2 * Copyright (C) 2014 Red Hat, Inc.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 * Authors : Madhu Venugopal
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
12 import java.math.BigInteger;
13 import java.util.List;
15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
18 import org.opendaylight.ovsdb.openstack.netvirt.api.InboundNatProvider;
19 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
20 import org.opendaylight.ovsdb.openstack.netvirt.providers.ConfigInterface;
21 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
22 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
23 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
24 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
26 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
27 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
37 import org.osgi.framework.BundleContext;
38 import org.osgi.framework.ServiceReference;
39 import org.slf4j.Logger;
40 import org.slf4j.LoggerFactory;
42 import com.google.common.collect.Lists;
44 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider, ConfigInterface {
46 static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
48 public IngressAclService() {
49 super(Service.INGRESS_ACL);
52 public IngressAclService(Service service) {
57 public void programPortSecurityACL(Long dpid, String segmentationId, String attachedMac,
58 long localPort, NeutronSecurityGroup securityGroup) {
60 logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
61 List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
62 /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
63 for (NeutronSecurityRule portSecurityRule : portSecurityList) {
65 * Neutron Port Security ACL "ingress" and "IPv4"
67 * Check that the base conditions for flow based Port Security are true:
68 * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
69 * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
70 * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
73 if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
74 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
75 logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
77 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
79 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
80 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
81 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
82 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
83 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
84 .equalsIgnoreCase("0.0.0.0/0"))) {
85 logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
86 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
87 portSecurityRule.getSecurityRulePortMax(),
88 portSecurityRule.getSecurityRuleRemoteIpPrefix());
89 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
90 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
92 ingressACLTcpPortWithPrefix(dpid, segmentationId,
93 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
94 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
98 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
100 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
101 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
102 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
103 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
104 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
105 .equalsIgnoreCase("0.0.0.0/0"))) {
106 logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
107 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
108 portSecurityRule.getSecurityRulePortMax(),
109 portSecurityRule.getSecurityRuleRemoteIpPrefix());
110 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
111 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
113 ingressACLTcpPortWithPrefix(dpid, segmentationId,
114 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
115 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
119 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
121 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
122 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
123 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
124 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
125 logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
126 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
127 portSecurityRule.getSecurityRulePortMax(),
128 portSecurityRule.getSecurityRuleRemoteIpPrefix());
129 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
131 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
132 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
136 * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
138 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
139 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
140 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
141 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
142 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
143 .equalsIgnoreCase("0.0.0.0/0"))) {
144 logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
145 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
146 portSecurityRule.getSecurityRulePortMax(),
147 portSecurityRule.getSecurityRuleRemoteIpPrefix());
148 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
149 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
150 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
154 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
156 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
157 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
158 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
159 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
160 logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
161 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
162 portSecurityRule.getSecurityRulePortMax(),
163 portSecurityRule.getSecurityRuleRemoteIpPrefix());
164 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
166 ingressACLTcpSyn(dpid, segmentationId,
167 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
168 Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
172 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
174 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
175 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
176 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
177 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
178 logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
179 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
180 portSecurityRule.getSecurityRulePortMax(),
181 portSecurityRule.getSecurityRuleRemoteIpPrefix());
182 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
183 Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
184 ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
185 portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
189 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
191 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
192 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
193 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
194 ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
195 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
196 .equalsIgnoreCase("0.0.0.0/0"))) {
197 logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
198 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
199 portSecurityRule.getSecurityRulePortMax(),
200 portSecurityRule.getSecurityRuleRemoteIpPrefix());
201 // No need to drop until UDP/ICMP are implemented
202 // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
203 handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
204 portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
207 logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
212 public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
213 Integer securityRulePortMin, Integer protoPortMatchPriority) {
215 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
216 PortNumber tcpPort = new PortNumber(securityRulePortMin);
217 MatchBuilder matchBuilder = new MatchBuilder();
218 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
219 FlowBuilder flowBuilder = new FlowBuilder();
221 flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
222 Constants.TCP_SYN, segmentationId).build());
224 logger.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
225 String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
226 // Add Flow Attributes
227 flowBuilder.setId(new FlowId(flowId));
228 FlowKey key = new FlowKey(new FlowId(flowId));
229 flowBuilder.setStrict(false);
230 flowBuilder.setPriority(protoPortMatchPriority);
231 flowBuilder.setBarrier(true);
232 flowBuilder.setTableId(this.getTable());
233 flowBuilder.setKey(key);
234 flowBuilder.setFlowName(flowId);
235 flowBuilder.setHardTimeout(0);
236 flowBuilder.setIdleTimeout(0);
239 // Instantiate the Builders for the OF Actions and Instructions
240 InstructionBuilder ib = new InstructionBuilder();
241 InstructionsBuilder isb = new InstructionsBuilder();
242 List<Instruction> instructionsList = Lists.newArrayList();
244 ib = this.getMutablePipelineInstructionBuilder();
246 ib.setKey(new InstructionKey(0));
247 instructionsList.add(ib.build());
248 isb.setInstruction(instructionsList);
250 logger.debug("Instructions are: {}", ib.getInstruction());
251 // Add InstructionsBuilder to FlowBuilder
252 flowBuilder.setInstructions(isb.build());
253 writeFlow(flowBuilder, nodeBuilder);
255 removeFlow(flowBuilder, nodeBuilder);
259 public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
260 boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
261 Integer protoPortPrefixMatchPriority) {
263 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
264 PortNumber tcpPort = new PortNumber(securityRulePortMin);
266 MatchBuilder matchBuilder = new MatchBuilder();
267 NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
268 FlowBuilder flowBuilder = new FlowBuilder();
269 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
271 flowBuilder.setMatch(MatchUtils
272 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
273 tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
275 logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
276 String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
277 securityRulePortMin + securityRuleIpPrefix;
278 // Add Flow Attributes
279 flowBuilder.setId(new FlowId(flowId));
280 FlowKey key = new FlowKey(new FlowId(flowId));
281 flowBuilder.setStrict(false);
282 flowBuilder.setPriority(protoPortPrefixMatchPriority);
283 flowBuilder.setBarrier(true);
284 flowBuilder.setTableId(this.getTable());
285 flowBuilder.setKey(key);
286 flowBuilder.setFlowName(flowId);
287 flowBuilder.setHardTimeout(0);
288 flowBuilder.setIdleTimeout(0);
291 // Instantiate the Builders for the OF Actions and Instructions
292 InstructionBuilder ib = new InstructionBuilder();
293 InstructionsBuilder isb = new InstructionsBuilder();
295 List<Instruction> instructionsList = Lists.newArrayList();
296 ib = this.getMutablePipelineInstructionBuilder();
298 ib.setKey(new InstructionKey(0));
299 instructionsList.add(ib.build());
300 isb.setInstruction(instructionsList);
302 logger.debug("Instructions contain: {}", ib.getInstruction());
303 // Add InstructionsBuilder to FlowBuilder
304 flowBuilder.setInstructions(isb.build());
305 writeFlow(flowBuilder, nodeBuilder);
307 removeFlow(flowBuilder, nodeBuilder);
311 public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
312 String securityRuleProtcol, Integer protoMatchPriority) {
314 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
316 MatchBuilder matchBuilder = new MatchBuilder();
317 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
318 FlowBuilder flowBuilder = new FlowBuilder();
320 flowBuilder.setMatch(MatchUtils
321 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
322 flowBuilder.setMatch(MatchUtils
323 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
324 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
326 String flowId = "UcastOut_" + segmentationId + "_" +
327 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
328 // Add Flow Attributes
329 flowBuilder.setId(new FlowId(flowId));
330 FlowKey key = new FlowKey(new FlowId(flowId));
331 flowBuilder.setStrict(false);
332 flowBuilder.setPriority(protoMatchPriority);
333 flowBuilder.setBarrier(true);
334 flowBuilder.setTableId(this.getTable());
335 flowBuilder.setKey(key);
336 flowBuilder.setFlowName(flowId);
337 flowBuilder.setHardTimeout(0);
338 flowBuilder.setIdleTimeout(0);
341 // Instantiate the Builders for the OF Actions and Instructions
342 InstructionBuilder ib = new InstructionBuilder();
343 InstructionsBuilder isb = new InstructionsBuilder();
344 List<Instruction> instructionsList = Lists.newArrayList();
346 ib = this.getMutablePipelineInstructionBuilder();
348 ib.setKey(new InstructionKey(1));
349 instructionsList.add(ib.build());
350 isb.setInstruction(instructionsList);
351 logger.debug("Instructions contain: {}", ib.getInstruction());
353 // Add InstructionsBuilder to FlowBuilder
354 flowBuilder.setInstructions(isb.build());
355 writeFlow(flowBuilder, nodeBuilder);
357 removeFlow(flowBuilder, nodeBuilder);
362 public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
363 int priority, boolean write) {
365 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
366 MatchBuilder matchBuilder = new MatchBuilder();
367 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
368 FlowBuilder flowBuilder = new FlowBuilder();
370 flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
371 attachedMac, Constants.TCP_SYN, segmentationId).build());
373 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
374 String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
375 flowBuilder.setId(new FlowId(flowId));
376 FlowKey key = new FlowKey(new FlowId(flowId));
377 flowBuilder.setStrict(false);
378 flowBuilder.setPriority(priority);
379 flowBuilder.setBarrier(true);
380 flowBuilder.setTableId(this.getTable());
381 flowBuilder.setKey(key);
382 flowBuilder.setFlowName(flowId);
383 flowBuilder.setHardTimeout(0);
384 flowBuilder.setIdleTimeout(0);
387 // Instantiate the Builders for the OF Actions and Instructions
388 InstructionBuilder ib = new InstructionBuilder();
389 InstructionsBuilder isb = new InstructionsBuilder();
391 // Instructions List Stores Individual Instructions
392 List<Instruction> instructions = Lists.newArrayList();
394 // Set the Output Port/Iface
395 InstructionUtils.createDropInstructions(ib);
397 ib.setKey(new InstructionKey(0));
398 instructions.add(ib.build());
400 // Add InstructionBuilder to the Instruction(s)Builder List
401 isb.setInstruction(instructions);
402 logger.debug("Instructions contain: {}", ib.getInstruction());
403 // Add InstructionsBuilder to FlowBuilder
404 flowBuilder.setInstructions(isb.build());
405 writeFlow(flowBuilder, nodeBuilder);
407 removeFlow(flowBuilder, nodeBuilder);
411 public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
412 boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
414 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
415 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
416 MatchBuilder matchBuilder = new MatchBuilder();
417 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
418 FlowBuilder flowBuilder = new FlowBuilder();
420 flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
422 if (securityRuleIpPrefix != null) {
423 flowBuilder.setMatch(MatchUtils
424 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
427 flowBuilder.setMatch(MatchUtils
428 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
432 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
433 String flowId = "IngressProto_ACL_" + segmentationId + "_" +
434 attachedMac + "_Permit_" + securityRuleIpPrefix;
435 // Add Flow Attributes
436 flowBuilder.setId(new FlowId(flowId));
437 FlowKey key = new FlowKey(new FlowId(flowId));
438 flowBuilder.setStrict(false);
439 flowBuilder.setPriority(protoPortMatchPriority);
440 flowBuilder.setBarrier(true);
441 flowBuilder.setTableId(this.getTable());
442 flowBuilder.setKey(key);
443 flowBuilder.setFlowName(flowId);
444 flowBuilder.setHardTimeout(0);
445 flowBuilder.setIdleTimeout(0);
448 // Instantiate the Builders for the OF Actions and Instructions
449 InstructionBuilder ib = new InstructionBuilder();
450 InstructionsBuilder isb = new InstructionsBuilder();
451 List<Instruction> instructionsList = Lists.newArrayList();
453 ib = this.getMutablePipelineInstructionBuilder();
455 ib.setKey(new InstructionKey(0));
456 instructionsList.add(ib.build());
457 isb.setInstruction(instructionsList);
459 logger.debug("Instructions contain: {}", ib.getInstruction());
460 // Add InstructionsBuilder to FlowBuilder
461 flowBuilder.setInstructions(isb.build());
462 writeFlow(flowBuilder, nodeBuilder);
464 removeFlow(flowBuilder, nodeBuilder);
469 public void setDependencies(BundleContext bundleContext, ServiceReference serviceReference) {
470 super.setOrchestrator(bundleContext.getServiceReference(IngressAclProvider.class.getName()), this);
474 public void setDependencies(Object impl) {