
  50
  51     public IngressAclService(Service service) {
  52         super(service);
  53     }
  54
  55     @Override
  56     public void programPortSecurityACL(Long dpid, String segmentationId, String attachedMac,
  57             long localPort, NeutronSecurityGroup securityGroup) {
  58
  59         LOG.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
  60         List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
  61         /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
  62         for (NeutronSecurityRule portSecurityRule : portSecurityList) {
  63             /**
  64              * Neutron Port Security ACL "ingress" and "IPv4"
  65              *
  66              * Check that the base conditions for flow based Port Security are true:
  67              * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
  68              * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
  69              * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
  70              *
  71              */
  72             if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
  73                     portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
  74                 LOG.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
  75                 /**
  76                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
  77                  */
  78                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
  79                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
  80                         !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
  81                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
  82                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
  83                                         .equalsIgnoreCase("0.0.0.0/0"))) {
  84                     LOG.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
  85                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
  86                             portSecurityRule.getSecurityRulePortMax(),
  87                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
  88                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
  89                             Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
  90                             true);
  91                     ingressACLTcpPortWithPrefix(dpid, segmentationId,
  92                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
  93                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
  94                     continue;
  95                 }
  96                 /**
  97                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
  98                  */
  99                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 100                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 101                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 102                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
 103                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
 104                                         .equalsIgnoreCase("0.0.0.0/0"))) {
 105                     LOG.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 106                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 107                             portSecurityRule.getSecurityRulePortMax(),
 108                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 109                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
 110                                              Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
 111                             true);
 112                     ingressACLTcpPortWithPrefix(dpid, segmentationId,
 113                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
 114                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
 115                     continue;
 116                 }
 117                 /**
 118                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
 119                  */
 120                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 121                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 122                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 123                         !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
 124                     LOG.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 125                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 126                             portSecurityRule.getSecurityRulePortMax(),
 127                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 128                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
 129                             true);
 130                     ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
 131                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
 132                     continue;
 133                 }
 134                 /**
 135                  * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
 136                  */
 137                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
 138                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 139                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 140                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
 141                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
 142                                         .equalsIgnoreCase("0.0.0.0/0"))) {
 143                     LOG.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 144                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 145                             portSecurityRule.getSecurityRulePortMax(),
 146                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 147                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
 148                     ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
 149                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
 150                     continue;
 151                 }
 152                 /**
 153                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
 154                  */
 155                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 156                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 157                         !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 158                         String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
 159                     LOG.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 160                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 161                             portSecurityRule.getSecurityRulePortMax(),
 162                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 163                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
 164                             true);
 165                     ingressACLTcpSyn(dpid, segmentationId,
 166                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
 167                             Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
 168                     continue;
 169                 }
 170                 /**
 171                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
 172                  */
 173                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 174                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 175                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 176                         String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
 177                     LOG.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 178                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 179                             portSecurityRule.getSecurityRulePortMax(),
 180                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 181                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
 182                                              Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
 183                     ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
 184                             portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
 185                     continue;
 186                 }
 187                 /**
 188                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
 189                  */
 190                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 191                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 192                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 193                         ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
 194                                 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
 195                                         .equalsIgnoreCase("0.0.0.0/0"))) {
 196                     LOG.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 197                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 198                             portSecurityRule.getSecurityRulePortMax(),
 199                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 200                     // No need to drop until UDP/ICMP are implemented
 201                     // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
 202                     handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
 203                             portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
 204                     continue;
 205                 }
 206                 LOG.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
 207             }
 208         }
 209     }
 210
 211     @Override
 212     public void programFixedSecurityACL(Long dpid, String segmentationId, String dhcpMacAddress,
 213           long localPort, boolean isLastPortinSubnet, boolean isComputePort, boolean write){
 214          //If this port is the only port in the compute node add the DHCP server rule.
 215         if (isLastPortinSubnet && isComputePort ) {
 216             ingressACLDHCPAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
 217         }
 218     }
 219
 220     public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
 221             Integer securityRulePortMin, Integer protoPortMatchPriority) {
 222
 223         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 224         PortNumber tcpPort = new PortNumber(securityRulePortMin);
 225         MatchBuilder matchBuilder = new MatchBuilder();
 226         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 227         FlowBuilder flowBuilder = new FlowBuilder();
 228
 229         flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
 230                                                               Constants.TCP_SYN, segmentationId).build());
 231
 232         LOG.debug("ingressACLTcpSyn MatchBuilder contains:  {}", flowBuilder.getMatch());
 233         String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
 234         // Add Flow Attributes
 235         flowBuilder.setId(new FlowId(flowId));
 236         FlowKey key = new FlowKey(new FlowId(flowId));
 237         flowBuilder.setStrict(false);
 238         flowBuilder.setPriority(protoPortMatchPriority);
 239         flowBuilder.setBarrier(true);
 240         flowBuilder.setTableId(this.getTable());
 241         flowBuilder.setKey(key);
 242         flowBuilder.setFlowName(flowId);
 243         flowBuilder.setHardTimeout(0);
 244         flowBuilder.setIdleTimeout(0);
 245
 246         if (write) {
 247             // Instantiate the Builders for the OF Actions and Instructions
 248             InstructionBuilder ib = new InstructionBuilder();
 249             InstructionsBuilder isb = new InstructionsBuilder();
 250             List<Instruction> instructionsList = Lists.newArrayList();
 251
 252             ib = this.getMutablePipelineInstructionBuilder();
 253             ib.setOrder(0);
 254             ib.setKey(new InstructionKey(0));
 255             instructionsList.add(ib.build());
 256             isb.setInstruction(instructionsList);
 257
 258             LOG.debug("Instructions are: {}", ib.getInstruction());
 259             // Add InstructionsBuilder to FlowBuilder
 260             flowBuilder.setInstructions(isb.build());
 261             writeFlow(flowBuilder, nodeBuilder);
 262         } else {
 263             removeFlow(flowBuilder, nodeBuilder);
 264         }
 265     }
 266
 267     public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
 268             boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
 269             Integer protoPortPrefixMatchPriority) {
 270
 271         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 272         PortNumber tcpPort = new PortNumber(securityRulePortMin);
 273
 274         MatchBuilder matchBuilder = new MatchBuilder();
 275         NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
 276         FlowBuilder flowBuilder = new FlowBuilder();
 277         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
 278
 279         flowBuilder.setMatch(MatchUtils
 280                 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
 281                         tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
 282
 283         LOG.debug(" MatchBuilder contains:  {}", flowBuilder.getMatch());
 284         String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
 285                 securityRulePortMin + securityRuleIpPrefix;
 286         // Add Flow Attributes
 287         flowBuilder.setId(new FlowId(flowId));
 288         FlowKey key = new FlowKey(new FlowId(flowId));
 289         flowBuilder.setStrict(false);
 290         flowBuilder.setPriority(protoPortPrefixMatchPriority);
 291         flowBuilder.setBarrier(true);
 292         flowBuilder.setTableId(this.getTable());
 293         flowBuilder.setKey(key);
 294         flowBuilder.setFlowName(flowId);
 295         flowBuilder.setHardTimeout(0);
 296         flowBuilder.setIdleTimeout(0);
 297
 298         if (write) {
 299             // Instantiate the Builders for the OF Actions and Instructions
 300             InstructionBuilder ib = new InstructionBuilder();
 301             InstructionsBuilder isb = new InstructionsBuilder();
 302
 303             List<Instruction> instructionsList = Lists.newArrayList();
 304             ib = this.getMutablePipelineInstructionBuilder();
 305             ib.setOrder(0);
 306             ib.setKey(new InstructionKey(0));
 307             instructionsList.add(ib.build());
 308             isb.setInstruction(instructionsList);
 309
 310             LOG.debug("Instructions contain: {}", ib.getInstruction());
 311             // Add InstructionsBuilder to FlowBuilder
 312             flowBuilder.setInstructions(isb.build());
 313             writeFlow(flowBuilder, nodeBuilder);
 314         } else {
 315             removeFlow(flowBuilder, nodeBuilder);
 316         }
 317     }
 318
 319     public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
 320             String securityRuleProtcol, Integer protoMatchPriority) {
 321
 322         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 323
 324         MatchBuilder matchBuilder = new MatchBuilder();
 325         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 326         FlowBuilder flowBuilder = new FlowBuilder();
 327
 328         flowBuilder.setMatch(MatchUtils
 329                 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
 330         flowBuilder.setMatch(MatchUtils
 331                 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
 332         LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
 333
 334         String flowId = "UcastOut_" + segmentationId + "_" +
 335                 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
 336         // Add Flow Attributes
 337         flowBuilder.setId(new FlowId(flowId));
 338         FlowKey key = new FlowKey(new FlowId(flowId));
 339         flowBuilder.setStrict(false);
 340         flowBuilder.setPriority(protoMatchPriority);
 341         flowBuilder.setBarrier(true);
 342         flowBuilder.setTableId(this.getTable());
 343         flowBuilder.setKey(key);
 344         flowBuilder.setFlowName(flowId);
 345         flowBuilder.setHardTimeout(0);
 346         flowBuilder.setIdleTimeout(0);
 347
 348         if (write) {
 349             // Instantiate the Builders for the OF Actions and Instructions
 350             InstructionBuilder ib = new InstructionBuilder();
 351             InstructionsBuilder isb = new InstructionsBuilder();
 352             List<Instruction> instructionsList = Lists.newArrayList();
 353
 354             ib = this.getMutablePipelineInstructionBuilder();
 355             ib.setOrder(1);
 356             ib.setKey(new InstructionKey(1));
 357             instructionsList.add(ib.build());
 358             isb.setInstruction(instructionsList);
 359             LOG.debug("Instructions contain: {}", ib.getInstruction());
 360
 361             // Add InstructionsBuilder to FlowBuilder
 362             flowBuilder.setInstructions(isb.build());
 363             writeFlow(flowBuilder, nodeBuilder);
 364         } else {
 365             removeFlow(flowBuilder, nodeBuilder);
 366         }
 367     }
 368
 369
 370     public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
 371             int priority, boolean write) {
 372
 373         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 374         MatchBuilder matchBuilder = new MatchBuilder();
 375         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 376         FlowBuilder flowBuilder = new FlowBuilder();
 377
 378         flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
 379                 attachedMac, Constants.TCP_SYN, segmentationId).build());
 380
 381         LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
 382         String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
 383         flowBuilder.setId(new FlowId(flowId));
 384         FlowKey key = new FlowKey(new FlowId(flowId));
 385         flowBuilder.setStrict(false);
 386         flowBuilder.setPriority(priority);
 387         flowBuilder.setBarrier(true);
 388         flowBuilder.setTableId(this.getTable());
 389         flowBuilder.setKey(key);
 390         flowBuilder.setFlowName(flowId);
 391         flowBuilder.setHardTimeout(0);
 392         flowBuilder.setIdleTimeout(0);
 393
 394         if (write) {
 395             // Instantiate the Builders for the OF Actions and Instructions
 396             InstructionBuilder ib = new InstructionBuilder();
 397             InstructionsBuilder isb = new InstructionsBuilder();
 398
 399             // Instructions List Stores Individual Instructions
 400             List<Instruction> instructions = Lists.newArrayList();
 401
 402             // Set the Output Port/Iface
 403             InstructionUtils.createDropInstructions(ib);
 404             ib.setOrder(0);
 405             ib.setKey(new InstructionKey(0));
 406             instructions.add(ib.build());
 407
 408             // Add InstructionBuilder to the Instruction(s)Builder List
 409             isb.setInstruction(instructions);
 410             LOG.debug("Instructions contain: {}", ib.getInstruction());
 411             // Add InstructionsBuilder to FlowBuilder
 412             flowBuilder.setInstructions(isb.build());
 413             writeFlow(flowBuilder, nodeBuilder);
 414         } else {
 415             removeFlow(flowBuilder, nodeBuilder);
 416         }
 417     }
 418
 419     public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
 420             boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
 421
 422         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 423         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
 424         MatchBuilder matchBuilder = new MatchBuilder();
 425         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 426         FlowBuilder flowBuilder = new FlowBuilder();
 427
 428         flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
 429                 .build());
 430         if (securityRuleIpPrefix != null) {
 431             flowBuilder.setMatch(MatchUtils
 432                     .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
 433                     .build());
 434         } else {
 435             flowBuilder.setMatch(MatchUtils
 436                     .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
 437                     .build());
 438         }
 439
 440         LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
 441         String flowId = "IngressProto_ACL_" + segmentationId + "_" +
 442                 attachedMac + "_Permit_" + securityRuleIpPrefix;
 443         // Add Flow Attributes
 444         flowBuilder.setId(new FlowId(flowId));
 445         FlowKey key = new FlowKey(new FlowId(flowId));
 446         flowBuilder.setStrict(false);
 447         flowBuilder.setPriority(protoPortMatchPriority);
 448         flowBuilder.setBarrier(true);
 449         flowBuilder.setTableId(this.getTable());
 450         flowBuilder.setKey(key);
 451         flowBuilder.setFlowName(flowId);
 452         flowBuilder.setHardTimeout(0);
 453         flowBuilder.setIdleTimeout(0);
 454
 455         if (write) {
 456             // Instantiate the Builders for the OF Actions and Instructions
 457             InstructionBuilder ib = new InstructionBuilder();
 458             InstructionsBuilder isb = new InstructionsBuilder();
 459             List<Instruction> instructionsList = Lists.newArrayList();
 460
 461             ib = this.getMutablePipelineInstructionBuilder();
 462             ib.setOrder(1);
 463             ib.setKey(new InstructionKey(0));
 464             instructionsList.add(ib.build());
 465             isb.setInstruction(instructionsList);
 466
 467             LOG.debug("Instructions contain: {}", ib.getInstruction());
 468             // Add InstructionsBuilder to FlowBuilder
 469             flowBuilder.setInstructions(isb.build());
 470             writeFlow(flowBuilder, nodeBuilder);
 471         } else {
 472             removeFlow(flowBuilder, nodeBuilder);
 473         }
 474     }
 475
 476     /**
 477      * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
 478      *
 479      * @param dpidLong the dpid
 480      * @param segmentationId the segmentation id
 481      * @param dhcpMacAddress the DHCP server mac address
 482      * @param write is write or delete
 483      * @param protoPortMatchPriority the priority
 484      */
 485     private void ingressACLDHCPAllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
 486             boolean write, Integer protoPortMatchPriority) {
 487
 488         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 489         MatchBuilder matchBuilder = new MatchBuilder();
 490         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 491         FlowBuilder flowBuilder = new FlowBuilder();
 492
 493         flowBuilder.setMatch(MatchUtils.createDHCPServerMatch(matchBuilder, dhcpMacAddress, 67, 68).build());
 494         LOG.debug("ingressACLDHCPAllowServerTraffic: MatchBuilder contains: {}", flowBuilder.getMatch());
 495         String flowId = "Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
 496         // Add Flow Attributes
 497         flowBuilder.setId(new FlowId(flowId));
 498         FlowKey key = new FlowKey(new FlowId(flowId));
 499         flowBuilder.setStrict(false);
 500         flowBuilder.setPriority(protoPortMatchPriority);
 501         flowBuilder.setBarrier(true);
 502         flowBuilder.setTableId(this.getTable());
 503         flowBuilder.setKey(key);
 504         flowBuilder.setFlowName(flowId);
 505         flowBuilder.setHardTimeout(0);
 506         flowBuilder.setIdleTimeout(0);
 507
 508         if (write) {
 509             // Instantiate the Builders for the OF Actions and Instructions
 510             InstructionBuilder ib = new InstructionBuilder();
 511             InstructionsBuilder isb = new InstructionsBuilder();
 512             List<Instruction> instructionsList = Lists.newArrayList();
 513
 514             ib = this.getMutablePipelineInstructionBuilder();
 515             ib.setOrder(0);
 516             ib.setKey(new InstructionKey(0));
 517             instructionsList.add(ib.build());
 518             isb.setInstruction(instructionsList);
 519
 520             LOG.debug("Instructions contain: {}", ib.getInstruction());
 521             // Add InstructionsBuilder to FlowBuilder
 522             flowBuilder.setInstructions(isb.build());
 523             writeFlow(flowBuilder, nodeBuilder);
 524         } else {
 525             removeFlow(flowBuilder, nodeBuilder);
 526         }
 527     }
 528     @Override
 529     public void setDependencies(BundleContext bundleContext, ServiceReference serviceReference) {
 530         super.setDependencies(bundleContext.getServiceReference(IngressAclProvider.class.getName()), this);
 531     }
 532
 533     @Override
 534     public void setDependencies(Object impl) {
 535
 536     }
 537 }