vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/EgressAclServiceImpl.java

   1 /*
   2  * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  */
   8 package org.opendaylight.netvirt.aclservice;
   9
  10 import java.math.BigInteger;
  11 import java.util.ArrayList;
  12 import java.util.List;
  13 import java.util.Map;
  14
  15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
  16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
  17 import org.opendaylight.genius.mdsalutil.ActionInfo;
  18 import org.opendaylight.genius.mdsalutil.ActionType;
  19 import org.opendaylight.genius.mdsalutil.FlowEntity;
  20 import org.opendaylight.genius.mdsalutil.InstructionInfo;
  21 import org.opendaylight.genius.mdsalutil.InstructionType;
  22 import org.opendaylight.genius.mdsalutil.MDSALUtil;
  23 import org.opendaylight.genius.mdsalutil.MatchFieldType;
  24 import org.opendaylight.genius.mdsalutil.MatchInfo;
  25 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
  26 import org.opendaylight.genius.mdsalutil.NwConstants;
  27 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
  28 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
  29 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
  30 import org.opendaylight.netvirt.aclservice.api.AclServiceListener;
  31 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
  32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
  33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
  34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
  35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
  36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
  37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
  38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
  39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
  40 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
  41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
  42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
  43 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
  44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
  45 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
  46 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
  47 import org.slf4j.Logger;
  48 import org.slf4j.LoggerFactory;
  49
  50 public class EgressAclServiceImpl implements AclServiceListener {
  51
  52     private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
  53
  54     private final IMdsalApiManager mdsalManager;
  55     private final OdlInterfaceRpcService interfaceManager;
  56     private final DataBroker dataBroker;
  57
  58     /**
  59      * Initialize the member variables.
  60      * @param dataBroker the data broker instance.
  61      * @param interfaceManager the interface manager instance.
  62      * @param mdsalManager the mdsal manager instance.
  63      */
  64     public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
  65                                 IMdsalApiManager mdsalManager) {
  66         this.dataBroker = dataBroker;
  67         this.interfaceManager = interfaceManager;
  68         this.mdsalManager = mdsalManager;
  69     }
  70
  71     @Override
  72     public boolean applyAcl(Interface port) {
  73
  74         if (!AclServiceUtils.isPortSecurityEnabled(port)) {
  75             return false;
  76         }
  77         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
  78         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
  79             interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
  80         String attachMac = interfaceState.getPhysAddress().getValue();
  81         programFixedSecurityGroup(dpId, "", attachMac, NwConstants.ADD_FLOW);
  82         List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
  83         programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.ADD_FLOW );
  84         // TODO: uncomment bindservice() when the acl flow programming is
  85         // implemented
  86         // bindService(port.getName());
  87         return true;
  88     }
  89
  90     @Override
  91     public boolean updateAcl(Interface portBefore, Interface portAfter) {
  92         boolean result = false;
  93         boolean isPortSecurityEnable = AclServiceUtils.isPortSecurityEnabled(portAfter);
  94         boolean isPortSecurityEnableBefore = AclServiceUtils.isPortSecurityEnabled(portBefore);
  95         // if port security is changed, apply/remove Acls
  96         if (isPortSecurityEnableBefore != isPortSecurityEnable) {
  97             if (isPortSecurityEnable) {
  98                 result = applyAcl(portAfter);
  99             } else {
 100                 result = removeAcl(portAfter);
 101             }
 102         } else if (isPortSecurityEnable) {
 103             // Acls has been updated, find added/removed Acls and act accordingly.
 104             this.processInterfaceUpdate(portBefore, portAfter);
 105         }
 106
 107         return result;
 108     }
 109
 110     private void processInterfaceUpdate(Interface portBefore, Interface portAfter) {
 111         List<Uuid> addedGroup = AclServiceUtils.getUpdatedAclList(portAfter, portBefore);
 112         List<Uuid> deletedGroup = AclServiceUtils.getUpdatedAclList(portBefore, portAfter);
 113         if (addedGroup != null && !addedGroup.isEmpty()) {
 114             updateCustomRules(portAfter, deletedGroup, NwConstants.ADD_FLOW);
 115         }
 116         if (deletedGroup != null && !deletedGroup.isEmpty()) {
 117             updateCustomRules(portAfter, deletedGroup, NwConstants.DEL_FLOW);
 118         }
 119     }
 120
 121     private void updateCustomRules(Interface portAfter, List<Uuid> deletedGroup, int action) {
 122         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, portAfter.getName());
 123         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
 124                 interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, portAfter.getName());
 125         String attachMac = interfaceState.getPhysAddress().getValue();
 126         programCustomRules(portAfter, deletedGroup, dpId, attachMac, action);
 127     }
 128
 129     @Override
 130     public boolean removeAcl(Interface port) {
 131         if (!AclServiceUtils.isPortSecurityEnabled(port)) {
 132             return false;
 133         }
 134         BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
 135         org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
 136             interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
 137         String attachMac = interfaceState.getPhysAddress().getValue();
 138         programFixedSecurityGroup(dpId, "", attachMac, NwConstants.DEL_FLOW);
 139         List<Uuid> securityGroupsUuid = AclServiceUtils.getPortSecurityGroups(port);
 140         programCustomRules(port, securityGroupsUuid, dpId, attachMac,NwConstants.DEL_FLOW );
 141
 142         // TODO: uncomment unbindService() when the acl flow programming is
 143         // implemented
 144         // unbindService(port.getName());
 145         return true;
 146     }
 147
 148     @Override
 149     public boolean applyAce(Interface port, Ace ace) {
 150         return false;
 151     }
 152
 153     @Override
 154     public boolean removeAce(Interface port, Ace ace) {
 155         return false;
 156     }
 157
 158     /**
 159      * Bind service.
 160      *
 161      * @param interfaceName the interface name
 162      */
 163     private void bindService(String interfaceName) {
 164         int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
 165
 166         int instructionKey = 0;
 167         List<Instruction> instructions = new ArrayList<>();
 168         instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
 169         BoundServices serviceInfo = AclServiceUtils.getBoundServices(
 170                 String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
 171                 flowPriority, AclServiceUtils.COOKIE_ACL_BASE, instructions);
 172         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
 173                 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
 174         MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
 175     }
 176
 177     /**
 178      * Unbind service.
 179      *
 180      * @param interfaceName the interface name
 181      */
 182     private void unbindService(String interfaceName) {
 183         InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
 184                 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
 185         MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
 186     }
 187
 188     /**
 189      * Gets the instructions for dispatcher table resubmit.
 190      *
 191      * @return the instructions for dispatcher table resubmit
 192      */
 193     private List<InstructionInfo> getInstructionsForDispatcherTableResubmit() {
 194         List<InstructionInfo> instructions = new ArrayList<>();
 195         List<ActionInfo> actionsInfos = new ArrayList<>();
 196         actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
 197                 new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
 198         instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
 199         return instructions;
 200     }
 201
 202     /**
 203      * Program the default anti-spoofing rule and the conntrack rules.
 204      *
 205      * @param dpid the dpid
 206      * @param dhcpMacAddress the dhcp mac address.
 207      * @param attachMac The vm mac address
 208      * @param addOrRemove addorRemove
 209      */
 210     private void programFixedSecurityGroup(BigInteger dpid, String dhcpMacAddress,
 211                                            String attachMac, int addOrRemove) {
 212         LOG.info("programFixedSecurityGroup :  adding default security group rules.");
 213         egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 214         egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 215         egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 216         egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
 217
 218         //if (securityServicesManager.isConntrackEnabled()) {
 219         programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
 220         //}
 221         programArpRule(dpid,attachMac, addOrRemove);
 222     }
 223
 224     /**
 225      * Programs the custom flows.
 226      *
 227      * @param port the interface
 228      * @param securityGroupsUuid the list of SG uuid to be applied
 229      * @param dpId the dpId
 230      * @param attachMac the attached mac
 231      * @param addOrRemove whether to delete or add flow
 232      */
 233     private void programCustomRules(Interface port, List<Uuid> securityGroupsUuid, BigInteger dpId, String attachMac,
 234                                     int addOrRemove) {
 235         LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
 236         for (Uuid sgUuid :securityGroupsUuid ) {
 237             Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
 238             AccessListEntries accessListEntries = acl.getAccessListEntries();
 239             List<Ace> aceList = accessListEntries.getAce();
 240             for (Ace ace: aceList) {
 241                 SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
 242
 243                 if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
 244                     continue;
 245                 }
 246
 247                 Matches matches = ace.getMatches();
 248                 AceType aceType = matches.getAceType();
 249                 Map<String,List<MatchInfoBase>>  flowMap = null;
 250                 if (aceType instanceof AceIp) {
 251                     flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
 252                 }
 253
 254                 if (null == flowMap) {
 255                     LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
 256                     continue;
 257                 }
 258                 //The flow map contains list of flows if port range is selected.
 259                 for ( String  flowName : flowMap.keySet()) {
 260                     List<MatchInfoBase> flows = flowMap.get(flowName);
 261                     flowName = flowName + "Egress" + attachMac;
 262                     flows .add(new MatchInfo(MatchFieldType.eth_src,
 263                         new String[] { attachMac }));
 264                     /*flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 265                         new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE,
 266                                      AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));*/
 267                     List<InstructionInfo> instructions = new ArrayList<>();
 268                     List<ActionInfo> actionsInfos = new ArrayList<>();
 269                     actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 270                         new String[] {"1", "0", "0", "255"}, 2));
 271                     instructions.add(new InstructionInfo(InstructionType.apply_actions,
 272                         actionsInfos));
 273                     instructions.add(new InstructionInfo(InstructionType.goto_table,
 274                         new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 275                     syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY,
 276                         "ACL", 0, 0, AclServiceUtils.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
 277                 }
 278             }
 279         }
 280
 281     }
 282
 283     /**
 284      * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
 285      * @param dpId the dpId
 286      * @param dhcpMacAddress the Dhcp mac address
 287      * @param attachMac the attached mac address
 288      * @param addOrRemove add/remove the flow.
 289      */
 290     private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
 291             String attachMac, int addOrRemove) {
 292         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_SERVER_PORT_IPV4,
 293             AclServiceUtils.DHCP_CLIENT_PORT_IPV4);
 294         matches.add(new MatchInfo(MatchFieldType.eth_src,
 295             new String[] { attachMac }));
 296         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 297             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 298
 299         List<InstructionInfo> instructions = new ArrayList<>();
 300
 301         List<ActionInfo> actionsInfos = new ArrayList<>();
 302
 303         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 304             new String[] {}));
 305         String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
 306         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 307             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 308     }
 309
 310     /**
 311      * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
 312      * @param dpId the dpId
 313      * @param dhcpMacAddress the Dhcp mac address
 314      * @param attachMac the attached mac address
 315      * @param addOrRemove add/remove the flow.
 316      */
 317     private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
 318                                                   String attachMac, int addOrRemove) {
 319         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_SERVER_PORT_IPV6,
 320             AclServiceUtils.DHCP_CLIENT_PORT_IPV6);
 321         matches.add(new MatchInfo(MatchFieldType.eth_src,
 322             new String[] { attachMac }));
 323         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 324             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 325
 326         List<InstructionInfo> instructions = new ArrayList<>();
 327
 328         List<ActionInfo> actionsInfos = new ArrayList<>();
 329
 330         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 331             new String[] {}));
 332         String flowName = "Egress_DHCP_Server_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
 333         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 334             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 335     }
 336
 337     /**
 338      * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
 339      *
 340      * @param dpidLong the dpid
 341      * @param segmentationId the segmentation id
 342      * @param dhcpMacAddress the DHCP server mac address
 343      * @param attachMac the mac address of the port
 344      * @param write is write or delete
 345      * @param protoPortMatchPriority the priority
 346      */
 347     private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
 348                                                  String attachMac, int addOrRemove) {
 349         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_CLIENT_PORT_IPV4,
 350             AclServiceUtils.DHCP_SERVER_PORT_IPV4);
 351         matches.add(new MatchInfo(MatchFieldType.eth_src,
 352             new String[] { attachMac }));
 353         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 354             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 355
 356         List<InstructionInfo> instructions = new ArrayList<>();
 357
 358         List<ActionInfo> actionsInfos = new ArrayList<>();
 359
 360         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 361             new String[] {"1", "0", "0", "255"}, 2));
 362         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 363             actionsInfos));
 364
 365
 366         instructions.add(new InstructionInfo(InstructionType.goto_table,
 367             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 368         String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
 369         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 370             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 371     }
 372
 373     /**
 374      * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
 375      *
 376      * @param dpidLong the dpid
 377      * @param segmentationId the segmentation id
 378      * @param dhcpMacAddress the DHCP server mac address
 379      * @param attachMac the mac address of  the port
 380      * @param write is write or delete
 381      * @param protoPortMatchPriority the priority
 382      */
 383     private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
 384                                                    String attachMac, int addOrRemove) {
 385         List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.DHCP_CLIENT_PORT_IPV6,
 386             AclServiceUtils.DHCP_SERVER_PORT_IPV6);
 387         matches.add(new MatchInfo(MatchFieldType.eth_src,
 388             new String[] { attachMac }));
 389         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 390             new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
 391
 392         List<InstructionInfo> instructions = new ArrayList<>();
 393
 394         List<ActionInfo> actionsInfos = new ArrayList<>();
 395
 396         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 397             new String[] {"1", "0", "0", "255"}, 2));
 398         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 399             actionsInfos));
 400
 401         instructions.add(new InstructionInfo(InstructionType.goto_table,
 402             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 403         String flowName = "Egress_DHCP_Client_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
 404         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 405             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 406     }
 407
 408     /**
 409      * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
 410      * @param dpId the dpId
 411      * @param attachMac the attached mac address
 412      * @param priority the priority of the flow
 413      * @param flowId the flowId
 414      * @param conntrackState the conntrack state of the packets thats should be send
 415      * @param conntrackMask the conntrack mask
 416      * @param addOrRemove whether to add or remove the flow
 417      */
 418     private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 419                                              int conntrackState, int conntrackMask, int addOrRemove) {
 420         List<MatchInfoBase> matches = new ArrayList<>();
 421         matches.add(new MatchInfo(MatchFieldType.eth_type,
 422             new long[] { NwConstants.ETHTYPE_IPV4 }));
 423         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 424             new long[] {conntrackState, conntrackMask}));
 425         matches.add(new MatchInfo(MatchFieldType.eth_src,
 426             new String[] { attachMac }));
 427         List<InstructionInfo> instructions = new ArrayList<>();
 428
 429         List<ActionInfo> actionsInfos = new ArrayList<>();
 430
 431         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
 432             new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
 433         instructions.add(new InstructionInfo(InstructionType.apply_actions,
 434             actionsInfos));
 435         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
 436         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 437             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 438     }
 439
 440     /**
 441      * Adds the rule to forward the packets known packets.
 442      * @param dpId the dpId
 443      * @param attachMac the attached mac address
 444      * @param priority the priority of the flow
 445      * @param flowId the flowId
 446      * @param conntrackState the conntrack state of the packets thats should be send
 447      * @param conntrackMask the conntrack mask
 448      * @param addOrRemove whether to add or remove the flow
 449      */
 450     private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 451                                              int conntrackState, int conntrackMask, int addOrRemove) {
 452         List<MatchInfoBase> matches = new ArrayList<>();
 453         matches.add(new MatchInfo(MatchFieldType.eth_type,
 454             new long[] { NwConstants.ETHTYPE_IPV4 }));
 455         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 456             new long[] {conntrackState, conntrackMask}));
 457         matches.add(new MatchInfo(MatchFieldType.eth_src,
 458             new String[] { attachMac }));
 459         List<InstructionInfo> instructions = new ArrayList<>();
 460
 461         List<ActionInfo> actionsInfos = new ArrayList<>();
 462
 463         actionsInfos.add(new ActionInfo(ActionType.goto_table,
 464             new String[] {}));
 465
 466         instructions.add(new InstructionInfo(InstructionType.goto_table,
 467             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 468         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
 469         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
 470             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 471     }
 472
 473     /**
 474      * Adds  the rule to drop the unknown/invalid packets .
 475      * @param dpId the dpId
 476      * @param attachMac the attached mac address
 477      * @param priority the priority of the flow
 478      * @param flowId the flowId
 479      * @param conntrackState the conntrack state of the packets thats should be send
 480      * @param conntrackMask the conntrack mask
 481      * @param addOrRemove whether to add or remove the flow
 482      */
 483     private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
 484                                           int conntrackState, int conntrackMask, int addOrRemove) {
 485         List<MatchInfoBase> matches = new ArrayList<>();
 486         matches.add(new MatchInfo(MatchFieldType.eth_type,
 487             new long[] { NwConstants.ETHTYPE_IPV4 }));
 488         matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
 489             new long[] { conntrackState, conntrackMask}));
 490         matches.add(new MatchInfo(MatchFieldType.eth_src,
 491             new String[] { attachMac }));
 492         List<InstructionInfo> instructions = new ArrayList<>();
 493
 494         List<ActionInfo> actionsInfos = new ArrayList<>();
 495
 496         actionsInfos.add(new ActionInfo(ActionType.drop_action,
 497             new String[] {}));
 498         String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
 499         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
 500             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 501     }
 502
 503     /**
 504      * Adds  the rule to allow arp packets.
 505      * @param dpId the dpId
 506      * @param attachMac the attached mac address
 507      * @param addOrRemove whether to add or remove the flow
 508      */
 509     private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
 510         List<MatchInfo> matches = new ArrayList<>();
 511         matches.add(new MatchInfo(MatchFieldType.eth_type,
 512             new long[] { NwConstants.ETHTYPE_ARP }));
 513         matches.add(new MatchInfo(MatchFieldType.arp_sha,
 514             new String[] { attachMac }));
 515
 516         List<InstructionInfo> instructions = new ArrayList<>();
 517
 518         List<ActionInfo> actionsInfos = new ArrayList<>();
 519
 520         actionsInfos.add(new ActionInfo(ActionType.goto_table,
 521                 new String[] {}));
 522
 523         instructions.add(new InstructionInfo(InstructionType.goto_table,
 524             new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
 525         String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
 526         syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
 527             AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 528     }
 529
 530     /**
 531      * Writes/remove the flow to/from the datastore.
 532      * @param dpId the dpId
 533      * @param tableId the tableId
 534      * @param flowId the flowId
 535      * @param priority the priority
 536      * @param flowName the flow name
 537      * @param idleTimeOut the idle timeout
 538      * @param hardTimeOut the hard timeout
 539      * @param cookie the cookie
 540      * @param matches the list of matches to be writted
 541      * @param instructions the list of instruction to be written.
 542      * @param addOrRemove add or remove the entries.
 543      */
 544     private void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
 545                           int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase>  matches,
 546                           List<InstructionInfo> instructions, int addOrRemove) {
 547         if (addOrRemove == NwConstants.DEL_FLOW) {
 548             FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId,flowId,
 549                 priority, flowName , idleTimeOut, hardTimeOut, cookie, matches, null);
 550             LOG.trace("Removing Acl Flow DpnId {}, flowId {}", dpId, flowId);
 551             mdsalManager.removeFlow(flowEntity);
 552         } else {
 553             FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId, flowId,
 554                 priority, flowName, idleTimeOut, hardTimeOut, cookie, matches, instructions);
 555             LOG.trace("Installing DpnId {}, flowId {}", dpId, flowId);
 556             mdsalManager.installFlow(flowEntity);
 557         }
 558     }
 559
 560     /**
 561      * Programs the default connection tracking rules.
 562      * @param dpid the dp id
 563      * @param attachMac the attached mac address
 564      * @param write whether to add or remove the flow.
 565      */
 566     private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
 567         programConntrackRecircRule(dpid, attachMac,AclServiceUtils.CT_STATE_UNTRACKED_PRIORITY,
 568             "Untracked",AclServiceUtils.UNTRACKED_CT_STATE,AclServiceUtils.UNTRACKED_CT_STATE_MASK, write );
 569         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
 570             "Tracked_Established", AclServiceUtils.TRACKED_EST_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK,
 571             write );
 572         programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
 573             "Tracked_Related", AclServiceUtils.TRACKED_REL_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK, write );
 574         programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
 575             "Tracked_New", AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK, write );
 576         programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
 577             "Tracked_Invalid",AclServiceUtils.TRACKED_INV_CT_STATE, AclServiceUtils.TRACKED_INV_CT_STATE_MASK,
 578             write );
 579         LOG.info("programEgressAclFixedConntrackRule :  default connection tracking rule are added.");
 580     }
 581 }