2 * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow;
11 import java.util.ArrayList;
12 import java.util.Collections;
13 import java.util.Comparator;
14 import java.util.HashMap;
15 import java.util.HashSet;
16 import java.util.List;
20 import javax.annotation.concurrent.Immutable;
22 import org.opendaylight.controller.md.sal.binding.api.ReadWriteTransaction;
23 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.OfContext;
24 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.PolicyManager.Dirty;
25 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.RegMatch;
26 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.AllowAction;
27 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.Classifier;
28 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.Action;
29 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.SubjectFeatures;
30 import org.opendaylight.groupbasedpolicy.resolver.ConditionGroup;
31 import org.opendaylight.groupbasedpolicy.resolver.EgKey;
32 import org.opendaylight.groupbasedpolicy.resolver.IndexedTenant;
33 import org.opendaylight.groupbasedpolicy.resolver.Policy;
34 import org.opendaylight.groupbasedpolicy.resolver.PolicyInfo;
35 import org.opendaylight.groupbasedpolicy.resolver.RuleGroup;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.ActionBuilder;
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
38 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.Table;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ConditionName;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.Endpoint;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.HasDirection.Direction;
46 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.action.refs.ActionRef;
47 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRef;
48 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.ParameterValue;
49 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.EndpointGroup;
50 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.EndpointGroup.IntraGroupPolicy;
51 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.contract.subject.Rule;
52 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.subject.feature.instances.ActionInstance;
53 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.subject.feature.instances.ClassifierInstance;
54 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
55 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeId;
56 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg0;
57 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg1;
58 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg2;
59 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg3;
60 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg7;
61 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
62 import org.slf4j.Logger;
63 import org.slf4j.LoggerFactory;
65 import com.google.common.collect.ComparisonChain;
66 import com.google.common.collect.Ordering;
68 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.*;
71 * Manage the table that enforces policy on the traffic. Traffic is denied
72 * unless specifically allowed by policy
75 public class PolicyEnforcer extends FlowTable {
76 protected static final Logger LOG =
77 LoggerFactory.getLogger(PolicyEnforcer.class);
79 public static final short TABLE_ID = 3;
81 public PolicyEnforcer(OfContext ctx) {
86 public short getTableId() {
91 public void sync(ReadWriteTransaction t, InstanceIdentifier<Table> tiid,
92 Map<String, FlowCtx> flowMap, NodeId nodeId,
93 PolicyInfo policyInfo, Dirty dirty)
95 dropFlow(t, tiid, flowMap, Integer.valueOf(1), null);
96 allowFromTunnel(t, tiid, flowMap, nodeId);
98 HashSet<CgPair> visitedPairs = new HashSet<>();
100 for (EgKey sepg : ctx.getEndpointManager().getGroupsForNode(nodeId)) {
101 // Allow traffic within the same endpoint group if the policy
103 IndexedTenant tenant =
104 ctx.getPolicyResolver().getTenant(sepg.getTenantId());
105 EndpointGroup group =
106 tenant.getEndpointGroup(sepg.getEgId());
107 IntraGroupPolicy igp = group.getIntraGroupPolicy();
109 ctx.getPolicyManager().getContextOrdinal(sepg.getTenantId(),
111 if (igp == null || igp.equals(IntraGroupPolicy.Allow)) {
112 allowSameEpg(t, tiid, flowMap, nodeId, sepgId);
115 for (Endpoint src : ctx.getEndpointManager().getEPsForNode(nodeId, sepg)) {
116 if (src.getTenant() == null || src.getEndpointGroup() == null)
119 List<ConditionName> conds =
120 ctx.getEndpointManager().getCondsForEndpoint(src);
121 ConditionGroup scg = policyInfo.getEgCondGroup(sepg, conds);
122 int scgId = ctx.getPolicyManager().getCondGroupOrdinal(scg);
124 Set<EgKey> peers = policyInfo.getPeers(sepg);
125 for (EgKey depg : peers) {
127 ctx.getPolicyManager().getContextOrdinal(depg.getTenantId(),
130 for (Endpoint dst : ctx.getEndpointManager().getEndpointsForGroup(depg)) {
132 conds = ctx.getEndpointManager().getCondsForEndpoint(dst);
134 policyInfo.getEgCondGroup(new EgKey(dst.getTenant(),
135 dst.getEndpointGroup()),
137 int dcgId = ctx.getPolicyManager().getCondGroupOrdinal(dcg);
139 CgPair p = new CgPair(depgId, sepgId, dcgId, scgId);
140 if (visitedPairs.contains(p)) continue;
142 syncPolicy(t, tiid, flowMap, nodeId, policyInfo,
143 p, depg, sepg, dcg, scg);
145 p = new CgPair(sepgId, depgId, scgId, dcgId);
146 if (visitedPairs.contains(p)) continue;
148 syncPolicy(t, tiid, flowMap, nodeId, policyInfo,
149 p, sepg, depg, scg, dcg);
157 private void allowSameEpg(ReadWriteTransaction t,
158 InstanceIdentifier<Table> tiid,
159 Map<String, FlowCtx> flowMap, NodeId nodeId,
161 FlowId flowId = new FlowId(new StringBuilder()
162 .append("intraallow|")
163 .append(sepgId).toString());
164 if (visit(flowMap, flowId.getValue())) {
165 MatchBuilder mb = new MatchBuilder();
167 RegMatch.of(NxmNxReg0.class,Long.valueOf(sepgId)),
168 RegMatch.of(NxmNxReg2.class,Long.valueOf(sepgId)));
169 FlowBuilder flow = base()
171 .setMatch(mb.build())
173 .setInstructions(instructions(applyActionIns(nxOutputRegAction(NxmNxReg7.class))));
174 writeFlow(t, tiid, flow.build());
178 private void allowFromTunnel(ReadWriteTransaction t,
179 InstanceIdentifier<Table> tiid,
180 Map<String, FlowCtx> flowMap, NodeId nodeId) {
181 NodeConnectorId tunPort =
182 ctx.getSwitchManager().getTunnelPort(nodeId);
183 if (tunPort == null) return;
185 FlowId flowId = new FlowId("tunnelallow");
186 if (visit(flowMap, flowId.getValue())) {
187 MatchBuilder mb = new MatchBuilder()
190 RegMatch.of(NxmNxReg1.class,Long.valueOf(0xffffff)));
191 FlowBuilder flow = base()
193 .setMatch(mb.build())
195 .setInstructions(instructions(applyActionIns(nxOutputRegAction(NxmNxReg7.class))));
196 writeFlow(t, tiid, flow.build());
200 private void syncPolicy(ReadWriteTransaction t,
201 InstanceIdentifier<Table> tiid,
202 Map<String, FlowCtx> flowMap, NodeId nodeId,
203 PolicyInfo policyInfo,
204 CgPair p, EgKey sepg, EgKey depg,
205 ConditionGroup scg, ConditionGroup dcg)
207 // XXX - TODO raise an exception for rules between the same
208 // endpoint group that are asymmetric
209 Policy policy = policyInfo.getPolicy(sepg, depg);
210 List<RuleGroup> rgs = policy.getRules(scg, dcg);
212 int priority = 65000;
213 for (RuleGroup rg : rgs) {
214 TenantId tenantId = rg.getContractTenant().getId();
215 IndexedTenant tenant = ctx.getPolicyResolver().getTenant(tenantId);
216 for (Rule r : rg.getRules()) {
217 syncDirection(t, tiid, flowMap, nodeId, tenant,
218 p, r, Direction.In, priority);
219 syncDirection(t, tiid, flowMap, nodeId, tenant,
220 p, r, Direction.Out, priority);
228 * Private internal class for ordering Actions in Rules. The
229 * order is determined first by the value of the order parameter,
230 * with the lower order actions being applied first; for Actions
231 * with either the same order or no order, ordering is lexicographical
237 private static class ActionRefComparator implements Comparator<ActionRef> {
238 public static final ActionRefComparator INSTANCE = new ActionRefComparator();
241 public int compare(ActionRef arg0, ActionRef arg1) {
242 return ComparisonChain.start()
243 .compare(arg0.getOrder(), arg1.getOrder(),
244 Ordering.natural().nullsLast())
245 .compare(arg0.getName().getValue(), arg1.getName().getValue(),
246 Ordering.natural().nullsLast())
252 private void syncDirection(ReadWriteTransaction t,
253 InstanceIdentifier<Table> tiid,
254 Map<String, FlowCtx> flowMap, NodeId nodeId,
255 IndexedTenant contractTenant,
256 CgPair p, Rule r, Direction d, int priority) {
258 * Create the ordered action list. The implicit action is
259 * "allow", and is therefore always in the list
261 * TODO: revisit implicit vs. default for "allow"
262 * TODO: look into incorporating operational policy for actions
264 List<ActionBuilder> abl = new ArrayList<ActionBuilder>();
265 if (r.getActionRef() != null) {
267 * Pre-sort by references using order, then name
269 List<ActionRef> arl = new ArrayList<ActionRef>(r.getActionRef());
270 Collections.sort(arl, ActionRefComparator.INSTANCE);
272 for (ActionRef ar: arl) {
273 ActionInstance ai = contractTenant.getAction(ar.getName());
275 // XXX TODO fail the match and raise an exception
276 LOG.warn("Action instance {} not found",
277 ar.getName().getValue());
280 Action act = SubjectFeatures.getAction(ai.getActionDefinitionId());
282 // XXX TODO fail the match and raise an exception
283 LOG.warn("Action definition {} not found",
284 ai.getActionDefinitionId().getValue());
288 Map<String,Object> params = new HashMap<>();
289 if (ai.getParameterValue() != null) {
290 for (ParameterValue v : ai.getParameterValue()) {
291 if (v.getName() == null) continue;
292 if (v.getIntValue() != null) {
293 params.put(v.getName().getValue(), v.getIntValue());
294 } else if (v.getStringValue() != null) {
295 params.put(v.getName().getValue(), v.getStringValue());
300 * Convert the GBP Action to one or more OpenFlow
303 abl = act.updateAction(abl, params, ar.getOrder());
307 Action act = SubjectFeatures.getAction(AllowAction.ID);
308 abl = act.updateAction(abl, new HashMap<String,Object>(), 0);
312 for (ClassifierRef cr : r.getClassifierRef()) {
313 if (cr.getDirection() != null &&
314 !cr.getDirection().equals(Direction.Bidirectional) &&
315 !cr.getDirection().equals(d))
318 StringBuilder idb = new StringBuilder();
319 // XXX - TODO - implement connection tracking (requires openflow
320 // extension and data plane support - in 2.4. Will need to handle
321 // case where we are working with mix of nodes.
323 MatchBuilder baseMatch = new MatchBuilder();
325 if (d.equals(Direction.In)) {
335 addNxRegMatch(baseMatch,
336 RegMatch.of(NxmNxReg0.class,Long.valueOf(p.sepg)),
337 RegMatch.of(NxmNxReg1.class,Long.valueOf(p.scgId)),
338 RegMatch.of(NxmNxReg2.class,Long.valueOf(p.depg)),
339 RegMatch.of(NxmNxReg3.class,Long.valueOf(p.dcgId)));
350 addNxRegMatch(baseMatch,
351 RegMatch.of(NxmNxReg0.class,Long.valueOf(p.depg)),
352 RegMatch.of(NxmNxReg1.class,Long.valueOf(p.dcgId)),
353 RegMatch.of(NxmNxReg2.class,Long.valueOf(p.sepg)),
354 RegMatch.of(NxmNxReg3.class,Long.valueOf(p.scgId)));
358 ClassifierInstance ci = contractTenant.getClassifier(cr.getName());
360 // XXX TODO fail the match and raise an exception
361 LOG.warn("Classifier instance {} not found",
362 cr.getName().getValue());
365 Classifier cfier = SubjectFeatures
366 .getClassifier(ci.getClassifierDefinitionId());
368 // XXX TODO fail the match and raise an exception
369 LOG.warn("Classifier definition {} not found",
370 ci.getClassifierDefinitionId().getValue());
374 List<MatchBuilder> matches = Collections.singletonList(baseMatch);
375 Map<String,Object> params = new HashMap<>();
376 for (ParameterValue v : ci.getParameterValue()) {
377 if (v.getName() == null) continue;
378 if (v.getIntValue() != null) {
379 params.put(v.getName().getValue(), v.getIntValue());
380 } else if (v.getStringValue() != null) {
381 params.put(v.getName().getValue(), v.getStringValue());
382 } else if (v.getRangeValue() != null) {
383 params.put(v.getName().getValue(), v.getRangeValue());
387 matches = cfier.updateMatch(matches, params);
388 String baseId = idb.toString();
389 FlowBuilder flow = base()
390 .setPriority(Integer.valueOf(priority));
391 for (MatchBuilder match : matches) {
392 Match m = match.build();
393 FlowId flowId = new FlowId(baseId + "|" + m.toString());
394 if (visit(flowMap, flowId.getValue())) {
397 .setPriority(Integer.valueOf(priority))
398 .setInstructions(instructions(applyActionIns(abl)));
399 writeFlow(t, tiid, flow.build());
407 private static class CgPair {
408 private final int sepg;
409 private final int depg;
410 private final int scgId;
411 private final int dcgId;
413 public CgPair(int sepg, int depg, int scgId, int dcgId) {
422 public int hashCode() {
423 final int prime = 31;
425 result = prime * result + dcgId;
426 result = prime * result + depg;
427 result = prime * result + scgId;
428 result = prime * result + sepg;
433 public boolean equals(Object obj) {
438 if (getClass() != obj.getClass())
440 CgPair other = (CgPair) obj;
441 if (dcgId != other.dcgId)
443 if (depg != other.depg)
445 if (scgId != other.scgId)
447 if (sepg != other.sepg)