vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/EgressAclServiceImpl.java

   1 /*
   2  * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  */
   8 package org.opendaylight.netvirt.aclservice;
   9
  10 import java.math.BigInteger;
  11 import java.util.ArrayList;
  12 import java.util.List;
  13 import java.util.Map;
  14
  15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
  16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
  17 import org.opendaylight.genius.mdsalutil.ActionInfo;
  18 import org.opendaylight.genius.mdsalutil.ActionType;
  19 import org.opendaylight.genius.mdsalutil.FlowEntity;
  20 import org.opendaylight.genius.mdsalutil.InstructionInfo;
  21 import org.opendaylight.genius.mdsalutil.InstructionType;
  22 import org.opendaylight.genius.mdsalutil.MDSALUtil;
  23 import org.opendaylight.genius.mdsalutil.MatchFieldType;
  24 import org.opendaylight.genius.mdsalutil.MatchInfo;
  25 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
  26 import org.opendaylight.genius.mdsalutil.NwConstants;
  27 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
  28 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
  29 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
  30 import org.opendaylight.netvirt.aclservice.api.AclServiceListener;
  31 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
  32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
  33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
  34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
  35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
  36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
  37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
  38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
  39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
  40 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
  41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
  42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
  43 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
  44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
  45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
  46 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
  47 import org.slf4j.Logger;
  48 import org.slf4j.LoggerFactory;
  49
  50 public class EgressAclServiceImpl implements AclServiceListener {
  51
  52     private static final Logger logger = LoggerFactory.getLogger(EgressAclServiceImpl.class);
  53
  54     private final IMdsalApiManager mdsalManager;
  55     private final OdlInterfaceRpcService interfaceManager;
  56     private final DataBroker dataBroker;
  57
  58     /**
  59      * Initialize the member variables.
  60      * @param dataBroker the data broker instance.
  61      * @param interfaceManager the interface manager instance.
  62      * @param mdsalManager the mdsal manager instance.
  63      */
  64     public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
  65                                 IMdsalApiManager mdsalManager) {
  66         this.dataBroker = dataBroker;
  67         this.interfaceManager = interfaceManager;
  68         this.mdsalManager = mdsalManager;
  69     }
  70
  71     @Override
  72     public boolean applyAcl(Interface port) {
  73
  74         if (!AclServiceUtils.isPortSecurityEnabled(port)) {
  75             return false;
  76         }
  77         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
  78         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
  79             interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
  80         String attachMac = interfaceState.getPhysAddress().getValue();
  81         programFixedSecurityGroup(dpId, "", attachMac, NwConstants.ADD_FLOW);
  82         List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
  83         programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.ADD_FLOW );
  84         // TODO: uncomment bindservice() when the acl flow programming is
  85         // implemented
  86         // bindService(port.getName());
  87         return true;
  88     }
  89
  90     @Override
  91     public boolean updateAcl(Interface port) {
  92         return false;
  93     }
  94
  95     @Override
  96     public boolean removeAcl(Interface port) {
  97         if (!AclServiceUtils.isPortSecurityEnabled(port)) {
  98             return false;
  99         }
 100         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
 101         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
 102             interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
 103         String attachMac = interfaceState.getPhysAddress().getValue();
 104         programFixedSecurityGroup(dpId, "", attachMac, NwConstants.DEL_FLOW);
 105         List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
 106         programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.DEL_FLOW );
 107
 108         // TODO: uncomment unbindService() when the acl flow programming is
 109         // implemented
 110         // unbindService(port.getName());
 111         return true;
 112     }
 113
 114     /**
 115      * Bind service.
 116      *
 117      * @param interfaceName the interface name
 118      */
 119     private void bindService(String interfaceName) {
 120         int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
 121
 122         int instructionKey = 0;
 123         List<Instruction> instructions = new ArrayList<>();
 124         instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
 125         BoundServices serviceInfo = AclServiceUtils.getBoundServices(
 126                 String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
 127                 flowPriority, AclServiceUtils.COOKIE_ACL_BASE, instructions);
 128         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
 129                 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
 130         MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
 131     }
 132
 133     /**
 134      * Unbind service.
 135      *
 136      * @param interfaceName the interface name
 137      */
 138     private void unbindService(String interfaceName) {
 139         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
 140                 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
 141         MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
 142     }
 143
 144     /**
 145      * Gets the instructions for dispatcher table resubmit.
 146      *
 147      * @return the instructions for dispatcher table resubmit
 148      */
 149     private List<InstructionInfo> getInstructionsForDispatcherTableResubmit() {
 150         List<InstructionInfo> instructions = new ArrayList<>();
 151         List<ActionInfo> actionsInfos = new ArrayList<>();
 152         actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
 153                 new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
 154         instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
 155         return instructions;
 156     }
 157
 158     /**
 159      * Program the default anti-spoofing rule and the conntrack rules.
 160      *
 161      * @param dpid the dpid
 162      * @param dhcpMacAddress the dhcp mac address.
 163      * @param attachMac The vm mac address
 164      * @param addOrRemove addorRemove
 165      */
 166     private void programFixedSecurityGroup(BigInteger dpid, String dhcpMacAddress,
 167                                            String attachMac, int addOrRemove) {
 168         logger.info("programFixedSecurityGroup :  adding default security group rules.");
 169         egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 170         egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 171         egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 172         egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 173
 174         //if (securityServicesManager.isConntrackEnabled()) {
 175         programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
 176         //}
 177         programArpRule(dpid,attachMac, addOrRemove);
 178     }
 179
 180     /**
 181      * Programs the custom flows.
 182      *
 183      * @param port the interface
 184      * @param securityGroupsUuid the list of SG uuid to be applied
 185      * @param dpId the dpId
 186      * @param attachMac the attached mac
 187      * @param addOrRemove whether to delete or add flow
 188      */
 189     private void programCustomRules(Interface port, List<Uuid> securityGroupsUuid, BigInteger dpId, String attachMac,
 190                                     int addOrRemove) {
 191         logger.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
 192         for (Uuid sgUuid :securityGroupsUuid ) {
 193             Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
 194             AccessListEntries accessListEntries = acl.getAccessListEntries();
 195             List<Ace> aceList = accessListEntries.getAce();
 196             for (Ace ace: aceList) {
 197                 SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
 198
 199                 if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
 200                     continue;
 201                 }
 202
 203                 Matches matches = ace.getMatches();
 204                 AceType aceType = matches.getAceType();
 205                 Map<String,List<MatchInfoBase>>  flowMap = null;
 206                 if (aceType instanceof AceIp) {
 207                     flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
 208                 }
 209
 210                 if (null == flowMap) {
 211                     logger.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
 212                     continue;
 213                 }
 214                 //The flow map contains list of flows if port range is selected.
 215                 for ( String  flowName : flowMap.keySet()) {
 216                     List<MatchInfoBase> flows = flowMap.get(flowName);
 217                     flowName = flowName + "Egress" + attachMac;
 218                     flows .add(new MatchInfo(MatchFieldType.eth_src,
 219                         new String[] { attachMac }));
 220                     /*flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 221                         new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE,
 222                                      AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));*/
 223                     List<InstructionInfo> instructions = new ArrayList<>();
 224                     List<ActionInfo> actionsInfos = new ArrayList<>();
 225                     actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 226                         new String[] {"1", "0", "0", "255"}, 2));
 227                     instructions.add(new InstructionInfo(InstructionType.apply_actions,
 228                         actionsInfos));
 229                     instructions.add(new InstructionInfo(InstructionType.goto_table,
 230                         new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 231                     syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY,
 232                         "ACL", 0, 0, AclServiceUtils.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
 233                 }
 234             }
 235         }
 236
 237     }
 238
 239     /**
 240      * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
 241      * @param dpId the dpId
 242      * @param dhcpMacAddress the Dhcp mac address
 243      * @param attachMac the attached mac address
 244      * @param addOrRemove add/remove the flow.
 245      */
 246     private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
 247             String attachMac, int addOrRemove) {
 248         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_IpV4,
 249             AclServiceUtils.dhcpClientPort_IpV4);
 250         matches.add(new MatchInfo(MatchFieldType.eth_src,
 251             new String[] { attachMac }));
 252         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 253             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 254
 255         List<InstructionInfo> instructions = new ArrayList<>();
 256
 257         List<ActionInfo> actionsInfos = new ArrayList<>();
 258
 259         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 260             new String[] {}));
 261         String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
 262         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 263             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 264     }
 265
 266     /**
 267      * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
 268      * @param dpId the dpId
 269      * @param dhcpMacAddress the Dhcp mac address
 270      * @param attachMac the attached mac address
 271      * @param addOrRemove add/remove the flow.
 272      */
 273     private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
 274                                                   String attachMac, int addOrRemove) {
 275         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_Ipv6,
 276             AclServiceUtils.dhcpClientPort_IpV6);
 277         matches.add(new MatchInfo(MatchFieldType.eth_src,
 278             new String[] { attachMac }));
 279         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 280             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 281
 282         List<InstructionInfo> instructions = new ArrayList<>();
 283
 284         List<ActionInfo> actionsInfos = new ArrayList<>();
 285
 286         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 287             new String[] {}));
 288         String flowName = "Egress_DHCP_Server_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
 289         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 290             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 291     }
 292
 293     /**
 294      * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
 295      *
 296      * @param dpidLong the dpid
 297      * @param segmentationId the segmentation id
 298      * @param dhcpMacAddress the DHCP server mac address
 299      * @param attachMac the mac address of  the port
 300      * @param write is write or delete
 301      * @param protoPortMatchPriority the priority
 302      */
 303     private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
 304                                                  String attachMac, int addOrRemove) {
 305         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV4,
 306             AclServiceUtils.dhcpServerPort_IpV4);
 307         matches.add(new MatchInfo(MatchFieldType.eth_src,
 308             new String[] { attachMac }));
 309         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 310             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 311
 312         List<InstructionInfo> instructions = new ArrayList<>();
 313
 314         List<ActionInfo> actionsInfos = new ArrayList<>();
 315
 316         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 317             new String[] {"1", "0", "0", "255"}, 2));
 318         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 319             actionsInfos));
 320
 321
 322         instructions.add(new InstructionInfo(InstructionType.goto_table,
 323             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 324         String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
 325         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 326             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 327     }
 328
 329     /**
 330      * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
 331      *
 332      * @param dpidLong the dpid
 333      * @param segmentationId the segmentation id
 334      * @param dhcpMacAddress the DHCP server mac address
 335      * @param attachMac the mac address of  the port
 336      * @param write is write or delete
 337      * @param protoPortMatchPriority the priority
 338      */
 339     private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
 340                                                    String attachMac, int addOrRemove) {
 341         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV6,
 342             AclServiceUtils.dhcpServerPort_Ipv6);
 343         matches.add(new MatchInfo(MatchFieldType.eth_src,
 344             new String[] { attachMac }));
 345         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 346             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 347
 348         List<InstructionInfo> instructions = new ArrayList<>();
 349
 350         List<ActionInfo> actionsInfos = new ArrayList<>();
 351
 352         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 353             new String[] {"1", "0", "0", "255"}, 2));
 354         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 355             actionsInfos));
 356
 357         instructions.add(new InstructionInfo(InstructionType.goto_table,
 358             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 359         String flowName = "Egress_DHCP_Client_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
 360         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 361             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 362     }
 363
 364     /**
 365      * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
 366      * @param dpId the dpId
 367      * @param attachMac the attached mac address
 368      * @param priority the priority of the flow
 369      * @param flowId the flowId
 370      * @param conntrackState the conntrack state of the packets thats should be send
 371      * @param conntrackMask the conntrack mask
 372      * @param addOrRemove whether to add or remove the flow
 373      */
 374     private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 375                                              int conntrackState, int conntrackMask, int addOrRemove) {
 376         List<MatchInfoBase> matches = new ArrayList<>();
 377         matches.add(new MatchInfo(MatchFieldType.eth_type,
 378             new long[] { NwConstants.ETHTYPE_IPV4 }));
 379         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 380             new long[] {conntrackState, conntrackMask}));
 381         matches.add(new MatchInfo(MatchFieldType.eth_src,
 382             new String[] { attachMac }));
 383         List<InstructionInfo> instructions = new ArrayList<>();
 384
 385         List<ActionInfo> actionsInfos = new ArrayList<>();
 386
 387         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 388             new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
 389         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 390             actionsInfos));
 391         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
 392         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 393             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 394     }
 395
 396     /**
 397      * Adds  the rule to forward the packets known packets .
 398      * @param dpId the dpId
 399      * @param attachMac the attached mac address
 400      * @param priority the priority of the flow
 401      * @param flowId the flowId
 402      * @param conntrackState the conntrack state of the packets thats should be send
 403      * @param conntrackMask the conntrack mask
 404      * @param addOrRemove whether to add or remove the flow
 405      */
 406     private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 407                                              int conntrackState, int conntrackMask, int addOrRemove) {
 408         List<MatchInfoBase> matches = new ArrayList<>();
 409         matches.add(new MatchInfo(MatchFieldType.eth_type,
 410             new long[] { NwConstants.ETHTYPE_IPV4 }));
 411         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 412             new long[] {conntrackState, conntrackMask}));
 413         matches.add(new MatchInfo(MatchFieldType.eth_src,
 414             new String[] { attachMac }));
 415         List<InstructionInfo> instructions = new ArrayList<>();
 416
 417         List<ActionInfo> actionsInfos = new ArrayList<>();
 418
 419         actionsInfos.add(new ActionInfo(ActionType.goto_table,
 420             new String[] {}));
 421
 422         instructions.add(new InstructionInfo(InstructionType.goto_table,
 423             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 424         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
 425         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
 426             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 427     }
 428
 429     /**
 430      * Adds  the rule to drop the unknown/invalid packets .
 431      * @param dpId the dpId
 432      * @param attachMac the attached mac address
 433      * @param priority the priority of the flow
 434      * @param flowId the flowId
 435      * @param conntrackState the conntrack state of the packets thats should be send
 436      * @param conntrackMask the conntrack mask
 437      * @param addOrRemove whether to add or remove the flow
 438      */
 439     private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 440                                           int conntrackState, int conntrackMask, int addOrRemove) {
 441         List<MatchInfoBase> matches = new ArrayList<>();
 442         matches.add(new MatchInfo(MatchFieldType.eth_type,
 443             new long[] { NwConstants.ETHTYPE_IPV4 }));
 444         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 445             new long[] { conntrackState, conntrackMask}));
 446         matches.add(new MatchInfo(MatchFieldType.eth_src,
 447             new String[] { attachMac }));
 448         List<InstructionInfo> instructions = new ArrayList<>();
 449
 450         List<ActionInfo> actionsInfos = new ArrayList<>();
 451
 452         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 453             new String[] {}));
 454         String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
 455         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
 456             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 457     }
 458
 459     /**
 460      * Adds  the rule to allow arp packets.
 461      * @param dpId the dpId
 462      * @param attachMac the attached mac address
 463      * @param addOrRemove whether to add or remove the flow
 464      */
 465     private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
 466         List<MatchInfo> matches = new ArrayList<>();
 467         matches.add(new MatchInfo(MatchFieldType.eth_type,
 468             new long[] { NwConstants.ETHTYPE_ARP }));
 469         matches.add(new MatchInfo(MatchFieldType.arp_sha,
 470             new String[] { attachMac }));
 471
 472         List<InstructionInfo> instructions = new ArrayList<>();
 473
 474         List<ActionInfo> actionsInfos = new ArrayList<>();
 475
 476         actionsInfos.add(new ActionInfo(ActionType.goto_table,
 477                 new String[] {}));
 478
 479         instructions.add(new InstructionInfo(InstructionType.goto_table,
 480             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 481         String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
 482         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 483             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 484     }
 485
 486     /**
 487      * Writes/remove the flow to/from the datastore.
 488      * @param dpId the dpId
 489      * @param tableId the tableId
 490      * @param flowId the flowId
 491      * @param priority the priority
 492      * @param flowName the flow name
 493      * @param idleTimeOut the idle timeout
 494      * @param hardTimeOut the hard timeout
 495      * @param cookie the cookie
 496      * @param matches the list of matches to be writted
 497      * @param instructions the list of instruction to be written.
 498      * @param addOrRemove add or remove the entries.
 499      */
 500     private void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
 501                           int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase>  matches,
 502                           List<InstructionInfo> instructions, int addOrRemove) {
 503         if (addOrRemove == NwConstants.DEL_FLOW) {
 504             FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId,flowId,
 505                 priority, flowName , idleTimeOut, hardTimeOut, cookie, matches, null);
 506             logger.trace("Removing Acl Flow DpnId {}, flowId {}", dpId, flowId);
 507             mdsalManager.removeFlow(flowEntity);
 508         } else {
 509             FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId, flowId,
 510                 priority, flowName, idleTimeOut, hardTimeOut, cookie, matches, instructions);
 511             logger.trace("Installing DpnId {}, flowId {}", dpId, flowId);
 512             mdsalManager.installFlow(flowEntity);
 513         }
 514     }
 515
 516     /**
 517      * Programs the default connection tracking rules.
 518      * @param dpid the dp id
 519      * @param attachMac the attached mac address
 520      * @param write whether to add or remove the flow.
 521      */
 522     private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
 523         programConntrackRecircRule(dpid, attachMac,AclServiceUtils.CT_STATE_UNTRACKED_PRIORITY,
 524             "Untracked",AclServiceUtils.UNTRACKED_CT_STATE,AclServiceUtils.UNTRACKED_CT_STATE_MASK, write );
 525         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
 526             "Tracked_Established", AclServiceUtils.TRACKED_EST_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK,
 527             write );
 528         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
 529             "Tracked_Related", AclServiceUtils.TRACKED_REL_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK, write );
 530         programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
 531             "Tracked_New", AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK, write );
 532         programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
 533             "Tracked_Invalid",AclServiceUtils.TRACKED_INV_CT_STATE, AclServiceUtils.TRACKED_INV_CT_STATE_MASK,
 534             write );
 535         logger.info("programEgressAclFixedConntrackRule :  default connection tracking rule are added.");
 536     }
 537 }