vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/EgressAclServiceImpl.java

   1 /*
   2  * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  */
   8 package org.opendaylight.netvirt.aclservice;
   9
  10 import java.math.BigInteger;
  11 import java.util.ArrayList;
  12 import java.util.List;
  13 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
  14 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
  15 import org.opendaylight.genius.mdsalutil.ActionInfo;
  16 import org.opendaylight.genius.mdsalutil.ActionType;
  17 import org.opendaylight.genius.mdsalutil.InstructionInfo;
  18 import org.opendaylight.genius.mdsalutil.InstructionType;
  19 import org.opendaylight.genius.mdsalutil.MDSALUtil;
  20 import org.opendaylight.genius.mdsalutil.MatchFieldType;
  21 import org.opendaylight.genius.mdsalutil.MatchInfo;
  22 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
  23 import org.opendaylight.genius.mdsalutil.NwConstants;
  24 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
  25 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
  26 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
  27 import org.opendaylight.netvirt.aclservice.api.AclServiceListener;
  28 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
  29 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
  30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
  31 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
  32 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
  33 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
  34 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
  35 import org.slf4j.Logger;
  36 import org.slf4j.LoggerFactory;
  37
  38 public class EgressAclServiceImpl implements AclServiceListener {
  39
  40     private static final Logger logger = LoggerFactory.getLogger(EgressAclServiceImpl.class);
  41
  42     private IMdsalApiManager mdsalManager;
  43     private OdlInterfaceRpcService interfaceManager;
  44     private DataBroker dataBroker;
  45
  46     /**
  47      * Initialize the member variables.
  48      * @param dataBroker the data broker instance.
  49      * @param interfaceManager the interface manager instance.
  50      * @param mdsalManager the mdsal manager instance.
  51      */
  52     public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
  53                                 IMdsalApiManager mdsalManager) {
  54         this.dataBroker = dataBroker;
  55         this.interfaceManager = interfaceManager;
  56         this.mdsalManager = mdsalManager;
  57     }
  58
  59     @Override
  60     public boolean applyAcl(Interface port) {
  61
  62         if (!AclServiceUtils.isPortSecurityEnabled(port, dataBroker)) {
  63             return false;
  64         }
  65         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
  66         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
  67             interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
  68         String attachMac = interfaceState.getPhysAddress().getValue();
  69         programFixedSecurityGroup(dpId, "", attachMac, NwConstants.ADD_FLOW);
  70
  71         // TODO: uncomment bindservice() when the acl flow programming is
  72         // implemented
  73         // bindService(port.getName());
  74         return true;
  75     }
  76
  77     @Override
  78     public boolean updateAcl(Interface port) {
  79         return false;
  80     }
  81
  82     @Override
  83     public boolean removeAcl(Interface port) {
  84         if (!AclServiceUtils.isPortSecurityEnabled(port, dataBroker)) {
  85             return false;
  86         }
  87         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
  88         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
  89             interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
  90         String attachMac = interfaceState.getPhysAddress().getValue();
  91         programFixedSecurityGroup(dpId, "", attachMac, NwConstants.DEL_FLOW);
  92
  93         // TODO: uncomment unbindService() when the acl flow programming is
  94         // implemented
  95         // unbindService(port.getName());
  96         return true;
  97     }
  98
  99     /**
 100      * Bind service.
 101      *
 102      * @param interfaceName the interface name
 103      */
 104     private void bindService(String interfaceName) {
 105         int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
 106
 107         int instructionKey = 0;
 108         List<Instruction> instructions = new ArrayList<>();
 109         instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
 110         BoundServices serviceInfo = AclServiceUtils.getBoundServices(
 111                 String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
 112                 flowPriority, AclServiceUtils.COOKIE_ACL_BASE, instructions);
 113         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
 114                 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
 115         MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
 116     }
 117
 118     /**
 119      * Unbind service.
 120      *
 121      * @param interfaceName the interface name
 122      */
 123     private void unbindService(String interfaceName) {
 124         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
 125                 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
 126         MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
 127     }
 128
 129     /**
 130      * Gets the instructions for dispatcher table resubmit.
 131      *
 132      * @return the instructions for dispatcher table resubmit
 133      */
 134     private List<InstructionInfo> getInstructionsForDispatcherTableResubmit() {
 135         List<InstructionInfo> instructions = new ArrayList<>();
 136         List<ActionInfo> actionsInfos = new ArrayList<>();
 137         actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
 138                 new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
 139         instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
 140         return instructions;
 141     }
 142
 143     /**
 144      * Program the default anti-spoofing rule and the conntrack rules.
 145      *
 146      * @param dpid the dpid
 147      * @param dhcpMacAddress the dhcp mac address.
 148      * @param attachMac The vm mac address
 149      * @param addOrRemove addorRemove
 150      */
 151     private void programFixedSecurityGroup(BigInteger dpid, String dhcpMacAddress,
 152                                            String attachMac, int addOrRemove) {
 153         logger.info("programFixedSecurityGroup :  adding default security group rules.");
 154         egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 155         egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 156         egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 157         egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 158
 159         //if (securityServicesManager.isConntrackEnabled()) {
 160         programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
 161         //}
 162         programArpRule(dpid,attachMac, addOrRemove);
 163     }
 164
 165     /**
 166      * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
 167      * @param dpId the dpId
 168      * @param dhcpMacAddress the Dhcp mac address
 169      * @param attachMac the attached mac address
 170      * @param addOrRemove add/remove the flow.
 171      */
 172     private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
 173             String attachMac, int addOrRemove) {
 174         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_IpV4,
 175             AclServiceUtils.dhcpClientPort_IpV4);
 176         matches.add(new MatchInfo(MatchFieldType.eth_src,
 177             new String[] { attachMac }));
 178         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 179             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 180
 181         List<InstructionInfo> instructions = new ArrayList<>();
 182
 183         List<ActionInfo> actionsInfos = new ArrayList<>();
 184
 185         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 186             new String[] {}));
 187         String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
 188         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 189             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 190     }
 191
 192     /**
 193      * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
 194      * @param dpId the dpId
 195      * @param dhcpMacAddress the Dhcp mac address
 196      * @param attachMac the attached mac address
 197      * @param addOrRemove add/remove the flow.
 198      */
 199     private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
 200                                                   String attachMac, int addOrRemove) {
 201         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_Ipv6,
 202             AclServiceUtils.dhcpClientPort_IpV6);
 203         matches.add(new MatchInfo(MatchFieldType.eth_src,
 204             new String[] { attachMac }));
 205         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 206             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 207
 208         List<InstructionInfo> instructions = new ArrayList<>();
 209
 210         List<ActionInfo> actionsInfos = new ArrayList<>();
 211
 212         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 213             new String[] {}));
 214         String flowName = "Egress_DHCP_Server_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
 215         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 216             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 217     }
 218
 219     /**
 220      * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
 221      *
 222      * @param dpidLong the dpid
 223      * @param segmentationId the segmentation id
 224      * @param dhcpMacAddress the DHCP server mac address
 225      * @param attachMac the mac address of  the port
 226      * @param write is write or delete
 227      * @param protoPortMatchPriority the priority
 228      */
 229     private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
 230                                                  String attachMac, int addOrRemove) {
 231         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV4,
 232             AclServiceUtils.dhcpServerPort_IpV4);
 233         matches.add(new MatchInfo(MatchFieldType.eth_src,
 234             new String[] { attachMac }));
 235         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 236             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 237
 238         List<InstructionInfo> instructions = new ArrayList<>();
 239
 240         List<ActionInfo> actionsInfos = new ArrayList<>();
 241
 242         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 243             new String[] {"1", "0", "0", "255"}, 2));
 244         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 245             actionsInfos));
 246
 247
 248         instructions.add(new InstructionInfo(InstructionType.goto_table,
 249             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 250         String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
 251         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 252             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 253     }
 254
 255     /**
 256      * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
 257      *
 258      * @param dpidLong the dpid
 259      * @param segmentationId the segmentation id
 260      * @param dhcpMacAddress the DHCP server mac address
 261      * @param attachMac the mac address of  the port
 262      * @param write is write or delete
 263      * @param protoPortMatchPriority the priority
 264      */
 265     private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
 266                                                    String attachMac, int addOrRemove) {
 267         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV6,
 268             AclServiceUtils.dhcpServerPort_Ipv6);
 269         matches.add(new MatchInfo(MatchFieldType.eth_src,
 270             new String[] { attachMac }));
 271         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 272             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 273
 274         List<InstructionInfo> instructions = new ArrayList<>();
 275
 276         List<ActionInfo> actionsInfos = new ArrayList<>();
 277
 278         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 279             new String[] {"1", "0", "0", "255"}, 2));
 280         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 281             actionsInfos));
 282
 283         instructions.add(new InstructionInfo(InstructionType.goto_table,
 284             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 285         String flowName = "Egress_DHCP_Client_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
 286         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 287             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 288     }
 289
 290     /**
 291      * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
 292      * @param dpId the dpId
 293      * @param attachMac the attached mac address
 294      * @param priority the priority of the flow
 295      * @param flowId the flowId
 296      * @param conntrackState the conntrack state of the packets thats should be send
 297      * @param conntrackMask the conntrack mask
 298      * @param addOrRemove whether to add or remove the flow
 299      */
 300     private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 301                                              int conntrackState, int conntrackMask, int addOrRemove) {
 302         List<MatchInfoBase> matches = new ArrayList<>();
 303         matches.add(new MatchInfo(MatchFieldType.eth_type,
 304             new long[] { NwConstants.ETHTYPE_IPV4 }));
 305         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 306             new long[] {conntrackState, conntrackMask}));
 307         matches.add(new MatchInfo(MatchFieldType.eth_src,
 308             new String[] { attachMac }));
 309         List<InstructionInfo> instructions = new ArrayList<>();
 310
 311         List<ActionInfo> actionsInfos = new ArrayList<>();
 312
 313         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 314             new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
 315         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 316             actionsInfos));
 317         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
 318         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 319             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 320     }
 321
 322     /**
 323      * Adds  the rule to forward the packets known packets .
 324      * @param dpId the dpId
 325      * @param attachMac the attached mac address
 326      * @param priority the priority of the flow
 327      * @param flowId the flowId
 328      * @param conntrackState the conntrack state of the packets thats should be send
 329      * @param conntrackMask the conntrack mask
 330      * @param addOrRemove whether to add or remove the flow
 331      */
 332     private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 333                                              int conntrackState, int conntrackMask, int addOrRemove) {
 334         List<MatchInfoBase> matches = new ArrayList<>();
 335         matches.add(new MatchInfo(MatchFieldType.eth_type,
 336             new long[] { NwConstants.ETHTYPE_IPV4 }));
 337         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 338             new long[] {conntrackState, conntrackMask}));
 339         matches.add(new MatchInfo(MatchFieldType.eth_src,
 340             new String[] { attachMac }));
 341         List<InstructionInfo> instructions = new ArrayList<>();
 342
 343         List<ActionInfo> actionsInfos = new ArrayList<>();
 344
 345         actionsInfos.add(new ActionInfo(ActionType.goto_table,
 346             new String[] {}));
 347
 348         instructions.add(new InstructionInfo(InstructionType.goto_table,
 349             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 350         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
 351         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
 352             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 353     }
 354
 355     /**
 356      * Adds  the rule to drop the unknown/invalid packets .
 357      * @param dpId the dpId
 358      * @param attachMac the attached mac address
 359      * @param priority the priority of the flow
 360      * @param flowId the flowId
 361      * @param conntrackState the conntrack state of the packets thats should be send
 362      * @param conntrackMask the conntrack mask
 363      * @param addOrRemove whether to add or remove the flow
 364      */
 365     private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 366                                           int conntrackState, int conntrackMask, int addOrRemove) {
 367         List<MatchInfoBase> matches = new ArrayList<>();
 368         matches.add(new MatchInfo(MatchFieldType.eth_type,
 369             new long[] { NwConstants.ETHTYPE_IPV4 }));
 370         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 371             new long[] { conntrackState, conntrackMask}));
 372         matches.add(new MatchInfo(MatchFieldType.eth_src,
 373             new String[] { attachMac }));
 374         List<InstructionInfo> instructions = new ArrayList<>();
 375
 376         List<ActionInfo> actionsInfos = new ArrayList<>();
 377
 378         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 379             new String[] {}));
 380         String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
 381         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
 382             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 383     }
 384
 385     /**
 386      * Adds  the rule to allow arp packets.
 387      * @param dpId the dpId
 388      * @param attachMac the attached mac address
 389      * @param addOrRemove whether to add or remove the flow
 390      */
 391     private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
 392         List<MatchInfo> matches = new ArrayList<>();
 393         matches.add(new MatchInfo(MatchFieldType.eth_type,
 394             new long[] { NwConstants.ETHTYPE_IPV4 }));
 395         matches.add(new MatchInfo(MatchFieldType.arp_tpa,
 396             new String[] { attachMac }));
 397
 398         List<InstructionInfo> instructions = new ArrayList<>();
 399
 400         List<ActionInfo> actionsInfos = new ArrayList<>();
 401
 402         actionsInfos.add(new ActionInfo(ActionType.goto_table,
 403                 new String[] {}));
 404
 405         instructions.add(new InstructionInfo(InstructionType.goto_table,
 406             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 407         String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
 408         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 409             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 410     }
 411
 412     /**
 413      * Writes/remove the flow to/from the datastore.
 414      * @param dpId the dpId
 415      * @param tableId the tableId
 416      * @param flowId the flowId
 417      * @param priority the priority
 418      * @param flowName the flow name
 419      * @param idleTimeOut the idle timeout
 420      * @param hardTimeOut the hard timeout
 421      * @param cookie the cookie
 422      * @param matches the list of matches to be writted
 423      * @param instructions the list of instruction to be written.
 424      * @param addOrRemove add or remove the entries.
 425      */
 426     private void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
 427                           int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase>  matches,
 428                           List<InstructionInfo> instructions, int addOrRemove) {
 429         if (addOrRemove == NwConstants.DEL_FLOW) {
 430             MDSALUtil.buildFlowEntity(dpId, tableId, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 431                     AclServiceUtils.COOKIE_ACL_BASE, matches, null);
 432             logger.trace("Removing Acl Flow DpId {}, vmMacAddress {}", dpId, flowId);
 433             // TODO Need to be done as a part of genius integration
 434             //mdsalUtil.removeFlow(flowEntity);
 435         } else {
 436             MDSALUtil.buildFlowEntity(dpId, tableId,
 437                 flowId ,priority, flowName, 0, 0, cookie, matches, instructions);
 438             logger.trace("Installing  DpId {}, flowId {}", dpId, flowId);
 439             // TODO Need to be done as a part of genius integration
 440             //mdsalUtil.installFlow(flowEntity);
 441         }
 442     }
 443
 444     /**
 445      * Programs the default connection tracking rules.
 446      * @param dpid the dp id
 447      * @param attachMac the attached mac address
 448      * @param write whether to add or remove the flow.
 449      */
 450     private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
 451         programConntrackRecircRule(dpid, attachMac,AclServiceUtils.CT_STATE_UNTRACKED_PRIORITY,
 452             "Untracked",AclServiceUtils.UNTRACKED_CT_STATE,AclServiceUtils.UNTRACKED_CT_STATE_MASK, write );
 453         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
 454             "Tracked_Established", AclServiceUtils.TRACKED_EST_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK,
 455             write );
 456         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
 457             "Tracked_Related", AclServiceUtils.TRACKED_REL_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK, write );
 458         programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
 459             "Tracked_New", AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK, write );
 460         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
 461             "Tracked_Invalid",AclServiceUtils.TRACKED_INV_CT_STATE, AclServiceUtils.TRACKED_INV_CT_STATE_MASK,
 462             write );
 463         logger.info("programEgressAclFixedConntrackRule :  default connection tracking rule are added.");
 464     }
 465 }