Code Review / netvirt.git / blob
? search:
summary | shortlog | log | commit | commitdiff | review | tree
history | raw | HEAD
Bug 8400 - ACL changes doesn't affect the existing connections
[netvirt.git] / vpnservice / aclservice / impl / src / main / java / org / opendaylight / netvirt / aclservice / AbstractIngressAclServiceImpl.java
1 /*
2  * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8 package org.opendaylight.netvirt.aclservice;
9
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.Collections;
13 import java.util.List;
14 import java.util.Map;
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
17 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
18 import org.opendaylight.genius.mdsalutil.ActionInfo;
19 import org.opendaylight.genius.mdsalutil.InstructionInfo;
20 import org.opendaylight.genius.mdsalutil.MDSALUtil;
21 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
22 import org.opendaylight.genius.mdsalutil.MetaDataUtil;
23 import org.opendaylight.genius.mdsalutil.NwConstants;
24 import org.opendaylight.genius.mdsalutil.instructions.InstructionGotoTable;
25 import org.opendaylight.genius.mdsalutil.instructions.InstructionWriteMetadata;
26 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
27 import org.opendaylight.genius.mdsalutil.matches.MatchEthernetType;
28 import org.opendaylight.genius.utils.ServiceIndex;
29 import org.opendaylight.infrautils.jobcoordinator.JobCoordinator;
30 import org.opendaylight.netvirt.aclservice.api.AclInterfaceCache;
31 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
32 import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
33 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
34 import org.opendaylight.netvirt.aclservice.utils.AclDataUtil;
35 import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
36 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
40 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
41 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
42 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
43 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeEgress;
46 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
47 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
48 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionIngress;
49 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
50 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
51 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
52 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
53 import org.slf4j.Logger;
54 import org.slf4j.LoggerFactory;
55
56 /**
57  * Provides abstract implementation for ingress (w.r.t VM) ACL service.
58  *
59  * <p>
60  * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
61  * and vice versa.
62  */
63 public abstract class AbstractIngressAclServiceImpl extends AbstractAclServiceImpl {
64
65     private static final Logger LOG = LoggerFactory.getLogger(AbstractIngressAclServiceImpl.class);
66
67     /**
68      * Initialize the member variables.
69      */
70     public AbstractIngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager, AclDataUtil aclDataUtil,
71             AclServiceUtils aclServiceUtils, JobCoordinator jobCoordinator, AclInterfaceCache aclInterfaceCache) {
72         // Service mode is w.rt. switch
73         super(ServiceModeEgress.class, dataBroker, mdsalManager, aclDataUtil, aclServiceUtils,
74                 jobCoordinator, aclInterfaceCache);
75     }
76
77     /**
78      * Bind service.
79      *
80      * @param aclInterface the acl interface
81      */
82     @Override
83     public void bindService(AclInterface aclInterface) {
84         String interfaceName = aclInterface.getInterfaceId();
85         jobCoordinator.enqueueJob(interfaceName,
86             () -> {
87                 int instructionKey = 0;
88                 List<Instruction> instructions = new ArrayList<>();
89                 Long vpnId = aclInterface.getVpnId();
90                 if (vpnId != null) {
91                     instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
92                         MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
93                     LOG.debug("Binding ACL service for interface {} with vpnId {}", interfaceName, vpnId);
94                 } else {
95                     Long elanTag = aclInterface.getElanId();
96                     instructions.add(
97                             MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
98                             MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
99                     LOG.debug("Binding ACL service for interface {} with ElanTag {}", interfaceName, elanTag);
100                 }
101                 instructions.add(
102                         MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.EGRESS_ACL_TABLE, ++instructionKey));
103                 int flowPriority = AclConstants.INGRESS_ACL_DEFAULT_FLOW_PRIORITY;
104                 short serviceIndex = ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME,
105                         NwConstants.EGRESS_ACL_SERVICE_INDEX);
106                 BoundServices serviceInfo = AclServiceUtils.getBoundServices(
107                         String.format("%s.%s.%s", "acl", "ingressacl", interfaceName), serviceIndex, flowPriority,
108                         AclConstants.COOKIE_ACL_BASE, instructions);
109                 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
110                         ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME,
111                         NwConstants.EGRESS_ACL_SERVICE_INDEX), ServiceModeEgress.class);
112
113                 WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
114                 writeTxn.put(LogicalDatastoreType.CONFIGURATION, path, serviceInfo,
115                         WriteTransaction.CREATE_MISSING_PARENTS);
116
117                 return Collections.singletonList(writeTxn.submit());
118             });
119     }
120
121     /**
122      * Unbind service.
123      *
124      * @param aclInterface the acl interface
125      */
126     @Override
127     protected void unbindService(AclInterface aclInterface) {
128         String interfaceName = aclInterface.getInterfaceId();
129         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
130                 ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME, NwConstants.EGRESS_ACL_SERVICE_INDEX),
131                 ServiceModeEgress.class);
132
133         LOG.debug("UnBinding ACL service for interface {}", interfaceName);
134         jobCoordinator.enqueueJob(interfaceName,
135             () -> {
136                 WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
137                 writeTxn.delete(LogicalDatastoreType.CONFIGURATION, path);
138
139                 return Collections.singletonList(writeTxn.submit());
140             });
141     }
142
143     /**
144      * Program conntrack rules.
145      *
146      * @param dpid the dpid
147      * @param dhcpMacAddress the dhcp mac address.
148      * @param allowedAddresses the allowed addresses
149      * @param lportTag the lport tag
150      * @param addOrRemove add or remove the flow
151      */
152     @Override
153     protected abstract void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
154             List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove);
155
156     @Override
157     protected void programGeneralFixedRules(AclInterface port, String dhcpMacAddress,
158             List<AllowedAddressPairs> allowedAddresses, Action action, int addOrRemove) {
159         LOG.info("programFixedRules : {} default rules.", action == Action.ADD ? "adding" : "removing");
160
161         BigInteger dpid = port.getDpId();
162         int lportTag = port.getLPortTag();
163         if (action == Action.ADD || action == Action.REMOVE) {
164             ingressAclDhcpAllowServerTraffic(dpid, dhcpMacAddress, lportTag, addOrRemove,
165                     AclConstants.PROTO_PREFIX_MATCH_PRIORITY);
166             ingressAclDhcpv6AllowServerTraffic(dpid, dhcpMacAddress, lportTag, addOrRemove,
167                     AclConstants.PROTO_PREFIX_MATCH_PRIORITY);
168             ingressAclIcmpv6AllowedTraffic(dpid, lportTag, addOrRemove);
169
170             programArpRule(dpid, lportTag, addOrRemove);
171             programIpv4BroadcastRule(port, addOrRemove);
172         }
173     }
174
175     @Override
176     protected void updateArpForAllowedAddressPairs(BigInteger dpId, int lportTag, List<AllowedAddressPairs> deletedAAP,
177             List<AllowedAddressPairs> addedAAP) {
178         // Nothing to do for port update as ingress ARP flow is based only on lportTag
179
180     }
181
182     @Override
183     protected boolean programAclRules(AclInterface port, List<Uuid> aclUuidList,int addOrRemove) {
184         BigInteger dpId = port.getDpId();
185         LOG.debug("Applying custom rules on DpId {}, lportTag {}", dpId, port.getLPortTag());
186         if (aclUuidList == null || dpId == null) {
187             LOG.warn("one of the ingress acl parameters can not be null. sg {}, dpId {}",
188                     aclUuidList, dpId);
189             return false;
190         }
191
192         for (Uuid sgUuid :aclUuidList) {
193             Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
194             if (null == acl) {
195                 LOG.warn("The ACL is empty");
196                 continue;
197             }
198             AccessListEntries accessListEntries = acl.getAccessListEntries();
199             List<Ace> aceList = accessListEntries.getAce();
200             for (Ace ace : aceList) {
201                 programAceRule(port, addOrRemove, acl.getAclName(), ace, null);
202             }
203         }
204         return true;
205     }
206
207     @Override
208     protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
209             List<AllowedAddressPairs> syncAllowedAddresses) {
210         SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
211         if (!aceAttr.getDirection().equals(DirectionIngress.class)) {
212             return;
213         }
214         Matches matches = ace.getMatches();
215         AceType aceType = matches.getAceType();
216         Map<String, List<MatchInfoBase>> flowMap = null;
217         if (aceType instanceof AceIp) {
218             flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
219             if (syncAllowedAddresses != null) {
220                 flowMap = AclServiceUtils.getFlowForAllowedAddresses(syncAllowedAddresses, flowMap, true);
221             } else if (aceAttr.getRemoteGroupId() != null) {
222                 flowMap = aclServiceUtils.getFlowForRemoteAcl(port, aceAttr.getRemoteGroupId(), port.getInterfaceId(),
223                         flowMap, true);
224             }
225         }
226         int lportTag = port.getLPortTag();
227         if (null == flowMap) {
228             LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag);
229             return;
230         }
231         for (String flowName : flowMap.keySet()) {
232             syncSpecificAclFlow(port.getDpId(), lportTag, addOrRemove, ace, port.getInterfaceId(), flowMap, flowName);
233         }
234     }
235
236     @Override
237     protected void updateRemoteAclTableForPort(AclInterface port, Uuid acl, int addOrRemove,
238             AllowedAddressPairs ip, BigInteger aclId, BigInteger dpId) {
239         Long elanTag = port.getElanId();
240         Long vpnId = port.getVpnId();
241         List<MatchInfoBase> flowMatches = new ArrayList<>();
242         flowMatches.addAll(AclServiceUtils.buildIpAndSrcServiceMatch(elanTag, ip, dataBroker, vpnId));
243
244         List<InstructionInfo> instructions = new ArrayList<>();
245
246         InstructionWriteMetadata writeMetatdata =
247                 new InstructionWriteMetadata(AclServiceUtils.getAclIdMetadata(aclId),
248                         MetaDataUtil.METADATA_MASK_REMOTE_ACL_ID);
249         instructions.add(writeMetatdata);
250         instructions.add(new InstructionGotoTable(getStatefulIngressAclApplyOnExistingTrafficTable()));
251
252         Long serviceTag = vpnId != null ? vpnId : elanTag;
253         String flowNameAdded = "Acl_Filter_Ingress_" + new String(ip.getIpAddress().getValue()) + "_" + serviceTag;
254
255         syncFlow(dpId, getIngressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0, 0,
256                 AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
257     }
258
259     protected short getIngressAclFilterTable() {
260         return NwConstants.EGRESS_ACL_FILTER_TABLE;
261     }
262
263     protected short getIngressAclRemoteAclTable() {
264         return NwConstants.EGRESS_ACL_REMOTE_ACL_TABLE;
265     }
266
267     protected short getStatefulIngressAclApplyOnExistingTrafficTable() {
268         return NwConstants.EGRESS_ACL_STATEFUL_APPLY_CHANGE_EXIST_TRAFFIC_TABLE;
269     }
270
271     protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
272             String portId, Map<String, List<MatchInfoBase>> flowMap, String flowName);
273
274     /**
275      * Add rule to ensure only DHCP server traffic from the specified mac is
276      * allowed.
277      *
278      * @param dpId the dpid
279      * @param dhcpMacAddress the DHCP server mac address
280      * @param lportTag the lport tag
281      * @param addOrRemove is write or delete
282      * @param protoPortMatchPriority the priority
283      */
284     protected void ingressAclDhcpAllowServerTraffic(BigInteger dpId, String dhcpMacAddress, int lportTag,
285             int addOrRemove, int protoPortMatchPriority) {
286         final List<MatchInfoBase> matches = AclServiceUtils.buildDhcpMatches(AclConstants.DHCP_SERVER_PORT_IPV4,
287                 AclConstants.DHCP_CLIENT_PORT_IPV4, lportTag, ServiceModeIngress.class);
288
289         List<ActionInfo> actionsInfos = new ArrayList<>();
290         List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
291
292         String flowName = "Ingress_DHCP_Server_v4" + dpId + "_" + lportTag + "_" + dhcpMacAddress + "_Permit_";
293         syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_DHCP_SERVER_MATCH_PRIORITY, "ACL", 0,
294                 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
295     }
296
297     /**
298      * Add rule to ensure only DHCPv6 server traffic from the specified mac is
299      * allowed.
300      *
301      * @param dpId the dpid
302      * @param dhcpMacAddress the DHCP server mac address
303      * @param lportTag the lport tag
304      * @param addOrRemove is write or delete
305      * @param protoPortMatchPriority the priority
306      */
307     protected void ingressAclDhcpv6AllowServerTraffic(BigInteger dpId, String dhcpMacAddress, int lportTag,
308             int addOrRemove, Integer protoPortMatchPriority) {
309         final List<MatchInfoBase> matches = AclServiceUtils.buildDhcpV6Matches(AclConstants.DHCP_SERVER_PORT_IPV6,
310                 AclConstants.DHCP_CLIENT_PORT_IPV6, lportTag, ServiceModeIngress.class);
311
312         List<ActionInfo> actionsInfos = new ArrayList<>();
313         List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
314
315         String flowName =
316                 "Ingress_DHCP_Server_v6" + "_" + dpId + "_" + lportTag + "_" + "_" + dhcpMacAddress + "_Permit_";
317         syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_DHCP_SERVER_MATCH_PRIORITY, "ACL", 0,
318                 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
319     }
320
321     /**
322      * Add rules to ensure that certain ICMPv6 like MLD_QUERY (130), NS (135), NA (136) are allowed into the VM.
323      *
324      * @param dpId the dpid
325      * @param lportTag the lport tag
326      * @param addOrRemove is write or delete
327      */
328     private void ingressAclIcmpv6AllowedTraffic(BigInteger dpId, int lportTag, int addOrRemove) {
329         List<ActionInfo> actionsInfos = new ArrayList<>();
330         List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
331
332         // Allow ICMPv6 Multicast Listener Query packets.
333         List<MatchInfoBase> matches = AclServiceUtils.buildIcmpV6Matches(AclConstants.ICMPV6_TYPE_MLD_QUERY,
334                 0, lportTag, ServiceModeIngress.class);
335
336         String flowName =
337                 "Ingress_ICMPv6" + "_" + dpId + "_" + lportTag + "_" + AclConstants.ICMPV6_TYPE_MLD_QUERY + "_Permit_";
338         syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_IPV6_ALLOWED_PRIORITY, "ACL", 0,
339                 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
340
341         // Allow ICMPv6 Neighbor Solicitation packets.
342         matches = AclServiceUtils.buildIcmpV6Matches(AclConstants.ICMPV6_TYPE_NS, 0, lportTag,
343                 ServiceModeIngress.class);
344
345         flowName =
346                 "Ingress_ICMPv6" + "_" + dpId + "_" + lportTag + "_" + AclConstants.ICMPV6_TYPE_NS + "_Permit_";
347         syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_IPV6_ALLOWED_PRIORITY, "ACL", 0,
348                 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
349
350         // Allow ICMPv6 Neighbor Advertisement packets.
351         matches = AclServiceUtils.buildIcmpV6Matches(AclConstants.ICMPV6_TYPE_NA, 0, lportTag,
352                 ServiceModeIngress.class);
353
354         flowName =
355                 "Ingress_ICMPv6" + "_" + dpId + "_" + lportTag + "_" + AclConstants.ICMPV6_TYPE_NA + "_Permit_";
356         syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_IPV6_ALLOWED_PRIORITY, "ACL", 0,
357                 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
358     }
359
360     /**
361      * Adds the rule to allow arp packets.
362      *
363      * @param dpId the dpId
364      * @param lportTag the lport tag
365      * @param addOrRemove whether to add or remove the flow
366      */
367     protected void programArpRule(BigInteger dpId, int lportTag, int addOrRemove) {
368         List<MatchInfoBase> matches = new ArrayList<>();
369         matches.add(MatchEthernetType.ARP);
370         matches.add(buildLPortTagMatch(lportTag));
371         List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(new ArrayList<>());
372         LOG.debug(addOrRemove == NwConstants.DEL_FLOW ? "Deleting " : "Adding " + "ARP Rule on DPID {}, "
373                 + "lportTag {}", dpId, lportTag);
374         String flowName = "Ingress_ARP_" + dpId + "_" + lportTag;
375         syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName,
376                 AclConstants.PROTO_ARP_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
377                 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
378     }
379
380
381     /**
382      * Programs broadcast rules.
383      *
384      * @param port the Acl Interface port
385      * @param addOrRemove whether to delete or add flow
386      */
387     @Override
388     protected void programBroadcastRules(AclInterface port, int addOrRemove) {
389         programIpv4BroadcastRule(port, addOrRemove);
390     }
391
392     /**
393      * Programs IPv4 broadcast rules.
394      *
395      * @param port the Acl Interface port
396      * @param addOrRemove whether to delete or add flow
397      */
398     private void programIpv4BroadcastRule(AclInterface port, int addOrRemove) {
399         BigInteger dpId = port.getDpId();
400         int lportTag = port.getLPortTag();
401         MatchInfoBase lportMatchInfo = buildLPortTagMatch(lportTag);
402         List<IpPrefixOrAddress> cidrs = port.getSubnetIpPrefixes();
403         if (cidrs != null) {
404             List<String> broadcastAddresses = AclServiceUtils.getIpBroadcastAddresses(cidrs);
405             for (String broadcastAddress : broadcastAddresses) {
406                 List<MatchInfoBase> matches =
407                         AclServiceUtils.buildBroadcastIpV4Matches(broadcastAddress);
408                 matches.add(lportMatchInfo);
409                 List<InstructionInfo> instructions = new ArrayList<>();
410                 instructions.add(new InstructionGotoTable(NwConstants.EGRESS_ACL_REMOTE_ACL_TABLE));
411                 String flowName = "Ingress_v4_Broadcast_" + dpId + "_" + lportTag + "_" + broadcastAddress + "_Permit";
412                 syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName,
413                         AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, matches,
414                         instructions, addOrRemove);
415             }
416         } else {
417             LOG.warn("IP Broadcast CIDRs are missing for port {}", port.getInterfaceId());
418         }
419     }
420
421     protected MatchInfoBase buildLPortTagMatch(int lportTag) {
422         return AclServiceUtils.buildLPortTagMatch(lportTag, ServiceModeIngress.class);
423     }
424 }
NetVirt - Archived