2 * Copyright (c) 2016 Ericsson India Global Services Pvt Ltd. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.netvirt.aclservice.listeners;
11 import java.math.BigInteger;
12 import java.util.ArrayList;
13 import java.util.List;
14 import javax.annotation.PostConstruct;
15 import javax.inject.Inject;
16 import javax.inject.Singleton;
17 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
18 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
19 import org.opendaylight.genius.datastoreutils.AsyncDataTreeChangeListenerBase;
20 import org.opendaylight.genius.mdsalutil.ActionInfo;
21 import org.opendaylight.genius.mdsalutil.FlowEntity;
22 import org.opendaylight.genius.mdsalutil.InstructionInfo;
23 import org.opendaylight.genius.mdsalutil.MDSALUtil;
24 import org.opendaylight.genius.mdsalutil.MatchInfo;
25 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
26 import org.opendaylight.genius.mdsalutil.NwConstants;
27 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
28 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
29 import org.opendaylight.genius.mdsalutil.actions.ActionDrop;
30 import org.opendaylight.genius.mdsalutil.actions.ActionNxResubmit;
31 import org.opendaylight.genius.mdsalutil.instructions.InstructionApplyActions;
32 import org.opendaylight.genius.mdsalutil.instructions.InstructionGotoTable;
33 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
34 import org.opendaylight.genius.mdsalutil.matches.MatchEthernetType;
35 import org.opendaylight.genius.mdsalutil.matches.MatchIpProtocol;
36 import org.opendaylight.genius.mdsalutil.matches.MatchTcpFlags;
37 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
38 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowCapableNode;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.Nodes;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.Node;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeKey;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.config.rev160806.AclserviceConfig;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.config.rev160806.AclserviceConfig.SecurityGroupMode;
44 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
45 import org.slf4j.Logger;
46 import org.slf4j.LoggerFactory;
49 * Listener to handle flow capable node updates.
52 @SuppressWarnings("deprecation")
53 public class AclNodeListener extends AsyncDataTreeChangeListenerBase<FlowCapableNode, AclNodeListener>
54 implements AutoCloseable {
56 private static final Logger LOG = LoggerFactory.getLogger(AclNodeListener.class);
58 private final IMdsalApiManager mdsalManager;
59 private final AclserviceConfig config;
60 private final DataBroker dataBroker;
62 private SecurityGroupMode securityGroupMode = null;
65 public AclNodeListener(final IMdsalApiManager mdsalManager, DataBroker dataBroker, AclserviceConfig config) {
66 super(FlowCapableNode.class, AclNodeListener.class);
68 this.mdsalManager = mdsalManager;
69 this.dataBroker = dataBroker;
76 LOG.info("{} start", getClass().getSimpleName());
78 this.securityGroupMode = config.getSecurityGroupMode();
80 registerListener(LogicalDatastoreType.OPERATIONAL, dataBroker);
81 LOG.info("AclserviceConfig: {}", this.config);
85 protected InstanceIdentifier<FlowCapableNode> getWildCardPath() {
86 return InstanceIdentifier.create(Nodes.class).child(Node.class).augmentation(FlowCapableNode.class);
90 protected void remove(InstanceIdentifier<FlowCapableNode> key, FlowCapableNode dataObjectModification) {
95 protected void update(InstanceIdentifier<FlowCapableNode> key, FlowCapableNode dataObjectModificationBefore,
96 FlowCapableNode dataObjectModificationAfter) {
101 protected void add(InstanceIdentifier<FlowCapableNode> key, FlowCapableNode dataObjectModification) {
102 LOG.trace("FlowCapableNode Added: key: {}", key);
103 NodeKey nodeKey = key.firstKeyOf(Node.class);
104 BigInteger dpnId = MDSALUtil.getDpnIdFromNodeName(nodeKey.getId());
105 createTableDefaultEntries(dpnId);
109 * Creates the table miss entries.
111 * @param dpnId the dpn id
113 private void createTableDefaultEntries(BigInteger dpnId) {
114 LOG.info("Adding default ACL entries for mode: "
115 + (securityGroupMode == null ? SecurityGroupMode.Stateful : securityGroupMode));
116 if (securityGroupMode == null || securityGroupMode == SecurityGroupMode.Stateful) {
117 addIngressAclTableMissFlow(dpnId);
118 addEgressAclTableMissFlow(dpnId);
119 addConntrackRules(dpnId, NwConstants.LPORT_DISPATCHER_TABLE, NwConstants.INGRESS_ACL_FILTER_TABLE,
120 NwConstants.ADD_FLOW);
121 addConntrackRules(dpnId, NwConstants.EGRESS_LPORT_DISPATCHER_TABLE, NwConstants.EGRESS_ACL_FILTER_TABLE,
122 NwConstants.ADD_FLOW);
123 } else if (securityGroupMode == SecurityGroupMode.Transparent) {
124 addTransparentIngressAclTableMissFlow(dpnId);
125 addTransparentEgressAclTableMissFlow(dpnId);
126 } else if (securityGroupMode == SecurityGroupMode.Stateless) {
127 addStatelessIngressAclTableMissFlow(dpnId);
128 addStatelessEgressAclTableMissFlow(dpnId);
129 } else if (securityGroupMode == SecurityGroupMode.Learn) {
130 addLearnIngressAclTableMissFlow(dpnId);
131 addLearnEgressAclTableMissFlow(dpnId);
136 * Adds the ingress acl table miss flow.
138 * @param dpId the dp id
140 private void addIngressAclTableMissFlow(BigInteger dpId) {
141 List<MatchInfo> mkMatches = new ArrayList<>();
142 List<InstructionInfo> mkInstructions = new ArrayList<>();
143 List<ActionInfo> actionsInfos = new ArrayList<>();
144 actionsInfos.add(new ActionDrop());
145 mkInstructions.add(new InstructionApplyActions(actionsInfos));
147 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_TABLE,
148 getTableMissFlowId(NwConstants.EGRESS_ACL_TABLE), 0, "Ingress ACL Table Miss Flow", 0, 0,
149 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
150 mdsalManager.installFlow(flowEntity);
152 FlowEntity nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
153 getTableMissFlowId(NwConstants.EGRESS_ACL_FILTER_TABLE), 0, "Ingress ACL Filter Table Miss Flow",
154 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
155 mdsalManager.installFlow(nextTblFlowEntity);
157 LOG.debug("Added Ingress ACL Table Miss Flows for dpn {}", dpId);
160 private void addLearnEgressAclTableMissFlow(BigInteger dpId) {
161 List<InstructionInfo> mkInstructions = new ArrayList<>();
162 List<ActionInfo> actionsInfos = new ArrayList<>();
163 actionsInfos.add(new ActionNxResubmit(NwConstants.EGRESS_LEARN_TABLE));
164 actionsInfos.add(new ActionNxResubmit(NwConstants.EGRESS_LEARN2_TABLE));
165 mkInstructions.add(new InstructionApplyActions(actionsInfos));
167 List<MatchInfo> mkMatches = new ArrayList<>();
168 FlowEntity doubleResubmitTable = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_TABLE,
169 "RESUB-" + getTableMissFlowId(NwConstants.EGRESS_ACL_TABLE),
170 AclConstants.PROTO_MATCH_PRIORITY, "Egress resubmit ACL Table Block", 0, 0,
171 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
172 mdsalManager.installFlow(doubleResubmitTable);
174 mkMatches = new ArrayList<>();
175 mkInstructions = new ArrayList<>();
176 actionsInfos = new ArrayList<>();
177 actionsInfos.add(new ActionDrop());
178 mkInstructions.add(new InstructionApplyActions(actionsInfos));
180 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_LEARN2_TABLE,
181 "LEARN-" + getTableMissFlowId(NwConstants.EGRESS_LEARN2_TABLE), 0,
182 "Egress Learn2 ACL Table Miss Flow", 0, 0,
183 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
184 mdsalManager.installFlow(flowEntity);
186 List<NxMatchInfo> nxMkMatches = new ArrayList<>();
187 nxMkMatches.add(new NxMatchInfo(NxMatchFieldType.nxm_reg_5,
188 new long[] {Long.valueOf(AclConstants.LEARN_MATCH_REG_VALUE)}));
190 short dispatcherTableId = NwConstants.EGRESS_LPORT_DISPATCHER_TABLE;
191 List<InstructionInfo> instructions = new ArrayList<>();
192 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
193 instructions.add(new InstructionApplyActions(actionsInfos));
195 flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_LEARN2_TABLE,
196 "LEARN2-REG-" + getTableMissFlowId(NwConstants.EGRESS_LEARN2_TABLE),
197 AclConstants.PROTO_MATCH_PRIORITY, "Egress Learn2 ACL Table match reg Flow", 0, 0,
198 AclConstants.COOKIE_ACL_BASE, nxMkMatches, instructions);
199 mdsalManager.installFlow(flowEntity);
200 LOG.debug("Added learn ACL Table Miss Flows for dpn {}", dpId);
203 private void addLearnIngressAclTableMissFlow(BigInteger dpId) {
204 List<InstructionInfo> mkInstructions = new ArrayList<>();
205 List<ActionInfo> actionsInfos = new ArrayList<>();
206 actionsInfos.add(new ActionNxResubmit(NwConstants.INGRESS_LEARN_TABLE));
207 actionsInfos.add(new ActionNxResubmit(NwConstants.INGRESS_LEARN2_TABLE));
208 mkInstructions.add(new InstructionApplyActions(actionsInfos));
210 List<MatchInfo> mkMatches = new ArrayList<>();
211 FlowEntity doubleResubmitTable = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_TABLE,
212 "RESUB-" + getTableMissFlowId(NwConstants.INGRESS_ACL_TABLE),
213 AclConstants.PROTO_MATCH_PRIORITY, "Ingress resubmit ACL Table Block", 0, 0,
214 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
215 mdsalManager.installFlow(doubleResubmitTable);
217 mkMatches = new ArrayList<>();
218 mkInstructions = new ArrayList<>();
219 actionsInfos = new ArrayList<>();
220 actionsInfos.add(new ActionDrop());
221 mkInstructions.add(new InstructionApplyActions(actionsInfos));
223 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_LEARN2_TABLE,
224 "LEARN-" + getTableMissFlowId(NwConstants.INGRESS_LEARN2_TABLE), 0,
225 "Ingress Learn2 ACL Table Miss Flow", 0, 0,
226 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
227 mdsalManager.installFlow(flowEntity);
229 List<NxMatchInfo> nxMkMatches = new ArrayList<>();
230 nxMkMatches.add(new NxMatchInfo(NxMatchFieldType.nxm_reg_5,
231 new long[] {Long.valueOf(AclConstants.LEARN_MATCH_REG_VALUE)}));
233 short dispatcherTableId = NwConstants.LPORT_DISPATCHER_TABLE;
234 List<InstructionInfo> instructions = new ArrayList<>();
235 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
236 instructions.add(new InstructionApplyActions(actionsInfos));
238 flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_LEARN2_TABLE,
239 "LEARN2-REG-" + getTableMissFlowId(NwConstants.INGRESS_LEARN2_TABLE),
240 AclConstants.PROTO_MATCH_PRIORITY, "Egress Learn2 ACL Table match reg Flow", 0, 0,
241 AclConstants.COOKIE_ACL_BASE, nxMkMatches, instructions);
242 mdsalManager.installFlow(flowEntity);
243 LOG.debug("Added learn ACL Table Miss Flows for dpn {}", dpId);
248 * Adds the ingress acl table transparent flow.
250 * @param dpId the dp id
252 private void addTransparentIngressAclTableMissFlow(BigInteger dpId) {
253 List<MatchInfo> mkMatches = new ArrayList<>();
254 List<InstructionInfo> allowAllInstructions = new ArrayList<>();
255 allowAllInstructions.add(new InstructionGotoTable(NwConstants.INGRESS_ACL_FILTER_TABLE));
257 FlowEntity nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_TABLE,
258 getTableMissFlowId(NwConstants.INGRESS_ACL_TABLE), 0, "Ingress ACL Table allow all Flow",
259 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches, allowAllInstructions);
260 mdsalManager.installFlow(nextTblFlowEntity);
262 short dispatcherTableId = NwConstants.LPORT_DISPATCHER_TABLE;
264 List<ActionInfo> actionsInfos = new ArrayList<>();
265 List<InstructionInfo> dispatcherInstructions = new ArrayList<>();
266 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
267 dispatcherInstructions.add(new InstructionApplyActions(actionsInfos));
269 nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
270 getTableMissFlowId(NwConstants.INGRESS_ACL_FILTER_TABLE), 0, "Ingress ACL Filter Table allow all Flow",
271 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches, dispatcherInstructions);
272 mdsalManager.installFlow(nextTblFlowEntity);
274 LOG.debug("Added Transparent Ingress ACL Table allow all Flows for dpn {}", dpId);
278 * Adds the egress acl table transparent flow.
280 * @param dpId the dp id
282 private void addTransparentEgressAclTableMissFlow(BigInteger dpId) {
283 List<MatchInfo> mkMatches = new ArrayList<>();
284 List<InstructionInfo> allowAllInstructions = new ArrayList<>();
285 allowAllInstructions.add(new InstructionGotoTable(NwConstants.EGRESS_ACL_FILTER_TABLE));
287 FlowEntity nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_TABLE,
288 getTableMissFlowId(NwConstants.EGRESS_ACL_TABLE), 0, "Egress ACL Table allow all Flow",
289 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches, allowAllInstructions);
290 mdsalManager.installFlow(nextTblFlowEntity);
292 short dispatcherTableId = NwConstants.EGRESS_LPORT_DISPATCHER_TABLE;
294 List<ActionInfo> actionsInfos = new ArrayList<>();
295 List<InstructionInfo> instructions = new ArrayList<>();
296 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
297 instructions.add(new InstructionApplyActions(actionsInfos));
299 nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
300 getTableMissFlowId(NwConstants.EGRESS_ACL_FILTER_TABLE), 0, "Egress ACL Filter Table allow all Flow",
301 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches, instructions);
302 mdsalManager.installFlow(nextTblFlowEntity);
304 LOG.debug("Added Transparent Egress ACL Table allow all Flows for dpn {}", dpId);
308 * Adds the ingress acl table miss flow.
310 * @param dpId the dp id
312 private void addStatelessIngressAclTableMissFlow(BigInteger dpId) {
313 List<MatchInfo> synMatches = new ArrayList<>();
314 synMatches.add(MatchEthernetType.IPV4);
315 synMatches.add(MatchIpProtocol.TCP);
317 synMatches.add(MatchTcpFlags.SYN);
319 List<ActionInfo> dropActionsInfos = new ArrayList<>();
320 dropActionsInfos.add(new ActionDrop());
321 List<InstructionInfo> synInstructions = new ArrayList<>();
322 synInstructions.add(new InstructionApplyActions(dropActionsInfos));
324 FlowEntity synFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_TABLE,
325 "SYN-" + getTableMissFlowId(NwConstants.EGRESS_ACL_TABLE),
326 AclConstants.PROTO_MATCH_SYN_DROP_PRIORITY, "Ingress Syn ACL Table Block", 0, 0,
327 AclConstants.COOKIE_ACL_BASE, synMatches, synInstructions);
328 mdsalManager.installFlow(synFlowEntity);
330 synMatches = new ArrayList<>();
331 synMatches.add(MatchEthernetType.IPV4);
332 synMatches.add(MatchIpProtocol.TCP);
333 synMatches.add(MatchTcpFlags.SYN_ACK);
335 List<InstructionInfo> allowAllInstructions = new ArrayList<>();
336 allowAllInstructions.add(new InstructionGotoTable(NwConstants.EGRESS_ACL_FILTER_TABLE));
338 FlowEntity synAckFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_TABLE,
339 "SYN-ACK-ALLOW-" + getTableMissFlowId(NwConstants.EGRESS_ACL_TABLE),
340 AclConstants.PROTO_MATCH_SYN_ACK_ALLOW_PRIORITY, "Ingress Syn Ack ACL Table Allow", 0, 0,
341 AclConstants.COOKIE_ACL_BASE, synMatches, allowAllInstructions);
342 mdsalManager.installFlow(synAckFlowEntity);
345 List<MatchInfo> mkMatches = new ArrayList<>();
346 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_TABLE,
347 getTableMissFlowId(NwConstants.EGRESS_ACL_TABLE), 0, "Ingress Stateless ACL Table Miss Flow",
348 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches, allowAllInstructions);
349 mdsalManager.installFlow(flowEntity);
351 short dispatcherTableId = NwConstants.EGRESS_LPORT_DISPATCHER_TABLE;
353 List<ActionInfo> actionsInfos = new ArrayList<>();
354 List<InstructionInfo> instructions = new ArrayList<>();
355 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
356 instructions.add(new InstructionApplyActions(actionsInfos));
358 FlowEntity nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
359 getTableMissFlowId(NwConstants.EGRESS_ACL_FILTER_TABLE), 0,
360 "Ingress Stateless Next ACL Table Miss Flow", 0, 0, AclConstants.COOKIE_ACL_BASE,
361 mkMatches, instructions);
362 mdsalManager.installFlow(nextTblFlowEntity);
364 LOG.debug("Added Stateless Ingress ACL Table Miss Flows for dpn {}.", dpId);
368 * Adds the stateless egress acl table miss flow.
370 * @param dpId the dp id
372 private void addStatelessEgressAclTableMissFlow(BigInteger dpId) {
373 List<InstructionInfo> allowAllInstructions = new ArrayList<>();
374 allowAllInstructions.add(new InstructionGotoTable(NwConstants.INGRESS_ACL_FILTER_TABLE));
376 List<MatchInfo> synMatches = new ArrayList<>();
377 synMatches.add(MatchEthernetType.IPV4);
378 synMatches.add(MatchIpProtocol.TCP);
379 synMatches.add(MatchTcpFlags.SYN);
381 List<ActionInfo> synActionsInfos = new ArrayList<>();
382 synActionsInfos.add(new ActionDrop());
383 List<InstructionInfo> synInstructions = new ArrayList<>();
384 synInstructions.add(new InstructionApplyActions(synActionsInfos));
386 FlowEntity synFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_TABLE,
387 "SYN-" + getTableMissFlowId(NwConstants.INGRESS_ACL_TABLE),
388 AclConstants.PROTO_MATCH_SYN_DROP_PRIORITY, "Egress Syn ACL Table Block", 0, 0,
389 AclConstants.COOKIE_ACL_BASE, synMatches, synInstructions);
390 mdsalManager.installFlow(synFlowEntity);
392 synMatches = new ArrayList<>();
393 synMatches.add(MatchEthernetType.IPV4);
394 synMatches.add(MatchIpProtocol.TCP);
395 synMatches.add(MatchTcpFlags.SYN_ACK);
397 FlowEntity synAckFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_TABLE,
398 "SYN-ACK-ALLOW-" + getTableMissFlowId(NwConstants.INGRESS_ACL_TABLE),
399 AclConstants.PROTO_MATCH_SYN_ACK_ALLOW_PRIORITY, "Egress Syn Ack ACL Table Allow", 0, 0,
400 AclConstants.COOKIE_ACL_BASE, synMatches, allowAllInstructions);
401 mdsalManager.installFlow(synAckFlowEntity);
403 List<MatchInfo> mkMatches = new ArrayList<>();
404 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_TABLE,
405 getTableMissFlowId(NwConstants.INGRESS_ACL_TABLE), 0, "Egress Stateless ACL Table Miss Flow", 0, 0,
406 AclConstants.COOKIE_ACL_BASE, mkMatches, allowAllInstructions);
407 mdsalManager.installFlow(flowEntity);
409 short dispatcherTableId = NwConstants.LPORT_DISPATCHER_TABLE;
411 List<ActionInfo> actionsInfos = new ArrayList<>();
412 List<InstructionInfo> dispatcherInstructions = new ArrayList<>();
413 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
414 dispatcherInstructions.add(new InstructionApplyActions(actionsInfos));
416 FlowEntity nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
417 getTableMissFlowId(NwConstants.INGRESS_ACL_FILTER_TABLE), 0,
418 "Egress Stateless Next ACL Table Miss Flow", 0, 0, AclConstants.COOKIE_ACL_BASE, mkMatches,
419 dispatcherInstructions);
420 mdsalManager.installFlow(nextTblFlowEntity);
422 LOG.debug("Added Stateless Egress ACL Table Miss Flows for dpn {}", dpId);
426 * Adds the egress acl table miss flow.
428 * @param dpId the dp id
430 private void addEgressAclTableMissFlow(BigInteger dpId) {
431 List<MatchInfo> mkMatches = new ArrayList<>();
432 List<InstructionInfo> mkInstructions = new ArrayList<>();
433 List<ActionInfo> actionsInfos = new ArrayList<>();
434 actionsInfos.add(new ActionDrop());
435 mkInstructions.add(new InstructionApplyActions(actionsInfos));
437 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_TABLE,
438 getTableMissFlowId(NwConstants.INGRESS_ACL_TABLE), 0, "Egress ACL Table Miss Flow", 0, 0,
439 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
440 mdsalManager.installFlow(flowEntity);
442 FlowEntity nextTblFlowEntity = MDSALUtil.buildFlowEntity(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
443 getTableMissFlowId(NwConstants.INGRESS_ACL_FILTER_TABLE), 0, "Egress ACL Table Miss Flow", 0, 0,
444 AclConstants.COOKIE_ACL_BASE, mkMatches, mkInstructions);
445 mdsalManager.installFlow(nextTblFlowEntity);
447 LOG.debug("Added Egress ACL Table Miss Flows for dpn {}", dpId);
450 private void addConntrackRules(BigInteger dpnId, short dispatcherTableId,short tableId, int write) {
451 programConntrackForwardRule(dpnId, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
452 "Tracked_Established", AclConstants.TRACKED_EST_CT_STATE, AclConstants.TRACKED_EST_CT_STATE_MASK,
453 dispatcherTableId, tableId, write );
454 programConntrackForwardRule(dpnId, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,"Tracked_Related", AclConstants
455 .TRACKED_REL_CT_STATE, AclConstants.TRACKED_REL_CT_STATE_MASK, dispatcherTableId, tableId, write );
456 programConntrackDropRule(dpnId, AclConstants.CT_STATE_NEW_PRIORITY_DROP,"Tracked_New",
457 AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, tableId, write );
458 programConntrackDropRule(dpnId, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY, "Tracked_Invalid",
459 AclConstants.TRACKED_INV_CT_STATE, AclConstants.TRACKED_INV_CT_STATE_MASK, tableId, write );
464 * Adds the rule to forward the packets known packets.
466 * @param dpId the dpId
467 * @param priority the priority of the flow
468 * @param flowId the flowId
469 * @param conntrackState the conntrack state of the packets thats should be
471 * @param conntrackMask the conntrack mask
472 * @param dispatcherTableId the dispatcher table id
473 * @param tableId the table id
474 * @param addOrRemove whether to add or remove the flow
476 private void programConntrackForwardRule(BigInteger dpId, Integer priority, String flowId,
477 int conntrackState, int conntrackMask, short dispatcherTableId, short tableId, int addOrRemove) {
478 List<MatchInfoBase> matches = new ArrayList<>();
479 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
481 List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(
482 new ArrayList<>(),dispatcherTableId);
484 flowId = "Fixed_Conntrk_Trk_" + dpId + "_" + flowId + dispatcherTableId;
485 syncFlow(dpId, tableId, flowId, priority, "ACL", 0, 0,
486 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
490 * Adds the rule to drop the unknown/invalid packets .
492 * @param dpId the dpId
493 * @param priority the priority of the flow
494 * @param flowId the flowId
495 * @param conntrackState the conntrack state of the packets thats should be
497 * @param conntrackMask the conntrack mask
498 * @param tableId the table id
499 * @param addOrRemove whether to add or remove the flow
501 private void programConntrackDropRule(BigInteger dpId, Integer priority, String flowId,
502 int conntrackState, int conntrackMask, short tableId, int addOrRemove) {
503 List<MatchInfoBase> matches = new ArrayList<>();
504 matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
506 List<InstructionInfo> instructions = new ArrayList<>();
507 List<ActionInfo> actionsInfos = new ArrayList<>();
508 actionsInfos.add(new ActionDrop());
509 instructions.add(new InstructionApplyActions(actionsInfos));
510 flowId = "Fixed_Conntrk_NewDrop_" + dpId + "_" + flowId + tableId;
511 syncFlow(dpId, tableId, flowId, priority, "ACL", 0, 0,
512 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
516 * Gets the dispatcher table resubmit instructions.
518 * @param actionsInfos the actions infos
519 * @param dispatcherTableId the dispatcher table id
520 * @return the instructions for dispatcher table resubmit
522 private List<InstructionInfo> getDispatcherTableResubmitInstructions(List<ActionInfo> actionsInfos,
523 short dispatcherTableId) {
524 List<InstructionInfo> instructions = new ArrayList<>();
525 actionsInfos.add(new ActionNxResubmit(dispatcherTableId));
526 instructions.add(new InstructionApplyActions(actionsInfos));
531 * Writes/remove the flow to/from the datastore.
532 * @param dpId the dpId
533 * @param tableId the tableId
534 * @param flowId the flowId
535 * @param priority the priority
536 * @param flowName the flow name
537 * @param idleTimeOut the idle timeout
538 * @param hardTimeOut the hard timeout
539 * @param cookie the cookie
540 * @param matches the list of matches to be written
541 * @param instructions the list of instruction to be written.
542 * @param addOrRemove add or remove the entries.
544 protected void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
545 int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase> matches,
546 List<InstructionInfo> instructions, int addOrRemove) {
547 if (addOrRemove == NwConstants.DEL_FLOW) {
548 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId,flowId,
549 priority, flowName , idleTimeOut, hardTimeOut, cookie, matches, null);
550 LOG.trace("Removing Acl Flow DpnId {}, flowId {}", dpId, flowId);
551 mdsalManager.removeFlow(flowEntity);
553 FlowEntity flowEntity = MDSALUtil.buildFlowEntity(dpId, tableId, flowId,
554 priority, flowName, idleTimeOut, hardTimeOut, cookie, matches, instructions);
555 LOG.trace("Installing DpnId {}, flowId {}", dpId, flowId);
556 mdsalManager.installFlow(flowEntity);
561 * Gets the table miss flow id.
563 * @param tableId the table id
564 * @return the table miss flow id
566 private String getTableMissFlowId(short tableId) {
567 return String.valueOf(tableId);
571 protected AclNodeListener getDataTreeChangeListener() {
572 return AclNodeListener.this;