2 * Copyright (C) 2014 Red Hat, Inc.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 * Authors : Madhu Venugopal
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
12 import java.math.BigInteger;
13 import java.util.List;
15 import org.opendaylight.controller.networkconfig.neutron.NeutronSecurityGroup;
16 import org.opendaylight.controller.networkconfig.neutron.NeutronSecurityRule;
17 import org.opendaylight.controller.sal.core.Node;
18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
19 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
21 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
22 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
35 import org.slf4j.Logger;
36 import org.slf4j.LoggerFactory;
38 import com.google.common.collect.Lists;
40 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider {
42 static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
43 public static final Integer PROTO_MATCH_PRIORITY_DROP = 36006;
44 public static final Integer PROTO_PORT_MATCH_PRIORITY_DROP = 36005;
45 public static final Integer PREFIX_MATCH_PRIORITY_DROP = 36004;
46 public static final Integer PROTO_PREFIX_MATCH_PRIORITY_DROP = 36003;
47 public static final Integer PREFIX_PORT_MATCH_PRIORITY_DROP = 36002;
48 public static final Integer PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP = 36001;
50 public static final Integer PROTO_MATCH_PRIORITY = 61010;
51 public static final Integer PREFIX_MATCH_PRIORITY = 61009;
52 public static final Integer PROTO_PREFIX_MATCH_PRIORITY = 61008;
53 public static final Integer PROTO_PORT_MATCH_PRIORITY = 61007;
54 public static final Integer PROTO_PORT_PREFIX_MATCH_PRIORITY = 61007;
56 public static final int TCP_SYN = 0x002;
57 public static final short INGRESS_ACL = 40; // Flows Destined to the VM Port go here
58 // TODO: break out egress to the egress table and create a parent for both ingress/egress
59 public static final short EGRESS_ACL = 100; // Flows Sourced from the VM Port go here
60 public static final short OUTBOUND_SNAT = 110; // Ingress ACL table drains traffic to this table
62 private static final String OPENFLOW = "openflow:";
63 private static Long groupId = 1L;
65 public IngressAclService() {
66 super(Service.INGRESS_ACL);
69 public IngressAclService(Service service) {
74 public boolean isBridgeInPipeline(String nodeId) {
79 public void programPortSecurityACL(Node node, Long dpid, String segmentationId, String attachedMac,
80 long localPort, NeutronSecurityGroup securityGroup) {
82 logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
83 List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
84 /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
85 for (NeutronSecurityRule portSecurityRule : portSecurityList) {
87 * Neutron Port Security ACL "ingress" and "IPv4"
89 * Check that the base conditions for flow based Port Security are true:
90 * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
91 * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
92 * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
95 if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
96 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
97 logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
99 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
101 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
102 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
103 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
104 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
105 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
106 .equalsIgnoreCase("0.0.0.0/0"))) {
107 logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
108 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
109 portSecurityRule.getSecurityRulePortMax(),
110 portSecurityRule.getSecurityRuleRemoteIpPrefix());
111 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
112 PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
114 ingressACLTcpPortWithPrefix(dpid, segmentationId,
115 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
116 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
120 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
122 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
123 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
124 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
125 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
126 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
127 .equalsIgnoreCase("0.0.0.0/0"))) {
128 logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
129 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
130 portSecurityRule.getSecurityRulePortMax(),
131 portSecurityRule.getSecurityRuleRemoteIpPrefix());
132 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
133 PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
135 ingressACLTcpPortWithPrefix(dpid, segmentationId,
136 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
137 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
141 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
143 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
144 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
145 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
146 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
147 logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
148 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
149 portSecurityRule.getSecurityRulePortMax(),
150 portSecurityRule.getSecurityRuleRemoteIpPrefix());
151 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PREFIX_MATCH_PRIORITY_DROP,
153 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
154 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PREFIX_MATCH_PRIORITY);
158 * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
160 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
161 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
162 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
163 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
164 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
165 .equalsIgnoreCase("0.0.0.0/0"))) {
166 logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
167 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
168 portSecurityRule.getSecurityRulePortMax(),
169 portSecurityRule.getSecurityRuleRemoteIpPrefix());
170 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PREFIX_MATCH_PRIORITY_DROP, true);
171 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
172 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PREFIX_MATCH_PRIORITY);
176 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
178 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
179 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
180 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
181 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
182 logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
183 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
184 portSecurityRule.getSecurityRulePortMax(),
185 portSecurityRule.getSecurityRuleRemoteIpPrefix());
186 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PORT_MATCH_PRIORITY_DROP,
188 ingressACLTcpSyn(dpid, segmentationId,
189 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
190 PREFIX_PORT_MATCH_PRIORITY_DROP);
194 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
196 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
197 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
198 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
199 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
200 logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
201 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
202 portSecurityRule.getSecurityRulePortMax(),
203 portSecurityRule.getSecurityRuleRemoteIpPrefix());
204 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
205 PROTO_PORT_MATCH_PRIORITY_DROP, true);
206 ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
207 portSecurityRule.getSecurityRulePortMin(), PROTO_PORT_MATCH_PRIORITY);
211 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
213 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
214 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
215 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
216 ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
217 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
218 .equalsIgnoreCase("0.0.0.0/0"))) {
219 logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
220 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
221 portSecurityRule.getSecurityRulePortMax(),
222 portSecurityRule.getSecurityRuleRemoteIpPrefix());
223 // No need to drop until UDP/ICMP are implemented
224 // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
225 handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
226 portSecurityRule.getSecurityRuleProtocol(), PROTO_MATCH_PRIORITY);
229 logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
233 * Neutron Port Security ACL "egress" and "IPv4"
235 * Check that the base conditions for flow based Port Security are true:
236 * Port Security Rule Direction ("egress") and Protocol ("IPv4")
237 * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
238 * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
241 if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
242 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("egress")) {
243 logger.debug("Egress IPV4 ACL Port Security Rule: {} ", portSecurityRule);
244 // TODO Move to EgressAclService and Implement Port Range
247 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
249 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
250 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
251 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
252 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
253 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
254 .equalsIgnoreCase("0.0.0.0/0"))) {
255 logger.debug("Rule #1 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
256 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
257 portSecurityRule.getSecurityRulePortMax(),
258 portSecurityRule.getSecurityRuleRemoteIpPrefix());
259 egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
260 PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
262 egressACLTcpPortWithPrefix(dpid, segmentationId,
263 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
264 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
268 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
270 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
271 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
272 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
273 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
274 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
275 .equalsIgnoreCase("0.0.0.0/0"))) {
276 logger.debug("Rule #2 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
277 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
278 portSecurityRule.getSecurityRulePortMax(),
279 portSecurityRule.getSecurityRuleRemoteIpPrefix());
280 egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
281 PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
283 egressACLTcpPortWithPrefix(dpid, segmentationId,
284 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
285 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
289 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
291 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
292 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
293 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
294 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
295 logger.debug("Rule #3 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
296 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
297 portSecurityRule.getSecurityRulePortMax(),
298 portSecurityRule.getSecurityRuleRemoteIpPrefix());
299 egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PREFIX_MATCH_PRIORITY_DROP,
301 egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
302 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PREFIX_MATCH_PRIORITY);
306 * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
308 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
309 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
310 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
311 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
312 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
313 .equalsIgnoreCase("0.0.0.0/0"))) {
314 logger.debug("Rule #4 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
315 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
316 portSecurityRule.getSecurityRulePortMax(),
317 portSecurityRule.getSecurityRuleRemoteIpPrefix());
318 egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PREFIX_MATCH_PRIORITY_DROP, true);
319 egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
320 portSecurityRule.getSecurityRuleRemoteIpPrefix(), PREFIX_MATCH_PRIORITY);
324 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
326 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
327 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
328 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
329 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
330 logger.debug("Rule #5 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
331 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
332 portSecurityRule.getSecurityRulePortMax(),
333 portSecurityRule.getSecurityRuleRemoteIpPrefix());
334 egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PORT_MATCH_PRIORITY_DROP,
336 egressACLTcpSyn(dpid, segmentationId,
337 attachedMac, true, portSecurityRule.getSecurityRulePortMin(), PROTO_PORT_MATCH_PRIORITY);
341 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
343 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
344 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
345 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
346 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
347 logger.debug("Rule #6 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
348 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
349 portSecurityRule.getSecurityRulePortMax(),
350 portSecurityRule.getSecurityRuleRemoteIpPrefix());
351 egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
352 PROTO_PORT_MATCH_PRIORITY_DROP, true);
353 egressACLTcpSyn(dpid, segmentationId, attachedMac, true,
354 portSecurityRule.getSecurityRulePortMin(), PROTO_PORT_MATCH_PRIORITY);
358 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
360 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
361 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
362 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
363 ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
364 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
365 .equalsIgnoreCase("0.0.0.0/0"))) {
366 logger.debug("Rule #7 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
367 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
368 portSecurityRule.getSecurityRulePortMax(),
369 portSecurityRule.getSecurityRuleRemoteIpPrefix());
370 // No need to drop until UDP/ICMP are implemented
371 // egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
372 egressAllowProto(dpid, segmentationId, attachedMac, true,
373 portSecurityRule.getSecurityRuleProtocol(), PROTO_MATCH_PRIORITY);
376 logger.debug("ACL Match combination not found for rule: {}", portSecurityRule);
382 public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
383 Integer securityRulePortMin, Integer protoPortMatchPriority) {
385 String nodeName = OPENFLOW + dpidLong;
386 PortNumber tcpPort = new PortNumber(securityRulePortMin);
387 MatchBuilder matchBuilder = new MatchBuilder();
388 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
389 FlowBuilder flowBuilder = new FlowBuilder();
391 flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
392 TCP_SYN, segmentationId).build());
394 logger.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
395 String flowId = "UcastOut_ACL2" + segmentationId + "_" + attachedMac + securityRulePortMin;
396 // Add Flow Attributes
397 flowBuilder.setId(new FlowId(flowId));
398 FlowKey key = new FlowKey(new FlowId(flowId));
399 flowBuilder.setStrict(false);
400 flowBuilder.setPriority(protoPortMatchPriority);
401 flowBuilder.setBarrier(true);
402 flowBuilder.setTableId(INGRESS_ACL);
403 flowBuilder.setKey(key);
404 flowBuilder.setFlowName(flowId);
405 flowBuilder.setHardTimeout(0);
406 flowBuilder.setIdleTimeout(0);
409 // Instantiate the Builders for the OF Actions and Instructions
410 InstructionBuilder ib = new InstructionBuilder();
411 InstructionsBuilder isb = new InstructionsBuilder();
412 List<Instruction> instructionsList = Lists.newArrayList();
414 ib = this.getMutablePipelineInstructionBuilder();
416 ib.setKey(new InstructionKey(0));
417 instructionsList.add(ib.build());
418 isb.setInstruction(instructionsList);
420 logger.debug("Instructions are: {}", ib.getInstruction());
421 // Add InstructionsBuilder to FlowBuilder
422 flowBuilder.setInstructions(isb.build());
423 writeFlow(flowBuilder, nodeBuilder);
425 // removeFlow(flowBuilder, nodeBuilder);
429 public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
430 boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
431 Integer protoPortPrefixMatchPriority) {
433 String nodeName = OPENFLOW + dpidLong;
434 PortNumber tcpPort = new PortNumber(securityRulePortMin);
436 MatchBuilder matchBuilder = new MatchBuilder();
437 NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
438 FlowBuilder flowBuilder = new FlowBuilder();
439 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
441 flowBuilder.setMatch(MatchUtils
442 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
443 tcpPort, TCP_SYN, segmentationId, srcIpPrefix).build());
445 logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
446 String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
447 securityRulePortMin + securityRuleIpPrefix;
448 // Add Flow Attributes
449 flowBuilder.setId(new FlowId(flowId));
450 FlowKey key = new FlowKey(new FlowId(flowId));
451 flowBuilder.setStrict(false);
452 flowBuilder.setPriority(protoPortPrefixMatchPriority);
453 flowBuilder.setBarrier(true);
454 flowBuilder.setTableId(INGRESS_ACL);
455 flowBuilder.setKey(key);
456 flowBuilder.setFlowName(flowId);
457 flowBuilder.setHardTimeout(0);
458 flowBuilder.setIdleTimeout(0);
461 // Instantiate the Builders for the OF Actions and Instructions
462 InstructionBuilder ib = new InstructionBuilder();
463 InstructionsBuilder isb = new InstructionsBuilder();
465 List<Instruction> instructionsList = Lists.newArrayList();
466 ib = this.getMutablePipelineInstructionBuilder();
468 ib.setKey(new InstructionKey(0));
469 instructionsList.add(ib.build());
470 isb.setInstruction(instructionsList);
472 logger.debug("Instructions contain: {}", ib.getInstruction());
473 // Add InstructionsBuilder to FlowBuilder
474 flowBuilder.setInstructions(isb.build());
475 writeFlow(flowBuilder, nodeBuilder);
477 // removeFlow(flowBuilder, nodeBuilder);
481 public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
482 String securityRuleProtcol, Integer protoMatchPriority) {
484 String nodeName = OPENFLOW + dpidLong;
486 MatchBuilder matchBuilder = new MatchBuilder();
487 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
488 FlowBuilder flowBuilder = new FlowBuilder();
490 flowBuilder.setMatch(MatchUtils
491 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
492 flowBuilder.setMatch(MatchUtils
493 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
494 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
496 String flowId = "UcastOut_" + segmentationId + "_" +
497 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
498 // Add Flow Attributes
499 flowBuilder.setId(new FlowId(flowId));
500 FlowKey key = new FlowKey(new FlowId(flowId));
501 flowBuilder.setStrict(false);
502 flowBuilder.setPriority(protoMatchPriority);
503 flowBuilder.setBarrier(true);
504 flowBuilder.setTableId(INGRESS_ACL);
505 flowBuilder.setKey(key);
506 flowBuilder.setFlowName(flowId);
507 flowBuilder.setHardTimeout(0);
508 flowBuilder.setIdleTimeout(0);
511 // Instantiate the Builders for the OF Actions and Instructions
512 InstructionBuilder ib = new InstructionBuilder();
513 InstructionsBuilder isb = new InstructionsBuilder();
514 List<Instruction> instructionsList = Lists.newArrayList();
516 ib = this.getMutablePipelineInstructionBuilder();
518 ib.setKey(new InstructionKey(1));
519 instructionsList.add(ib.build());
520 isb.setInstruction(instructionsList);
521 logger.debug("Instructions contain: {}", ib.getInstruction());
523 // Add InstructionsBuilder to FlowBuilder
524 flowBuilder.setInstructions(isb.build());
525 writeFlow(flowBuilder, nodeBuilder);
527 // removeFlow(flowBuilder, nodeBuilder);
532 public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
533 int priority, boolean write) {
535 String nodeName = OPENFLOW + dpidLong;
536 MatchBuilder matchBuilder = new MatchBuilder();
537 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
538 FlowBuilder flowBuilder = new FlowBuilder();
540 flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
541 attachedMac, TCP_SYN, segmentationId).build());
543 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
544 String flowId = "PortSec_TCP_Syn_Default_Drop_" + attachedMac;
545 flowBuilder.setId(new FlowId(flowId));
546 FlowKey key = new FlowKey(new FlowId(flowId));
547 flowBuilder.setStrict(false);
548 flowBuilder.setPriority(priority);
549 flowBuilder.setBarrier(true);
550 flowBuilder.setTableId(INGRESS_ACL);
551 flowBuilder.setKey(key);
552 flowBuilder.setFlowName(flowId);
553 flowBuilder.setHardTimeout(0);
554 flowBuilder.setIdleTimeout(0);
557 // Instantiate the Builders for the OF Actions and Instructions
558 InstructionBuilder ib = new InstructionBuilder();
559 InstructionsBuilder isb = new InstructionsBuilder();
561 // Instructions List Stores Individual Instructions
562 List<Instruction> instructions = Lists.newArrayList();
564 // Set the Output Port/Iface
565 InstructionUtils.createDropInstructions(ib);
567 ib.setKey(new InstructionKey(0));
568 instructions.add(ib.build());
570 // Add InstructionBuilder to the Instruction(s)Builder List
571 isb.setInstruction(instructions);
572 logger.debug("Instructions contain: {}", ib.getInstruction());
573 // Add InstructionsBuilder to FlowBuilder
574 flowBuilder.setInstructions(isb.build());
575 writeFlow(flowBuilder, nodeBuilder);
577 // removeFlow(flowBuilder, nodeBuilder);
581 public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
582 boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
584 String nodeName = OPENFLOW + dpidLong;
585 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
586 MatchBuilder matchBuilder = new MatchBuilder();
587 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
588 FlowBuilder flowBuilder = new FlowBuilder();
590 flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
592 if (securityRuleIpPrefix != null) {
593 flowBuilder.setMatch(MatchUtils
594 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
597 flowBuilder.setMatch(MatchUtils
598 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
602 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
603 String flowId = "IngressProto_ACL_" + segmentationId + "_" +
604 attachedMac + "_Permit_" + securityRuleIpPrefix;
605 // Add Flow Attributes
606 flowBuilder.setId(new FlowId(flowId));
607 FlowKey key = new FlowKey(new FlowId(flowId));
608 flowBuilder.setStrict(false);
609 flowBuilder.setPriority(protoPortMatchPriority);
610 flowBuilder.setBarrier(true);
611 flowBuilder.setTableId(INGRESS_ACL);
612 flowBuilder.setKey(key);
613 flowBuilder.setFlowName(flowId);
614 flowBuilder.setHardTimeout(0);
615 flowBuilder.setIdleTimeout(0);
618 // Instantiate the Builders for the OF Actions and Instructions
619 InstructionBuilder ib = new InstructionBuilder();
620 InstructionsBuilder isb = new InstructionsBuilder();
621 List<Instruction> instructionsList = Lists.newArrayList();
623 ib = this.getMutablePipelineInstructionBuilder();
625 ib.setKey(new InstructionKey(0));
626 instructionsList.add(ib.build());
627 isb.setInstruction(instructionsList);
629 logger.debug("Instructions contain: {}", ib.getInstruction());
630 // Add InstructionsBuilder to FlowBuilder
631 flowBuilder.setInstructions(isb.build());
632 writeFlow(flowBuilder, nodeBuilder);
634 // // removeFlow(flowBuilder, nodeBuilder);
638 public void egressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
639 int priority, boolean write) {
641 String nodeName = OPENFLOW + dpidLong;
642 MatchBuilder matchBuilder = new MatchBuilder();
643 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
644 FlowBuilder flowBuilder = new FlowBuilder();
646 flowBuilder.setMatch(MatchUtils.createSmacTcpPortWithFlagMatch(matchBuilder,
647 attachedMac, TCP_SYN, segmentationId).build());
648 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
650 String flowId = "TCP_Syn_Egress_Default_Drop_" + attachedMac;
651 flowBuilder.setId(new FlowId(flowId));
652 FlowKey key = new FlowKey(new FlowId(flowId));
653 flowBuilder.setStrict(false);
654 flowBuilder.setPriority(priority);
655 flowBuilder.setBarrier(true);
656 flowBuilder.setTableId(EGRESS_ACL);
657 flowBuilder.setKey(key);
658 flowBuilder.setFlowName(flowId);
659 flowBuilder.setHardTimeout(0);
660 flowBuilder.setIdleTimeout(0);
663 // Instantiate the Builders for the OF Actions and Instructions
664 InstructionBuilder ib = new InstructionBuilder();
665 InstructionsBuilder isb = new InstructionsBuilder();
666 List<Instruction> instructions = Lists.newArrayList();
668 InstructionUtils.createDropInstructions(ib);
670 ib.setKey(new InstructionKey(0));
671 instructions.add(ib.build());
672 // Add InstructionBuilder to the Instruction(s)Builder List
673 isb.setInstruction(instructions);
675 logger.debug("Instructions contain: {}", ib.getInstruction());
676 // Add InstructionsBuilder to FlowBuilder
677 flowBuilder.setInstructions(isb.build());
678 writeFlow(flowBuilder, nodeBuilder);
680 // TODO Add // removeFlow to AnstractServiceInstance
681 //// removeFlow(flowBuilder, nodeBuilder);
685 public void egressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac, boolean write,
686 Integer securityRulePortMin, String securityRuleIpPrefix, Integer protoPortPrefixMatchPriority) {
688 String nodeName = OPENFLOW + dpidLong;
689 PortNumber tcpPort = new PortNumber(securityRulePortMin);
690 MatchBuilder matchBuilder = new MatchBuilder();
691 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
692 FlowBuilder flowBuilder = new FlowBuilder();
693 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
695 flowBuilder.setMatch(MatchUtils
696 .createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
697 tcpPort, TCP_SYN, segmentationId, srcIpPrefix).build());
699 logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
700 String flowId = "UcastEgress_" + segmentationId + "_" + attachedMac +
701 securityRulePortMin + securityRuleIpPrefix;
702 // Add Flow Attributes
703 flowBuilder.setId(new FlowId(flowId));
704 FlowKey key = new FlowKey(new FlowId(flowId));
705 flowBuilder.setStrict(false);
706 flowBuilder.setPriority(protoPortPrefixMatchPriority);
707 flowBuilder.setBarrier(true);
708 flowBuilder.setTableId(EGRESS_ACL);
709 flowBuilder.setKey(key);
710 flowBuilder.setFlowName(flowId);
711 flowBuilder.setHardTimeout(0);
712 flowBuilder.setIdleTimeout(0);
715 // Instantiate the Builders for the OF Actions and Instructions
716 InstructionBuilder ib = new InstructionBuilder();
717 InstructionsBuilder isb = new InstructionsBuilder();
718 List<Instruction> instructionsList = Lists.newArrayList();
720 InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
722 ib.setKey(new InstructionKey(0));
723 instructionsList.add(ib.build());
724 isb.setInstruction(instructionsList);
726 logger.debug("Instructions contain: {}", ib.getInstruction());
727 // Add InstructionsBuilder to FlowBuilder
728 flowBuilder.setInstructions(isb.build());
729 writeFlow(flowBuilder, nodeBuilder);
731 // TODO Add // removeFlow to AnstractServiceInstance
732 //// removeFlow(flowBuilder, nodeBuilder);
738 public void egressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
739 String securityRuleProtcol, Integer protoMatchPriority) {
741 String nodeName = OPENFLOW + dpidLong;
742 MatchBuilder matchBuilder = new MatchBuilder();
743 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
744 FlowBuilder flowBuilder = new FlowBuilder();
746 flowBuilder.setMatch(MatchUtils
747 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
748 flowBuilder.setMatch(MatchUtils
749 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
751 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
752 String flowId = "EgressAllProto_" + segmentationId + "_" +
753 attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
754 // Add Flow Attributes
755 flowBuilder.setId(new FlowId(flowId));
756 FlowKey key = new FlowKey(new FlowId(flowId));
757 flowBuilder.setStrict(false);
758 flowBuilder.setPriority(protoMatchPriority);
759 flowBuilder.setBarrier(true);
760 flowBuilder.setTableId(EGRESS_ACL);
761 flowBuilder.setKey(key);
762 flowBuilder.setFlowName(flowId);
763 flowBuilder.setHardTimeout(0);
764 flowBuilder.setIdleTimeout(0);
767 // Instantiate the Builders for the OF Actions and Instructions
768 InstructionBuilder ib = new InstructionBuilder();
769 InstructionsBuilder isb = new InstructionsBuilder();
770 List<Instruction> instructionsList = Lists.newArrayList();
772 InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
774 ib.setKey(new InstructionKey(0));
775 instructionsList.add(ib.build());
776 isb.setInstruction(instructionsList);
778 logger.debug("Instructions contain: {}", ib.getInstruction());
779 // Add InstructionsBuilder to FlowBuilder
780 flowBuilder.setInstructions(isb.build());
781 writeFlow(flowBuilder, nodeBuilder);
783 // removeFlow(flowBuilder, nodeBuilder);
787 public void egressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
788 boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
790 String nodeName = OPENFLOW + dpidLong;
791 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
792 MatchBuilder matchBuilder = new MatchBuilder();
793 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
794 FlowBuilder flowBuilder = new FlowBuilder();
796 flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
798 if (securityRuleIpPrefix != null) {
799 flowBuilder.setMatch(MatchUtils
800 .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
803 flowBuilder.setMatch(MatchUtils
804 .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
807 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
808 String flowId = "Egress_Proto_ACL" + segmentationId + "_" +
809 attachedMac + "_Permit_" + securityRuleIpPrefix;
810 // Add Flow Attributes
811 flowBuilder.setId(new FlowId(flowId));
812 FlowKey key = new FlowKey(new FlowId(flowId));
813 flowBuilder.setStrict(false);
814 flowBuilder.setPriority(protoPortMatchPriority);
815 flowBuilder.setBarrier(true);
816 flowBuilder.setTableId(EGRESS_ACL);
817 flowBuilder.setKey(key);
818 flowBuilder.setFlowName(flowId);
819 flowBuilder.setHardTimeout(0);
820 flowBuilder.setIdleTimeout(0);
823 // Instantiate the Builders for the OF Actions and Instructions
824 InstructionBuilder ib = new InstructionBuilder();
825 InstructionsBuilder isb = new InstructionsBuilder();
826 List<Instruction> instructionsList = Lists.newArrayList();
828 InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
830 ib.setKey(new InstructionKey(0));
831 instructionsList.add(ib.build());
832 isb.setInstruction(instructionsList);
834 logger.debug("Instructions contain: {}", ib.getInstruction());
835 // Add InstructionsBuilder to FlowBuilder
836 flowBuilder.setInstructions(isb.build());
837 writeFlow(flowBuilder, nodeBuilder);
839 // removeFlow(flowBuilder, nodeBuilder);
844 public void egressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
845 Integer securityRulePortMin, Integer protoPortMatchPriority) {
847 String nodeName = OPENFLOW + dpidLong;
848 PortNumber tcpPort = new PortNumber(securityRulePortMin);
849 MatchBuilder matchBuilder = new MatchBuilder();
850 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
851 FlowBuilder flowBuilder = new FlowBuilder();
853 flowBuilder.setMatch(MatchUtils.createSmacTcpSyn(matchBuilder, attachedMac, tcpPort,
854 TCP_SYN, segmentationId).build());
856 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
857 String flowId = "Ucast_Egress_ACL" + segmentationId + "_" + attachedMac + securityRulePortMin;
858 // Add Flow Attributes
859 flowBuilder.setId(new FlowId(flowId));
860 FlowKey key = new FlowKey(new FlowId(flowId));
861 flowBuilder.setStrict(false);
862 flowBuilder.setPriority(protoPortMatchPriority);
863 flowBuilder.setBarrier(true);
864 flowBuilder.setTableId(EGRESS_ACL);
865 flowBuilder.setKey(key);
866 flowBuilder.setFlowName(flowId);
867 flowBuilder.setHardTimeout(0);
868 flowBuilder.setIdleTimeout(0);
871 // Instantiate the Builders for the OF Actions and Instructions
872 InstructionBuilder ib = new InstructionBuilder();
873 InstructionsBuilder isb = new InstructionsBuilder();
874 List<Instruction> instructionsList = Lists.newArrayList();
876 InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
878 ib.setKey(new InstructionKey(0));
879 instructionsList.add(ib.build());
880 isb.setInstruction(instructionsList);
882 logger.debug("Instructions contain: {}", ib.getInstruction());
883 // Add InstructionsBuilder to FlowBuilder
884 flowBuilder.setInstructions(isb.build());
885 writeFlow(flowBuilder, nodeBuilder);
887 // removeFlow(flowBuilder, nodeBuilder);