2 * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netvirt.aclservice;
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.List;
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
17 import org.opendaylight.genius.mdsalutil.ActionInfo;
18 import org.opendaylight.genius.mdsalutil.ActionType;
19 import org.opendaylight.genius.mdsalutil.FlowEntity;
20 import org.opendaylight.genius.mdsalutil.InstructionInfo;
21 import org.opendaylight.genius.mdsalutil.InstructionType;
22 import org.opendaylight.genius.mdsalutil.MDSALUtil;
23 import org.opendaylight.genius.mdsalutil.MatchFieldType;
24 import org.opendaylight.genius.mdsalutil.MatchInfo;
25 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
26 import org.opendaylight.genius.mdsalutil.NwConstants;
27 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
28 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
29 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
30 import org.opendaylight.netvirt.aclservice.api.AclServiceListener;
31 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
46 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
47 import org.slf4j.Logger;
48 import org.slf4j.LoggerFactory;
50 public class EgressAclServiceImpl implements AclServiceListener {
52 private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
54 private final IMdsalApiManager mdsalManager;
55 private final OdlInterfaceRpcService interfaceManager;
56 private final DataBroker dataBroker;
59 * Initialize the member variables.
60 * @param dataBroker the data broker instance.
61 * @param interfaceManager the interface manager instance.
62 * @param mdsalManager the mdsal manager instance.
64 public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
65 IMdsalApiManager mdsalManager) {
66 this.dataBroker = dataBroker;
67 this.interfaceManager = interfaceManager;
68 this.mdsalManager = mdsalManager;
72 public boolean applyAcl(Interface port) {
74 if (!AclServiceUtils.isPortSecurityEnabled(port)) {
77 BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
78 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
79 interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
80 String attachMac = interfaceState.getPhysAddress().getValue();
81 programFixedSecurityGroup(dpId, "", attachMac, NwConstants.ADD_FLOW);
82 List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
83 programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.ADD_FLOW );
84 // TODO: uncomment bindservice() when the acl flow programming is
86 // bindService(port.getName());
91 public boolean updateAcl(Interface portBefore, Interface portAfter) {
92 boolean result = false;
93 boolean isPortSecurityEnable = AclServiceUtils.isPortSecurityEnabled(portAfter);
94 boolean isPortSecurityEnableBefore = AclServiceUtils.isPortSecurityEnabled(portBefore);
95 // if port security is changed, apply/remove Acls
96 if (isPortSecurityEnableBefore != isPortSecurityEnable) {
97 if (isPortSecurityEnable) {
98 result = applyAcl(portAfter);
100 result = removeAcl(portAfter);
102 } else if (isPortSecurityEnable) {
103 // Acls has been updated, find added/removed Acls and act accordingly.
104 this.processInterfaceUpdate(portBefore, portAfter);
110 private void processInterfaceUpdate(Interface portBefore, Interface portAfter) {
111 List<Uuid> addedGroup = AclServiceUtils.getUpdatedAclList(portAfter, portBefore);
112 List<Uuid> deletedGroup = AclServiceUtils.getUpdatedAclList(portBefore, portAfter);
113 if (addedGroup != null && !addedGroup.isEmpty()) {
114 updateCustomRules(portAfter, deletedGroup, NwConstants.ADD_FLOW);
116 if (deletedGroup != null && !deletedGroup.isEmpty()) {
117 updateCustomRules(portAfter, deletedGroup, NwConstants.DEL_FLOW);
121 private void updateCustomRules(Interface portAfter, List<Uuid> deletedGroup, int action) {
122 BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, portAfter.getName());
123 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
124 interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, portAfter.getName());
125 String attachMac = interfaceState.getPhysAddress().getValue();
126 programCustomRules(portAfter, deletedGroup, dpId, attachMac, action);
130 public boolean removeAcl(Interface port) {
131 if (!AclServiceUtils.isPortSecurityEnabled(port)) {
134 BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
135 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
136 interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
137 String attachMac = interfaceState.getPhysAddress().getValue();
138 programFixedSecurityGroup(dpId, "", attachMac, NwConstants.DEL_FLOW);
139 List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
140 programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.DEL_FLOW );
142 // TODO: uncomment unbindService() when the acl flow programming is
144 // unbindService(port.getName());
149 public boolean applyAce(Interface port, Ace ace) {
154 public boolean removeAce(Interface port, Ace ace) {
161 * @param interfaceName the interface name
163 private void bindService(String interfaceName) {
164 int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
166 int instructionKey = 0;
167 List<Instruction> instructions = new ArrayList<>();
168 instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
169 BoundServices serviceInfo = AclServiceUtils.getBoundServices(
170 String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
171 flowPriority, AclServiceUtils.COOKIE_ACL_BASE, instructions);
172 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
173 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
174 MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
180 * @param interfaceName the interface name
182 private void unbindService(String interfaceName) {
183 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
184 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
185 MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
189 * Gets the instructions for dispatcher table resubmit.
191 * @return the instructions for dispatcher table resubmit
193 private List<InstructionInfo> getInstructionsForDispatcherTableResubmit() {
194 List<InstructionInfo> instructions = new ArrayList<>();
195 List<ActionInfo> actionsInfos = new ArrayList<>();
196 actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
197 new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
198 instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
203 * Program the default anti-spoofing rule and the conntrack rules.
205 * @param dpid the dpid
206 * @param dhcpMacAddress the dhcp mac address.
207 * @param attachMac The vm mac address
208 * @param addOrRemove addorRemove
210 private void programFixedSecurityGroup(BigInteger dpid, String dhcpMacAddress,
211 String attachMac, int addOrRemove) {
212 LOG.info("programFixedSecurityGroup : adding default security group rules.");
213 egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
214 egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
215 egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
216 egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
218 //if (securityServicesManager.isConntrackEnabled()) {
219 programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
221 programArpRule(dpid,attachMac, addOrRemove);
225 * Programs the custom flows.
227 * @param port the interface
228 * @param securityGroupsUuid the list of SG uuid to be applied
229 * @param dpId the dpId
230 * @param attachMac the attached mac
231 * @param addOrRemove whether to delete or add flow
233 private void programCustomRules(Interface port, List<Uuid> securityGroupsUuid, BigInteger dpId, String attachMac,
235 LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
236 for (Uuid sgUuid :securityGroupsUuid ) {
237 Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
238 AccessListEntries accessListEntries = acl.getAccessListEntries();
239 List<Ace> aceList = accessListEntries.getAce();
240 for (Ace ace: aceList) {
241 SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
243 if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
247 Matches matches = ace.getMatches();
248 AceType aceType = matches.getAceType();
249 Map<String,List<MatchInfoBase>> flowMap = null;
250 if (aceType instanceof AceIp) {
251 flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
254 if (null == flowMap) {
255 LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
258 //The flow map contains list of flows if port range is selected.
259 for ( String flowName : flowMap.keySet()) {
260 List<MatchInfoBase> flows = flowMap.get(flowName);
261 flowName = flowName + "Egress" + attachMac;
262 flows .add(new MatchInfo(MatchFieldType.eth_src,
263 new String[] { attachMac }));
264 /*flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
265 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE,
266 AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));*/
267 List<InstructionInfo> instructions = new ArrayList<>();
268 List<ActionInfo> actionsInfos = new ArrayList<>();
269 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
270 new String[] {"1", "0", "0", "255"}, 2));
271 instructions.add(new InstructionInfo(InstructionType.apply_actions,
273 instructions.add(new InstructionInfo(InstructionType.goto_table,
274 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
275 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY,
276 "ACL", 0, 0, AclServiceUtils.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
284 * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
285 * @param dpId the dpId
286 * @param dhcpMacAddress the Dhcp mac address
287 * @param attachMac the attached mac address
288 * @param addOrRemove add/remove the flow.
290 private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
291 String attachMac, int addOrRemove) {
292 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_SERVER_PORT_IPV4,
293 AclServiceUtils.DHCP_CLIENT_PORT_IPV4);
294 matches.add(new MatchInfo(MatchFieldType.eth_src,
295 new String[] { attachMac }));
296 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
297 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
299 List<InstructionInfo> instructions = new ArrayList<>();
301 List<ActionInfo> actionsInfos = new ArrayList<>();
303 actionsInfos.add(new ActionInfo(ActionType.drop_action,
305 String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
306 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
307 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
311 * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
312 * @param dpId the dpId
313 * @param dhcpMacAddress the Dhcp mac address
314 * @param attachMac the attached mac address
315 * @param addOrRemove add/remove the flow.
317 private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
318 String attachMac, int addOrRemove) {
319 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_SERVER_PORT_IPV6,
320 AclServiceUtils.DHCP_CLIENT_PORT_IPV6);
321 matches.add(new MatchInfo(MatchFieldType.eth_src,
322 new String[] { attachMac }));
323 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
324 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
326 List<InstructionInfo> instructions = new ArrayList<>();
328 List<ActionInfo> actionsInfos = new ArrayList<>();
330 actionsInfos.add(new ActionInfo(ActionType.drop_action,
332 String flowName = "Egress_DHCP_Server_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
333 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
334 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
338 * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
340 * @param dpidLong the dpid
341 * @param segmentationId the segmentation id
342 * @param dhcpMacAddress the DHCP server mac address
343 * @param attachMac the mac address of the port
344 * @param write is write or delete
345 * @param protoPortMatchPriority the priority
347 private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
348 String attachMac, int addOrRemove) {
349 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_CLIENT_PORT_IPV4,
350 AclServiceUtils.DHCP_SERVER_PORT_IPV4);
351 matches.add(new MatchInfo(MatchFieldType.eth_src,
352 new String[] { attachMac }));
353 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
354 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
356 List<InstructionInfo> instructions = new ArrayList<>();
358 List<ActionInfo> actionsInfos = new ArrayList<>();
360 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
361 new String[] {"1", "0", "0", "255"}, 2));
362 instructions.add(new InstructionInfo(InstructionType.apply_actions,
366 instructions.add(new InstructionInfo(InstructionType.goto_table,
367 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
368 String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
369 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
370 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
374 * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
376 * @param dpidLong the dpid
377 * @param segmentationId the segmentation id
378 * @param dhcpMacAddress the DHCP server mac address
379 * @param attachMac the mac address of the port
380 * @param write is write or delete
381 * @param protoPortMatchPriority the priority
383 private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
384 String attachMac, int addOrRemove) {
385 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_CLIENT_PORT_IPV6,
386 AclServiceUtils.DHCP_SERVER_PORT_IPV6);
387 matches.add(new MatchInfo(MatchFieldType.eth_src,
388 new String[] { attachMac }));
389 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
390 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
392 List<InstructionInfo> instructions = new ArrayList<>();
394 List<ActionInfo> actionsInfos = new ArrayList<>();
396 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
397 new String[] {"1", "0", "0", "255"}, 2));
398 instructions.add(new InstructionInfo(InstructionType.apply_actions,
401 instructions.add(new InstructionInfo(InstructionType.goto_table,
402 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
403 String flowName = "Egress_DHCP_Client_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
404 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
405 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
409 * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
410 * @param dpId the dpId
411 * @param attachMac the attached mac address
412 * @param priority the priority of the flow
413 * @param flowId the flowId
414 * @param conntrackState the conntrack state of the packets thats should be send
415 * @param conntrackMask the conntrack mask
416 * @param addOrRemove whether to add or remove the flow
418 private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
419 int conntrackState, int conntrackMask, int addOrRemove) {
420 List<MatchInfoBase> matches = new ArrayList<>();
421 matches.add(new MatchInfo(MatchFieldType.eth_type,
422 new long[] { NwConstants.ETHTYPE_IPV4 }));
423 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
424 new long[] {conntrackState, conntrackMask}));
425 matches.add(new MatchInfo(MatchFieldType.eth_src,
426 new String[] { attachMac }));
427 List<InstructionInfo> instructions = new ArrayList<>();
429 List<ActionInfo> actionsInfos = new ArrayList<>();
431 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
432 new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
433 instructions.add(new InstructionInfo(InstructionType.apply_actions,
435 String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
436 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
437 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
441 * Adds the rule to forward the packets known packets.
442 * @param dpId the dpId
443 * @param attachMac the attached mac address
444 * @param priority the priority of the flow
445 * @param flowId the flowId
446 * @param conntrackState the conntrack state of the packets thats should be send
447 * @param conntrackMask the conntrack mask
448 * @param addOrRemove whether to add or remove the flow
450 private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
451 int conntrackState, int conntrackMask, int addOrRemove) {
452 List<MatchInfoBase> matches = new ArrayList<>();
453 matches.add(new MatchInfo(MatchFieldType.eth_type,
454 new long[] { NwConstants.ETHTYPE_IPV4 }));
455 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
456 new long[] {conntrackState, conntrackMask}));
457 matches.add(new MatchInfo(MatchFieldType.eth_src,
458 new String[] { attachMac }));
459 List<InstructionInfo> instructions = new ArrayList<>();
461 List<ActionInfo> actionsInfos = new ArrayList<>();
463 actionsInfos.add(new ActionInfo(ActionType.goto_table,
466 instructions.add(new InstructionInfo(InstructionType.goto_table,
467 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
468 String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
469 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
470 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
474 * Adds the rule to drop the unknown/invalid packets .
475 * @param dpId the dpId
476 * @param attachMac the attached mac address
477 * @param priority the priority of the flow
478 * @param flowId the flowId
479 * @param conntrackState the conntrack state of the packets thats should be send
480 * @param conntrackMask the conntrack mask
481 * @param addOrRemove whether to add or remove the flow
483 private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
484 int conntrackState, int conntrackMask, int addOrRemove) {
485 List<MatchInfoBase> matches = new ArrayList<>();
486 matches.add(new MatchInfo(MatchFieldType.eth_type,
487 new long[] { NwConstants.ETHTYPE_IPV4 }));
488 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
489 new long[] { conntrackState, conntrackMask}));
490 matches.add(new MatchInfo(MatchFieldType.eth_src,
491 new String[] { attachMac }));
492 List<InstructionInfo> instructions = new ArrayList<>();
494 List<ActionInfo> actionsInfos = new ArrayList<>();
496 actionsInfos.add(new ActionInfo(ActionType.drop_action,
498 String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
499 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
500 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
504 * Adds the rule to allow arp packets.
505 * @param dpId the dpId
506 * @param attachMac the attached mac address
507 * @param addOrRemove whether to add or remove the flow
509 private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
510 List<MatchInfo> matches = new ArrayList<>();
511 matches.add(new MatchInfo(MatchFieldType.eth_type,
512 new long[] { NwConstants.ETHTYPE_ARP }));
513 matches.add(new MatchInfo(MatchFieldType.arp_sha,
514 new String[] { attachMac }));
516 List<InstructionInfo> instructions = new ArrayList<>();
518 List<ActionInfo> actionsInfos = new ArrayList<>();
520 actionsInfos.add(new ActionInfo(ActionType.goto_table,
523 instructions.add(new InstructionInfo(InstructionType.goto_table,
524 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
525 String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
526 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
527 AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
531 * Writes/remove the flow to/from the datastore.
532 * @param dpId the dpId
533 * @param tableId the tableId
534 * @param flowId the flowId
535 * @param priority the priority
536 * @param flowName the flow name
537 * @param idleTimeOut the idle timeout
538 * @param hardTimeOut the hard timeout
539 * @param cookie the cookie
540 * @param matches the list of matches to be writted
541 * @param instructions the list of instruction to be written.
542 * @param addOrRemove add or remove the entries.
544 private void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
545 int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase> matches,
546 List<InstructionInfo> instructions, int addOrRemove) {
547 if (addOrRemove == NwConstants.DEL_FLOW) {
548 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId,flowId,
549 priority, flowName , idleTimeOut, hardTimeOut, cookie, matches, null);
550 LOG.trace("Removing Acl Flow DpnId {}, flowId {}", dpId, flowId);
551 mdsalManager.removeFlow(flowEntity);
553 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId, flowId,
554 priority, flowName, idleTimeOut, hardTimeOut, cookie, matches, instructions);
555 LOG.trace("Installing DpnId {}, flowId {}", dpId, flowId);
556 mdsalManager.installFlow(flowEntity);
561 * Programs the default connection tracking rules.
562 * @param dpid the dp id
563 * @param attachMac the attached mac address
564 * @param write whether to add or remove the flow.
566 private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
567 programConntrackRecircRule(dpid, attachMac,AclServiceUtils.CT_STATE_UNTRACKED_PRIORITY,
568 "Untracked",AclServiceUtils.UNTRACKED_CT_STATE,AclServiceUtils.UNTRACKED_CT_STATE_MASK, write );
569 programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
570 "Tracked_Established", AclServiceUtils.TRACKED_EST_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK,
572 programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
573 "Tracked_Related", AclServiceUtils.TRACKED_REL_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK, write );
574 programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
575 "Tracked_New", AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK, write );
576 programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
577 "Tracked_Invalid",AclServiceUtils.TRACKED_INV_CT_STATE, AclServiceUtils.TRACKED_INV_CT_STATE_MASK,
579 LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");