1 /*
2  * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
3  *
4  * This program and the accompanying materials are made available under the
5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6  * and is available at http://www.eclipse.org/legal/epl-v10.html
7  */
8 package org.opendaylight.netvirt.aclservice;
9
10 import java.math.BigInteger;
11 import java.util.ArrayList;
12 import java.util.List;
13 import java.util.Map;
14
15 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
16 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
17 import org.opendaylight.genius.mdsalutil.ActionInfo;
18 import org.opendaylight.genius.mdsalutil.ActionType;
19 import org.opendaylight.genius.mdsalutil.InstructionInfo;
20 import org.opendaylight.genius.mdsalutil.InstructionType;
21 import org.opendaylight.genius.mdsalutil.MDSALUtil;
22 import org.opendaylight.genius.mdsalutil.MatchFieldType;
23 import org.opendaylight.genius.mdsalutil.MatchInfo;
24 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
25 import org.opendaylight.genius.mdsalutil.NwConstants;
26 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
27 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
28 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
29 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
30 import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
31 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
45 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
46 import org.slf4j.Logger;
47 import org.slf4j.LoggerFactory;
48
49 public class EgressAclServiceImpl extends AbstractAclServiceImpl {
50
51     private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
52     private final DataBroker dataBroker;
53
    /**
     * Creates the egress ACL service.
     *
     * <p>All three collaborators are handed to the superclass constructor; the data broker is
     * also kept in this class because the methods below read and write the datastore directly.
     *
     * @param dataBroker the data broker instance.
     * @param interfaceManager the interface manager instance.
     * @param mdsalManager the mdsal manager instance.
     */
    public EgressAclServiceImpl(
            DataBroker dataBroker,
            OdlInterfaceRpcService interfaceManager,
            IMdsalApiManager mdsalManager) {
        super(dataBroker, interfaceManager, mdsalManager);
        this.dataBroker = dataBroker;
    }
65
    /**
     * Binds the egress ACL service to an interface.
     *
     * <p>Writes a {@code BoundServices} entry to the CONFIGURATION datastore whose single
     * instruction is a goto-table to {@code AclConstants.EGRESS_ACL_TABLE_ID}.
     *
     * <p>NOTE(review): the binding path is built with {@code ServiceModeIngress} although this is
     * the egress ACL service; presumably "egress" is meant from the VM's point of view. Confirm.
     *
     * @param interfaceName the interface name
     */
    protected void bindService(String interfaceName) {
        int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;

        // The goto-table instruction is the first and only instruction, hence key 1.
        int gotoTableKey = 1;
        List<Instruction> gotoAclTable = new ArrayList<>();
        gotoAclTable.add(
                MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, gotoTableKey));

        String serviceName = String.format("%s.%s.%s", "vpn", "egressacl", interfaceName);
        BoundServices boundService = AclServiceUtils.getBoundServices(
                serviceName,
                AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
                flowPriority,
                AclConstants.COOKIE_ACL_BASE,
                gotoAclTable);

        InstanceIdentifier<BoundServices> servicePath = AclServiceUtils.buildServiceId(
                interfaceName, AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
        MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, servicePath, boundService);
    }
84
    /**
     * Unbinds the egress ACL service from an interface by deleting its bound-service entry
     * from the CONFIGURATION datastore.
     *
     * <p>The path is built from the same service priority and service mode that
     * {@code bindService} uses, so it addresses the entry written there.
     *
     * @param interfaceName the interface name
     */
    protected void unbindService(String interfaceName) {
        InstanceIdentifier<BoundServices> servicePath = AclServiceUtils.buildServiceId(
                interfaceName,
                AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
                ServiceModeIngress.class);
        MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, servicePath);
    }
95
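    /**
     * Programs (adds or removes) the fixed rules of a port: the DHCP/DHCPv6 client-permit and
     * server-drop rules, the connection tracking rules and the ARP rule.
     *
     * <p>NOTE(review): the connection tracking rules are programmed unconditionally. The original
     * code carried a commented-out {@code securityServicesManager.isConntrackEnabled()} guard
     * around that call; confirm that every target switch supports conntrack before relying on
     * these rules for enforcement.
     *
     * @param dpid the dpid
     * @param dhcpMacAddress the dhcp mac address.
     * @param attachMac The vm mac address
     * @param addOrRemove whether to add or remove the flows; passed through unchanged to each rule
     */
    protected void programFixedRules(BigInteger dpid, String dhcpMacAddress,
                                     String attachMac, int addOrRemove) {
        // This method serves both directions, so the log entry must not claim that rules are being
        // added when they are in fact being removed; record the requested operation instead.
        LOG.info("programFixedRules : programming default rules, addOrRemove {}.", addOrRemove);
        egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
        egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
        egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
        egressAclDhcpv6DropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);

        programEgressAclFixedConntrackRule(dpid, attachMac, addOrRemove);
        programArpRule(dpid, attachMac, addOrRemove);
    }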
117
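    /**
     * Programs the custom flows of every ACL in the given list.
     *
     * <p>Each ACL is looked up by its UUID value and every ACE it contains is passed to
     * {@code programAceRule}. An ACL that cannot be resolved, or that has no entries, is skipped
     * so that one bad reference does not abort programming of the remaining ACLs with a
     * {@code NullPointerException} and leave the port with a partially applied rule set.
     *
     * @param aclUuidList the list of acl uuid to be applied; {@code null} is treated as empty
     * @param dpId the dpId
     * @param attachMac the attached mac
     * @param addOrRemove whether to delete or add flow
     */
    protected void programAclRules(List<Uuid> aclUuidList, BigInteger dpId, String attachMac,
                                   int addOrRemove) {
        LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
        if (aclUuidList == null) {
            return;
        }
        for (Uuid sgUuid : aclUuidList) {
            Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
            // presumably getAcl returns null when the ACL is absent from the datastore; verify
            if (acl == null) {
                LOG.warn("ACL {} not found, skipping its rules for vmMacAddress {}",
                        sgUuid.getValue(), attachMac);
                continue;
            }
            AccessListEntries accessListEntries = acl.getAccessListEntries();
            List<Ace> aceList = accessListEntries == null ? null : accessListEntries.getAce();
            if (aceList == null) {
                // An ACL without entries contributes no flows.
                continue;
            }
            for (Ace ace : aceList) {
                programAceRule(dpId, attachMac, addOrRemove, ace);
            }
        }
    }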
139
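    /**
     * Programs the flows of a single ACE on the egress ACL table.
     *
     * <p>ACEs whose direction is not egress are ignored. Only IP ACEs ({@code AceIp}) are
     * translated into flows; any other type is logged as an error and skipped. Every generated
     * flow additionally matches the port's MAC as Ethernet source, applies the conntrack action
     * and continues to {@code AclConstants.EGRESS_ACL_NEXT_TABLE_ID}.
     *
     * <p>NOTE(review): a {@code ct_state} match on the tracked/new state was commented out in the
     * original, so these permit flows match on the ACE fields and the source MAC only. Confirm
     * that this is intended given the fixed conntrack rules programmed on the same table.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac
     * @param addOrRemove whether to delete or add flow
     * @param ace the access control entry to program
     */
    protected void programAceRule(BigInteger dpId, String attachMac, int addOrRemove, Ace ace) {
        SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
        // Null-safe comparison: an ACE without rule attributes or without a direction is not an
        // egress rule and must not fail the whole programming run.
        if (aceAttr == null || !DirectionEgress.class.equals(aceAttr.getDirection())) {
            return;
        }
        Matches matches = ace.getMatches();
        AceType aceType = matches == null ? null : matches.getAceType();
        Map<String, List<MatchInfoBase>> flowMap = null;
        if (aceType instanceof AceIp) {
            flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
        }
        if (null == flowMap) {
            LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
            return;
        }
        // The flow map contains a list of flows if a port range is selected.
        for (Map.Entry<String, List<MatchInfoBase>> entry : flowMap.entrySet()) {
            String flowName = entry.getKey() + "Egress" + attachMac;
            List<MatchInfoBase> flows = entry.getValue();
            // Pin the flow to the port's own MAC so it cannot match frames sent with another source.
            flows.add(new MatchInfo(MatchFieldType.eth_src,
                new String[] { attachMac }));

            List<ActionInfo> actionsInfos = new ArrayList<>();
            actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
                new String[] {"1", "0", "0", "255"}, 2));

            List<InstructionInfo> instructions = new ArrayList<>();
            instructions.add(new InstructionInfo(InstructionType.apply_actions,
                actionsInfos));
            instructions.add(new InstructionInfo(InstructionType.goto_table,
                new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
            syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY,
                "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
        }
    }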
176
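    /**
     * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port, so that a VM
     * cannot answer as a DHCP server on its network.
     *
     * <p>The flow matches the DHCP port pair built by {@code AclServiceUtils.programDhcpMatches}
     * (presumably source = server port, destination = client port; verify against that helper),
     * the port's MAC as Ethernet source and the tracked/new conntrack state.
     *
     * @param dpId the dpId
     * @param dhcpMacAddress the Dhcp mac address; used in the flow name only
     * @param attachMac the attached mac address
     * @param addOrRemove add/remove the flow.
     */
    private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
            String attachMac, int addOrRemove) {
        List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclConstants.DHCP_SERVER_PORT_IPV4,
                AclConstants.DHCP_CLIENT_PORT_IPV4);
        matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));
        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));

        // Deliberately empty. The original built a drop_action list here but never attached it to
        // an instruction, so the flow has always been installed without instructions; a flow entry
        // with no instructions drops the packet in OpenFlow. The unused list is removed rather than
        // wired in, which keeps the installed flow unchanged.
        List<InstructionInfo> instructions = new ArrayList<>();

        String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }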
203
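    /**
     * Anti-spoofing rule to block the Ipv6 DHCP server traffic from the port, so that a VM
     * cannot answer as a DHCPv6 server on its network.
     *
     * <p>The flow matches the DHCPv6 port pair built by {@code AclServiceUtils.programDhcpMatches}
     * (presumably source = server port, destination = client port; verify against that helper),
     * the port's MAC as Ethernet source and the tracked/new conntrack state.
     *
     * @param dpId the dpId
     * @param dhcpMacAddress the Dhcp mac address; used in the flow name only
     * @param attachMac the attached mac address
     * @param addOrRemove add/remove the flow.
     */
    private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
                                                  String attachMac, int addOrRemove) {
        List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclConstants.DHCP_SERVER_PORT_IPV6,
                AclConstants.DHCP_CLIENT_PORT_IPV6);
        matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));
        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));

        // Deliberately empty. The original built a drop_action list here but never attached it to
        // an instruction, so the flow has always been installed without instructions; a flow entry
        // with no instructions drops the packet in OpenFlow. The unused list is removed rather than
        // wired in, which keeps the installed flow unchanged.
        List<InstructionInfo> instructions = new ArrayList<>();

        String flowName = "Egress_DHCP_Server_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }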
230
    /**
     * Adds or removes the rule that permits IPv4 DHCP client traffic sent from the port.
     *
     * <p>The flow matches the DHCP port pair built by {@code AclServiceUtils.programDhcpMatches}
     * (presumably source = client port, destination = server port; verify against that helper),
     * the port's MAC as Ethernet source and the tracked/new conntrack state. Matching packets get
     * the conntrack action applied and continue to {@code AclConstants.EGRESS_ACL_NEXT_TABLE_ID}.
     *
     * @param dpId the dpid
     * @param dhcpMacAddress the DHCP server mac address; used in the flow name only
     * @param attachMac the mac address of the port
     * @param addOrRemove whether to add or remove the flow
     */
    private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
                                                 String attachMac, int addOrRemove) {
        // Match side: DHCP ports, restricted to frames sourced from the port's own MAC.
        List<MatchInfoBase> dhcpClientMatches = AclServiceUtils.programDhcpMatches(
                AclConstants.DHCP_CLIENT_PORT_IPV4, AclConstants.DHCP_SERVER_PORT_IPV4);
        dhcpClientMatches.add(new MatchInfo(MatchFieldType.eth_src, new String[] { attachMac }));
        dhcpClientMatches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
                new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));

        // Action side: conntrack action first, then hand over to the next table.
        // NOTE(review): the meaning of the nx_conntrack parameters is defined by the genius
        // ActionType and is not visible here; confirm before changing any of them.
        List<ActionInfo> conntrackActions = new ArrayList<>();
        conntrackActions.add(new ActionInfo(ActionType.nx_conntrack,
                new String[] {"1", "0", "0", "255"}, 2));

        List<InstructionInfo> permitInstructions = new ArrayList<>();
        permitInstructions.add(new InstructionInfo(InstructionType.apply_actions, conntrackActions));
        permitInstructions.add(new InstructionInfo(InstructionType.goto_table,
                new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));

        String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, dhcpClientMatches, permitInstructions, addOrRemove);
    }
266
    /**
     * Adds or removes the rule that permits DHCPv6 client traffic sent from the port.
     *
     * <p>The flow matches the DHCPv6 port pair built by {@code AclServiceUtils.programDhcpMatches}
     * (presumably source = client port, destination = server port; verify against that helper),
     * the port's MAC as Ethernet source and the tracked/new conntrack state. Matching packets get
     * the conntrack action applied and continue to {@code AclConstants.EGRESS_ACL_NEXT_TABLE_ID}.
     *
     * @param dpId the dpid
     * @param dhcpMacAddress the DHCP server mac address; used in the flow name only
     * @param attachMac the mac address of the port
     * @param addOrRemove whether to add or remove the flow
     */
    private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
                                                   String attachMac, int addOrRemove) {
        // Match side: DHCPv6 ports, restricted to frames sourced from the port's own MAC.
        List<MatchInfoBase> dhcpClientMatches = AclServiceUtils.programDhcpMatches(
                AclConstants.DHCP_CLIENT_PORT_IPV6, AclConstants.DHCP_SERVER_PORT_IPV6);
        dhcpClientMatches.add(new MatchInfo(MatchFieldType.eth_src, new String[] { attachMac }));
        dhcpClientMatches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
                new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));

        // Action side: conntrack action first, then hand over to the next table.
        // NOTE(review): the meaning of the nx_conntrack parameters is defined by the genius
        // ActionType and is not visible here; confirm before changing any of them.
        List<ActionInfo> conntrackActions = new ArrayList<>();
        conntrackActions.add(new ActionInfo(ActionType.nx_conntrack,
                new String[] {"1", "0", "0", "255"}, 2));

        List<InstructionInfo> permitInstructions = new ArrayList<>();
        permitInstructions.add(new InstructionInfo(InstructionType.apply_actions, conntrackActions));
        permitInstructions.add(new InstructionInfo(InstructionType.goto_table,
                new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));

        String flowName = "Egress_DHCP_Client_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, dhcpClientMatches, permitInstructions, addOrRemove);
    }
301
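    /**
     * Adds or removes the rule that sends packets in the given conntrack state through connection
     * tracking and recirculates them to the egress ACL table.
     *
     * <p>The rule matches IPv4 only ({@code NwConstants.ETHTYPE_IPV4}); no other Ethernet type is
     * matched by it.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param priority the priority of the flow
     * @param flowId the flowId; appended to the flow name
     * @param conntrackState the conntrack state of the packets that should be sent to conntrack
     * @param conntrackMask the conntrack mask
     * @param addOrRemove whether to add or remove the flow
     */
    private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                             int conntrackState, int conntrackMask, int addOrRemove) {
        List<MatchInfoBase> matches = new ArrayList<>();
        matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] {conntrackState, conntrackMask}));
        matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));

        // The last nx_conntrack parameter carries the egress ACL table id, so the packet re-enters
        // this table once conntrack has classified it.
        List<ActionInfo> actionsInfos = new ArrayList<>();
        actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
            new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));

        List<InstructionInfo> instructions = new ArrayList<>();
        instructions.add(new InstructionInfo(InstructionType.apply_actions,
            actionsInfos));

        String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
        // Honour the caller-supplied priority, as the forward and drop rules do. The original
        // ignored the parameter and installed this flow at PROTO_MATCH_PRIORITY, the priority of
        // the DHCP and custom ACL flows on the same table, which leaves the match order between
        // overlapping flows to the switch.
        // NOTE(review): verify the resulting flow ordering on a test switch.
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }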
333
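    /**
     * Adds or removes the rule that forwards packets in the given conntrack state to
     * {@code AclConstants.EGRESS_ACL_NEXT_TABLE_ID}.
     *
     * <p>The rule matches IPv4 only ({@code NwConstants.ETHTYPE_IPV4}) and is restricted to frames
     * whose Ethernet source is the port's MAC. The flow name reuses the
     * {@code "Egress_Fixed_Conntrk_Untrk_"} prefix of the recirculation rule; the two are told
     * apart by {@code flowId}.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param priority the priority of the flow
     * @param flowId the flowId; appended to the flow name
     * @param conntrackState the conntrack state of the packets that should be forwarded
     * @param conntrackMask the conntrack mask
     * @param addOrRemove whether to add or remove the flow
     */
    private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                             int conntrackState, int conntrackMask, int addOrRemove) {
        List<MatchInfoBase> matches = new ArrayList<>();
        matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] {conntrackState, conntrackMask}));
        matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));

        // The original also built a goto_table ActionInfo list that was never attached to any
        // instruction; it is removed. Forwarding is done by the goto_table instruction below.
        List<InstructionInfo> instructions = new ArrayList<>();
        instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));

        String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }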
366
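    /**
     * Adds or removes the rule that drops packets in the given conntrack state.
     *
     * <p>The rule matches IPv4 only ({@code NwConstants.ETHTYPE_IPV4}) and is restricted to frames
     * whose Ethernet source is the port's MAC.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param priority the priority of the flow
     * @param flowId the flowId; appended to the flow name
     * @param conntrackState the conntrack state of the packets that should be dropped
     * @param conntrackMask the conntrack mask
     * @param addOrRemove whether to add or remove the flow
     */
    private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                          int conntrackState, int conntrackMask, int addOrRemove) {
        List<MatchInfoBase> matches = new ArrayList<>();
        matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_IPV4 }));
        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
            new long[] { conntrackState, conntrackMask}));
        matches.add(new MatchInfo(MatchFieldType.eth_src,
            new String[] { attachMac }));

        // Deliberately empty. The original built a drop_action list here but never attached it to
        // an instruction, so the flow has always been installed without instructions; a flow entry
        // with no instructions drops the packet in OpenFlow. The unused list is removed rather than
        // wired in, which keeps the installed flow unchanged.
        List<InstructionInfo> instructions = new ArrayList<>();

        String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }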
396
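    /**
     * Adds or removes the rule that allows ARP packets from the port.
     *
     * <p>The flow matches the ARP Ethernet type and the ARP sender hardware address
     * ({@code arp_sha}) equal to the port's MAC, and forwards to
     * {@code AclConstants.EGRESS_ACL_NEXT_TABLE_ID}.
     *
     * <p>NOTE(review): neither the Ethernet source nor the ARP sender protocol address is
     * matched, so this rule does not tie ARP packets to the port's IP address. If IP-level ARP
     * anti-spoofing is required it has to be enforced elsewhere; confirm.
     *
     * @param dpId the dpId
     * @param attachMac the attached mac address
     * @param addOrRemove whether to add or remove the flow
     */
    private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
        List<MatchInfo> matches = new ArrayList<>();
        matches.add(new MatchInfo(MatchFieldType.eth_type,
            new long[] { NwConstants.ETHTYPE_ARP }));
        matches.add(new MatchInfo(MatchFieldType.arp_sha,
            new String[] { attachMac }));

        // The original also built a goto_table ActionInfo list that was never attached to any
        // instruction; it is removed. Forwarding is done by the goto_table instruction below.
        List<InstructionInfo> instructions = new ArrayList<>();
        instructions.add(new InstructionInfo(InstructionType.goto_table,
            new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));

        String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
    }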
423
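    /**
     * Programs (adds or removes) the default connection tracking rules of a port.
     *
     * <p>Five flows are programmed: recirculation through conntrack for the untracked state,
     * forwarding for the tracked/established and tracked/related states, and drop for the
     * tracked/new and tracked/invalid states. Each uses the priority constant passed below.
     *
     * <p>NOTE(review): presumably {@code CT_STATE_NEW_PRIORITY_DROP} is lower than the priority of
     * the ACL permit flows, so that only new connections no ACE permits are dropped; verify
     * against {@code AclConstants}.
     *
     * @param dpid the dp id
     * @param attachMac the attached mac address
     * @param write whether to add or remove the flow.
     */
    private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
        programConntrackRecircRule(dpid, attachMac, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
            "Untracked", AclConstants.UNTRACKED_CT_STATE, AclConstants.UNTRACKED_CT_STATE_MASK, write);
        programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
            "Tracked_Established", AclConstants.TRACKED_EST_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK,
            write);
        programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
            "Tracked_Related", AclConstants.TRACKED_REL_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write);
        programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
            "Tracked_New", AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, write);
        programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
            "Tracked_Invalid", AclConstants.TRACKED_INV_CT_STATE, AclConstants.TRACKED_INV_CT_STATE_MASK,
            write);
        // This method also removes the rules, so the log entry records the requested operation
        // instead of stating that the rules were added.
        LOG.info("programEgressAclFixedConntrackRule : default connection tracking rules programmed,"
            + " addOrRemove {}.", write);
    }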
445 }