2 * Copyright © 2016, 2017 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.netvirt.aclservice.utils;
11 import com.google.common.base.Optional;
12 import com.google.common.net.InetAddresses;
13 import java.math.BigInteger;
14 import java.util.ArrayList;
15 import java.util.HashMap;
16 import java.util.Iterator;
17 import java.util.List;
19 import java.util.concurrent.ExecutionException;
20 import java.util.concurrent.Future;
21 import javax.inject.Inject;
22 import javax.inject.Singleton;
23 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
24 import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
25 import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
26 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
27 import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
28 import org.opendaylight.genius.interfacemanager.globals.InterfaceServiceUtil;
29 import org.opendaylight.genius.mdsalutil.MDSALUtil;
30 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
31 import org.opendaylight.genius.mdsalutil.MetaDataUtil;
32 import org.opendaylight.genius.mdsalutil.NwConstants;
33 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
34 import org.opendaylight.genius.mdsalutil.matches.MatchArpSpa;
35 import org.opendaylight.genius.mdsalutil.matches.MatchEthernetDestination;
36 import org.opendaylight.genius.mdsalutil.matches.MatchEthernetType;
37 import org.opendaylight.genius.mdsalutil.matches.MatchIcmpv6;
38 import org.opendaylight.genius.mdsalutil.matches.MatchIpProtocol;
39 import org.opendaylight.genius.mdsalutil.matches.MatchIpv4Destination;
40 import org.opendaylight.genius.mdsalutil.matches.MatchIpv4Source;
41 import org.opendaylight.genius.mdsalutil.matches.MatchIpv6Destination;
42 import org.opendaylight.genius.mdsalutil.matches.MatchIpv6Source;
43 import org.opendaylight.genius.mdsalutil.matches.MatchMetadata;
44 import org.opendaylight.genius.mdsalutil.matches.MatchUdpDestinationPort;
45 import org.opendaylight.genius.mdsalutil.matches.MatchUdpSourcePort;
46 import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchRegister;
47 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.MatchCriteria;
48 import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
49 import org.opendaylight.netvirt.aclservice.api.utils.AclInterfaceCacheUtil;
50 import org.opendaylight.netvirt.vpnmanager.api.VpnHelper;
51 import org.opendaylight.yang.gen.v1.urn.huawei.params.xml.ns.yang.l3vpn.rev140815.vpn.interfaces.VpnInterface;
52 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.AccessLists;
53 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.Ipv4Acl;
54 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
55 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclKey;
56 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
57 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
58 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.actions.packet.handling.Permit;
59 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpAddress;
60 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpPrefix;
61 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv4Prefix;
62 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv6Prefix;
63 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.Interfaces;
64 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.InterfacesState;
65 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
66 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.InterfaceKey;
67 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.MacAddress;
68 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
69 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
70 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.AllocateIdInput;
71 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.AllocateIdInputBuilder;
72 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.AllocateIdOutput;
73 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.CreateIdPoolInput;
74 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.CreateIdPoolInputBuilder;
75 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.DeleteIdPoolInput;
76 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.DeleteIdPoolInputBuilder;
77 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.IdManagerService;
78 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.ReleaseIdInput;
79 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.idmanager.rev160406.ReleaseIdInputBuilder;
80 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceInput;
81 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceInputBuilder;
82 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceOutput;
83 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
84 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceBindings;
85 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeBase;
86 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
87 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceTypeFlowBased;
88 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflow;
89 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflowBuilder;
90 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.ServicesInfo;
91 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.ServicesInfoKey;
92 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
93 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesBuilder;
94 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesKey;
95 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
96 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.config.rev160806.AclserviceConfig;
97 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl;
98 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
99 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.PortsSubnetIpPrefixes;
100 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
101 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
102 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.ports.subnet.ip.prefixes.PortSubnetIpPrefixes;
103 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.ports.subnet.ip.prefixes.PortSubnetIpPrefixesKey;
104 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.ElanInstances;
105 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.ElanInterfaces;
106 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.instances.ElanInstance;
107 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.instances.ElanInstanceKey;
108 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.interfaces.ElanInterface;
109 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.elan.rev150602.elan.interfaces.ElanInterfaceKey;
110 import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg6;
111 import org.opendaylight.yangtools.yang.binding.DataObject;
112 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
113 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier.InstanceIdentifierBuilder;
114 import org.opendaylight.yangtools.yang.common.RpcResult;
115 import org.slf4j.Logger;
116 import org.slf4j.LoggerFactory;
119 @SuppressWarnings("deprecation")
120 public final class AclServiceUtils {
122 private static final Logger LOG = LoggerFactory.getLogger(AclServiceUtils.class);
123 public static final AclserviceConfig.DefaultBehavior DEFAULT_DENY = AclserviceConfig.DefaultBehavior.Deny;
124 public static final AclserviceConfig.DefaultBehavior DEFAULT_ALLOW = AclserviceConfig.DefaultBehavior.Allow;
126 private final AclDataUtil aclDataUtil;
127 private final AclserviceConfig config;
128 private final IdManagerService idManager;
131 public AclServiceUtils(AclDataUtil aclDataUtil, AclserviceConfig config, IdManagerService idManager) {
133 this.aclDataUtil = aclDataUtil;
134 this.config = config;
135 this.idManager = idManager;
139 * Retrieves the Interface from the datastore.
140 * @param broker the data broker
141 * @param interfaceName the interface name
142 * @return the interface.
144 public static Optional<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
145 .Interface> getInterface(DataBroker broker, String interfaceName) {
146 return read(broker, LogicalDatastoreType.CONFIGURATION, getInterfaceIdentifier(interfaceName));
150 * Builds the interface identifier.
151 * @param interfaceName the interface name.
152 * @return the interface identifier.
154 public static InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
155 .interfaces.Interface> getInterfaceIdentifier(String interfaceName) {
156 return InstanceIdentifier.builder(Interfaces.class)
158 org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
159 .Interface.class, new InterfaceKey(interfaceName)).build();
163 * Retrieves the object from the datastore.
164 * @param broker the data broker.
165 * @param datastoreType the data store type.
166 * @param path the wild card path.
167 * @param <T> type of DataObject
168 * @return the required object.
170 public static <T extends DataObject> Optional<T> read(
171 DataBroker broker, LogicalDatastoreType datastoreType, InstanceIdentifier<T> path) {
172 try (ReadOnlyTransaction tx = broker.newReadOnlyTransaction()) {
173 return tx.read(datastoreType, path).checkedGet();
174 } catch (ReadFailedException e) {
175 LOG.error("Failed to read InstanceIdentifier {} from {}", path, datastoreType, e);
176 return Optional.absent();
180 public static <T extends DataObject> void delete(
181 DataBroker broker, LogicalDatastoreType datastoreType, InstanceIdentifier<T> path) {
182 WriteTransaction tx = broker.newWriteOnlyTransaction();
183 tx.delete(datastoreType, path);
187 * Retrieves the acl matching the key from the data store.
189 * @param broker the data broker
190 * @param aclKey the acl key
193 public static Acl getAcl(DataBroker broker, String aclKey) {
194 return read(broker, LogicalDatastoreType.CONFIGURATION, getAclInstanceIdentifier(aclKey)).orNull();
197 /** Creates the Acl instance identifier.
199 * @param aclKey the acl key
200 * @return the instance identifier
202 public static InstanceIdentifier<Acl> getAclInstanceIdentifier(String aclKey) {
203 return InstanceIdentifier
204 .builder(AccessLists.class)
206 new AclKey(aclKey,Ipv4Acl.class))
211 * Get the data path number for the interface.
212 * @param interfaceManagerRpcService interfaceManagerRpcService instance.
213 * @param ifName the interface name.
216 public static BigInteger getDpnForInterface(OdlInterfaceRpcService interfaceManagerRpcService, String ifName) {
217 BigInteger nodeId = BigInteger.ZERO;
219 GetDpidFromInterfaceInput dpIdInput =
220 new GetDpidFromInterfaceInputBuilder().setIntfName(ifName).build();
221 Future<RpcResult<GetDpidFromInterfaceOutput>> dpIdOutput =
222 interfaceManagerRpcService.getDpidFromInterface(dpIdInput);
223 RpcResult<GetDpidFromInterfaceOutput> dpIdResult = dpIdOutput.get();
224 if (dpIdResult.isSuccessful()) {
225 nodeId = dpIdResult.getResult().getDpid();
227 LOG.error("Could not retrieve DPN Id for interface {}", ifName);
229 } catch (NullPointerException | InterruptedException | ExecutionException e) {
230 LOG.error("Exception when getting dpn for interface {}", ifName, e);
236 * Retrieves the interface state.
237 * @param dataBroker the data broker.
238 * @param interfaceName the interface name.
239 * @return the interface state.
241 public static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state
242 .Interface getInterfaceStateFromOperDS(DataBroker dataBroker, String interfaceName) {
243 InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
244 .interfaces.state.Interface> ifStateId = buildStateInterfaceId(interfaceName);
245 return MDSALUtil.read(LogicalDatastoreType.OPERATIONAL, ifStateId, dataBroker).orNull();
249 * Build the interface state.
250 * @param interfaceName the interface name.
251 * @return the interface state.
253 public static InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
254 .interfaces.state.Interface> buildStateInterfaceId(String interfaceName) {
255 InstanceIdentifierBuilder<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
256 .interfaces.state.Interface> idBuilder = InstanceIdentifier.builder(InterfacesState.class)
257 .child(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
258 .state.Interface.class, new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces
259 .rev140508.interfaces.state.InterfaceKey(interfaceName));
260 return idBuilder.build();
264 * Checks whether port security is enabled for the port.
265 * @param port the port.
266 * @return the port security is enabled/not.
268 public static boolean isPortSecurityEnabled(AclInterface port) {
269 return port.isPortSecurityEnabled();
273 * Checks whether port security is enabled for the port.
274 * @param port the port.
275 * @return the list of security groups.
277 public static List<Uuid> getInterfaceAcls(Interface port) {
279 LOG.error("Port is Null");
282 InterfaceAcl aclInPort = port.getAugmentation(InterfaceAcl.class);
283 if (aclInPort == null) {
284 LOG.error("getSecurityGroupInPortList: no security group associated}",
288 return aclInPort.getSecurityGroups();
292 * Retrieves the security rule attribute augmentation from the access list.
293 * @param ace the access list entry
294 * @return the security rule attributes
296 public static SecurityRuleAttr getAccesssListAttributes(Ace ace) {
298 LOG.error("Ace is Null");
301 SecurityRuleAttr aceAttributes = ace.getAugmentation(SecurityRuleAttr.class);
302 if (aceAttributes == null) {
303 LOG.error("Ace is null");
306 return aceAttributes;
310 * Returns the DHCP match.
312 * @param srcPort the source port.
313 * @param dstPort the destination port.
314 * @param lportTag the lport tag
315 * @param serviceMode ingress or egress service
316 * @return list of matches.
318 public static List<MatchInfoBase> buildDhcpMatches(int srcPort, int dstPort, int lportTag,
319 Class<? extends ServiceModeBase> serviceMode) {
320 List<MatchInfoBase> matches = new ArrayList<>(5);
321 matches.add(MatchEthernetType.IPV4);
322 matches.add(MatchIpProtocol.UDP);
323 matches.add(new MatchUdpDestinationPort(dstPort));
324 matches.add(new MatchUdpSourcePort(srcPort));
325 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
330 * Returns the DHCPv6 match.
332 * @param srcPort the source port.
333 * @param dstPort the destination port.
334 * @param lportTag the lport tag
335 * @param serviceMode ingress or egress
336 * @return list of matches.
338 public static List<MatchInfoBase> buildDhcpV6Matches(int srcPort, int dstPort, int lportTag,
339 Class<? extends ServiceModeBase> serviceMode) {
340 List<MatchInfoBase> matches = new ArrayList<>(6);
341 matches.add(MatchEthernetType.IPV6);
342 matches.add(MatchIpProtocol.UDP);
343 matches.add(new MatchUdpDestinationPort(dstPort));
344 matches.add(new MatchUdpSourcePort(srcPort));
345 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
350 * Returns the ICMPv6 match.
352 * @param icmpType the icmpv6-type.
353 * @param icmpCode the icmpv6-code.
354 * @param lportTag the lport tag
355 * @param serviceMode ingress or egress
356 * @return list of matches.
358 public static List<MatchInfoBase> buildIcmpV6Matches(int icmpType, int icmpCode, int lportTag,
359 Class<? extends ServiceModeBase> serviceMode) {
360 List<MatchInfoBase> matches = new ArrayList<>(6);
361 matches.add(MatchEthernetType.IPV6);
362 matches.add(MatchIpProtocol.ICMPV6);
364 matches.add(new MatchIcmpv6((short) icmpType, (short) icmpCode));
366 matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
370 public static List<MatchInfoBase> buildBroadcastIpV4Matches(String ipAddr) {
371 List<MatchInfoBase> matches = new ArrayList<>(2);
372 matches.add(new MatchEthernetDestination(new MacAddress(AclConstants.BROADCAST_MAC)));
373 matches.addAll(AclServiceUtils.buildIpMatches(new IpPrefixOrAddress(ipAddr.toCharArray()),
374 MatchCriteria.MATCH_DESTINATION));
378 public static List<MatchInfoBase> buildL2BroadcastMatches() {
379 List<MatchInfoBase> matches = new ArrayList<>();
380 matches.add(new MatchEthernetDestination(new MacAddress(AclConstants.BROADCAST_MAC)));
385 * Builds the service id.
387 * @param interfaceName the interface name
388 * @param serviceIndex the service index
389 * @param serviceMode the service mode
390 * @return the instance identifier
392 public static InstanceIdentifier<BoundServices> buildServiceId(String interfaceName, short serviceIndex,
393 Class<? extends ServiceModeBase> serviceMode) {
394 return InstanceIdentifier.builder(ServiceBindings.class)
395 .child(ServicesInfo.class, new ServicesInfoKey(interfaceName, serviceMode))
396 .child(BoundServices.class, new BoundServicesKey(serviceIndex)).build();
400 * Gets the bound services.
402 * @param serviceName the service name
403 * @param servicePriority the service priority
404 * @param flowPriority the flow priority
405 * @param cookie the cookie
406 * @param instructions the instructions
407 * @return the bound services
409 public static BoundServices getBoundServices(String serviceName, short servicePriority, int flowPriority,
410 BigInteger cookie, List<Instruction> instructions) {
411 StypeOpenflowBuilder augBuilder = new StypeOpenflowBuilder().setFlowCookie(cookie).setFlowPriority(flowPriority)
412 .setInstruction(instructions);
413 return new BoundServicesBuilder().setKey(new BoundServicesKey(servicePriority)).setServiceName(serviceName)
414 .setServicePriority(servicePriority).setServiceType(ServiceTypeFlowBased.class)
415 .addAugmentation(StypeOpenflow.class, augBuilder.build()).build();
418 public static List<Uuid> getUpdatedAclList(List<Uuid> updatedAclList, List<Uuid> currentAclList) {
419 if (updatedAclList == null) {
422 List<Uuid> newAclList = new ArrayList<>(updatedAclList);
423 if (currentAclList == null) {
426 List<Uuid> origAclList = new ArrayList<>(currentAclList);
427 for (Iterator<Uuid> iterator = newAclList.iterator(); iterator.hasNext();) {
428 Uuid updatedAclUuid = iterator.next();
429 for (Uuid currentAclUuid :origAclList) {
430 if (updatedAclUuid.getValue().equals(currentAclUuid.getValue())) {
438 public static List<AllowedAddressPairs> getUpdatedAllowedAddressPairs(
439 List<AllowedAddressPairs> updatedAllowedAddressPairs,
440 List<AllowedAddressPairs> currentAllowedAddressPairs) {
441 if (updatedAllowedAddressPairs == null) {
444 List<AllowedAddressPairs> newAllowedAddressPairs = new ArrayList<>(updatedAllowedAddressPairs);
445 if (currentAllowedAddressPairs == null) {
446 return newAllowedAddressPairs;
448 List<AllowedAddressPairs> origAllowedAddressPairs = new ArrayList<>(currentAllowedAddressPairs);
449 for (Iterator<AllowedAddressPairs> iterator = newAllowedAddressPairs.iterator(); iterator.hasNext();) {
450 AllowedAddressPairs updatedAllowedAddressPair = iterator.next();
451 for (AllowedAddressPairs currentAllowedAddressPair : origAllowedAddressPairs) {
452 if (updatedAllowedAddressPair.getKey().equals(currentAllowedAddressPair.getKey())) {
458 return newAllowedAddressPairs;
461 public static List<AllowedAddressPairs> getPortAllowedAddresses(Interface port) {
463 LOG.error("Port is Null");
466 InterfaceAcl aclInPort = port.getAugmentation(InterfaceAcl.class);
467 if (aclInPort == null) {
468 LOG.error("getSecurityGroupInPortList: no security group associated to Interface port: {}", port.getName());
471 return aclInPort.getAllowedAddressPairs();
474 public static BigInteger getDpIdFromIterfaceState(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf
475 .interfaces.rev140508.interfaces.state.Interface interfaceState) {
476 BigInteger dpId = null;
477 List<String> ofportIds = interfaceState.getLowerLayerIf();
478 if (ofportIds != null && !ofportIds.isEmpty()) {
479 NodeConnectorId nodeConnectorId = new NodeConnectorId(ofportIds.get(0));
480 dpId = BigInteger.valueOf(MDSALUtil.getDpnIdFromPortName(nodeConnectorId));
485 public static List<String> getIpBroadcastAddresses(List<IpPrefixOrAddress> cidrs) {
486 List<String> ipBroadcastAddresses = new ArrayList<>();
487 for (IpPrefixOrAddress cidr : cidrs) {
488 IpPrefix cidrIpPrefix = cidr.getIpPrefix();
489 if (cidrIpPrefix != null) {
490 Ipv4Prefix cidrIpv4Prefix = cidrIpPrefix.getIpv4Prefix();
491 if (cidrIpv4Prefix != null) {
492 ipBroadcastAddresses.add(getBroadcastAddressFromCidr(cidrIpv4Prefix.getValue()));
496 return ipBroadcastAddresses;
499 public static String getBroadcastAddressFromCidr(String cidr) {
500 String[] ipaddressValues = cidr.split("/");
501 int address = InetAddresses.coerceToInteger(InetAddresses.forString(ipaddressValues[0]));
502 int cidrPart = Integer.parseInt(ipaddressValues[1]);
504 for (int j = 0; j < cidrPart; ++j) {
505 netmask |= (1 << 31 - j);
507 int network = (address & netmask);
508 int broadcast = network | ~(netmask);
509 return InetAddresses.toAddrString(InetAddresses.fromInteger(broadcast));
513 * Builds the ip matches.
515 * @param ipPrefixOrAddress the ip prefix or address
516 * @param matchCriteria the source_ip or destination_ip used for the match
519 public static List<MatchInfoBase> buildIpMatches(IpPrefixOrAddress ipPrefixOrAddress,
520 MatchCriteria matchCriteria) {
521 List<MatchInfoBase> flowMatches = new ArrayList<>();
522 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
523 if (ipPrefix != null) {
524 Ipv4Prefix ipv4Prefix = ipPrefix.getIpv4Prefix();
525 if (ipv4Prefix != null) {
526 flowMatches.add(MatchEthernetType.IPV4);
527 if (!ipv4Prefix.getValue().equals(AclConstants.IPV4_ALL_NETWORK)) {
528 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv4Source(ipv4Prefix)
529 : new MatchIpv4Destination(ipv4Prefix));
532 flowMatches.add(MatchEthernetType.IPV6);
533 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv6Source(
534 ipPrefix.getIpv6Prefix()) : new MatchIpv6Destination(ipPrefix.getIpv6Prefix()));
537 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
538 if (ipAddress.getIpv4Address() != null) {
539 flowMatches.add(MatchEthernetType.IPV4);
540 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv4Source(
541 ipAddress.getIpv4Address().getValue(), "32") : new MatchIpv4Destination(
542 ipAddress.getIpv4Address().getValue(), "32"));
544 flowMatches.add(MatchEthernetType.IPV6);
545 flowMatches.add(matchCriteria == MatchCriteria.MATCH_SOURCE ? new MatchIpv6Source(
546 ipAddress.getIpv6Address().getValue() + "/128") : new MatchIpv6Destination(
547 ipAddress.getIpv6Address().getValue() + "/128"));
554 * Builds the arp ip matches.
555 * @param ipPrefixOrAddress the ip prefix or address
556 * @return the MatchInfoBase list
558 public static List<MatchInfoBase> buildArpIpMatches(IpPrefixOrAddress ipPrefixOrAddress) {
559 List<MatchInfoBase> flowMatches = new ArrayList<>();
560 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
561 if (ipPrefix != null) {
562 Ipv4Prefix ipv4Prefix = ipPrefix.getIpv4Prefix();
563 if (ipv4Prefix != null && !ipv4Prefix.getValue().equals(AclConstants.IPV4_ALL_NETWORK)) {
564 flowMatches.add(new MatchArpSpa(ipv4Prefix));
567 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
568 if (ipAddress != null && ipAddress.getIpv4Address() != null) {
569 flowMatches.add(new MatchArpSpa(ipAddress.getIpv4Address().getValue(), "32"));
575 private List<MatchInfoBase> buildAclIdMetadataMatch(Uuid remoteAclId) {
576 List<MatchInfoBase> flowMatches = new ArrayList<>();
577 BigInteger aclId = buildAclId(remoteAclId);
578 if (aclId.intValue() != AclConstants.INVALID_ACL_ID) {
579 MatchMetadata metadataMatch = new MatchMetadata(getAclIdMetadata(aclId),
580 MetaDataUtil.METADATA_MASK_REMOTE_ACL_ID);
581 flowMatches.add(metadataMatch);
583 LOG.error("Failed building metadata match for Acl id match. Failed to allocate id");
588 public BigInteger buildAclId(Uuid remoteAclId) {
589 Integer aclId = allocateAclId(remoteAclId.getValue());
590 return BigInteger.valueOf(aclId);
593 public static BigInteger getAclIdMetadata(BigInteger aclId) {
594 return aclId.shiftLeft(1);
598 * Gets the lport tag match.
599 * Ingress match is based on metadata and egress match is based on masked reg6
601 * @param lportTag the lport tag
602 * @param serviceMode ingress or egress service mode
603 * @return the lport tag match
605 public static MatchInfoBase buildLPortTagMatch(int lportTag, Class<? extends ServiceModeBase> serviceMode) {
606 if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeIngress.class)) {
607 return new NxMatchRegister(NxmNxReg6.class, MetaDataUtil.getLportTagForReg6(lportTag).longValue(),
608 MetaDataUtil.getLportTagMaskForReg6());
610 return new MatchMetadata(MetaDataUtil.getLportTagMetaData(lportTag), MetaDataUtil.METADATA_MASK_LPORT_TAG);
614 public static List<Ace> getAceWithRemoteAclId(DataBroker dataBroker, AclInterface port, Uuid remoteAcl) {
615 List<Ace> remoteAclRuleList = new ArrayList<>();
616 List<Uuid> aclList = port.getSecurityGroups();
617 for (Uuid aclId : aclList) {
618 Acl acl = getAcl(dataBroker, aclId.getValue());
619 List<Ace> aceList = acl.getAccessListEntries().getAce();
620 for (Ace ace : aceList) {
621 Uuid tempRemoteAcl = getAccesssListAttributes(ace).getRemoteGroupId();
622 if (tempRemoteAcl != null && tempRemoteAcl.equals(remoteAcl)) {
623 remoteAclRuleList.add(ace);
627 return remoteAclRuleList;
630 public Map<String, List<MatchInfoBase>> getFlowForRemoteAcl(AclInterface aclInterface, Uuid remoteAclId,
631 String ignoreInterfaceId, Map<String, List<MatchInfoBase>> flowMatchesMap, boolean isSourceIpMacMatch) {
632 boolean singleAcl = false;
633 List<AclInterface> interfaceList = null;
634 if (aclInterface.getSecurityGroups() != null && aclInterface.getSecurityGroups().size() == 1) {
637 interfaceList = aclDataUtil.getInterfaceList(remoteAclId);
638 if (flowMatchesMap == null || interfaceList == null || interfaceList.isEmpty()) {
642 Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
643 MatchInfoBase ipv4Match = MatchEthernetType.IPV4;
644 MatchInfoBase ipv6Match = MatchEthernetType.IPV6;
645 for (String flowName : flowMatchesMap.keySet()) {
646 List<MatchInfoBase> flows = flowMatchesMap.get(flowName);
648 LOG.debug("port {} is in only one SG. "
649 + "Doesn't adding it's IPs {} to matches (handled in acl id match)",
650 aclInterface.getLPortTag(), aclInterface.getAllowedAddressPairs());
651 List<MatchInfoBase> matchInfoBaseList = addFlowMatchForAclId(remoteAclId, flows);
652 String flowId = flowName + "_remoteACL_id_" + remoteAclId.getValue();
653 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
656 for (AclInterface port : interfaceList) {
657 if (port.getInterfaceId().equals(ignoreInterfaceId)) {
661 // get allow address pair
662 List<AllowedAddressPairs> allowedAddressPair = port.getAllowedAddressPairs();
663 // iterate over allow address pair and update match type
664 for (AllowedAddressPairs aap : allowedAddressPair) {
665 List<MatchInfoBase> matchInfoBaseList;
667 if (flows.contains(ipv4Match) && isIPv4Address(aap) && isNotIpv4AllNetwork(aap)) {
668 matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
669 flowId = flowName + "_ipv4_remoteACL_interface_aap_" + getAapFlowId(aap);
670 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
671 } else if (flows.contains(ipv6Match) && !isIPv4Address(aap) && isNotIpv6AllNetwork(aap)) {
672 matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
673 flowId = flowName + "_ipv6_remoteACL_interface_aap_" + getAapFlowId(aap);
674 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
679 return updatedFlowMatchesMap;
682 public AclserviceConfig getConfig() {
686 public static boolean isIPv4Address(AllowedAddressPairs aap) {
687 IpPrefixOrAddress ipPrefixOrAddress = aap.getIpAddress();
688 IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
689 if (ipPrefix != null) {
690 if (ipPrefix.getIpv4Prefix() != null) {
694 IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
695 if (ipAddress != null && ipAddress.getIpv4Address() != null) {
702 public static Map<String, List<MatchInfoBase>> getFlowForAllowedAddresses(
703 List<AllowedAddressPairs> syncAllowedAddresses, Map<String, List<MatchInfoBase>> flowMatchesMap,
704 boolean isSourceIpMacMatch) {
705 if (flowMatchesMap == null) {
708 Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
709 MatchInfoBase ipv4Match = MatchEthernetType.IPV4;
710 MatchInfoBase ipv6Match = MatchEthernetType.IPV6;
711 for (String flowName : flowMatchesMap.keySet()) {
712 List<MatchInfoBase> flows = flowMatchesMap.get(flowName);
713 // iterate over allow address pair and update match type
714 for (AllowedAddressPairs aap : syncAllowedAddresses) {
715 List<MatchInfoBase> matchInfoBaseList;
717 if (flows.contains(ipv4Match) && isIPv4Address(aap) && isNotIpv4AllNetwork(aap)) {
718 matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
719 flowId = flowName + "_ipv4_remoteACL_interface_aap_" + getAapFlowId(aap);
720 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
721 } else if (flows.contains(ipv6Match) && !isIPv4Address(aap) && isNotIpv6AllNetwork(aap)) {
722 matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
723 flowId = flowName + "_ipv6_remoteACL_interface_aap_" + getAapFlowId(aap);
724 updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
728 return updatedFlowMatchesMap;
731 public static boolean isNotIpv4AllNetwork(AllowedAddressPairs aap) {
732 IpPrefix ipPrefix = aap.getIpAddress().getIpPrefix();
733 if (ipPrefix != null && ipPrefix.getIpv4Prefix() != null
734 && ipPrefix.getIpv4Prefix().getValue().equals(AclConstants.IPV4_ALL_NETWORK)) {
740 protected static boolean isNotIpv6AllNetwork(AllowedAddressPairs aap) {
741 IpPrefix ipPrefix = aap.getIpAddress().getIpPrefix();
742 if (ipPrefix != null && ipPrefix.getIpv6Prefix() != null
743 && ipPrefix.getIpv6Prefix().getValue().equals(AclConstants.IPV6_ALL_NETWORK)) {
749 private static String getAapFlowId(AllowedAddressPairs aap) {
750 return aap.getMacAddress().getValue() + "_" + String.valueOf(aap.getIpAddress().getValue());
753 public static Long getElanIdFromInterface(String elanInterfaceName,DataBroker broker) {
754 ElanInterface elanInterface = getElanInterfaceByElanInterfaceName(elanInterfaceName, broker);
755 if (null != elanInterface) {
756 ElanInstance elanInfo = getElanInstanceByName(elanInterface.getElanInstanceName(), broker);
757 return elanInfo.getElanTag();
762 public static Long getElanIdFromAclInterface(String elanInterfaceName) {
763 AclInterface aclInterface = AclInterfaceCacheUtil.getAclInterfaceFromCache(elanInterfaceName);
764 if (null != aclInterface) {
765 return aclInterface.getElanId();
770 public static ElanInterface getElanInterfaceByElanInterfaceName(String elanInterfaceName,DataBroker broker) {
771 InstanceIdentifier<ElanInterface> elanInterfaceId = getElanInterfaceConfigurationDataPathId(elanInterfaceName);
772 return read(broker, LogicalDatastoreType.CONFIGURATION, elanInterfaceId).orNull();
775 public static InstanceIdentifier<ElanInterface> getElanInterfaceConfigurationDataPathId(String interfaceName) {
776 return InstanceIdentifier.builder(ElanInterfaces.class)
777 .child(ElanInterface.class, new ElanInterfaceKey(interfaceName)).build();
780 // elan-instances config container
781 public static ElanInstance getElanInstanceByName(String elanInstanceName, DataBroker broker) {
782 InstanceIdentifier<ElanInstance> elanIdentifierId = getElanInstanceConfigurationDataPath(elanInstanceName);
783 return read(broker, LogicalDatastoreType.CONFIGURATION, elanIdentifierId).orNull();
786 public static InstanceIdentifier<ElanInstance> getElanInstanceConfigurationDataPath(String elanInstanceName) {
787 return InstanceIdentifier.builder(ElanInstances.class)
788 .child(ElanInstance.class, new ElanInstanceKey(elanInstanceName)).build();
791 public static List<IpPrefixOrAddress> getSubnetIpPrefixes(DataBroker broker, String portId) {
792 InstanceIdentifier<PortSubnetIpPrefixes> id = InstanceIdentifier.builder(PortsSubnetIpPrefixes.class)
793 .child(PortSubnetIpPrefixes.class, new PortSubnetIpPrefixesKey(portId)).build();
794 Optional<PortSubnetIpPrefixes> portSubnetIpPrefixes = read(broker, LogicalDatastoreType.OPERATIONAL, id);
795 if (portSubnetIpPrefixes.isPresent()) {
796 return portSubnetIpPrefixes.get().getSubnetIpPrefixes();
801 public static void deleteSubnetIpPrefixes(DataBroker broker, String portId) {
802 InstanceIdentifier<PortSubnetIpPrefixes> id = InstanceIdentifier.builder(PortsSubnetIpPrefixes.class)
803 .child(PortSubnetIpPrefixes.class, new PortSubnetIpPrefixesKey(portId)).build();
804 MDSALUtil.syncDelete(broker, LogicalDatastoreType.OPERATIONAL, id);
807 public static Long getVpnIdFromInterface(DataBroker broker, String vpnInterfaceName) {
808 VpnInterface vpnInterface = VpnHelper.getVpnInterface(broker, vpnInterfaceName);
809 if (vpnInterface != null) {
810 return VpnHelper.getVpnId(broker, vpnInterface.getVpnInstanceName());
815 private static List<MatchInfoBase> updateAAPMatches(boolean isSourceIpMacMatch, List<MatchInfoBase> flows,
816 AllowedAddressPairs aap) {
817 List<MatchInfoBase> matchInfoBaseList;
818 if (isSourceIpMacMatch) {
819 matchInfoBaseList = AclServiceUtils.buildIpMatches(aap.getIpAddress(), MatchCriteria.MATCH_SOURCE);
821 matchInfoBaseList = AclServiceUtils.buildIpMatches(aap.getIpAddress(), MatchCriteria.MATCH_DESTINATION);
823 matchInfoBaseList.addAll(flows);
824 return matchInfoBaseList;
827 private List<MatchInfoBase> addFlowMatchForAclId(Uuid remoteAclId, List<MatchInfoBase> flows) {
828 List<MatchInfoBase> matchInfoBaseList;
829 matchInfoBaseList = buildAclIdMetadataMatch(remoteAclId);
830 matchInfoBaseList.addAll(flows);
831 return matchInfoBaseList;
834 public static MatchInfoBase getMatchInfoByType(List<MatchInfoBase> flows, Class<? extends NxMatchInfo> type) {
835 for (MatchInfoBase mib : flows) {
836 if (type.isAssignableFrom(mib.getClass())) {
843 public static boolean containsMatchFieldType(List<MatchInfoBase> flows, Class<? extends NxMatchInfo> type) {
844 return getMatchInfoByType(flows, type) != null;
847 public static boolean containsTcpMatchField(List<MatchInfoBase> flows) {
848 return flows.contains(MatchIpProtocol.TCP);
851 public static boolean containsUdpMatchField(List<MatchInfoBase> flows) {
852 return flows.contains(MatchIpProtocol.UDP);
855 public static Integer allocateId(IdManagerService idManager, String poolName, String idKey, Integer defaultId) {
856 AllocateIdInput getIdInput = new AllocateIdInputBuilder().setPoolName(poolName).setIdKey(idKey).build();
858 Future<RpcResult<AllocateIdOutput>> result = idManager.allocateId(getIdInput);
859 RpcResult<AllocateIdOutput> rpcResult = result.get();
860 if (rpcResult.isSuccessful()) {
861 Integer allocatedId = rpcResult.getResult().getIdValue().intValue();
862 LOG.debug("Allocated ACL ID: {} with key: {} into pool: {}", allocatedId, idKey, poolName);
865 LOG.warn("RPC Call to Get Unique Id returned with Errors {}", rpcResult.getErrors());
867 } catch (InterruptedException | ExecutionException e) {
868 LOG.warn("Exception when getting Unique Id", e);
873 public static void releaseId(IdManagerService idManager, String poolName, String idKey) {
874 ReleaseIdInput idInput = new ReleaseIdInputBuilder().setPoolName(poolName).setIdKey(idKey).build();
876 Future<RpcResult<Void>> result = idManager.releaseId(idInput);
877 RpcResult<Void> rpcResult = result.get();
878 if (!rpcResult.isSuccessful()) {
879 LOG.warn("RPC Call to release Id {} with Key {} returned with Errors {}", idKey, rpcResult.getErrors());
881 LOG.debug("Released ACL ID with key: {} from pool: {}", idKey, poolName);
883 } catch (InterruptedException | ExecutionException e) {
884 LOG.warn("Exception when releasing Id for key {}", idKey, e);
889 * Allocate and save flow priority in cache.
892 * @return the integer
894 public Integer allocateAndSaveFlowPriorityInCache(String poolName, String key) {
895 Integer flowPriority = AclServiceUtils.allocateId(this.idManager, poolName, key,
896 AclConstants.PROTO_MATCH_PRIORITY);
897 this.aclDataUtil.addAclFlowPriority(key, flowPriority);
906 public Integer allocateAclId(String key) {
907 Integer aclId = AclServiceUtils.allocateId(this.idManager, AclConstants.ACL_ID_POOL_NAME, key,
908 AclConstants.INVALID_ACL_ID);
913 * Allocate and save flow priority in cache.
917 public void releaseAclId(String key) {
918 AclServiceUtils.releaseId(idManager, AclConstants.ACL_ID_POOL_NAME, key);
922 * Release and remove flow priority from cache.
925 * @return the integer
927 public Integer releaseAndRemoveFlowPriorityFromCache(String poolName, String key) {
928 AclServiceUtils.releaseId(this.idManager, poolName, key);
929 Integer flowPriority = this.aclDataUtil.removeAclFlowPriority(key);
930 if (flowPriority == null) {
931 flowPriority = AclConstants.PROTO_MATCH_PRIORITY;
937 * Indicates whether the interface has port security enabled.
938 * @param aclInterface the interface.
939 * @return true if port is security enabled.
941 public static boolean isOfInterest(AclInterface aclInterface) {
942 return aclInterface != null && aclInterface.getPortSecurityEnabled() != null
943 && aclInterface.isPortSecurityEnabled();
947 * Creates the id pool.
949 * @param poolName the pool name
951 public void createIdPool(String poolName, AclConstants.PacketHandlingType packetHandlingType) {
952 CreateIdPoolInput createPool = null;
954 // If the default behavior is Deny, then ACLs with Allow packetHandling must have lower priority than
955 // ACLs with Deny packetHandling - otherwise the Deny ACLs are redundant, and vice versa
956 if ((config.getDefaultBehavior() == DEFAULT_DENY
957 && packetHandlingType == AclConstants.PacketHandlingType.PERMIT)
958 || (config.getDefaultBehavior() == DEFAULT_ALLOW
959 && packetHandlingType == AclConstants.PacketHandlingType.DENY)) {
960 createPool = new CreateIdPoolInputBuilder()
961 .setPoolName(poolName).setLow(AclConstants.ACL_FLOW_PRIORITY_LOW_POOL_START)
962 .setHigh(AclConstants.ACL_FLOW_PRIORITY_LOW_POOL_END).build();
963 } else if ((config.getDefaultBehavior() == DEFAULT_DENY
964 && packetHandlingType == AclConstants.PacketHandlingType.DENY)
965 || (config.getDefaultBehavior() == DEFAULT_ALLOW
966 && packetHandlingType == AclConstants.PacketHandlingType.PERMIT)) {
967 createPool = new CreateIdPoolInputBuilder()
968 .setPoolName(poolName).setLow(AclConstants.ACL_FLOW_PRIORITY_HIGH_POOL_START)
969 .setHigh(AclConstants.ACL_FLOW_PRIORITY_HIGH_POOL_END).build();
971 LOG.error("Got unexpected PacketHandling {} combined with default behavior {}, skipping creation"
972 + "of pool {}", packetHandlingType, config.getDefaultBehavior(), poolName);
976 Future<RpcResult<Void>> result = this.idManager.createIdPool(createPool);
977 if ((result != null) && (result.get().isSuccessful())) {
978 LOG.debug("Created IdPool for {}", poolName);
980 } catch (InterruptedException | ExecutionException e) {
981 LOG.error("Failed to create ID pool [{}] for ACL flow priority", poolName, e);
982 throw new RuntimeException("Failed to create ID pool for ACL flow priority", e);
987 * Creates the id pool.
989 * @param poolName the pool name
991 private void createIdPoolForAclId(String poolName) {
992 CreateIdPoolInput createPool = new CreateIdPoolInputBuilder()
993 .setPoolName(poolName).setLow(AclConstants.ACL_ID_METADATA_POOL_START)
994 .setHigh(AclConstants.ACL_ID_METADATA_POOL_END).build();
996 Future<RpcResult<Void>> result = this.idManager.createIdPool(createPool);
997 if ((result != null) && (result.get().isSuccessful())) {
998 LOG.debug("Created IdPool for {}", poolName);
1000 } catch (InterruptedException | ExecutionException e) {
1001 LOG.error("Failed to create ID pool [{}] for remote ACL ids", poolName, e);
1002 throw new RuntimeException("Failed to create ID pool [{}] for remote ACL ids", e);
1009 * @param poolName the pool name
1011 public void deleteIdPool(String poolName) {
1012 DeleteIdPoolInput deletePool = new DeleteIdPoolInputBuilder().setPoolName(poolName).build();
1014 Future<RpcResult<Void>> result = this.idManager.deleteIdPool(deletePool);
1015 if ((result != null) && (result.get().isSuccessful())) {
1016 LOG.debug("Deleted IdPool for {}", poolName);
1018 } catch (InterruptedException | ExecutionException e) {
1019 LOG.error("Failed to delete ID pool [{}]", poolName, e);
1020 throw new RuntimeException("Failed to delete ID pool [" + poolName + "]", e);
1025 * Gets the acl pool name.
1027 * @param dpId the dp id
1028 * @param tableId the table id
1029 * @param packetHandlingType packet handling type
1030 * @return the acl pool name
1032 public static String getAclPoolName(BigInteger dpId, short tableId,
1033 AclConstants.PacketHandlingType packetHandlingType) {
1034 return AclConstants.ACL_FLOW_PRIORITY_POOL_NAME + "." + dpId + "." + tableId + "." + packetHandlingType;
1038 * Gets the acl pool name.
1040 * @param dpId the dp id
1041 * @param tableId the table id
1042 * @param packetHandling packet handling type
1043 * @return the acl pool name
1045 public static String getAclPoolName(BigInteger dpId, short tableId, PacketHandling packetHandling) {
1046 return packetHandling instanceof Permit
1047 ? getAclPoolName(dpId, tableId, AclConstants.PacketHandlingType.PERMIT)
1048 : getAclPoolName(dpId, tableId, AclConstants.PacketHandlingType.DENY);
1052 * Creates the acl id pools.
1054 * @param dpId the dp id
1056 public void createAclIdPools(BigInteger dpId) {
1057 createIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
1058 AclConstants.PacketHandlingType.PERMIT), AclConstants.PacketHandlingType.PERMIT);
1059 createIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
1060 AclConstants.PacketHandlingType.DENY), AclConstants.PacketHandlingType.DENY);
1061 createIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
1062 AclConstants.PacketHandlingType.PERMIT), AclConstants.PacketHandlingType.PERMIT);
1063 createIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
1064 AclConstants.PacketHandlingType.DENY), AclConstants.PacketHandlingType.DENY);
1068 * Creates remote the acl id pools.
1070 public void createRemoteAclIdPool() {
1071 createIdPoolForAclId(AclConstants.ACL_ID_POOL_NAME);
1075 * Delete remote the acl id pools.
1077 public void deleteRemoteAclIdPool() {
1078 deleteIdPool(AclConstants.ACL_ID_POOL_NAME);
1082 * Delete acl id pools.
1084 * @param dpId the dp id
1086 public void deleteAclIdPools(BigInteger dpId) {
1087 deleteIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
1088 AclConstants.PacketHandlingType.PERMIT));
1089 deleteIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
1090 AclConstants.PacketHandlingType.DENY));
1091 deleteIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
1092 AclConstants.PacketHandlingType.PERMIT));
1093 deleteIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
1094 AclConstants.PacketHandlingType.DENY));
1097 public static List<? extends MatchInfoBase> buildIpAndSrcServiceMatch(long elanTag, AllowedAddressPairs ip,
1098 DataBroker dataBroker, Long vpnId) {
1099 List<MatchInfoBase> flowMatches = new ArrayList<>();
1100 MatchMetadata metadatMatch = null;
1101 if (vpnId == null) {
1103 new MatchMetadata(MetaDataUtil.getElanTagMetadata(elanTag), MetaDataUtil.METADATA_MASK_SERVICE);
1106 new MatchMetadata(MetaDataUtil.getVpnIdMetadata(vpnId), MetaDataUtil.METADATA_MASK_VRFID);
1108 flowMatches.add(metadatMatch);
1109 if (ip.getIpAddress().getIpAddress() != null) {
1110 if (ip.getIpAddress().getIpAddress().getIpv4Address() != null) {
1111 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1112 flowMatches.add(ipv4EthMatch);
1113 MatchIpv4Source srcMatch = new MatchIpv4Source(
1114 new Ipv4Prefix(ip.getIpAddress().getIpAddress().getIpv4Address().getValue() + "/32"));
1115 flowMatches.add(srcMatch);
1116 } else if (ip.getIpAddress().getIpAddress().getIpv6Address() != null) {
1117 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1118 flowMatches.add(ipv6EthMatch);
1119 MatchIpv6Source srcMatch = new MatchIpv6Source(
1120 new Ipv6Prefix(ip.getIpAddress().getIpAddress().getIpv6Address().getValue() + "/128"));
1121 flowMatches.add(srcMatch);
1123 } else if (ip.getIpAddress().getIpPrefix() != null) {
1124 if (ip.getIpAddress().getIpPrefix().getIpv4Prefix() != null) {
1125 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1126 flowMatches.add(ipv4EthMatch);
1127 MatchIpv4Source srcMatch = new MatchIpv4Source(ip.getIpAddress().getIpPrefix().getIpv4Prefix());
1128 flowMatches.add(srcMatch);
1129 } else if (ip.getIpAddress().getIpPrefix().getIpv6Prefix() != null) {
1130 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1131 flowMatches.add(ipv6EthMatch);
1132 MatchIpv6Source srcMatch = new MatchIpv6Source(ip.getIpAddress().getIpPrefix().getIpv6Prefix());
1133 flowMatches.add(srcMatch);
1139 public static List<? extends MatchInfoBase> buildIpAndDstServiceMatch(Long elanTag, AllowedAddressPairs ip,
1140 DataBroker dataBroker, Long vpnId) {
1141 List<MatchInfoBase> flowMatches = new ArrayList<>();
1142 MatchMetadata metadatMatch = null;
1143 if (vpnId == null) {
1145 new MatchMetadata(MetaDataUtil.getElanTagMetadata(elanTag), MetaDataUtil.METADATA_MASK_SERVICE);
1148 new MatchMetadata(MetaDataUtil.getVpnIdMetadata(vpnId), MetaDataUtil.METADATA_MASK_VRFID);
1150 flowMatches.add(metadatMatch);
1152 if (ip.getIpAddress().getIpAddress() != null) {
1153 if (ip.getIpAddress().getIpAddress().getIpv4Address() != null) {
1154 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1155 flowMatches.add(ipv4EthMatch);
1156 MatchIpv4Destination dstMatch = new MatchIpv4Destination(
1157 new Ipv4Prefix(ip.getIpAddress().getIpAddress().getIpv4Address().getValue() + "/32"));
1158 flowMatches.add(dstMatch);
1159 } else if (ip.getIpAddress().getIpAddress().getIpv6Address() != null) {
1160 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1161 flowMatches.add(ipv6EthMatch);
1162 MatchIpv6Destination dstMatch = new MatchIpv6Destination(
1163 new Ipv6Prefix(ip.getIpAddress().getIpAddress().getIpv6Address().getValue() + "/128"));
1164 flowMatches.add(dstMatch);
1166 } else if (ip.getIpAddress().getIpPrefix() != null) {
1167 if (ip.getIpAddress().getIpPrefix().getIpv4Prefix() != null) {
1168 MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
1169 flowMatches.add(ipv4EthMatch);
1170 MatchIpv4Destination dstMatch =
1171 new MatchIpv4Destination(ip.getIpAddress().getIpPrefix().getIpv4Prefix());
1172 flowMatches.add(dstMatch);
1173 } else if (ip.getIpAddress().getIpPrefix().getIpv6Prefix() != null) {
1174 MatchEthernetType ipv6EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV6);
1175 flowMatches.add(ipv6EthMatch);
1176 MatchIpv6Destination dstMatch =
1177 new MatchIpv6Destination(ip.getIpAddress().getIpPrefix().getIpv6Prefix());
1178 flowMatches.add(dstMatch);
1184 public static boolean exactlyOneAcl(AclInterface port) {
1185 return (port.getSecurityGroups() != null) && (port.getSecurityGroups().size() == 1);
1188 public static boolean isOfAclInterest(Acl acl) {
1189 List<Ace> aceList = acl.getAccessListEntries().getAce();
1190 if ((aceList != null) && !aceList.isEmpty()) {
1191 return (aceList.get(0).getAugmentation(SecurityRuleAttr.class) != null);
1196 public static void addLportTagMetadataMatch(int lportTag, List<MatchInfoBase> flowMatches,
1197 Class<? extends ServiceModeBase> serviceMode) {
1198 MatchInfoBase lportMatch = buildLPortTagMatch(lportTag, serviceMode);
1199 InterfaceServiceUtil.mergeMetadataMatchsOrAdd(flowMatches, lportMatch);
1202 static AclInterface buildAclInterfaceState(String interfaceId, InterfaceAcl aclInPort) {
1203 AclInterface aclInterface = new AclInterface();
1204 aclInterface.setInterfaceId(interfaceId);
1205 aclInterface.setPortSecurityEnabled(aclInPort.isPortSecurityEnabled());
1206 aclInterface.setSecurityGroups(aclInPort.getSecurityGroups());
1207 aclInterface.setAllowedAddressPairs(aclInPort.getAllowedAddressPairs());
1208 return aclInterface;