2 * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netvirt.aclservice;
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.List;
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
17 import org.opendaylight.genius.mdsalutil.ActionInfo;
18 import org.opendaylight.genius.mdsalutil.ActionType;
19 import org.opendaylight.genius.mdsalutil.FlowEntity;
20 import org.opendaylight.genius.mdsalutil.InstructionInfo;
21 import org.opendaylight.genius.mdsalutil.InstructionType;
22 import org.opendaylight.genius.mdsalutil.MDSALUtil;
23 import org.opendaylight.genius.mdsalutil.MatchFieldType;
24 import org.opendaylight.genius.mdsalutil.MatchInfo;
25 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
26 import org.opendaylight.genius.mdsalutil.NwConstants;
27 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
28 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
29 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
30 import org.opendaylight.netvirt.aclservice.api.AclServiceListener;
31 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
46 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
47 import org.slf4j.Logger;
48 import org.slf4j.LoggerFactory;
50 public class EgressAclServiceImpl implements AclServiceListener {
52 private static final Logger logger = LoggerFactory.getLogger(EgressAclServiceImpl.class);
54 private final IMdsalApiManager mdsalManager;
55 private final OdlInterfaceRpcService interfaceManager;
56 private final DataBroker dataBroker;
59 * Initialize the member variables.
60 * @param dataBroker the data broker instance.
61 * @param interfaceManager the interface manager instance.
62 * @param mdsalManager the mdsal manager instance.
64 public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
65 IMdsalApiManager mdsalManager) {
66 this.dataBroker = dataBroker;
67 this.interfaceManager = interfaceManager;
68 this.mdsalManager = mdsalManager;
72 public boolean applyAcl(Interface port) {
74 if (!AclServiceUtils.isPortSecurityEnabled(port)) {
77 BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
78 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
79 interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
80 String attachMac = interfaceState.getPhysAddress().getValue();
81 programFixedSecurityGroup(dpId, "", attachMac, NwConstants.ADD_FLOW);
82 List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
83 programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.ADD_FLOW );
84 // TODO: uncomment bindservice() when the acl flow programming is
86 // bindService(port.getName());
91 public boolean updateAcl(Interface port) {
96 public boolean removeAcl(Interface port) {
97 if (!AclServiceUtils.isPortSecurityEnabled(port)) {
100 BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
101 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
102 interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
103 String attachMac = interfaceState.getPhysAddress().getValue();
104 programFixedSecurityGroup(dpId, "", attachMac, NwConstants.DEL_FLOW);
105 List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
106 programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.DEL_FLOW );
108 // TODO: uncomment unbindService() when the acl flow programming is
110 // unbindService(port.getName());
117 * @param interfaceName the interface name
119 private void bindService(String interfaceName) {
120 int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
122 int instructionKey = 0;
123 List<Instruction> instructions = new ArrayList<>();
124 instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
125 BoundServices serviceInfo = AclServiceUtils.getBoundServices(
126 String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
127 flowPriority, AclServiceUtils.COOKIE_ACL_BASE, instructions);
128 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
129 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
130 MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
136 * @param interfaceName the interface name
138 private void unbindService(String interfaceName) {
139 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
140 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
141 MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
145 * Gets the instructions for dispatcher table resubmit.
147 * @return the instructions for dispatcher table resubmit
149 private List<InstructionInfo> getInstructionsForDispatcherTableResubmit() {
150 List<InstructionInfo> instructions = new ArrayList<>();
151 List<ActionInfo> actionsInfos = new ArrayList<>();
152 actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
153 new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
154 instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
159 * Program the default anti-spoofing rule and the conntrack rules.
161 * @param dpid the dpid
162 * @param dhcpMacAddress the dhcp mac address.
163 * @param attachMac The vm mac address
164 * @param addOrRemove addorRemove
166 private void programFixedSecurityGroup(BigInteger dpid, String dhcpMacAddress,
167 String attachMac, int addOrRemove) {
168 logger.info("programFixedSecurityGroup : adding default security group rules.");
169 egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
170 egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
171 egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
172 egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
174 //if (securityServicesManager.isConntrackEnabled()) {
175 programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
177 programArpRule(dpid,attachMac, addOrRemove);
181 * Programs the custom flows.
183 * @param port the interface
184 * @param securityGroupsUuid the list of SG uuid to be applied
185 * @param dpId the dpId
186 * @param attachMac the attached mac
187 * @param addOrRemove whether to delete or add flow
189 private void programCustomRules(Interface port, List<Uuid> securityGroupsUuid, BigInteger dpId, String attachMac,
191 logger.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
192 for (Uuid sgUuid :securityGroupsUuid ) {
193 Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
194 AccessListEntries accessListEntries = acl.getAccessListEntries();
195 List<Ace> aceList = accessListEntries.getAce();
196 for (Ace ace: aceList) {
197 SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
199 if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
203 Matches matches = ace.getMatches();
204 AceType aceType = matches.getAceType();
205 Map<String,List<MatchInfoBase>> flowMap = null;
206 if (aceType instanceof AceIp) {
207 flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
210 if (null == flowMap) {
211 logger.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
214 //The flow map contains list of flows if port range is selected.
215 for ( String flowName : flowMap.keySet()) {
216 List<MatchInfoBase> flows = flowMap.get(flowName);
217 flowName = flowName + "Egress" + attachMac;
218 flows .add(new MatchInfo(MatchFieldType.eth_src,
219 new String[] { attachMac }));
220 /*flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
221 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE,
222 AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));*/
223 List<InstructionInfo> instructions = new ArrayList<>();
224 List<ActionInfo> actionsInfos = new ArrayList<>();
225 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
226 new String[] {"1", "0", "0", "255"}, 2));
227 instructions.add(new InstructionInfo(InstructionType.apply_actions,
229 instructions.add(new InstructionInfo(InstructionType.goto_table,
230 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
231 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY,
232 "ACL", 0, 0, AclServiceUtils.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
240 * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
241 * @param dpId the dpId
242 * @param dhcpMacAddress the Dhcp mac address
243 * @param attachMac the attached mac address
244 * @param addOrRemove add/remove the flow.
246 private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
247 String attachMac, int addOrRemove) {
248 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_IpV4,
249 AclServiceUtils.dhcpClientPort_IpV4);
250 matches.add(new MatchInfo(MatchFieldType.eth_src,
251 new String[] { attachMac }));
252 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
253 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
255 List<InstructionInfo> instructions = new ArrayList<>();
257 List<ActionInfo> actionsInfos = new ArrayList<>();
259 actionsInfos.add(new ActionInfo(ActionType.drop_action,
261 String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
262 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
263 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
267 * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
268 * @param dpId the dpId
269 * @param dhcpMacAddress the Dhcp mac address
270 * @param attachMac the attached mac address
271 * @param addOrRemove add/remove the flow.
273 private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
274 String attachMac, int addOrRemove) {
275 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_Ipv6,
276 AclServiceUtils.dhcpClientPort_IpV6);
277 matches.add(new MatchInfo(MatchFieldType.eth_src,
278 new String[] { attachMac }));
279 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
280 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
282 List<InstructionInfo> instructions = new ArrayList<>();
284 List<ActionInfo> actionsInfos = new ArrayList<>();
286 actionsInfos.add(new ActionInfo(ActionType.drop_action,
288 String flowName = "Egress_DHCP_Server_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
289 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
290 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
294 * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
296 * @param dpidLong the dpid
297 * @param segmentationId the segmentation id
298 * @param dhcpMacAddress the DHCP server mac address
299 * @param attachMac the mac address of the port
300 * @param write is write or delete
301 * @param protoPortMatchPriority the priority
303 private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
304 String attachMac, int addOrRemove) {
305 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV4,
306 AclServiceUtils.dhcpServerPort_IpV4);
307 matches.add(new MatchInfo(MatchFieldType.eth_src,
308 new String[] { attachMac }));
309 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
310 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
312 List<InstructionInfo> instructions = new ArrayList<>();
314 List<ActionInfo> actionsInfos = new ArrayList<>();
316 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
317 new String[] {"1", "0", "0", "255"}, 2));
318 instructions.add(new InstructionInfo(InstructionType.apply_actions,
322 instructions.add(new InstructionInfo(InstructionType.goto_table,
323 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
324 String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
325 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
326 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
330 * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
332 * @param dpidLong the dpid
333 * @param segmentationId the segmentation id
334 * @param dhcpMacAddress the DHCP server mac address
335 * @param attachMac the mac address of the port
336 * @param write is write or delete
337 * @param protoPortMatchPriority the priority
339 private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
340 String attachMac, int addOrRemove) {
341 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV6,
342 AclServiceUtils.dhcpServerPort_Ipv6);
343 matches.add(new MatchInfo(MatchFieldType.eth_src,
344 new String[] { attachMac }));
345 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
346 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
348 List<InstructionInfo> instructions = new ArrayList<>();
350 List<ActionInfo> actionsInfos = new ArrayList<>();
352 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
353 new String[] {"1", "0", "0", "255"}, 2));
354 instructions.add(new InstructionInfo(InstructionType.apply_actions,
357 instructions.add(new InstructionInfo(InstructionType.goto_table,
358 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
359 String flowName = "Egress_DHCP_Client_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
360 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
361 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
365 * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
366 * @param dpId the dpId
367 * @param attachMac the attached mac address
368 * @param priority the priority of the flow
369 * @param flowId the flowId
370 * @param conntrackState the conntrack state of the packets thats should be send
371 * @param conntrackMask the conntrack mask
372 * @param addOrRemove whether to add or remove the flow
374 private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
375 int conntrackState, int conntrackMask, int addOrRemove) {
376 List<MatchInfoBase> matches = new ArrayList<>();
377 matches.add(new MatchInfo(MatchFieldType.eth_type,
378 new long[] { NwConstants.ETHTYPE_IPV4 }));
379 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
380 new long[] {conntrackState, conntrackMask}));
381 matches.add(new MatchInfo(MatchFieldType.eth_src,
382 new String[] { attachMac }));
383 List<InstructionInfo> instructions = new ArrayList<>();
385 List<ActionInfo> actionsInfos = new ArrayList<>();
387 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
388 new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
389 instructions.add(new InstructionInfo(InstructionType.apply_actions,
391 String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
392 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
393 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
397 * Adds the rule to forward the packets known packets .
398 * @param dpId the dpId
399 * @param attachMac the attached mac address
400 * @param priority the priority of the flow
401 * @param flowId the flowId
402 * @param conntrackState the conntrack state of the packets thats should be send
403 * @param conntrackMask the conntrack mask
404 * @param addOrRemove whether to add or remove the flow
406 private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
407 int conntrackState, int conntrackMask, int addOrRemove) {
408 List<MatchInfoBase> matches = new ArrayList<>();
409 matches.add(new MatchInfo(MatchFieldType.eth_type,
410 new long[] { NwConstants.ETHTYPE_IPV4 }));
411 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
412 new long[] {conntrackState, conntrackMask}));
413 matches.add(new MatchInfo(MatchFieldType.eth_src,
414 new String[] { attachMac }));
415 List<InstructionInfo> instructions = new ArrayList<>();
417 List<ActionInfo> actionsInfos = new ArrayList<>();
419 actionsInfos.add(new ActionInfo(ActionType.goto_table,
422 instructions.add(new InstructionInfo(InstructionType.goto_table,
423 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
424 String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
425 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
426 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
430 * Adds the rule to drop the unknown/invalid packets .
431 * @param dpId the dpId
432 * @param attachMac the attached mac address
433 * @param priority the priority of the flow
434 * @param flowId the flowId
435 * @param conntrackState the conntrack state of the packets thats should be send
436 * @param conntrackMask the conntrack mask
437 * @param addOrRemove whether to add or remove the flow
439 private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
440 int conntrackState, int conntrackMask, int addOrRemove) {
441 List<MatchInfoBase> matches = new ArrayList<>();
442 matches.add(new MatchInfo(MatchFieldType.eth_type,
443 new long[] { NwConstants.ETHTYPE_IPV4 }));
444 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
445 new long[] { conntrackState, conntrackMask}));
446 matches.add(new MatchInfo(MatchFieldType.eth_src,
447 new String[] { attachMac }));
448 List<InstructionInfo> instructions = new ArrayList<>();
450 List<ActionInfo> actionsInfos = new ArrayList<>();
452 actionsInfos.add(new ActionInfo(ActionType.drop_action,
454 String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
455 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
456 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
460 * Adds the rule to allow arp packets.
461 * @param dpId the dpId
462 * @param attachMac the attached mac address
463 * @param addOrRemove whether to add or remove the flow
465 private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
466 List<MatchInfo> matches = new ArrayList<>();
467 matches.add(new MatchInfo(MatchFieldType.eth_type,
468 new long[] { NwConstants.ETHTYPE_ARP }));
469 matches.add(new MatchInfo(MatchFieldType.arp_sha,
470 new String[] { attachMac }));
472 List<InstructionInfo> instructions = new ArrayList<>();
474 List<ActionInfo> actionsInfos = new ArrayList<>();
476 actionsInfos.add(new ActionInfo(ActionType.goto_table,
479 instructions.add(new InstructionInfo(InstructionType.goto_table,
480 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
481 String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
482 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
483 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
487 * Writes/remove the flow to/from the datastore.
488 * @param dpId the dpId
489 * @param tableId the tableId
490 * @param flowId the flowId
491 * @param priority the priority
492 * @param flowName the flow name
493 * @param idleTimeOut the idle timeout
494 * @param hardTimeOut the hard timeout
495 * @param cookie the cookie
496 * @param matches the list of matches to be writted
497 * @param instructions the list of instruction to be written.
498 * @param addOrRemove add or remove the entries.
500 private void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
501 int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase> matches,
502 List<InstructionInfo> instructions, int addOrRemove) {
503 if (addOrRemove == NwConstants.DEL_FLOW) {
504 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId,flowId,
505 priority, flowName , idleTimeOut, hardTimeOut, cookie, matches, null);
506 logger.trace("Removing Acl Flow DpnId {}, flowId {}", dpId, flowId);
507 mdsalManager.removeFlow(flowEntity);
509 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId, flowId,
510 priority, flowName, idleTimeOut, hardTimeOut, cookie, matches, instructions);
511 logger.trace("Installing DpnId {}, flowId {}", dpId, flowId);
512 mdsalManager.installFlow(flowEntity);
517 * Programs the default connection tracking rules.
518 * @param dpid the dp id
519 * @param attachMac the attached mac address
520 * @param write whether to add or remove the flow.
522 private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
523 programConntrackRecircRule(dpid, attachMac,AclServiceUtils.CT_STATE_UNTRACKED_PRIORITY,
524 "Untracked",AclServiceUtils.UNTRACKED_CT_STATE,AclServiceUtils.UNTRACKED_CT_STATE_MASK, write );
525 programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
526 "Tracked_Established", AclServiceUtils.TRACKED_EST_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK,
528 programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
529 "Tracked_Related", AclServiceUtils.TRACKED_REL_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK, write );
530 programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
531 "Tracked_New", AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK, write );
532 programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
533 "Tracked_Invalid",AclServiceUtils.TRACKED_INV_CT_STATE, AclServiceUtils.TRACKED_INV_CT_STATE_MASK,
535 logger.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");