Code Review / groupbasedpolicy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Bug 3540: Implementation of FlowIds based on match data
[groupbasedpolicy.git] / renderers / ofoverlay / src / main / java / org / opendaylight / groupbasedpolicy / renderer / ofoverlay / flow / PolicyEnforcer.java
1 /*
2  * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8
9 package org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow;
10
11 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.addNxRegMatch;
12 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.writeActionIns;
13 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.applyActionIns;
14 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.gotoTableIns;
15 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.instructions;
16 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.nxOutputRegAction;
17 import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.EndpointManager.isExternal;
18
19 import java.util.ArrayList;
20 import java.util.Collection;
21 import java.util.Collections;
22 import java.util.Comparator;
23 import java.util.HashMap;
24 import java.util.HashSet;
25 import java.util.List;
26 import java.util.Map;
27 import java.util.Set;
28
29 import javax.annotation.concurrent.Immutable;
30
31 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.OfContext;
32 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.PolicyManager.FlowMap;
33 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.RegMatch;
34 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.OrdinalFactory.EndpointFwdCtxOrdinals;
35 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.node.SwitchManager;
36 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.Action;
37 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.AllowAction;
38 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.ClassificationResult;
39 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.Classifier;
40 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.ParamDerivator;
41 import org.opendaylight.groupbasedpolicy.renderer.ofoverlay.sf.SubjectFeatures;
42 import org.opendaylight.groupbasedpolicy.resolver.EgKey;
43 import org.opendaylight.groupbasedpolicy.resolver.EndpointConstraint;
44 import org.opendaylight.groupbasedpolicy.resolver.IndexedTenant;
45 import org.opendaylight.groupbasedpolicy.resolver.Policy;
46 import org.opendaylight.groupbasedpolicy.resolver.PolicyInfo;
47 import org.opendaylight.groupbasedpolicy.resolver.RuleGroup;
48 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefix;
49 import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.ActionBuilder;
50 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
51 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.Flow;
52 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
53 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
54 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
55 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
56 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
57 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ClassifierDefinitionId;
58 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ConditionName;
59 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
60 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.Endpoint;
61 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.ofoverlay.rev140528.EndpointLocation.LocationType;
62 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.ofoverlay.rev140528.OfOverlayContext;
63 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.HasDirection.Direction;
64 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.action.refs.ActionRef;
65 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.classifier.refs.ClassifierRef;
66 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.subject.feature.instance.ParameterValue;
67 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.EndpointGroup;
68 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.EndpointGroup.IntraGroupPolicy;
69 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.contract.subject.Rule;
70 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.subject.feature.instances.ActionInstance;
71 import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.tenants.tenant.subject.feature.instances.ClassifierInstance;
72 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
73 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeId;
74 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Layer3Match;
75 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv4MatchBuilder;
76 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv6MatchBuilder;
77 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg0;
78 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg1;
79 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg2;
80 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg3;
81 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg5;
82 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg7;
83 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.overlay.rev150105.TunnelTypeVxlan;
84 import org.slf4j.Logger;
85 import org.slf4j.LoggerFactory;
86
87 import com.google.common.collect.ComparisonChain;
88 import com.google.common.collect.Ordering;
89 import com.google.common.collect.Table.Cell;
90
91 /**
92  * Manage the table that enforces policy on the traffic. Traffic is denied
93  * unless specifically allowed by policy
94  */
95 public class PolicyEnforcer extends FlowTable {
96
97     protected static final Logger LOG = LoggerFactory.getLogger(PolicyEnforcer.class);
98
99     private static org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.Instruction gotoEgressNatInstruction;
100     private static org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.Instruction gotoExternalInstruction;
101
102     public static short TABLE_ID;
103
104     public PolicyEnforcer(OfContext ctx, short tableId) {
105         super(ctx);
106         this.TABLE_ID=tableId;
107         this.gotoEgressNatInstruction = gotoTableIns(ctx.getPolicyManager().getTABLEID_EGRESS_NAT());
108         this.gotoExternalInstruction = gotoTableIns(ctx.getPolicyManager().getTABLEID_EGRESS_NAT());
109     }
110
111
112
113
114
115     @Override
116     public short getTableId() {
117         return TABLE_ID;
118     }
119
120     @Override
121     public void sync(NodeId nodeId, PolicyInfo policyInfo, FlowMap flowMap) throws Exception {
122
123         flowMap.writeFlow(nodeId, TABLE_ID, dropFlow(Integer.valueOf(1), null, TABLE_ID));
124
125         NodeConnectorId tunPort = SwitchManager.getTunnelPort(nodeId, TunnelTypeVxlan.class);
126         if (tunPort != null) {
127             flowMap.writeFlow(nodeId, TABLE_ID, allowFromTunnel(tunPort));
128         }
129
130         HashSet<CgPair> visitedPairs = new HashSet<>();
131
132         // Used for ARP flows
133         Set<Integer> fdIds = new HashSet<>();
134
135         for (Endpoint srcEp : ctx.getEndpointManager().getEndpointsForNode(nodeId)) {
136             for (EgKey srcEpgKey : ctx.getEndpointManager().getEgKeysForEndpoint(srcEp)) {
137                 Set<EgKey> peers = policyInfo.getPeers(srcEpgKey);
138                 for (EgKey dstEpgKey : peers) {
139                     Set<Endpoint> dstEndpoints = new HashSet<>();
140                     dstEndpoints.addAll(ctx.getEndpointManager().getEndpointsForGroup(dstEpgKey));
141                     dstEndpoints.addAll(ctx.getEndpointManager().getExtEpsNoLocForGroup(dstEpgKey));
142                     for (Endpoint dstEp : dstEndpoints) {
143                         // mEPG ordinals
144                         EndpointFwdCtxOrdinals srcEpFwdCxtOrds = OrdinalFactory.getEndpointFwdCtxOrdinals(ctx,
145                                 policyInfo, srcEp);
146                         EndpointFwdCtxOrdinals dstEpFwdCxtOrds = OrdinalFactory.getEndpointFwdCtxOrdinals(ctx,
147                                 policyInfo, dstEp);
148                         int dcgId = dstEpFwdCxtOrds.getCgId();
149                         int depgId = dstEpFwdCxtOrds.getEpgId();
150                         int scgId = srcEpFwdCxtOrds.getCgId();
151                         int sepgId = srcEpFwdCxtOrds.getEpgId();
152                         NetworkElements netElements = new NetworkElements(srcEp, dstEp, nodeId, ctx, policyInfo);
153                         fdIds.add(srcEpFwdCxtOrds.getFdId());
154
155                         Policy policy = policyInfo.getPolicy(dstEpgKey, srcEpgKey);
156                         for (Cell<EndpointConstraint, EndpointConstraint, List<RuleGroup>> activeRulesByConstraints: getActiveRulesBetweenEps(policy, dstEp, srcEp)) {
157                             Set<IpPrefix> sIpPrefixes = Policy.getIpPrefixesFrom(activeRulesByConstraints.getRowKey()
158                                 .getL3EpPrefixes());
159                             Set<IpPrefix> dIpPrefixes = Policy.getIpPrefixesFrom(activeRulesByConstraints.getColumnKey()
160                                 .getL3EpPrefixes());
161                             CgPair p = new CgPair(depgId, sepgId, dcgId, scgId, dIpPrefixes, sIpPrefixes);
162                             if (visitedPairs.contains(p))
163                                 continue;
164                             visitedPairs.add(p);
165                             syncPolicy(flowMap, netElements, activeRulesByConstraints.getValue(), p);
166                         }
167
168                         // Reverse
169                         policy = policyInfo.getPolicy(srcEpgKey, dstEpgKey);
170                         for (Cell<EndpointConstraint, EndpointConstraint, List<RuleGroup>> activeRulesByConstraints : getActiveRulesBetweenEps(policy, srcEp, dstEp)) {
171                             Set<IpPrefix> sIpPrefixes = Policy.getIpPrefixesFrom(activeRulesByConstraints.getRowKey()
172                                 .getL3EpPrefixes());
173                             Set<IpPrefix> dIpPrefixes = Policy.getIpPrefixesFrom(activeRulesByConstraints.getColumnKey()
174                                 .getL3EpPrefixes());
175                             CgPair p = new CgPair(sepgId, depgId, scgId, dcgId, sIpPrefixes, dIpPrefixes);
176                             if (visitedPairs.contains(p))
177                                 continue;
178                             visitedPairs.add(p);
179                             syncPolicy(flowMap, netElements, activeRulesByConstraints.getValue(), p);
180                         }
181                     }
182                 }
183             }
184         }
185
186         // Allow same EPG
187         // Set<Endpoint> visitedEps = new HashSet<>();
188         for (Endpoint srcEp : ctx.getEndpointManager().getEndpointsForNode(nodeId)) {
189             // visitedEps.add(srcEp);
190             for (EgKey srcEpgKey : ctx.getEndpointManager().getEgKeysForEndpoint(srcEp)) {
191
192                 IndexedTenant tenant = ctx.getPolicyResolver().getTenant(srcEpgKey.getTenantId());
193                 EndpointGroup group = tenant.getEndpointGroup(srcEpgKey.getEgId());
194                 IntraGroupPolicy igp = group.getIntraGroupPolicy();
195
196                 if (igp == null || igp.equals(IntraGroupPolicy.Allow)) {
197                     for (Endpoint dstEp : ctx.getEndpointManager().getEndpointsForGroup(srcEpgKey)) {
198                         // mEPG ordinals
199                         // if(visitedEps.contains(dstEp)) {
200                         // continue;
201                         // }
202                         // visitedEps.add(dstEp);
203                         EndpointFwdCtxOrdinals srcEpFwdCxtOrds = OrdinalFactory.getEndpointFwdCtxOrdinals(ctx,
204                                 policyInfo, srcEp);
205                         EndpointFwdCtxOrdinals dstEpFwdCxtOrds = OrdinalFactory.getEndpointFwdCtxOrdinals(ctx,
206                                 policyInfo, dstEp);
207                         int depgId = dstEpFwdCxtOrds.getEpgId();
208                         int sepgId = srcEpFwdCxtOrds.getEpgId();
209                         flowMap.writeFlow(nodeId, TABLE_ID, allowSameEpg(sepgId, depgId));
210                         flowMap.writeFlow(nodeId, TABLE_ID, allowSameEpg(depgId, sepgId));
211                     }
212                 }
213             }
214         }
215
216         // Write ARP flows per flood domain.
217         for (Integer fdId : fdIds) {
218             flowMap.writeFlow(nodeId, TABLE_ID, createArpFlow(fdId));
219         }
220     }
221
222     private Flow createArpFlow(Integer fdId) {
223
224         Long etherType = FlowUtils.ARP;
225         // L2 Classifier so 20,000 for now
226         Integer priority = 20000;
227
228         MatchBuilder mb = new MatchBuilder().setEthernetMatch(FlowUtils.ethernetMatch(null, null, etherType));
229
230         addNxRegMatch(mb, RegMatch.of(NxmNxReg5.class, Long.valueOf(fdId)));
231
232         Match match = mb.build();
233         FlowId flowid = FlowIdUtils.newFlowId(TABLE_ID, "arp", match);
234         Flow flow = base().setPriority(priority)
235             .setId(flowid)
236             .setMatch(match)
237             .setInstructions(instructions(applyActionIns(nxOutputRegAction(NxmNxReg7.class))))
238             .build();
239         return flow;
240     }
241
242     private Flow allowSameEpg(int sepgId, int depgId) {
243
244         MatchBuilder mb = new MatchBuilder();
245         addNxRegMatch(mb, RegMatch.of(NxmNxReg0.class, Long.valueOf(sepgId)),
246                 RegMatch.of(NxmNxReg2.class, Long.valueOf(depgId)));
247         Match match = mb.build();
248         FlowId flowId = FlowIdUtils.newFlowId(TABLE_ID, "intraallow", match);
249         FlowBuilder flow = base().setId(flowId)
250             .setMatch(match)
251             .setPriority(65000)
252             .setInstructions(instructions(applyActionIns(nxOutputRegAction(NxmNxReg7.class))));
253         return flow.build();
254     }
255
256     private Flow allowFromTunnel(NodeConnectorId tunPort) {
257
258         MatchBuilder mb = new MatchBuilder().setInPort(tunPort);
259         addNxRegMatch(mb, RegMatch.of(NxmNxReg1.class, Long.valueOf(0xffffff)));
260         Match match = mb.build();
261         FlowId flowId = FlowIdUtils.newFlowId(TABLE_ID, "tunnelallow", match);
262         FlowBuilder flow = base().setId(flowId)
263             .setMatch(match)
264             .setPriority(65000)
265             .setInstructions(instructions(applyActionIns(nxOutputRegAction(NxmNxReg7.class))));
266         return flow.build();
267
268     }
269
270     private void syncPolicy(FlowMap flowMap, NetworkElements netElements, List<RuleGroup> rgs, CgPair p) {
271         int priority = 65000;
272         for (RuleGroup rg : rgs) {
273             TenantId tenantId = rg.getContractTenant().getId();
274             IndexedTenant tenant = ctx.getPolicyResolver().getTenant(tenantId);
275             for (Rule r : rg.getRules()) {
276                 syncDirection(flowMap, netElements, tenant, p, r, Direction.In, priority);
277                 syncDirection(flowMap, netElements, tenant, p, r, Direction.Out, priority);
278
279                 priority -= 1;
280             }
281         }
282     }
283
284     /**
285      * Private internal class for ordering Actions in Rules. The order is
286      * determined first by the value of the order parameter, with the lower
287      * order actions being applied first; for Actions with either the same order
288      * or no order, ordering is lexicographical by name.
289      */
290     private static class ActionRefComparator implements Comparator<ActionRef> {
291
292         public static final ActionRefComparator INSTANCE = new ActionRefComparator();
293
294         @Override
295         public int compare(ActionRef arg0, ActionRef arg1) {
296             return ComparisonChain.start()
297                 .compare(arg0.getOrder(), arg1.getOrder(), Ordering.natural().nullsLast())
298                 .compare(arg0.getName().getValue(), arg1.getName().getValue(), Ordering.natural().nullsLast())
299                 .result();
300         }
301
302     }
303
304     private void syncDirection(FlowMap flowMap, NetworkElements netElements, IndexedTenant contractTenant, CgPair cgPair, Rule rule,
305             Direction direction, int priority) {
306         /*
307          * Create the ordered action list. The implicit action is "allow", and
308          * is therefore always in the list
309          *
310          * TODO: revisit implicit vs. default for "allow" TODO: look into
311          * incorporating operational policy for actions
312          */
313
314         // TODO: can pass Comparator ActionRefComparator to List constructor, rather than
315         // referencing in sort
316         List<ActionBuilder> actionBuilderList = new ArrayList<ActionBuilder>();
317         if (rule.getActionRef() != null) {
318             /*
319              * Pre-sort by references using order, then name
320              */
321             List<ActionRef> actionRefList = new ArrayList<ActionRef>(rule.getActionRef());
322             Collections.sort(actionRefList, ActionRefComparator.INSTANCE);
323
324             for (ActionRef actionRule : actionRefList) {
325                 ActionInstance actionInstance = contractTenant.getAction(actionRule.getName());
326                 if (actionInstance == null) {
327                     // XXX TODO fail the match and raise an exception
328                     LOG.warn("Action instance {} not found", actionRule.getName().getValue());
329                     return;
330                 }
331                 Action action = SubjectFeatures.getAction(actionInstance.getActionDefinitionId());
332                 if (action == null) {
333                     // XXX TODO fail the match and raise an exception
334                     LOG.warn("Action definition {} not found", actionInstance.getActionDefinitionId().getValue());
335                     return;
336                 }
337
338                 Map<String, Object> params = new HashMap<>();
339                 if (actionInstance.getParameterValue() != null) {
340                     for (ParameterValue v : actionInstance.getParameterValue()) {
341                         if (v.getName() == null)
342                             continue;
343                         if (v.getIntValue() != null) {
344                             params.put(v.getName().getValue(), v.getIntValue());
345                         } else if (v.getStringValue() != null) {
346                             params.put(v.getName().getValue(), v.getStringValue());
347                         }
348                     }
349                 }
350                 /*
351                  * Convert the GBP Action to one or more OpenFlow Actions
352                  */
353                 actionBuilderList = action.updateAction(actionBuilderList, params, actionRule.getOrder(),netElements);
354             }
355         } else {
356             Action act = SubjectFeatures.getAction(AllowAction.DEFINITION.getId());
357             actionBuilderList = act.updateAction(actionBuilderList, new HashMap<String, Object>(), 0, netElements);
358         }
359
360         Map<String, ParameterValue> paramsFromClassifier = new HashMap<>();
361         Set<ClassifierDefinitionId> classifiers = new HashSet<>();
362         for (ClassifierRef cr : rule.getClassifierRef()) {
363             if (cr.getDirection() != null && !cr.getDirection().equals(Direction.Bidirectional)
364                     && !cr.getDirection().equals(direction)) {
365                 continue;
366             }
367
368             // XXX - TODO - implement connection tracking (requires openflow
369             // extension and data plane support - in 2.4. Will need to handle
370             // case where we are working with mix of nodes.
371
372             ClassifierInstance ci = contractTenant.getClassifier(cr.getName());
373             if (ci == null) {
374                 // XXX TODO fail the match and raise an exception
375                 LOG.warn("Classifier instance {} not found", cr.getName().getValue());
376                 return;
377             }
378             Classifier cfier = SubjectFeatures.getClassifier(ci.getClassifierDefinitionId());
379             if (cfier == null) {
380                 // XXX TODO fail the match and raise an exception
381                 LOG.warn("Classifier definition {} not found", ci.getClassifierDefinitionId().getValue());
382                 return;
383             }
384             classifiers.add(new ClassifierDefinitionId(ci.getClassifierDefinitionId()));
385             for (ParameterValue v : ci.getParameterValue()) {
386                 if (paramsFromClassifier.get(v.getName().getValue()) == null) {
387                     if (v.getIntValue() != null
388                             || v.getStringValue() != null
389                             || v.getRangeValue() != null) {
390                         paramsFromClassifier.put(v.getName().getValue(), v);
391                     }
392                 } else {
393                     if (!paramsFromClassifier.get(v.getName().getValue()).equals(v)) {
394                         throw new IllegalArgumentException("Classification error in rule: " + rule.getName()
395                                 + ".\nCause: " + "Classification conflict detected at parameter " + v.getName());
396                     }
397                 }
398             }
399         }
400         if(classifiers.isEmpty()) {
401             return;
402         }
403         List<Map<String, ParameterValue>> derivedParamsByName = ParamDerivator.ETHER_TYPE_DERIVATOR.deriveParameter(paramsFromClassifier);
404         String baseId = createBaseFlowId(direction, cgPair, priority);
405         List<MatchBuilder> flowMatchBuilders = new ArrayList<>();
406         for (Map<String, ParameterValue> params : derivedParamsByName) {
407             List<MatchBuilder> matchBuildersToResolve = new ArrayList<>();
408             if (cgPair.sIpPrefixes.isEmpty() && cgPair.dIpPrefixes.isEmpty()) {
409                 matchBuildersToResolve.add(createBaseMatch(direction, cgPair, null, null));
410             } else if (!cgPair.sIpPrefixes.isEmpty() && cgPair.dIpPrefixes.isEmpty()) {
411                 for (IpPrefix sIpPrefix : cgPair.sIpPrefixes) {
412                     matchBuildersToResolve.add(createBaseMatch(direction, cgPair, sIpPrefix, null));
413                 }
414             } else if (cgPair.sIpPrefixes.isEmpty() && !cgPair.dIpPrefixes.isEmpty()) {
415                 for (IpPrefix dIpPrefix : cgPair.sIpPrefixes) {
416                     matchBuildersToResolve.add(createBaseMatch(direction, cgPair, null, dIpPrefix));
417                 }
418             } else {
419                 for (IpPrefix sIpPrefix : cgPair.sIpPrefixes) {
420                     for (IpPrefix dIpPrefix : cgPair.sIpPrefixes) {
421                         matchBuildersToResolve.add(createBaseMatch(direction, cgPair, sIpPrefix, dIpPrefix));
422                     }
423                 }
424             }
425             for (ClassifierDefinitionId clDefId : classifiers) {
426                 Classifier classifier = SubjectFeatures.getClassifier(clDefId);
427                 ClassificationResult result = classifier.updateMatch(matchBuildersToResolve, params);
428                 if (!result.isSuccessfull()) {
429                     // TODO consider different handling.
430                     throw new IllegalArgumentException("Classification conflict detected in rule: " + rule.getName() + ".\nCause: "
431                             + result.getErrorMessage());
432                 }
433                 matchBuildersToResolve = new ArrayList<>(result.getMatchBuilders());
434             }
435             flowMatchBuilders.addAll(matchBuildersToResolve);
436         }
437
438         FlowBuilder flow = base().setPriority(Integer.valueOf(priority));
439         for (MatchBuilder mb : flowMatchBuilders) {
440             Match match = mb.build();
441             FlowId flowId = FlowIdUtils.newFlowId(TABLE_ID, "cg", match);
442             flow.setMatch(match)
443                 .setId(flowId)
444                 .setPriority(Integer.valueOf(priority));
445                         // If destination is External, the last Action ALLOW must be changed to goto NAT/External table.
446         if (isExternal(netElements.getDst())) {
447             flow.setInstructions(instructions(getGotoEgressNatInstruction()));
448         } else {
449             flow.setInstructions(instructions(applyActionIns(actionBuilderList)));
450         }
451             flowMap.writeFlow(netElements.getNodeId(), TABLE_ID, flow.build());
452         }
453     }
454
455     private String createBaseFlowId(Direction direction, CgPair cgPair, int priority) {
456         StringBuilder idb = new StringBuilder();
457         if (direction.equals(Direction.In)) {
458             idb.append(cgPair.sepg)
459                     .append("|")
460                     .append(cgPair.scgId)
461                     .append("|")
462                     .append(cgPair.depg)
463                     .append("|")
464                     .append(cgPair.dcgId)
465                     .append("|")
466                     .append(priority);
467         } else {
468             idb.append(cgPair.depg)
469                     .append("|")
470                     .append(cgPair.dcgId)
471                     .append("|")
472                     .append(cgPair.sepg)
473                     .append("|")
474                     .append(cgPair.scgId)
475                     .append("|")
476                     .append(priority);
477         }
478         return idb.toString();
479     }
480
481     private MatchBuilder createBaseMatch(Direction direction, CgPair cgPair, IpPrefix sIpPrefix, IpPrefix dIpPrefix) {
482         MatchBuilder baseMatch = new MatchBuilder();
483         if (direction.equals(Direction.In)) {
484             addNxRegMatch(baseMatch,
485                     RegMatch.of(NxmNxReg0.class, Long.valueOf(cgPair.sepg)),
486                     RegMatch.of(NxmNxReg1.class, Long.valueOf(cgPair.scgId)),
487                     RegMatch.of(NxmNxReg2.class, Long.valueOf(cgPair.depg)),
488                     RegMatch.of(NxmNxReg3.class, Long.valueOf(cgPair.dcgId)));
489             if (sIpPrefix != null) {
490                 baseMatch.setLayer3Match(createLayer3Match(sIpPrefix, true));
491             }
492             if (dIpPrefix != null) {
493                 baseMatch.setLayer3Match(createLayer3Match(dIpPrefix, true));
494             }
495         } else {
496             addNxRegMatch(baseMatch,
497                     RegMatch.of(NxmNxReg0.class, Long.valueOf(cgPair.depg)),
498                     RegMatch.of(NxmNxReg1.class, Long.valueOf(cgPair.dcgId)),
499                     RegMatch.of(NxmNxReg2.class, Long.valueOf(cgPair.sepg)),
500                     RegMatch.of(NxmNxReg3.class, Long.valueOf(cgPair.scgId)));
501             if (sIpPrefix != null) {
502                 baseMatch.setLayer3Match(createLayer3Match(sIpPrefix, false));
503             }
504             if (dIpPrefix != null) {
505                 baseMatch.setLayer3Match(createLayer3Match(dIpPrefix, false));
506             }
507         }
508         return baseMatch;
509     }
510
511     private Layer3Match createLayer3Match(IpPrefix ipPrefix, boolean isSrc) {
512         if (ipPrefix.getIpv4Prefix() != null) {
513             if (isSrc) {
514                 return new Ipv4MatchBuilder().setIpv4Source(ipPrefix.getIpv4Prefix()).build();
515             } else {
516                 return new Ipv4MatchBuilder().setIpv4Destination(ipPrefix.getIpv4Prefix()).build();
517             }
518         } else {
519             if (isSrc) {
520                 return new Ipv6MatchBuilder().setIpv6Source(ipPrefix.getIpv6Prefix()).build();
521             } else {
522                 return new Ipv6MatchBuilder().setIpv6Destination(ipPrefix.getIpv6Prefix()).build();
523             }
524         }
525     }
526
527     // TODO: move to a common utils for all renderers
528     public List<Cell<EndpointConstraint, EndpointConstraint, List<RuleGroup>>>
529                 getActiveRulesBetweenEps(Policy policy, Endpoint consEp, Endpoint provEp) {
530         List<Cell<EndpointConstraint, EndpointConstraint, List<RuleGroup>>> rulesWithEpConstraints = new ArrayList<>();
531         if (policy.getRuleMap() != null) {
532             for (Cell<EndpointConstraint, EndpointConstraint, List<RuleGroup>> cell : policy.getRuleMap().cellSet()) {
533                 EndpointConstraint consEpConstraint = cell.getRowKey();
534                 EndpointConstraint provEpConstraint = cell.getColumnKey();
535                 if (epMatchesConstraint(consEp, consEpConstraint) && epMatchesConstraint(provEp, provEpConstraint)) {
536                     rulesWithEpConstraints.add(cell);
537                 }
538             }
539         }
540         return rulesWithEpConstraints;
541     }
542
543     private boolean epMatchesConstraint(Endpoint ep, EndpointConstraint constraint) {
544         List<ConditionName> epConditions = Collections.emptyList();
545         if (ep.getCondition() != null) {
546             epConditions = ep.getCondition();
547         }
548         return constraint.getConditionSet().matches(epConditions);
549     }
550
551     private static org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.Instruction getGotoEgressNatInstruction() {
552         return gotoEgressNatInstruction;
553     }
554
555     private static org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.Instruction getGotoExternalInstruction() {
556         return gotoExternalInstruction;
557     }
558
559     @Immutable
560     private static class CgPair {
561
562         private final int sepg;
563         private final int depg;
564         private final int scgId;
565         private final int dcgId;
566         private final Set<IpPrefix> sIpPrefixes;
567         private final Set<IpPrefix> dIpPrefixes;
568
569         public CgPair(int sepg, int depg, int scgId, int dcgId, Set<IpPrefix> sIpPrefixes, Set<IpPrefix> dIpPrefixes) {
570             super();
571             this.sepg = sepg;
572             this.depg = depg;
573             this.scgId = scgId;
574             this.dcgId = dcgId;
575             this.sIpPrefixes = sIpPrefixes;
576             this.dIpPrefixes = dIpPrefixes;
577         }
578
579         @Override
580         public int hashCode() {
581             final int prime = 31;
582             int result = 1;
583             result = prime * result + ((dIpPrefixes == null) ? 0 : dIpPrefixes.hashCode());
584             result = prime * result + dcgId;
585             result = prime * result + depg;
586             result = prime * result + ((sIpPrefixes == null) ? 0 : sIpPrefixes.hashCode());
587             result = prime * result + scgId;
588             result = prime * result + sepg;
589             return result;
590         }
591
592         @Override
593         public boolean equals(Object obj) {
594             if (this == obj)
595                 return true;
596             if (obj == null)
597                 return false;
598             if (getClass() != obj.getClass())
599                 return false;
600             CgPair other = (CgPair) obj;
601             if (dIpPrefixes == null) {
602                 if (other.dIpPrefixes != null)
603                     return false;
604             } else if (!dIpPrefixes.equals(other.dIpPrefixes))
605                 return false;
606             if (dcgId != other.dcgId)
607                 return false;
608             if (sIpPrefixes == null) {
609                 if (other.sIpPrefixes != null)
610                     return false;
611             } else if (!sIpPrefixes.equals(other.sIpPrefixes))
612                 return false;
613             if (depg != other.depg)
614                 return false;
615             if (scgId != other.scgId)
616                 return false;
617             if (sepg != other.sepg)
618                 return false;
619             return true;
620         }
621     }
622
623     public class NetworkElements {
624         Endpoint src;
625         Endpoint dst;
626         NodeId nodeId;
627         EndpointFwdCtxOrdinals srcOrds;
628         EndpointFwdCtxOrdinals dstOrds;
629
630         public NetworkElements(Endpoint src, Endpoint dst, NodeId nodeId, OfContext ctx, PolicyInfo policyInfo) throws Exception {
631             this.src=src;
632             this.dst=dst;
633             this.nodeId = nodeId;
634             this.srcOrds=OrdinalFactory.getEndpointFwdCtxOrdinals(ctx, policyInfo, src);
635             this.dstOrds=OrdinalFactory.getEndpointFwdCtxOrdinals(ctx, policyInfo, dst);
636         }
637
638
639
640         public EndpointFwdCtxOrdinals getSrcOrds() {
641             return srcOrds;
642         }
643
644
645
646         public EndpointFwdCtxOrdinals getDstOrds() {
647             return dstOrds;
648         }
649
650
651         public Endpoint getSrc() {
652             return src;
653         }
654
655
656         public Endpoint getDst() {
657             return dst;
658         }
659
660
661         public NodeId getNodeId() {
662             return nodeId;
663         }
664
665
666     }
667 }
OpenDaylight Group Based Policy Plugin