Using Table Ids from NwConstants.java
1 /*
2  * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8 package org.opendaylight.netvirt.aclservice;
9
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.List;
13 import java.util.Map;
14
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
17 import org.opendaylight.genius.mdsalutil.ActionInfo;
18 import org.opendaylight.genius.mdsalutil.ActionType;
19 import org.opendaylight.genius.mdsalutil.InstructionInfo;
20 import org.opendaylight.genius.mdsalutil.InstructionType;
21 import org.opendaylight.genius.mdsalutil.MDSALUtil;
22 import org.opendaylight.genius.mdsalutil.MatchFieldType;
23 import org.opendaylight.genius.mdsalutil.MatchInfo;
24 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
25 import org.opendaylight.genius.mdsalutil.NwConstants;
26 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
27 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
28 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
29 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
30 import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
31 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
46 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
47 import org.slf4j.Logger;
48 import org.slf4j.LoggerFactory;
49
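/**
 * Programs the egress ACL pipeline for a port: the fixed anti-spoofing and
 * connection-tracking flows, plus the flows derived from the ACLs (security
 * groups) applied to the port.
 *
 * <p>All flows are written to {@code NwConstants.EGRESS_ACL_TABLE_ID}. A flow that
 * permits traffic sends it on to {@code NwConstants.EGRESS_ACL_NEXT_TABLE_ID}; a flow
 * that denies traffic carries no instructions at all.
 *
 * <p>Flow names double as the identity used to remove a flow later, so the name
 * strings built here must stay byte-for-byte stable. Note that the DHCPv4 names
 * have no {@code "_"} between the prefix and the dpId while the DHCPv6 names do.
 */
public class EgressAclServiceImpl extends AbstractAclServiceImpl {

    private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
    private final DataBroker dataBroker;

    /**
     * Initialize the member variables.
     * @param dataBroker the data broker instance.
     * @param interfaceManager the interface manager instance.
     * @param mdsalManager the mdsal manager instance.
     */
    public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
                                IMdsalApiManager mdsalManager) {
        super(dataBroker, interfaceManager, mdsalManager);
        this.dataBroker = dataBroker;
    }

    /**
     * Binds the egress ACL service to the interface, so that its traffic is sent to
     * {@code NwConstants.EGRESS_ACL_TABLE_ID}. The binding is written synchronously to
     * the CONFIGURATION datastore.
     *
     * @param interfaceName the interface name
     */
    protected void bindService(String interfaceName) {
        int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;

        int instructionKey = 0;
        List<Instruction> instructions = new ArrayList<>();
        instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
        BoundServices serviceInfo = AclServiceUtils.getBoundServices(
                String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), NwConstants.ACL_SERVICE_INDEX,
                flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
        // NOTE(review): the egress ACL is bound with ServiceModeIngress; presumably "egress" is
        // from the VM's point of view and "ingress" from the switch's. Confirm.
        InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
                NwConstants.ACL_SERVICE_INDEX, ServiceModeIngress.class);
        MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
    }

    /**
     * Removes the service binding written by {@link #bindService(String)}.
     *
     * @param interfaceName the interface name
     */
    protected void unbindService(String interfaceName) {
        InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
                NwConstants.ACL_SERVICE_INDEX, ServiceModeIngress.class);
        MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
    }

    /**
     * Programs (or removes) the fixed rules of a port: the DHCP/DHCPv6 anti-spoofing
     * rules, the connection-tracking rules and the ARP rule.
     *
     * @param dpid the dpid
     * @param dhcpMacAddress the dhcp mac address.
     * @param attachMac The vm mac address
     * @param addOrRemove whether to add or remove the flows
     */
    protected void programFixedRules(BigInteger dpid, String dhcpMacAddress,
                                     String attachMac, int addOrRemove) {
        // This method runs for removal as well, so the log line must not claim "adding".
        LOG.info("programFixedRules : programming default rules, addOrRemove {}", addOrRemove);
        egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
        egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
        egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
        egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);

        // The conntrack rules are programmed unconditionally; there is no "conntrack enabled" switch here.
        programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
        programArpRule(dpid, attachMac, addOrRemove);
    }

    /**
     * Programs the custom flows, one set per ACE of every ACL in the list.
     *
     * <p>An ACL that cannot be read, or that has no entries, is logged and skipped; no
     * permit flow is written for it, and the remaining ACLs are still processed.
     *
     * @param aclUuidList the list of acl uuid to be applied
     * @param dpId the dpId
     * @param attachMac the attached mac
     * @param attachIp the IP address or prefix allowed as source on the port
     * @param addOrRemove whether to delete or add flow
     */
    protected void programAclRules(List<Uuid> aclUuidList, BigInteger dpId, String attachMac,
                                   IpPrefixOrAddress attachIp, int addOrRemove) {
        LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac);
        if (aclUuidList == null) {
            return;
        }
        for (Uuid sgUuid : aclUuidList) {
            Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
            if (null == acl) {
                LOG.warn("The ACL {} was not found", sgUuid.getValue());
                continue;
            }
            AccessListEntries accessListEntries = acl.getAccessListEntries();
            List<Ace> aceList = accessListEntries == null ? null : accessListEntries.getAce();
            if (aceList == null) {
                // An ACL without entries contributes no flows; do not abort the remaining ACLs.
                LOG.warn("The ACL {} has no access list entries", sgUuid.getValue());
                continue;
            }
            for (Ace ace : aceList) {
                programAceRule(dpId, attachMac, attachIp, addOrRemove, ace);
            }
        }
    }

    /**
     * Programs the flows of a single ACE, provided its direction is egress.
     *
     * <p>Every flow matches the port's MAC as ethernet source, the "tracked, new"
     * conntrack state and the allowed source IP. On a match the connection is handed to
     * conntrack and the packet goes to the next table. Only {@link AceIp} entries are
     * translated; any other ACE type is logged as an error and no flow is written.
     *
     * <p>NOTE(review): the allowed-IP match is requested with
     * {@code MatchFieldType.ipv4_source} only; whether an IPv6 {@code attachIp} is
     * handled depends on {@code AclServiceUtils.getAllowedIpMatches} - confirm.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac
     * @param attachIp the IP address or prefix allowed as source on the port
     * @param addOrRemove whether to delete or add flow
     * @param ace the access control entry to translate
     */
    protected void programAceRule(BigInteger dpId, String attachMac, IpPrefixOrAddress attachIp, int addOrRemove,
                                  Ace ace) {
        SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
        if (aceAttr == null) {
            // Without the security-rule attributes the direction is unknown; skip the entry
            // rather than guess, which leaves the traffic to the default drop rules.
            LOG.warn("ACE {} has no security rule attributes, skipping", ace.getKey());
            return;
        }
        if (!DirectionEgress.class.equals(aceAttr.getDirection())) {
            return;
        }
        Matches matches = ace.getMatches();
        AceType aceType = matches == null ? null : matches.getAceType();
        Map<String, List<MatchInfoBase>> flowMap = null;
        if (aceType instanceof AceIp) {
            flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
        }
        if (null == flowMap) {
            LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
            return;
        }
        // The flow map contains a list of flows if a port range is selected.
        for (Map.Entry<String, List<MatchInfoBase>> entry : flowMap.entrySet()) {
            List<MatchInfoBase> flows = entry.getValue();
            String flowName = entry.getKey() + "Egress" + attachMac + String.valueOf(attachIp.getValue())
                    + ace.getKey().getRuleName();
            flows.add(new MatchInfo(MatchFieldType.eth_src,
                new String[] { attachMac }));
            flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
                new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
            flows.addAll(AclServiceUtils.getAllowedIpMatches(attachIp, MatchFieldType.ipv4_source));
            syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY,
                "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, commitAndGotoNextTable(), addOrRemove);
        }
    }

    /**
     * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
     *
     * <p>{@code dhcpMacAddress} is used in the flow name only; it is not matched on.
     *
     * @param dpId the dpId
     * @param dhcpMacAddress the Dhcp mac address
     * @param attachMac the attached mac address
     * @param addOrRemove add/remove the flow.
     */
    private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
            String attachMac, int addOrRemove) {
        List<MatchInfoBase> matches = AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_SERVER_PORT_IPV4,
                AclConstants.DHCP_CLIENT_PORT_IPV4, attachMac);

        // Deliberately empty: a flow with no instructions gives the packet no action and no
        // next table, which is what drops it.
        List<InstructionInfo> instructions = new ArrayList<>();

        String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }

    /**
     * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
     *
     * <p>{@code dhcpMacAddress} is used in the flow name only; it is not matched on.
     *
     * @param dpId the dpId
     * @param dhcpMacAddress the Dhcp mac address
     * @param attachMac the attached mac address
     * @param addOrRemove add/remove the flow.
     */
    private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
                                                  String attachMac, int addOrRemove) {
        List<MatchInfoBase> matches = AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_SERVER_PORT_IPV6,
                AclConstants.DHCP_CLIENT_PORT_IPV6, attachMac);

        // Deliberately empty: a flow with no instructions gives the packet no action and no
        // next table, which is what drops it.
        List<InstructionInfo> instructions = new ArrayList<>();

        String flowName = "Egress_DHCP_Server_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }

    /**
     * Adds the rule that lets the port act as a DHCPv4 client: traffic from the port's
     * MAC with the DHCP client port as source and the DHCP server port as destination.
     *
     * <p>{@code dhcpMacAddress} is used in the flow name only; the flow does not restrict
     * which server the client talks to.
     *
     * @param dpId the dpid
     * @param dhcpMacAddress the DHCP server mac address
     * @param attachMac the mac address of the port
     * @param addOrRemove whether to add or remove the flow
     */
    private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
                                                 String attachMac, int addOrRemove) {
        final List<MatchInfoBase> matches =
                AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_CLIENT_PORT_IPV4,
                        AclConstants.DHCP_SERVER_PORT_IPV4, attachMac);

        String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, commitAndGotoNextTable(), addOrRemove);
    }

    /**
     * Adds the rule that lets the port act as a DHCPv6 client: traffic from the port's
     * MAC with the DHCPv6 client port as source and the DHCPv6 server port as destination.
     *
     * <p>{@code dhcpMacAddress} is used in the flow name only; the flow does not restrict
     * which server the client talks to.
     *
     * @param dpId the dpid
     * @param dhcpMacAddress the DHCP server mac address
     * @param attachMac the mac address of  the port
     * @param addOrRemove whether to add or remove the flow
     */
    private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
                                                   String attachMac, int addOrRemove) {
        final List<MatchInfoBase> matches =
                AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_CLIENT_PORT_IPV6,
                        AclConstants.DHCP_SERVER_PORT_IPV6, attachMac);

        String flowName = "Egress_DHCP_Client_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, commitAndGotoNextTable(), addOrRemove);
    }

    /**
     * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
     *
     * <p>The conntrack action names {@code NwConstants.EGRESS_ACL_TABLE_ID} as its last
     * argument, so the packet is presumably recirculated into this same table with its
     * conntrack state set - confirm against the nx_conntrack action definition.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param priority the priority of the flow
     * @param flowId the flowId
     * @param conntrackState the conntrack state of the packets that should be sent
     * @param conntrackMask the conntrack mask
     * @param addOrRemove whether to add or remove the flow
     */
    private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                             int conntrackState, int conntrackMask, int addOrRemove) {
        List<MatchInfoBase> matches = egressConntrackMatches(attachMac, conntrackState, conntrackMask);
        List<InstructionInfo> instructions = new ArrayList<>();

        List<ActionInfo> actionsInfos = new ArrayList<>();

        actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
            new String[] {"0", "0", "0", Short.toString(NwConstants.EGRESS_ACL_TABLE_ID)}, 2));
        instructions.add(new InstructionInfo(InstructionType.apply_actions,
            actionsInfos));
        String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
        // Honour the caller-supplied priority, as the forward and drop rules do. With a fixed
        // PROTO_MATCH_PRIORITY this flow would share a priority with the DHCP, ARP and ACE
        // flows of the table, and which of two overlapping flows wins would be undefined.
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }

    /**
     * Adds the rule to forward the known packets to the next table.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param priority the priority of the flow
     * @param flowId the flowId
     * @param conntrackState the conntrack state of the packets that should be sent
     * @param conntrackMask the conntrack mask
     * @param addOrRemove whether to add or remove the flow
     */
    private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                             int conntrackState, int conntrackMask, int addOrRemove) {
        List<MatchInfoBase> matches = egressConntrackMatches(attachMac, conntrackState, conntrackMask);
        // The name prefix is shared with the recirculation rule; flowId keeps the names distinct.
        String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, gotoNextTable(), addOrRemove);
    }

    /**
     * Adds the rule to drop the unknown/invalid packets.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param priority the priority of the flow
     * @param flowId the flowId
     * @param conntrackState the conntrack state of the packets that should be dropped
     * @param conntrackMask the conntrack mask
     * @param addOrRemove whether to add or remove the flow
     */
    private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                          int conntrackState, int conntrackMask, int addOrRemove) {
        List<MatchInfoBase> matches = egressConntrackMatches(attachMac, conntrackState, conntrackMask);
        // Deliberately empty: a flow with no instructions gives the packet no action and no
        // next table, which is what drops it.
        List<InstructionInfo> instructions = new ArrayList<>();

        String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }

    /**
     * Adds the rule to allow arp packets whose sender hardware address is the port's MAC.
     *
     * <p>Only {@code arp_sha} is pinned. The sender protocol (IP) address is not matched
     * here, so this rule alone does not stop the port from announcing an IP address it
     * does not own; that protection has to come from another rule or table.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param addOrRemove whether to add or remove the flow
     */
    private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
        List<MatchInfo> matches = new ArrayList<>();
        matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_ARP }));
        matches.add(new MatchInfo(MatchFieldType.arp_sha,
            new String[] { attachMac }));

        String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, gotoNextTable(), addOrRemove);
    }

    /**
     * Programs the default connection tracking rules: untracked packets are sent to
     * conntrack, established and related packets are forwarded, and new or invalid
     * packets that no higher-priority flow has accepted are dropped.
     *
     * @param dpid the dp id
     * @param attachMac the attached mac address
     * @param write whether to add or remove the flow.
     */
    private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
        programConntrackRecircRule(dpid, attachMac, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
            "Untracked", AclConstants.UNTRACKED_CT_STATE, AclConstants.UNTRACKED_CT_STATE_MASK, write);
        programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
            "Tracked_Established", AclConstants.TRACKED_EST_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK,
            write);
        programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
            "Tracked_Related", AclConstants.TRACKED_REL_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write);
        programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
            "Tracked_New", AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, write);
        programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
            "Tracked_Invalid", AclConstants.TRACKED_INV_CT_STATE, AclConstants.TRACKED_INV_CT_STATE_MASK,
            write);
        // Runs for removal as well, so the log line must not claim the rules were added.
        LOG.info("programEgressAclFixedConntrackRule : default connection tracking rules programmed, addOrRemove {}",
            write);
    }

    /**
     * Builds the match list shared by the fixed conntrack rules: IPv4 ethertype, the given
     * conntrack state under the given mask, and the port's MAC as ethernet source.
     *
     * <p>Because the ethertype is fixed to IPv4, the fixed conntrack rules do not match
     * IPv6 packets.
     */
    private static List<MatchInfoBase> egressConntrackMatches(String attachMac, int conntrackState,
                                                              int conntrackMask) {
        List<MatchInfoBase> matches = new ArrayList<>();
        matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] { conntrackState, conntrackMask}));
        matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));
        return matches;
    }

    /**
     * Builds the instructions of a permit flow: apply the conntrack action, then go to
     * {@code NwConstants.EGRESS_ACL_NEXT_TABLE_ID}.
     */
    private static List<InstructionInfo> commitAndGotoNextTable() {
        List<ActionInfo> actionsInfos = new ArrayList<>();
        // NOTE(review): the leading "1" presumably asks conntrack to commit the connection and
        // "255" presumably means "no recirculation table" - confirm against nx_conntrack.
        actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
            new String[] {"1", "0", "0", "255"}, 2));
        List<InstructionInfo> instructions = new ArrayList<>();
        instructions.add(new InstructionInfo(InstructionType.apply_actions,
            actionsInfos));
        instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
        return instructions;
    }

    /** Builds the single instruction that sends a packet to {@code NwConstants.EGRESS_ACL_NEXT_TABLE_ID}. */
    private static List<InstructionInfo> gotoNextTable() {
        List<InstructionInfo> instructions = new ArrayList<>();
        instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
        return instructions;
    }
}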