2 * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netvirt.aclservice;
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.List;
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
17 import org.opendaylight.genius.mdsalutil.ActionInfo;
18 import org.opendaylight.genius.mdsalutil.ActionType;
19 import org.opendaylight.genius.mdsalutil.InstructionInfo;
20 import org.opendaylight.genius.mdsalutil.InstructionType;
21 import org.opendaylight.genius.mdsalutil.MDSALUtil;
22 import org.opendaylight.genius.mdsalutil.MatchFieldType;
23 import org.opendaylight.genius.mdsalutil.MatchInfo;
24 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
25 import org.opendaylight.genius.mdsalutil.NwConstants;
26 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
27 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
28 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
29 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
30 import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
31 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
46 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
47 import org.slf4j.Logger;
48 import org.slf4j.LoggerFactory;
50 public class EgressAclServiceImpl extends AbstractAclServiceImpl {
// Class logger. Messages below interpolate only dpId / MAC / ACE key values, never datastore contents.
private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
// Broker used for the service-binding write/delete (bindService / unbindService)
// and for the ACL reads in programAclRules. Same instance that is passed to the superclass.
private final DataBroker dataBroker;
/**
 * Initialize the member variables.
 *
 * <p>The same {@code dataBroker} is handed to the superclass and also kept locally, because the
 * service-binding and ACL-lookup calls in this class use it directly.
 *
 * @param dataBroker the data broker instance.
 * @param interfaceManager the interface manager instance.
 * @param mdsalManager the mdsal manager instance.
 */
public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
        IMdsalApiManager mdsalManager) {
    super(dataBroker,interfaceManager,mdsalManager);
    this.dataBroker = dataBroker;
    // (listing gap: lines 65-69 of the original are not shown in this excerpt)
/**
 * Binds the egress ACL service to the given interface.
 *
 * <p>Writes a {@link BoundServices} entry to the CONFIGURATION datastore whose single
 * instruction jumps to {@code NwConstants.EGRESS_ACL_TABLE_ID}, so the interface's traffic is
 * steered through the egress ACL table. The service is named {@code "vpn.egressacl.<interfaceName>"}
 * and registered at index {@code NwConstants.ACL_SERVICE_INDEX}.
 *
 * <p>NOTE(review): the binding uses {@link ServiceModeIngress} although this is the egress
 * service; presumably "ingress" is from the switch's point of view (VM to switch) — confirm
 * against {@code AclServiceUtils.buildServiceId}.
 *
 * @param interfaceName the interface name
 */
protected void bindService(String interfaceName) {
    int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;

    int instructionKey = 0;
    List<Instruction> instructions = new ArrayList<>();
    // Pre-increment: the first (and only) instruction gets key 1.
    instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
    BoundServices serviceInfo = AclServiceUtils.getBoundServices(
            String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), NwConstants.ACL_SERVICE_INDEX,
            flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
    // Same (interfaceName, service index, mode) triple as unbindService, so both address one node.
    InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
            NwConstants.ACL_SERVICE_INDEX, ServiceModeIngress.class);
    MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
    // (listing gap: lines 84-88 of the original are not shown in this excerpt)
/**
 * Removes the egress ACL service binding created by {@link #bindService(String)}.
 *
 * <p>Deletes the {@link BoundServices} node at the same CONFIGURATION path (same service index
 * and {@link ServiceModeIngress} mode) that {@code bindService} writes.
 *
 * @param interfaceName the interface name
 */
protected void unbindService(String interfaceName) {
    InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
            NwConstants.ACL_SERVICE_INDEX, ServiceModeIngress.class);
    MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
    // (listing gap: lines 95-97 of the original are not shown in this excerpt)
/**
 * Program the default anti-spoofing rule and the conntrack rules.
 *
 * <p>Order as programmed: DHCPv4 and DHCPv6 client permits, DHCPv4 and DHCPv6 server-traffic
 * drops, the fixed connection-tracking rules, and finally the ARP rule. All helpers receive the
 * same {@code addOrRemove}, so the whole fixed set is added or removed together.
 *
 * <p>NOTE(review): the connection-tracking rules are programmed unconditionally — the
 * {@code isConntrackEnabled()} guard below is commented out.
 *
 * @param dpid the dpid
 * @param dhcpMacAddress the dhcp mac address.
 * @param attachMac The vm mac address
 * @param addOrRemove whether to add or remove the fixed flows
 */
protected void programFixedRules(BigInteger dpid, String dhcpMacAddress,
        String attachMac, int addOrRemove) {
    // Logged as "adding" on both the add and the remove path.
    LOG.info("programFixedRules : adding default rules.");
    egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
    egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
    egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
    egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);

    //if (securityServicesManager.isConntrackEnabled()) {
    programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
    // (listing gap: line 115 of the original is not shown in this excerpt)
    programArpRule(dpid,attachMac, addOrRemove);
    // (listing gap: lines 117-119 of the original are not shown in this excerpt)
/**
 * Programs the custom flows.
 *
 * <p>For every ACL UUID in {@code aclUuidList} the ACL is read from the datastore and each of
 * its ACEs is handed to {@link #programAceRule}. That method adds {@code eth_src} and
 * {@code ipv4_source} matches for {@code attachMac} / {@code attachIp}, so the custom rules only
 * match traffic carrying the port's own source MAC and allowed source IPs.
 *
 * @param aclUuidList the list of acl uuid to be applied
 * @param dpId the dpId
 * @param attachMac the attached mac
 * @param attachIp the IP prefix/address attached to the port; used for the source-IP match
 * @param addOrRemove whether to delete or add flow
 */
protected void programAclRules(List<Uuid> aclUuidList, BigInteger dpId, String attachMac,
        IpPrefixOrAddress attachIp, int addOrRemove) {
    LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
    for (Uuid sgUuid :aclUuidList ) {
        Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
        // (listing gap: line 132 of the original is not shown; presumably the condition guarding
        //  the warning below — confirm against the full source)
        LOG.warn("The ACL is empty");
        // (listing gap: lines 134-135 of the original are not shown in this excerpt)
        AccessListEntries accessListEntries = acl.getAccessListEntries();
        List<Ace> aceList = accessListEntries.getAce();
        for (Ace ace: aceList) {
            programAceRule(dpId, attachMac, attachIp, addOrRemove, ace);
    // (listing gap: lines 140-144 of the original are not shown in this excerpt)
/**
 * Programs the flows for a single ACE of an egress ACL.
 *
 * <p>ACEs whose direction is not {@link DirectionEgress} are skipped. Only {@link AceIp}
 * matches are translated (via {@code AclServiceOFFlowBuilder.programIpFlow}); any other ACE
 * type leaves the flow map {@code null}, which is logged as an error. Each generated match list
 * is then tightened with the port's own {@code eth_src}, a {@code ct_state} match for
 * tracked+new connections and the port's allowed IPv4 source addresses, and written with an
 * nx_conntrack action followed by a jump to {@code EGRESS_ACL_NEXT_TABLE_ID}.
 *
 * @param dpId the dpId
 * @param attachMac the mac address of the port; becomes the {@code eth_src} match of every flow
 * @param attachIp the IP prefix/address of the port; used for the source-IP match and the flow name
 * @param addOrRemove whether to add or remove the flows
 * @param ace the access-list entry to program (name taken from the call site in programAclRules;
 *        its declaration line is not present in this excerpt)
 */
protected void programAceRule(BigInteger dpId, String attachMac, IpPrefixOrAddress attachIp, int addOrRemove,
    // (listing gap: line 146 of the original — remainder of the signature — is not shown)
    SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
    // Only egress ACEs belong to this service.
    if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
    // (listing gap: lines 149-150 of the original are not shown in this excerpt)
    Matches matches = ace.getMatches();
    AceType aceType = matches.getAceType();
    Map<String,List<MatchInfoBase>> flowMap = null;
    // Only IP ACEs are translated; other AceTypes fall through to the null check below.
    if (aceType instanceof AceIp) {
        flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
    // (listing gap: line 156 of the original is not shown in this excerpt)
    if (null == flowMap) {
        LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
    // (listing gap: lines 159-160 of the original are not shown in this excerpt)
    //The flow map contains list of flows if port range is selected.
    for ( String flowName : flowMap.keySet()) {
        // The builder's list is extended in place (not copied).
        List<MatchInfoBase> flows = flowMap.get(flowName);
        // Reassigns the loop variable; the map key itself is untouched. MAC, IP and rule name are
        // appended so each (port, rule) pair yields a distinct flow id.
        flowName += "Egress" + attachMac + String.valueOf(attachIp.getValue()) + ace.getKey().getRuleName();
        // Anti-spoofing: the ACE match alone would apply to any source; restrict it to this
        // port's MAC ...
        flows .add(new MatchInfo(MatchFieldType.eth_src,
                new String[] { attachMac }));
        // ... to tracked, new connections only (established/related traffic is forwarded by the
        // fixed conntrack rules) ...
        flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
                new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
        // ... and to the IPv4 source addresses allowed for the port.
        flows.addAll(AclServiceUtils.getAllowedIpMatches(attachIp, MatchFieldType.ipv4_source));
        List<InstructionInfo> instructions = new ArrayList<>();
        List<ActionInfo> actionsInfos = new ArrayList<>();
        // nx_conntrack with first argument "1" — presumably the commit flag, so the connection
        // becomes "established" for the fixed rules; confirm against the ActionInfo contract.
        actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
                new String[] {"1", "0", "0", "255"}, 2));
        instructions.add(new InstructionInfo(InstructionType.apply_actions,
        // (listing gap: line 175 of the original — remainder of this statement — is not shown)
        instructions.add(new InstructionInfo(InstructionType.goto_table,
                new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
        syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY,
                "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
    // (listing gap: lines 180-183 of the original are not shown in this excerpt)
/**
 * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
 *
 * <p>Matches DHCPv4 server-port to client-port traffic sourced from {@code attachMac} and drops
 * it, so a VM cannot act as a rogue DHCP server. Note that {@code dhcpMacAddress} is not part of
 * the match — it only appears in the flow name.
 *
 * @param dpId the dpId
 * @param dhcpMacAddress the Dhcp mac address (flow-name component only)
 * @param attachMac the attached mac address
 * @param addOrRemove add/remove the flow.
 */
private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
        String attachMac, int addOrRemove) {
    // Argument order is (server port, client port, mac) — the reverse of the "allow client" rule.
    List<MatchInfoBase> matches = AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_SERVER_PORT_IPV4,
            AclConstants.DHCP_CLIENT_PORT_IPV4, attachMac);

    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.drop_action,
    // (listing gap: line 200 of the original — remainder of this statement — is not shown)
    // No separator between "v4" and dpId, unlike the v6 counterpart.
    String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 204-206 of the original are not shown in this excerpt)
/**
 * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
 *
 * <p>IPv6 counterpart of {@link #egressAclDhcpDropServerTraffic}: DHCPv6 server-port to
 * client-port traffic sourced from {@code attachMac} is dropped. {@code dhcpMacAddress} is not
 * part of the match and only appears in the flow name.
 *
 * @param dpId the dpId
 * @param dhcpMacAddress the Dhcp mac address (flow-name component only)
 * @param attachMac the attached mac address
 * @param addOrRemove add/remove the flow.
 */
private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
        String attachMac, int addOrRemove) {
    List<MatchInfoBase> matches = AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_SERVER_PORT_IPV6,
            AclConstants.DHCP_CLIENT_PORT_IPV6, attachMac);

    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.drop_action,
    // (listing gap: line 223 of the original — remainder of this statement — is not shown)
    String flowName = "Egress_DHCP_Server_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 227-229 of the original are not shown in this excerpt)
/**
 * Permits the port's own DHCPv4 client traffic.
 *
 * <p>Matches DHCPv4 client-port to server-port traffic sourced from {@code attachMac} (the
 * reverse of {@link #egressAclDhcpDropServerTraffic}), commits it to conntrack and jumps to
 * {@code EGRESS_ACL_NEXT_TABLE_ID}. The original summary ("only DHCP server traffic from the
 * specified mac") did not match the ports passed below; {@code dhcpMacAddress} is not part of
 * the match and only appears in the flow name.
 *
 * @param dpId the dpid
 * @param dhcpMacAddress the DHCP server mac address (flow-name component only)
 * @param attachMac the mac address of the port
 * @param addOrRemove whether to add or remove the flow
 */
private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
        String attachMac, int addOrRemove) {
    final List<MatchInfoBase> matches =
            AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_CLIENT_PORT_IPV4,
                    AclConstants.DHCP_SERVER_PORT_IPV4, attachMac);

    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    // Same nx_conntrack arguments as the ACE flows ("1" presumably = commit; confirm).
    actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
            new String[] {"1", "0", "0", "255"}, 2));
    instructions.add(new InstructionInfo(InstructionType.apply_actions,
    // (listing gap: lines 250-252 of the original are not shown in this excerpt)
    instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
    // No separator between "v4" and dpId, unlike the v6 counterpart.
    String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 258-260 of the original are not shown in this excerpt)
/**
 * Permits the port's own DHCPv6 client traffic.
 *
 * <p>IPv6 counterpart of {@link #egressAclDhcpAllowClientTraffic}: DHCPv6 client-port to
 * server-port traffic sourced from {@code attachMac} is committed to conntrack and sent on to
 * {@code EGRESS_ACL_NEXT_TABLE_ID}. {@code dhcpMacAddress} is not part of the match and only
 * appears in the flow name.
 *
 * @param dpId the dpid
 * @param dhcpMacAddress the DHCP server mac address (flow-name component only)
 * @param attachMac the mac address of the port
 * @param addOrRemove whether to add or remove the flow
 */
private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
        String attachMac, int addOrRemove) {
    final List<MatchInfoBase> matches =
            AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_CLIENT_PORT_IPV6,
                    AclConstants.DHCP_SERVER_PORT_IPV6, attachMac);

    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
            new String[] {"1", "0", "0", "255"}, 2));
    instructions.add(new InstructionInfo(InstructionType.apply_actions,
    // (listing gap: lines 281-282 of the original are not shown in this excerpt)
    instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
    String flowName = "Egress_DHCP_Client_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 288-290 of the original are not shown in this excerpt)
/**
 * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
 *
 * <p>Matches IPv4 frames from {@code attachMac} in the given conntrack state and applies an
 * nx_conntrack action whose last argument is {@code EGRESS_ACL_TABLE_ID} — presumably the
 * recirculation table, so the packet re-enters this table with its ct_state populated (confirm
 * against the ActionInfo contract). IPv4 only: no IPv6 counterpart is visible in this excerpt.
 *
 * <p>NOTE(review): {@code priority} is not used — the flow is written with
 * {@code AclConstants.PROTO_MATCH_PRIORITY}, whereas {@link #programConntrackForwardRule} and
 * {@link #programConntrackDropRule} pass their {@code priority} through. Confirm which is intended.
 *
 * @param dpId the dpId
 * @param attachMac the attached mac address
 * @param priority the priority of the flow (currently ignored, see note above)
 * @param flowId the flowId
 * @param conntrackState the conntrack state of the packets thats should be send
 * @param conntrackMask the conntrack mask
 * @param addOrRemove whether to add or remove the flow
 */
private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
        int conntrackState, int conntrackMask, int addOrRemove) {
    List<MatchInfoBase> matches = new ArrayList<>();
    matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
    matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] {conntrackState, conntrackMask}));
    // Pinned to the port's MAC like every other egress flow.
    matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));
    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
            new String[] {"0", "0", "0", Short.toString(NwConstants.EGRESS_ACL_TABLE_ID)}, 2));
    instructions.add(new InstructionInfo(InstructionType.apply_actions,
    // (listing gap: line 316 of the original — remainder of this statement — is not shown)
    String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
    // Constant priority here; the priority parameter is unused.
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 320-322 of the original are not shown in this excerpt)
/**
 * Adds the rule to forward the packets known packets.
 *
 * <p>IPv4 frames from {@code attachMac} whose ct_state matches ({@code conntrackState},
 * {@code conntrackMask}) are sent on to {@code EGRESS_ACL_NEXT_TABLE_ID}. Used by
 * {@link #programEgressAclFixedConntrackRule} for the established and related states, i.e. the
 * reply/continuation half of connections that were committed by an ACE or DHCP flow.
 *
 * <p>NOTE(review): the flow-name prefix is {@code "Egress_Fixed_Conntrk_Untrk_"}, the same as
 * the recirculation rule; the two differ only by {@code flowId}. A prefix naming the forward
 * case would make flow dumps easier to read.
 *
 * @param dpId the dpId
 * @param attachMac the attached mac address
 * @param priority the priority of the flow
 * @param flowId the flowId
 * @param conntrackState the conntrack state of the packets thats should be send
 * @param conntrackMask the conntrack mask
 * @param addOrRemove whether to add or remove the flow
 */
private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
        int conntrackState, int conntrackMask, int addOrRemove) {
    List<MatchInfoBase> matches = new ArrayList<>();
    matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
    matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] {conntrackState, conntrackMask}));
    matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));
    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.goto_table,
    // (listing gap: lines 346-347 of the original are not shown; whether actionsInfos is attached
    //  to an instruction cannot be seen in this excerpt)
    instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
    String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 353-355 of the original are not shown in this excerpt)
/**
 * Adds the rule to drop the unknown/invalid packets .
 *
 * <p>IPv4 frames from {@code attachMac} whose ct_state matches ({@code conntrackState},
 * {@code conntrackMask}) are dropped. {@link #programEgressAclFixedConntrackRule} installs this
 * for the tracked+new and tracked+invalid states, which is what gives the egress ACL its
 * default-deny behaviour for connections no ACE permits.
 *
 * <p>NOTE(review): the ACE flows in {@code programAceRule} also match tracked+new, so the two
 * sets overlap on the same traffic; presumably the ACE flows win because
 * {@code PROTO_MATCH_PRIORITY} outranks {@code CT_STATE_NEW_PRIORITY_DROP} — the constant values
 * are not visible here, confirm in {@code AclConstants}.
 *
 * @param dpId the dpId
 * @param attachMac the attached mac address
 * @param priority the priority of the flow
 * @param flowId the flowId
 * @param conntrackState the conntrack state of the packets thats should be send
 * @param conntrackMask the conntrack mask
 * @param addOrRemove whether to add or remove the flow
 */
private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
        int conntrackState, int conntrackMask, int addOrRemove) {
    List<MatchInfoBase> matches = new ArrayList<>();
    matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
    matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] { conntrackState, conntrackMask}));
    matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));
    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.drop_action,
    // (listing gap: line 379 of the original — remainder of this statement — is not shown)
    String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 383-385 of the original are not shown in this excerpt)
/**
 * Adds the rule to allow arp packets.
 *
 * <p>ARP frames whose sender hardware address ({@code arp_sha}) equals {@code attachMac} are
 * sent on to {@code EGRESS_ACL_NEXT_TABLE_ID}. Only the sender MAC is constrained by the
 * visible matches; the sender protocol address ({@code arp_spa}) is not matched here — if
 * IP-level ARP anti-spoofing is expected for the port, confirm it is enforced elsewhere.
 *
 * @param dpId the dpId
 * @param attachMac the attached mac address
 * @param addOrRemove whether to add or remove the flow
 */
private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
    // Declared as List<MatchInfo> rather than List<MatchInfoBase> like the other rules.
    List<MatchInfo> matches = new ArrayList<>();
    matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_ARP }));
    // Anti-spoofing on the ARP sender hardware address.
    matches.add(new MatchInfo(MatchFieldType.arp_sha,
            new String[] { attachMac }));

    List<InstructionInfo> instructions = new ArrayList<>();

    List<ActionInfo> actionsInfos = new ArrayList<>();

    actionsInfos.add(new ActionInfo(ActionType.goto_table,
    // (listing gap: lines 403-404 of the original are not shown in this excerpt)
    instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { NwConstants.EGRESS_ACL_NEXT_TABLE_ID }));
    String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
    syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
            AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    // (listing gap: lines 410-412 of the original are not shown in this excerpt)
/**
 * Programs the default connection tracking rules.
 *
 * <p>Five fixed flows per port, all keyed by {@code attachMac}: untracked packets are
 * recirculated through conntrack; tracked established and related packets are forwarded;
 * tracked new and tracked invalid packets are dropped. New connections therefore pass only if
 * an ACE flow from {@code programAceRule} (or a DHCP permit) matches them first.
 *
 * @param dpid the dp id
 * @param attachMac the attached mac address
 * @param write whether to add or remove the flow.
 */
private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
    // Priority argument is ignored by the recirc rule (it uses PROTO_MATCH_PRIORITY internally).
    programConntrackRecircRule(dpid, attachMac,AclConstants.CT_STATE_UNTRACKED_PRIORITY,
            "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, write );
    programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
            "Tracked_Established", AclConstants.TRACKED_EST_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK,
    // (listing gap: line 423 of the original — remainder of this call — is not shown)
    programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
            "Tracked_Related", AclConstants.TRACKED_REL_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write );
    programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
            "Tracked_New", AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, write );
    programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
            "Tracked_Invalid",AclConstants.TRACKED_INV_CT_STATE, AclConstants.TRACKED_INV_CT_STATE_MASK,
    // (listing gap: line 430 of the original — remainder of this call — is not shown)
    // Logged as "added" on both the add and the remove path.
    LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");