Code Review / ovsdb.git / blob
? search:


fccaa42b4c369eeaa30855d02059d34d98e7ba4e
[ovsdb.git] / openstack / net-virt-providers / src / main / java / org / opendaylight / ovsdb / openstack / netvirt / providers / openflow13 / services / IngressAclService.java
1 /*
2  * Copyright (C) 2014 Red Hat, Inc.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  *
8  * Authors : Madhu Venugopal
9  */
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
11
12 import java.math.BigInteger;
13 import java.util.List;
14
15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
19 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
21 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
22 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.Node;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
36 import org.slf4j.Logger;
37 import org.slf4j.LoggerFactory;
38
39 import com.google.common.collect.Lists;
40
41 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider {
42
43     static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
44
45     public IngressAclService() {
46         super(Service.INGRESS_ACL);
47     }
48
49     public IngressAclService(Service service) {
50         super(service);
51     }
52
53     @Override
54     public void programPortSecurityACL(Node node, Long dpid, String segmentationId, String attachedMac,
55             long localPort, NeutronSecurityGroup securityGroup) {
56
57         logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
58         List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
59         /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
60         for (NeutronSecurityRule portSecurityRule : portSecurityList) {
61             /**
62              * Neutron Port Security ACL "ingress" and "IPv4"
63              *
64              * Check that the base conditions for flow based Port Security are true:
65              * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
66              * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
67              * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
68              *
69              */
70             if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
71                     portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
72                 logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
73                 /**
74                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
75                  */
76                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
77                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
78                         !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
79                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
80                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
81                                         .equalsIgnoreCase("0.0.0.0/0"))) {
82                     logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
83                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
84                             portSecurityRule.getSecurityRulePortMax(),
85                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
86                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
87                             Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
88                             true);
89                     ingressACLTcpPortWithPrefix(dpid, segmentationId,
90                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
91                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
92                     continue;
93                 }
94                 /**
95                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
96                  */
97                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
98                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
99                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
100                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
101                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
102                                         .equalsIgnoreCase("0.0.0.0/0"))) {
103                     logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
104                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
105                             portSecurityRule.getSecurityRulePortMax(),
106                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
107                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
108                                              Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
109                             true);
110                     ingressACLTcpPortWithPrefix(dpid, segmentationId,
111                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
112                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
113                     continue;
114                 }
115                 /**
116                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
117                  */
118                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
119                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
120                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
121                         !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
122                     logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
123                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
124                             portSecurityRule.getSecurityRulePortMax(),
125                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
126                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
127                             true);
128                     ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
129                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
130                     continue;
131                 }
132                 /**
133                  * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
134                  */
135                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
136                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
137                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
138                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
139                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
140                                         .equalsIgnoreCase("0.0.0.0/0"))) {
141                     logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
142                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
143                             portSecurityRule.getSecurityRulePortMax(),
144                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
145                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
146                     ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
147                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
148                     continue;
149                 }
150                 /**
151                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
152                  */
153                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
154                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
155                         !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
156                         String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
157                     logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
158                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
159                             portSecurityRule.getSecurityRulePortMax(),
160                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
161                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
162                             true);
163                     ingressACLTcpSyn(dpid, segmentationId,
164                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
165                             Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
166                     continue;
167                 }
168                 /**
169                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
170                  */
171                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
172                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
173                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
174                         String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
175                     logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
176                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
177                             portSecurityRule.getSecurityRulePortMax(),
178                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
179                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
180                                              Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
181                     ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
182                             portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
183                     continue;
184                 }
185                 /**
186                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
187                  */
188                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
189                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
190                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
191                         ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
192                                 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
193                                         .equalsIgnoreCase("0.0.0.0/0"))) {
194                     logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
195                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
196                             portSecurityRule.getSecurityRulePortMax(),
197                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
198                     // No need to drop until UDP/ICMP are implemented
199                     // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
200                     handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
201                             portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
202                     continue;
203                 }
204                 logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
205             }
206         }
207     }
208
209     public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
210             Integer securityRulePortMin, Integer protoPortMatchPriority) {
211
212         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
213         PortNumber tcpPort = new PortNumber(securityRulePortMin);
214         MatchBuilder matchBuilder = new MatchBuilder();
215         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
216         FlowBuilder flowBuilder = new FlowBuilder();
217
218         flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
219                                                               Constants.TCP_SYN, segmentationId).build());
220
221         logger.debug("ingressACLTcpSyn MatchBuilder contains:  {}", flowBuilder.getMatch());
222         String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
223         // Add Flow Attributes
224         flowBuilder.setId(new FlowId(flowId));
225         FlowKey key = new FlowKey(new FlowId(flowId));
226         flowBuilder.setStrict(false);
227         flowBuilder.setPriority(protoPortMatchPriority);
228         flowBuilder.setBarrier(true);
229         flowBuilder.setTableId(this.getTable());
230         flowBuilder.setKey(key);
231         flowBuilder.setFlowName(flowId);
232         flowBuilder.setHardTimeout(0);
233         flowBuilder.setIdleTimeout(0);
234
235         if (write) {
236             // Instantiate the Builders for the OF Actions and Instructions
237             InstructionBuilder ib = new InstructionBuilder();
238             InstructionsBuilder isb = new InstructionsBuilder();
239             List<Instruction> instructionsList = Lists.newArrayList();
240
241             ib = this.getMutablePipelineInstructionBuilder();
242             ib.setOrder(0);
243             ib.setKey(new InstructionKey(0));
244             instructionsList.add(ib.build());
245             isb.setInstruction(instructionsList);
246
247             logger.debug("Instructions are: {}", ib.getInstruction());
248             // Add InstructionsBuilder to FlowBuilder
249             flowBuilder.setInstructions(isb.build());
250             writeFlow(flowBuilder, nodeBuilder);
251         } else {
252             removeFlow(flowBuilder, nodeBuilder);
253         }
254     }
255
256     public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
257             boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
258             Integer protoPortPrefixMatchPriority) {
259
260         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
261         PortNumber tcpPort = new PortNumber(securityRulePortMin);
262
263         MatchBuilder matchBuilder = new MatchBuilder();
264         NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
265         FlowBuilder flowBuilder = new FlowBuilder();
266         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
267
268         flowBuilder.setMatch(MatchUtils
269                 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
270                         tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
271
272         logger.debug(" MatchBuilder contains:  {}", flowBuilder.getMatch());
273         String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
274                 securityRulePortMin + securityRuleIpPrefix;
275         // Add Flow Attributes
276         flowBuilder.setId(new FlowId(flowId));
277         FlowKey key = new FlowKey(new FlowId(flowId));
278         flowBuilder.setStrict(false);
279         flowBuilder.setPriority(protoPortPrefixMatchPriority);
280         flowBuilder.setBarrier(true);
281         flowBuilder.setTableId(this.getTable());
282         flowBuilder.setKey(key);
283         flowBuilder.setFlowName(flowId);
284         flowBuilder.setHardTimeout(0);
285         flowBuilder.setIdleTimeout(0);
286
287         if (write) {
288             // Instantiate the Builders for the OF Actions and Instructions
289             InstructionBuilder ib = new InstructionBuilder();
290             InstructionsBuilder isb = new InstructionsBuilder();
291
292             List<Instruction> instructionsList = Lists.newArrayList();
293             ib = this.getMutablePipelineInstructionBuilder();
294             ib.setOrder(0);
295             ib.setKey(new InstructionKey(0));
296             instructionsList.add(ib.build());
297             isb.setInstruction(instructionsList);
298
299             logger.debug("Instructions contain: {}", ib.getInstruction());
300             // Add InstructionsBuilder to FlowBuilder
301             flowBuilder.setInstructions(isb.build());
302             writeFlow(flowBuilder, nodeBuilder);
303         } else {
304             removeFlow(flowBuilder, nodeBuilder);
305         }
306     }
307
308     public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
309             String securityRuleProtcol, Integer protoMatchPriority) {
310
311         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
312
313         MatchBuilder matchBuilder = new MatchBuilder();
314         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
315         FlowBuilder flowBuilder = new FlowBuilder();
316
317         flowBuilder.setMatch(MatchUtils
318                 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
319         flowBuilder.setMatch(MatchUtils
320                 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
321         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
322
323         String flowId = "UcastOut_" + segmentationId + "_" +
324                 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
325         // Add Flow Attributes
326         flowBuilder.setId(new FlowId(flowId));
327         FlowKey key = new FlowKey(new FlowId(flowId));
328         flowBuilder.setStrict(false);
329         flowBuilder.setPriority(protoMatchPriority);
330         flowBuilder.setBarrier(true);
331         flowBuilder.setTableId(this.getTable());
332         flowBuilder.setKey(key);
333         flowBuilder.setFlowName(flowId);
334         flowBuilder.setHardTimeout(0);
335         flowBuilder.setIdleTimeout(0);
336
337         if (write) {
338             // Instantiate the Builders for the OF Actions and Instructions
339             InstructionBuilder ib = new InstructionBuilder();
340             InstructionsBuilder isb = new InstructionsBuilder();
341             List<Instruction> instructionsList = Lists.newArrayList();
342
343             ib = this.getMutablePipelineInstructionBuilder();
344             ib.setOrder(1);
345             ib.setKey(new InstructionKey(1));
346             instructionsList.add(ib.build());
347             isb.setInstruction(instructionsList);
348             logger.debug("Instructions contain: {}", ib.getInstruction());
349
350             // Add InstructionsBuilder to FlowBuilder
351             flowBuilder.setInstructions(isb.build());
352             writeFlow(flowBuilder, nodeBuilder);
353         } else {
354             removeFlow(flowBuilder, nodeBuilder);
355         }
356     }
357
358
359     public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
360             int priority, boolean write) {
361
362         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
363         MatchBuilder matchBuilder = new MatchBuilder();
364         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
365         FlowBuilder flowBuilder = new FlowBuilder();
366
367         flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
368                 attachedMac, Constants.TCP_SYN, segmentationId).build());
369
370         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
371         String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
372         flowBuilder.setId(new FlowId(flowId));
373         FlowKey key = new FlowKey(new FlowId(flowId));
374         flowBuilder.setStrict(false);
375         flowBuilder.setPriority(priority);
376         flowBuilder.setBarrier(true);
377         flowBuilder.setTableId(this.getTable());
378         flowBuilder.setKey(key);
379         flowBuilder.setFlowName(flowId);
380         flowBuilder.setHardTimeout(0);
381         flowBuilder.setIdleTimeout(0);
382
383         if (write) {
384             // Instantiate the Builders for the OF Actions and Instructions
385             InstructionBuilder ib = new InstructionBuilder();
386             InstructionsBuilder isb = new InstructionsBuilder();
387
388             // Instructions List Stores Individual Instructions
389             List<Instruction> instructions = Lists.newArrayList();
390
391             // Set the Output Port/Iface
392             InstructionUtils.createDropInstructions(ib);
393             ib.setOrder(0);
394             ib.setKey(new InstructionKey(0));
395             instructions.add(ib.build());
396
397             // Add InstructionBuilder to the Instruction(s)Builder List
398             isb.setInstruction(instructions);
399             logger.debug("Instructions contain: {}", ib.getInstruction());
400             // Add InstructionsBuilder to FlowBuilder
401             flowBuilder.setInstructions(isb.build());
402             writeFlow(flowBuilder, nodeBuilder);
403         } else {
404             removeFlow(flowBuilder, nodeBuilder);
405         }
406     }
407
408     public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
409             boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
410
411         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
412         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
413         MatchBuilder matchBuilder = new MatchBuilder();
414         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
415         FlowBuilder flowBuilder = new FlowBuilder();
416
417         flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
418                 .build());
419         if (securityRuleIpPrefix != null) {
420             flowBuilder.setMatch(MatchUtils
421                     .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
422                     .build());
423         } else {
424             flowBuilder.setMatch(MatchUtils
425                     .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
426                     .build());
427         }
428
429         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
430         String flowId = "IngressProto_ACL_" + segmentationId + "_" +
431                 attachedMac + "_Permit_" + securityRuleIpPrefix;
432         // Add Flow Attributes
433         flowBuilder.setId(new FlowId(flowId));
434         FlowKey key = new FlowKey(new FlowId(flowId));
435         flowBuilder.setStrict(false);
436         flowBuilder.setPriority(protoPortMatchPriority);
437         flowBuilder.setBarrier(true);
438         flowBuilder.setTableId(this.getTable());
439         flowBuilder.setKey(key);
440         flowBuilder.setFlowName(flowId);
441         flowBuilder.setHardTimeout(0);
442         flowBuilder.setIdleTimeout(0);
443
444         if (write) {
445             // Instantiate the Builders for the OF Actions and Instructions
446             InstructionBuilder ib = new InstructionBuilder();
447             InstructionsBuilder isb = new InstructionsBuilder();
448             List<Instruction> instructionsList = Lists.newArrayList();
449
450             ib = this.getMutablePipelineInstructionBuilder();
451             ib.setOrder(1);
452             ib.setKey(new InstructionKey(0));
453             instructionsList.add(ib.build());
454             isb.setInstruction(instructionsList);
455
456             logger.debug("Instructions contain: {}", ib.getInstruction());
457             // Add InstructionsBuilder to FlowBuilder
458             flowBuilder.setInstructions(isb.build());
459             writeFlow(flowBuilder, nodeBuilder);
460         } else {
461             removeFlow(flowBuilder, nodeBuilder);
462         }
463     }
464 }
Open vSwitch Database Management Protocol