2 * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netvirt.aclservice;
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.List;
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
17 import org.opendaylight.genius.mdsalutil.ActionInfo;
18 import org.opendaylight.genius.mdsalutil.ActionType;
19 import org.opendaylight.genius.mdsalutil.InstructionInfo;
20 import org.opendaylight.genius.mdsalutil.InstructionType;
21 import org.opendaylight.genius.mdsalutil.MDSALUtil;
22 import org.opendaylight.genius.mdsalutil.MatchFieldType;
23 import org.opendaylight.genius.mdsalutil.MatchInfo;
24 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
25 import org.opendaylight.genius.mdsalutil.NwConstants;
26 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
27 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
28 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
29 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
30 import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
31 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
45 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
46 import org.slf4j.Logger;
47 import org.slf4j.LoggerFactory;
// Egress ACL service implementation. Every flow built in this class is handed to syncFlow() for
// AclConstants.EGRESS_ACL_TABLE_ID; syncFlow() itself is not defined in this listing (presumably
// inherited from AbstractAclServiceImpl — confirm).
49 public class EgressAclServiceImpl extends AbstractAclServiceImpl {
51 private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
// Own reference to the broker, used below for the service-binding write/delete and the ACL lookup.
52 private final DataBroker dataBroker;
55 * Initialize the member variables.
56 * @param dataBroker the data broker instance.
57 * @param interfaceManager the interface manager instance.
58 * @param mdsalManager the mdsal manager instance.
// Hands all three collaborators to the AbstractAclServiceImpl constructor and additionally keeps
// the data broker in this class's own field.
60 public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
61 IMdsalApiManager mdsalManager) {
62 super(dataBroker,interfaceManager,mdsalManager);
63 this.dataBroker = dataBroker;
69 * @param interfaceName the interface name
// Binds the egress ACL service to an interface: builds one goto-table instruction targeting
// AclConstants.EGRESS_ACL_TABLE_ID, wraps it in a BoundServices entry named
// "vpn.egressacl.<interfaceName>", and writes that entry synchronously to the CONFIGURATION
// datastore.
// NOTE(review): the binding path is built with ServiceModeIngress although the service is the
// "egress" ACL — presumably "egress" is from the VM's point of view; confirm against the
// interface-manager service-binding model.
71 protected void bindService(String interfaceName) {
72 int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
74 int instructionKey = 0;
75 List<Instruction> instructions = new ArrayList<>();
// Pre-increment: the single instruction is registered under key 1.
76 instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
77 BoundServices serviceInfo = AclServiceUtils.getBoundServices(
78 String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
79 flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
// Same buildServiceId arguments as unbindService, so both methods address the same entry.
80 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
81 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
82 MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
88 * @param interfaceName the interface name
// Removes the service binding that bindService wrote, using the same buildServiceId arguments.
// Only the binding entry is deleted here; the ACL flows programmed by the other methods of this
// class are not touched by this method and have to be removed through their own addOrRemove path.
90 protected void unbindService(String interfaceName) {
91 InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
92 AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
93 MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
97 * Program the default anti-spoofing rule and the conntrack rules.
99 * @param dpid the dpid
100 * @param dhcpMacAddress the dhcp mac address.
101 * @param attachMac The vm mac address
102 * @param addOrRemove whether to add or remove the flows
// Programs (or removes, depending on addOrRemove) the fixed per-port flows in this order:
// DHCPv4 client permit, DHCPv6 client permit, DHCPv4 server drop, DHCPv6 server drop,
// the connection-tracking rules, and the ARP rule.
104 protected void programFixedRules(BigInteger dpid, String dhcpMacAddress,
105 String attachMac, int addOrRemove) {
// NOTE(review): this message is logged unconditionally, so it also says "adding" when
// addOrRemove requests removal; including addOrRemove in the message would make audits clearer.
106 LOG.info("programFixedRules : adding default rules.");
107 egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
108 egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
109 egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
110 egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
// The conntrack-enabled check is commented out, so the conntrack rules are always programmed.
112 //if (securityServicesManager.isConntrackEnabled()) {
113 programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
115 programArpRule(dpid,attachMac, addOrRemove);
119 * Programs the custom flows.
121 * @param aclUuidList the list of acl uuid to be applied
122 * @param dpId the dpId
123 * @param attachMac the attached mac
124 * @param addOrRemove whether to delete or add flow
// Looks up each ACL by UUID and programs every ACE it contains through programAceRule.
// The second line of the signature (source line 127) is not shown in this listing; addOrRemove,
// used below, is presumably declared there.
// NOTE(review): acl, accessListEntries and aceList are dereferenced without null checks. If
// AclServiceUtils.getAcl can return null (for example for a UUID not present in the datastore),
// the resulting exception would end the loop and leave the remaining ACLs of this port
// unprogrammed — confirm the getAcl contract and consider skipping and logging such entries.
126 protected void programAclRules(List<Uuid> aclUuidList, BigInteger dpId, String attachMac,
128 LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
129 for (Uuid sgUuid :aclUuidList ) {
130 Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
131 AccessListEntries accessListEntries = acl.getAccessListEntries();
132 List<Ace> aceList = accessListEntries.getAce();
133 for (Ace ace: aceList) {
134 programAceRule(dpId, attachMac, addOrRemove, ace);
// Translates one ACE into flows in EGRESS_ACL_TABLE_ID. ACEs whose direction is not
// DirectionEgress are filtered out by the first check (the body of that check, source lines
// 143-144, is not shown in this listing). Only AceIp entries are converted; any other ace type
// leaves flowMap null and is reported through LOG.error.
// NOTE(review): Map is used below, but java.util.Map is not among the imports visible in this
// listing (source line 13 is not shown).
140 protected void programAceRule(BigInteger dpId, String attachMac, int addOrRemove, Ace ace) {
141 SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
142 if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
// NOTE(review): matches is dereferenced without a null check — confirm an Ace always carries one.
145 Matches matches = ace.getMatches();
146 AceType aceType = matches.getAceType();
147 Map<String,List<MatchInfoBase>> flowMap = null;
148 if (aceType instanceof AceIp) {
149 flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
151 if (null == flowMap) {
152 LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
155 //The flow map contains list of flows if port range is selected.
156 for ( String flowName : flowMap.keySet()) {
157 List<MatchInfoBase> flows = flowMap.get(flowName);
// The flow name is suffixed with the port MAC only; unlike the fixed rules it does not include dpId.
158 flowName = flowName + "Egress" + attachMac;
// Restrict the ACE to frames whose Ethernet source is this port's MAC.
159 flows .add(new MatchInfo(MatchFieldType.eth_src,
160 new String[] { attachMac }));
// NOTE(review): the ct_state match is commented out, so as written these flows do not constrain
// the connection-tracking state. They are installed at PROTO_MATCH_PRIORITY, the same priority
// and table as the fixed DHCP rules; OpenFlow leaves the choice between overlapping entries of
// equal priority undefined, so whether a tenant ACE can overlap an anti-spoofing drop rule
// depends on what programIpFlow emits — verify.
161 /*flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
162 new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE,
163 AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));*/
164 List<InstructionInfo> instructions = new ArrayList<>();
165 List<ActionInfo> actionsInfos = new ArrayList<>();
// nx_conntrack with positional parameters {"1", "0", "0", "255"}; their meaning is not defined
// in this listing (presumably the first is the commit flag — confirm against ActionType).
166 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
167 new String[] {"1", "0", "0", "255"}, 2));
// Source line 169, which completes this statement, is not shown in this listing.
168 instructions.add(new InstructionInfo(InstructionType.apply_actions,
// Matching packets continue to the table after the egress ACL table.
170 instructions.add(new InstructionInfo(InstructionType.goto_table,
171 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
172 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY,
173 "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
178 * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
179 * @param dpId the dpId
180 * @param dhcpMacAddress the Dhcp mac address
181 * @param attachMac the attached mac address
182 * @param addOrRemove add/remove the flow.
// Anti-spoofing flow for DHCPv4: matches the port pair (DHCP_SERVER_PORT_IPV4,
// DHCP_CLIENT_PORT_IPV4) as built by programDhcpMatches, frames whose Ethernet source is
// attachMac, and the "tracked new" conntrack state.
// dhcpMacAddress is used only in the flow name; it is not part of the match.
184 private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
185 String attachMac, int addOrRemove) {
186 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclConstants.DHCP_SERVER_PORT_IPV4,
187 AclConstants.DHCP_CLIENT_PORT_IPV4);
188 matches.add(new MatchInfo(MatchFieldType.eth_src,
189 new String[] { attachMac }));
// Only packets whose ct_state matches TRACKED_NEW_CT_STATE under its mask are covered by this
// rule; traffic in other conntrack states is left to the other flows in this table.
190 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
191 new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
// NOTE(review): in the lines shown, instructions stays empty and actionsInfos is never attached
// to it; presumably the flow drops because it carries no instructions — confirm. Source line 198
// is not shown in this listing.
193 List<InstructionInfo> instructions = new ArrayList<>();
195 List<ActionInfo> actionsInfos = new ArrayList<>();
197 actionsInfos.add(new ActionInfo(ActionType.drop_action,
// NOTE(review): no "_" between the "Egress_DHCP_Server_v4" prefix and dpId, unlike the v6
// variant; changing it would change the id of already-installed flows.
199 String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
200 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
201 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
205 * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port.
206 * @param dpId the dpId
207 * @param dhcpMacAddress the Dhcp mac address
208 * @param attachMac the attached mac address
209 * @param addOrRemove add/remove the flow.
// Anti-spoofing flow for DHCPv6: matches the port pair (DHCP_SERVER_PORT_IPV6,
// DHCP_CLIENT_PORT_IPV6) as built by programDhcpMatches, frames whose Ethernet source is
// attachMac, and the "tracked new" conntrack state.
// dhcpMacAddress is used only in the flow name; it is not part of the match.
211 private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
212 String attachMac, int addOrRemove) {
213 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclConstants.DHCP_SERVER_PORT_IPV6,
214 AclConstants.DHCP_CLIENT_PORT_IPV6);
215 matches.add(new MatchInfo(MatchFieldType.eth_src,
216 new String[] { attachMac }));
217 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
218 new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
// NOTE(review): in the lines shown, instructions stays empty and actionsInfos is never attached
// to it; presumably the flow drops because it carries no instructions — confirm. Source line 225
// is not shown in this listing.
220 List<InstructionInfo> instructions = new ArrayList<>();
222 List<ActionInfo> actionsInfos = new ArrayList<>();
224 actionsInfos.add(new ActionInfo(ActionType.drop_action,
226 String flowName = "Egress_DHCP_Server_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
227 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
228 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
232 * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
234 * @param dpidLong the dpid
235 * @param segmentationId the segmentation id
236 * @param dhcpMacAddress the DHCP server mac address
237 * @param attachMac the mac address of the port
238 * @param write is write or delete
239 * @param protoPortMatchPriority the priority
// Permits DHCPv4 client traffic from the port: matches the port pair (DHCP_CLIENT_PORT_IPV4,
// DHCP_SERVER_PORT_IPV4) as built by programDhcpMatches, Ethernet source attachMac and the
// "tracked new" conntrack state, then applies nx_conntrack and continues to
// EGRESS_ACL_NEXT_TABLE_ID.
// NOTE(review): the Javadoc preceding this method names parameters (dpidLong, segmentationId,
// write, protoPortMatchPriority) that are not in this signature, and its summary speaks of
// server traffic while the method name and port order indicate client traffic.
// dhcpMacAddress is used only in the flow name, so the rule does not restrict which DHCP server
// the client talks to.
241 private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
242 String attachMac, int addOrRemove) {
243 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclConstants.DHCP_CLIENT_PORT_IPV4,
244 AclConstants.DHCP_SERVER_PORT_IPV4);
245 matches.add(new MatchInfo(MatchFieldType.eth_src,
246 new String[] { attachMac }));
247 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
248 new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
250 List<InstructionInfo> instructions = new ArrayList<>();
252 List<ActionInfo> actionsInfos = new ArrayList<>();
// Same nx_conntrack parameters as the custom ACE flows; their positional meaning is not defined
// in this listing.
254 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
255 new String[] {"1", "0", "0", "255"}, 2));
// Source lines 257-259, which complete this statement, are not shown in this listing.
256 instructions.add(new InstructionInfo(InstructionType.apply_actions,
260 instructions.add(new InstructionInfo(InstructionType.goto_table,
261 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
// NOTE(review): no "_" between the "Egress_DHCP_Client_v4" prefix and dpId, unlike the v6 variant.
262 String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
263 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
264 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
268 * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
270 * @param dpidLong the dpid
271 * @param segmentationId the segmentation id
272 * @param dhcpMacAddress the DHCP server mac address
273 * @param attachMac the mac address of the port
274 * @param write is write or delete
275 * @param protoPortMatchPriority the priority
// Permits DHCPv6 client traffic from the port: matches the port pair (DHCP_CLIENT_PORT_IPV6,
// DHCP_SERVER_PORT_IPV6) as built by programDhcpMatches, Ethernet source attachMac and the
// "tracked new" conntrack state, then applies nx_conntrack and continues to
// EGRESS_ACL_NEXT_TABLE_ID.
// NOTE(review): the Javadoc preceding this method names parameters (dpidLong, segmentationId,
// write, protoPortMatchPriority) that are not in this signature.
// dhcpMacAddress is used only in the flow name; it is not part of the match.
277 private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
278 String attachMac, int addOrRemove) {
279 List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclConstants.DHCP_CLIENT_PORT_IPV6,
280 AclConstants.DHCP_SERVER_PORT_IPV6);
281 matches.add(new MatchInfo(MatchFieldType.eth_src,
282 new String[] { attachMac }));
283 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
284 new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
286 List<InstructionInfo> instructions = new ArrayList<>();
288 List<ActionInfo> actionsInfos = new ArrayList<>();
290 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
291 new String[] {"1", "0", "0", "255"}, 2));
// Source lines 293-294, which complete this statement, are not shown in this listing.
292 instructions.add(new InstructionInfo(InstructionType.apply_actions,
295 instructions.add(new InstructionInfo(InstructionType.goto_table,
296 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
297 String flowName = "Egress_DHCP_Client_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
298 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
299 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
303 * Adds the rule to send the packet to the netfilter to check whether it is a known packet.
304 * @param dpId the dpId
305 * @param attachMac the attached mac address
306 * @param priority the priority of the flow
307 * @param flowId the flowId
308 * @param conntrackState the conntrack state of the packets that should be sent
309 * @param conntrackMask the conntrack mask
310 * @param addOrRemove whether to add or remove the flow
// Builds the flow that hands packets in the given conntrack state to nx_conntrack with
// EGRESS_ACL_TABLE_ID as the last parameter (presumably the table the packet re-enters after
// connection tracking — confirm against ActionType.nx_conntrack).
// NOTE(review): the priority parameter is not used in the lines shown; syncFlow is passed
// AclConstants.PROTO_MATCH_PRIORITY instead, so the CT_STATE_UNTRACKED_PRIORITY supplied by the
// caller has no effect. The sibling forward and drop rules do pass priority through.
// NOTE(review): only ETHTYPE_IPV4 is matched, so IPv6 traffic is not covered by this rule.
312 private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
313 int conntrackState, int conntrackMask, int addOrRemove) {
314 List<MatchInfoBase> matches = new ArrayList<>();
315 matches.add(new MatchInfo(MatchFieldType.eth_type,
316 new long[] { NwConstants.ETHTYPE_IPV4 }));
317 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
318 new long[] {conntrackState, conntrackMask}));
319 matches.add(new MatchInfo(MatchFieldType.eth_src,
320 new String[] { attachMac }));
321 List<InstructionInfo> instructions = new ArrayList<>();
323 List<ActionInfo> actionsInfos = new ArrayList<>();
325 actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
326 new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
// Source line 328, which completes this statement, is not shown in this listing.
327 instructions.add(new InstructionInfo(InstructionType.apply_actions,
329 String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
330 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
331 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
335 * Adds the rule to forward the known packets.
336 * @param dpId the dpId
337 * @param attachMac the attached mac address
338 * @param priority the priority of the flow
339 * @param flowId the flowId
340 * @param conntrackState the conntrack state of the packets that should be sent
341 * @param conntrackMask the conntrack mask
342 * @param addOrRemove whether to add or remove the flow
// Builds the flow that sends IPv4 packets from attachMac in the given conntrack state on to
// EGRESS_ACL_NEXT_TABLE_ID, at the priority supplied by the caller.
// NOTE(review): only ETHTYPE_IPV4 is matched, so IPv6 traffic is not covered by this rule.
344 private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
345 int conntrackState, int conntrackMask, int addOrRemove) {
346 List<MatchInfoBase> matches = new ArrayList<>();
347 matches.add(new MatchInfo(MatchFieldType.eth_type,
348 new long[] { NwConstants.ETHTYPE_IPV4 }));
349 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
350 new long[] {conntrackState, conntrackMask}));
351 matches.add(new MatchInfo(MatchFieldType.eth_src,
352 new String[] { attachMac }));
353 List<InstructionInfo> instructions = new ArrayList<>();
// NOTE(review): in the lines shown, actionsInfos receives a goto_table action but is never
// attached to instructions; only the goto_table instruction below reaches syncFlow. Source lines
// 358-359 are not shown in this listing.
355 List<ActionInfo> actionsInfos = new ArrayList<>();
357 actionsInfos.add(new ActionInfo(ActionType.goto_table,
360 instructions.add(new InstructionInfo(InstructionType.goto_table,
361 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
// The name keeps the "Untrk" prefix also used by the recirculation rule; the flowId suffix is
// what distinguishes the flows.
362 String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
363 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
364 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
368 * Adds the rule to drop the unknown/invalid packets.
369 * @param dpId the dpId
370 * @param attachMac the attached mac address
371 * @param priority the priority of the flow
372 * @param flowId the flowId
373 * @param conntrackState the conntrack state of the packets that should be sent
374 * @param conntrackMask the conntrack mask
375 * @param addOrRemove whether to add or remove the flow
// Builds the flow for IPv4 packets from attachMac in the given conntrack state that are to be
// dropped, at the priority supplied by the caller.
// NOTE(review): only ETHTYPE_IPV4 is matched, so IPv6 traffic is not covered by this rule.
377 private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
378 int conntrackState, int conntrackMask, int addOrRemove) {
379 List<MatchInfoBase> matches = new ArrayList<>();
380 matches.add(new MatchInfo(MatchFieldType.eth_type,
381 new long[] { NwConstants.ETHTYPE_IPV4 }));
382 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
383 new long[] { conntrackState, conntrackMask}));
384 matches.add(new MatchInfo(MatchFieldType.eth_src,
385 new String[] { attachMac }));
// NOTE(review): in the lines shown, instructions stays empty and actionsInfos is never attached
// to it; presumably the flow drops because it carries no instructions — confirm. Source line 391
// is not shown in this listing.
386 List<InstructionInfo> instructions = new ArrayList<>();
388 List<ActionInfo> actionsInfos = new ArrayList<>();
390 actionsInfos.add(new ActionInfo(ActionType.drop_action,
// The "NewDrop" prefix is also used when the caller passes the invalid state; flowId
// distinguishes the two flows.
392 String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
393 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
394 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
398 * Adds the rule to allow arp packets.
399 * @param dpId the dpId
400 * @param attachMac the attached mac address
401 * @param addOrRemove whether to add or remove the flow
// Builds the flow that lets ARP frames whose sender hardware address (arp_sha) equals attachMac
// continue to EGRESS_ACL_NEXT_TABLE_ID.
// NOTE(review): the match covers only the Ethernet type and arp_sha. Neither the Ethernet source
// address nor the ARP sender protocol (IP) address is matched here, so this rule by itself does
// not tie ARP traffic to the port's IP address — confirm whether another table enforces that.
403 private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
// Declared as List<MatchInfo>, whereas the other rules in this class use List<MatchInfoBase>.
404 List<MatchInfo> matches = new ArrayList<>();
405 matches.add(new MatchInfo(MatchFieldType.eth_type,
406 new long[] { NwConstants.ETHTYPE_ARP }));
407 matches.add(new MatchInfo(MatchFieldType.arp_sha,
408 new String[] { attachMac }));
410 List<InstructionInfo> instructions = new ArrayList<>();
// NOTE(review): in the lines shown, actionsInfos receives a goto_table action but is never
// attached to instructions. Source lines 415-416 are not shown in this listing.
412 List<ActionInfo> actionsInfos = new ArrayList<>();
414 actionsInfos.add(new ActionInfo(ActionType.goto_table,
417 instructions.add(new InstructionInfo(InstructionType.goto_table,
418 new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
419 String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
420 syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
421 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
425 * Programs the default connection tracking rules.
426 * @param dpid the dp id
427 * @param attachMac the attached mac address
428 * @param write whether to add or remove the flow.
// Programs the five fixed conntrack flows for one port: recirculation of untracked packets,
// forwarding of tracked-established and tracked-related packets, and drop rules for tracked-new
// and tracked-invalid packets. The last argument of the calls split across source lines 435 and
// 442 is not shown in this listing (presumably write, as in the other calls).
430 private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
// NOTE(review): CT_STATE_UNTRACKED_PRIORITY is passed here, but programConntrackRecircRule hands
// PROTO_MATCH_PRIORITY to syncFlow instead of its priority parameter.
431 programConntrackRecircRule(dpid, attachMac,AclConstants.CT_STATE_UNTRACKED_PRIORITY,
432 "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, write );
433 programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
434 "Tracked_Established", AclConstants.TRACKED_EST_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK,
436 programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
437 "Tracked_Related", AclConstants.TRACKED_REL_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write );
438 programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
439 "Tracked_New", AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, write );
440 programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
441 "Tracked_Invalid",AclConstants.TRACKED_INV_CT_STATE, AclConstants.TRACKED_INV_CT_STATE_MASK,
// NOTE(review): logged unconditionally, so it reads "are added" even when write requests removal.
443 LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");