2 * Copyright (C) 2014 Red Hat, Inc.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 * Authors : Madhu Venugopal
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
12 import java.math.BigInteger;
13 import java.util.List;
15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
19 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
21 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
22 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.Node;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
36 import org.slf4j.Logger;
37 import org.slf4j.LoggerFactory;
39 import com.google.common.collect.Lists;
41 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider {
43 static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
45 public IngressAclService() {
46 super(Service.INGRESS_ACL);
49 public IngressAclService(Service service) {
54 public void programPortSecurityACL(Node node, Long dpid, String segmentationId, String attachedMac,
55 long localPort, NeutronSecurityGroup securityGroup) {
57 logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
58 List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
59 /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
60 for (NeutronSecurityRule portSecurityRule : portSecurityList) {
62 * Neutron Port Security ACL "ingress" and "IPv4"
64 * Check that the base conditions for flow based Port Security are true:
65 * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
66 * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
67 * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
70 if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
71 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
72 logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
74 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
76 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
77 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
78 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
79 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
80 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
81 .equalsIgnoreCase("0.0.0.0/0"))) {
82 logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
83 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
84 portSecurityRule.getSecurityRulePortMax(),
85 portSecurityRule.getSecurityRuleRemoteIpPrefix());
86 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
87 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
89 ingressACLTcpPortWithPrefix(dpid, segmentationId,
90 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
91 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
95 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
97 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
98 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
99 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
100 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
101 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
102 .equalsIgnoreCase("0.0.0.0/0"))) {
103 logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
104 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
105 portSecurityRule.getSecurityRulePortMax(),
106 portSecurityRule.getSecurityRuleRemoteIpPrefix());
107 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
108 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
110 ingressACLTcpPortWithPrefix(dpid, segmentationId,
111 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
112 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
116 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
118 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
119 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
120 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
121 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
122 logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
123 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
124 portSecurityRule.getSecurityRulePortMax(),
125 portSecurityRule.getSecurityRuleRemoteIpPrefix());
126 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
128 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
129 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
133 * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
135 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
136 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
137 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
138 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
139 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
140 .equalsIgnoreCase("0.0.0.0/0"))) {
141 logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
142 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
143 portSecurityRule.getSecurityRulePortMax(),
144 portSecurityRule.getSecurityRuleRemoteIpPrefix());
145 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
146 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
147 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
151 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
153 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
154 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
155 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
156 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
157 logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
158 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
159 portSecurityRule.getSecurityRulePortMax(),
160 portSecurityRule.getSecurityRuleRemoteIpPrefix());
161 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
163 ingressACLTcpSyn(dpid, segmentationId,
164 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
165 Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
169 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
171 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
172 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
173 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
174 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
175 logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
176 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
177 portSecurityRule.getSecurityRulePortMax(),
178 portSecurityRule.getSecurityRuleRemoteIpPrefix());
179 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
180 Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
181 ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
182 portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
186 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
188 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
189 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
190 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
191 ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
192 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
193 .equalsIgnoreCase("0.0.0.0/0"))) {
194 logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
195 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
196 portSecurityRule.getSecurityRulePortMax(),
197 portSecurityRule.getSecurityRuleRemoteIpPrefix());
198 // No need to drop until UDP/ICMP are implemented
199 // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
200 handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
201 portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
204 logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
209 public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
210 Integer securityRulePortMin, Integer protoPortMatchPriority) {
212 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
213 PortNumber tcpPort = new PortNumber(securityRulePortMin);
214 MatchBuilder matchBuilder = new MatchBuilder();
215 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
216 FlowBuilder flowBuilder = new FlowBuilder();
218 flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
219 Constants.TCP_SYN, segmentationId).build());
221 logger.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
222 String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
223 // Add Flow Attributes
224 flowBuilder.setId(new FlowId(flowId));
225 FlowKey key = new FlowKey(new FlowId(flowId));
226 flowBuilder.setStrict(false);
227 flowBuilder.setPriority(protoPortMatchPriority);
228 flowBuilder.setBarrier(true);
229 flowBuilder.setTableId(this.getTable());
230 flowBuilder.setKey(key);
231 flowBuilder.setFlowName(flowId);
232 flowBuilder.setHardTimeout(0);
233 flowBuilder.setIdleTimeout(0);
236 // Instantiate the Builders for the OF Actions and Instructions
237 InstructionBuilder ib = new InstructionBuilder();
238 InstructionsBuilder isb = new InstructionsBuilder();
239 List<Instruction> instructionsList = Lists.newArrayList();
241 ib = this.getMutablePipelineInstructionBuilder();
243 ib.setKey(new InstructionKey(0));
244 instructionsList.add(ib.build());
245 isb.setInstruction(instructionsList);
247 logger.debug("Instructions are: {}", ib.getInstruction());
248 // Add InstructionsBuilder to FlowBuilder
249 flowBuilder.setInstructions(isb.build());
250 writeFlow(flowBuilder, nodeBuilder);
252 removeFlow(flowBuilder, nodeBuilder);
256 public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
257 boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
258 Integer protoPortPrefixMatchPriority) {
260 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
261 PortNumber tcpPort = new PortNumber(securityRulePortMin);
263 MatchBuilder matchBuilder = new MatchBuilder();
264 NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
265 FlowBuilder flowBuilder = new FlowBuilder();
266 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
268 flowBuilder.setMatch(MatchUtils
269 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
270 tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
272 logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
273 String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
274 securityRulePortMin + securityRuleIpPrefix;
275 // Add Flow Attributes
276 flowBuilder.setId(new FlowId(flowId));
277 FlowKey key = new FlowKey(new FlowId(flowId));
278 flowBuilder.setStrict(false);
279 flowBuilder.setPriority(protoPortPrefixMatchPriority);
280 flowBuilder.setBarrier(true);
281 flowBuilder.setTableId(this.getTable());
282 flowBuilder.setKey(key);
283 flowBuilder.setFlowName(flowId);
284 flowBuilder.setHardTimeout(0);
285 flowBuilder.setIdleTimeout(0);
288 // Instantiate the Builders for the OF Actions and Instructions
289 InstructionBuilder ib = new InstructionBuilder();
290 InstructionsBuilder isb = new InstructionsBuilder();
292 List<Instruction> instructionsList = Lists.newArrayList();
293 ib = this.getMutablePipelineInstructionBuilder();
295 ib.setKey(new InstructionKey(0));
296 instructionsList.add(ib.build());
297 isb.setInstruction(instructionsList);
299 logger.debug("Instructions contain: {}", ib.getInstruction());
300 // Add InstructionsBuilder to FlowBuilder
301 flowBuilder.setInstructions(isb.build());
302 writeFlow(flowBuilder, nodeBuilder);
304 removeFlow(flowBuilder, nodeBuilder);
308 public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
309 String securityRuleProtcol, Integer protoMatchPriority) {
311 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
313 MatchBuilder matchBuilder = new MatchBuilder();
314 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
315 FlowBuilder flowBuilder = new FlowBuilder();
317 flowBuilder.setMatch(MatchUtils
318 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
319 flowBuilder.setMatch(MatchUtils
320 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
321 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
323 String flowId = "UcastOut_" + segmentationId + "_" +
324 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
325 // Add Flow Attributes
326 flowBuilder.setId(new FlowId(flowId));
327 FlowKey key = new FlowKey(new FlowId(flowId));
328 flowBuilder.setStrict(false);
329 flowBuilder.setPriority(protoMatchPriority);
330 flowBuilder.setBarrier(true);
331 flowBuilder.setTableId(this.getTable());
332 flowBuilder.setKey(key);
333 flowBuilder.setFlowName(flowId);
334 flowBuilder.setHardTimeout(0);
335 flowBuilder.setIdleTimeout(0);
338 // Instantiate the Builders for the OF Actions and Instructions
339 InstructionBuilder ib = new InstructionBuilder();
340 InstructionsBuilder isb = new InstructionsBuilder();
341 List<Instruction> instructionsList = Lists.newArrayList();
343 ib = this.getMutablePipelineInstructionBuilder();
345 ib.setKey(new InstructionKey(1));
346 instructionsList.add(ib.build());
347 isb.setInstruction(instructionsList);
348 logger.debug("Instructions contain: {}", ib.getInstruction());
350 // Add InstructionsBuilder to FlowBuilder
351 flowBuilder.setInstructions(isb.build());
352 writeFlow(flowBuilder, nodeBuilder);
354 removeFlow(flowBuilder, nodeBuilder);
359 public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
360 int priority, boolean write) {
362 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
363 MatchBuilder matchBuilder = new MatchBuilder();
364 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
365 FlowBuilder flowBuilder = new FlowBuilder();
367 flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
368 attachedMac, Constants.TCP_SYN, segmentationId).build());
370 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
371 String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
372 flowBuilder.setId(new FlowId(flowId));
373 FlowKey key = new FlowKey(new FlowId(flowId));
374 flowBuilder.setStrict(false);
375 flowBuilder.setPriority(priority);
376 flowBuilder.setBarrier(true);
377 flowBuilder.setTableId(this.getTable());
378 flowBuilder.setKey(key);
379 flowBuilder.setFlowName(flowId);
380 flowBuilder.setHardTimeout(0);
381 flowBuilder.setIdleTimeout(0);
384 // Instantiate the Builders for the OF Actions and Instructions
385 InstructionBuilder ib = new InstructionBuilder();
386 InstructionsBuilder isb = new InstructionsBuilder();
388 // Instructions List Stores Individual Instructions
389 List<Instruction> instructions = Lists.newArrayList();
391 // Set the Output Port/Iface
392 InstructionUtils.createDropInstructions(ib);
394 ib.setKey(new InstructionKey(0));
395 instructions.add(ib.build());
397 // Add InstructionBuilder to the Instruction(s)Builder List
398 isb.setInstruction(instructions);
399 logger.debug("Instructions contain: {}", ib.getInstruction());
400 // Add InstructionsBuilder to FlowBuilder
401 flowBuilder.setInstructions(isb.build());
402 writeFlow(flowBuilder, nodeBuilder);
404 removeFlow(flowBuilder, nodeBuilder);
408 public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
409 boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
411 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
412 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
413 MatchBuilder matchBuilder = new MatchBuilder();
414 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
415 FlowBuilder flowBuilder = new FlowBuilder();
417 flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
419 if (securityRuleIpPrefix != null) {
420 flowBuilder.setMatch(MatchUtils
421 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
424 flowBuilder.setMatch(MatchUtils
425 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
429 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
430 String flowId = "IngressProto_ACL_" + segmentationId + "_" +
431 attachedMac + "_Permit_" + securityRuleIpPrefix;
432 // Add Flow Attributes
433 flowBuilder.setId(new FlowId(flowId));
434 FlowKey key = new FlowKey(new FlowId(flowId));
435 flowBuilder.setStrict(false);
436 flowBuilder.setPriority(protoPortMatchPriority);
437 flowBuilder.setBarrier(true);
438 flowBuilder.setTableId(this.getTable());
439 flowBuilder.setKey(key);
440 flowBuilder.setFlowName(flowId);
441 flowBuilder.setHardTimeout(0);
442 flowBuilder.setIdleTimeout(0);
445 // Instantiate the Builders for the OF Actions and Instructions
446 InstructionBuilder ib = new InstructionBuilder();
447 InstructionsBuilder isb = new InstructionsBuilder();
448 List<Instruction> instructionsList = Lists.newArrayList();
450 ib = this.getMutablePipelineInstructionBuilder();
452 ib.setKey(new InstructionKey(0));
453 instructionsList.add(ib.build());
454 isb.setInstruction(instructionsList);
456 logger.debug("Instructions contain: {}", ib.getInstruction());
457 // Add InstructionsBuilder to FlowBuilder
458 flowBuilder.setInstructions(isb.build());
459 writeFlow(flowBuilder, nodeBuilder);
461 removeFlow(flowBuilder, nodeBuilder);