2 * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
9 package org.opendaylight.netvirt.aclservice.utils;
11 import com.google.common.base.Optional;
12 import java.math.BigInteger;
13 import java.util.ArrayList;
14 import java.util.HashMap;
15 import java.util.Iterator;
16 import java.util.List;
18 import java.util.concurrent.ExecutionException;
19 import java.util.concurrent.Future;
20 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
21 import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
22 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
23 import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
24 import org.opendaylight.genius.mdsalutil.MDSALUtil;
25 import org.opendaylight.genius.mdsalutil.MatchFieldType;
26 import org.opendaylight.genius.mdsalutil.MatchInfo;
27 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
28 import org.opendaylight.genius.mdsalutil.MetaDataUtil;
29 import org.opendaylight.genius.mdsalutil.NwConstants;
30 import org.opendaylight.genius.mdsalutil.packet.IPProtocols;
31 import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.AccessLists;
33 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.Ipv4Acl;
34 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
35 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclKey;
36 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
37 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpAddress;
38 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpPrefix;
39 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.Interfaces;
40 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.InterfacesState;
41 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
42 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.InterfaceKey;
43 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceInput;
46 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceInputBuilder;
47 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.GetDpidFromInterfaceOutput;
48 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
49 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceBindings;
50 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeBase;
51 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceTypeFlowBased;
52 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflow;
53 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflowBuilder;
54 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.ServicesInfo;
55 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.ServicesInfoKey;
56 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
57 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesBuilder;
58 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesKey;
59 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
60 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl;
61 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
62 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
63 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
64 import org.opendaylight.yangtools.yang.binding.DataObject;
65 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
66 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier.InstanceIdentifierBuilder;
67 import org.opendaylight.yangtools.yang.common.RpcResult;
68 import org.slf4j.Logger;
69 import org.slf4j.LoggerFactory;
71 public final class AclServiceUtils {
/** Logger shared by every static helper in this class. */
private static final Logger LOG = LoggerFactory.getLogger(AclServiceUtils.class);

/** Not instantiable: the class only hosts static helpers. */
private AclServiceUtils() {
}
/**
 * Retrieves the interface from the datastore.
 *
 * @param broker the data broker
 * @param interfaceName the interface name
 * @return the interface.
 */
public static Optional<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
    .Interface> getInterface(DataBroker broker, String interfaceName) {
    // The lookup targets the CONFIGURATION datastore only; operational state is read elsewhere.
    final InstanceIdentifier<Interface> interfacePath = getInterfaceIdentifier(interfaceName);
    return read(broker, LogicalDatastoreType.CONFIGURATION, interfacePath);
}
/**
 * Builds the interface identifier.
 *
 * @param interfaceName the interface name.
 * @return the interface identifier.
 */
public static InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
    .interfaces.Interface> getInterfaceIdentifier(String interfaceName) {
    // The list entry is keyed by the interface name under the Interfaces root.
    final InterfaceKey interfaceKey = new InterfaceKey(interfaceName);
    return InstanceIdentifier.builder(Interfaces.class)
            .child(Interface.class, interfaceKey)
            .build();
}
/**
 * Retrieves the object from the datastore.
 *
 * @param broker the data broker.
 * @param datastoreType the data store type.
 * @param path the wild card path.
 * @return the required object.
 */
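public static <T extends DataObject> Optional<T> read(
        DataBroker broker, LogicalDatastoreType datastoreType, InstanceIdentifier<T> path) {
    // try-with-resources closes the read-only transaction on every path, including when
    // checkedGet() throws, so a failed read cannot leave the transaction open.
    try (ReadOnlyTransaction tx = broker.newReadOnlyTransaction()) {
        return tx.read(datastoreType, path).checkedGet();
    } catch (ReadFailedException e) {
        // Best effort: the failure is logged and reported as "absent".
        // NOTE(review): callers cannot tell a failed read from missing data; ACL code that
        // treats absence as "nothing to enforce" should be checked for fail-open behaviour.
        LOG.warn("Failed to read InstanceIdentifier {} from {}", path, datastoreType, e);
        return Optional.absent();
    }
}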
/**
 * Retrieves the ACL matching the key from the data store.
 *
 * @param broker the data broker
 * @param aclKey the acl key
 */
public static Acl getAcl(DataBroker broker, String aclKey) {
    final InstanceIdentifier<Acl> aclPath = getAclInstanceIdentifier(aclKey);
    final Optional<Acl> optAcl = read(broker, LogicalDatastoreType.CONFIGURATION, aclPath);
    // NOTE(review): the listing omits the lines after the presence check; a missing ACL is
    // assumed to yield null, so callers must null-check before dereferencing the result.
    return optAcl.isPresent() ? optAcl.get() : null;
}
/**
 * Creates the Acl instance identifier.
 *
 * @param aclKey the acl key
 * @return the instance identifier
 */
public static InstanceIdentifier<Acl> getAclInstanceIdentifier(String aclKey) {
    // The key is always built with the Ipv4Acl type, so only ACLs stored under that type resolve.
    final AclKey key = new AclKey(aclKey, Ipv4Acl.class);
    return InstanceIdentifier.builder(AccessLists.class).child(Acl.class, key).build();
}
/**
 * Gets the data path number for the interface.
 *
 * @param interfaceManagerRpcService interfaceManagerRpcService instance.
 * @param ifName the interface name.
 */
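public static BigInteger getDpnForInterface(OdlInterfaceRpcService interfaceManagerRpcService, String ifName) {
    // BigInteger.ZERO doubles as the "DPN unknown" value on every failure path below.
    // NOTE(review): callers should treat ZERO as "do not program flows" - confirm at call sites.
    BigInteger nodeId = BigInteger.ZERO;
    try {
        GetDpidFromInterfaceInput dpIdInput =
                new GetDpidFromInterfaceInputBuilder().setIntfName(ifName).build();
        Future<RpcResult<GetDpidFromInterfaceOutput>> dpIdOutput =
                interfaceManagerRpcService.getDpidFromInterface(dpIdInput);
        RpcResult<GetDpidFromInterfaceOutput> dpIdResult = dpIdOutput.get();
        if (dpIdResult.isSuccessful()) {
            nodeId = dpIdResult.getResult().getDpid();
        } else {
            LOG.error("Could not retrieve DPN Id for interface {}", ifName);
        }
    } catch (InterruptedException e) {
        // Restore the interrupt flag so the calling thread can still observe the interruption.
        Thread.currentThread().interrupt();
        LOG.error("Exception when getting dpn for interface {}", ifName, e);
    } catch (NullPointerException | ExecutionException e) {
        // Deliberate best effort: a null service, future or RPC result is logged, not rethrown.
        LOG.error("Exception when getting dpn for interface {}", ifName, e);
    }
    return nodeId;
}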
/**
 * Retrieves the interface state.
 *
 * @param dataBroker the data broker.
 * @param interfaceName the interface name.
 * @return the interface state.
 */
public static org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state
    .Interface getInterfaceStateFromOperDS(DataBroker dataBroker, String interfaceName) {
    // Interface state is read from the OPERATIONAL datastore through the genius MDSALUtil helper.
    final Optional<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
        .interfaces.state.Interface> stateLookup = MDSALUtil.read(
            LogicalDatastoreType.OPERATIONAL, buildStateInterfaceId(interfaceName), dataBroker);
    // NOTE(review): the listing omits the body of the "not present" branch; null is assumed.
    return stateLookup.isPresent() ? stateLookup.get() : null;
}
/**
 * Builds the instance identifier of the interface state.
 *
 * @param interfaceName the interface name.
 * @return the interface state identifier.
 */
public static InstanceIdentifier<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508
    .interfaces.state.Interface> buildStateInterfaceId(String interfaceName) {
    // The state entry is keyed by the interface name under the InterfacesState root.
    final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state
        .InterfaceKey stateKey = new org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces
            .rev140508.interfaces.state.InterfaceKey(interfaceName);
    return InstanceIdentifier.builder(InterfacesState.class)
            .child(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces
                .state.Interface.class, stateKey)
            .build();
}
/**
 * Checks whether port security is enabled for the port.
 *
 * @param port the port.
 * @return whether port security is enabled.
 */
public static boolean isPortSecurityEnabled(AclInterface port) {
    // Pure delegation: the flag is read straight from the AclInterface; port is not null-checked here.
    final boolean portSecurityEnabled = port.isPortSecurityEnabled();
    return portSecurityEnabled;
}
/**
 * Retrieves the security groups associated with the port.
 *
 * @param port the port.
 * @return the list of security groups.
 */
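public static List<Uuid> getInterfaceAcls(Interface port) {
    // NOTE(review): the listing omits the guard and return lines; both failure paths are
    // assumed to return null, so callers must null-check the result.
    if (port == null) {
        LOG.error("Port is Null");
        return null;
    }
    InterfaceAcl aclInPort = port.getAugmentation(InterfaceAcl.class);
    if (aclInPort == null) {
        // The previous message ended in a stray "}" instead of a "{}" placeholder, so the
        // port name was never logged; the text now matches getPortAllowedAddresses.
        LOG.error("getSecurityGroupInPortList: no security group associated to Interface port: {}",
                port.getName());
        return null;
    }
    return aclInPort.getSecurityGroups();
}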
/**
 * Retrieves the security rule attribute augmentation from the access list entry.
 *
 * @param ace the access list entry
 * @return the security rule attributes
 */
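public static SecurityRuleAttr getAccesssListAttributes(Ace ace) {
    // NOTE(review): the listing omits the guard and return lines; both failure paths are
    // assumed to return null, so callers must null-check before reading attributes.
    if (ace == null) {
        LOG.error("Ace is Null");
        return null;
    }
    SecurityRuleAttr aceAttributes = ace.getAugmentation(SecurityRuleAttr.class);
    if (aceAttributes == null) {
        // Distinct message: here the entry exists but carries no SecurityRuleAttr augmentation,
        // which the former "Ace is null" text misreported.
        LOG.error("Ace has no SecurityRuleAttr augmentation");
        return null;
    }
    return aceAttributes;
}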
/**
 * Returns the DHCP match.
 *
 * @param srcPort the source port.
 * @param dstPort the destination port.
 * @param lportTag the lport tag
 * @return list of matches.
 */
public static List<MatchInfoBase> buildDhcpMatches(int srcPort, int dstPort, int lportTag) {
    // Match order is kept: IPv4 ethertype, UDP, destination port, source port, lport tag.
    final long[] ethType = {NwConstants.ETHTYPE_IPV4};
    final long[] ipProtocol = {IPProtocols.UDP.intValue()};
    final long[] udpDestination = {dstPort};
    final long[] udpSource = {srcPort};

    final List<MatchInfoBase> dhcpMatches = new ArrayList<>(6);
    dhcpMatches.add(new MatchInfo(MatchFieldType.eth_type, ethType));
    dhcpMatches.add(new MatchInfo(MatchFieldType.ip_proto, ipProtocol));
    dhcpMatches.add(new MatchInfo(MatchFieldType.udp_dst, udpDestination));
    dhcpMatches.add(new MatchInfo(MatchFieldType.udp_src, udpSource));
    // The lport tag ties the match to one logical port's metadata.
    dhcpMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
    return dhcpMatches;
}
/**
 * Builds the service id.
 *
 * @param interfaceName the interface name
 * @param serviceIndex the service index
 * @param serviceMode the service mode
 * @return the instance identifier
 */
public static InstanceIdentifier<BoundServices> buildServiceId(String interfaceName, short serviceIndex,
        Class<? extends ServiceModeBase> serviceMode) {
    // Two-level key: (interface name, service mode) selects the ServicesInfo entry,
    // then the service index selects the bound service inside it.
    final ServicesInfoKey servicesInfoKey = new ServicesInfoKey(interfaceName, serviceMode);
    final BoundServicesKey boundServicesKey = new BoundServicesKey(serviceIndex);
    return InstanceIdentifier.builder(ServiceBindings.class)
            .child(ServicesInfo.class, servicesInfoKey)
            .child(BoundServices.class, boundServicesKey)
            .build();
}
/**
 * Gets the bound services.
 *
 * @param serviceName the service name
 * @param servicePriority the service priority
 * @param flowPriority the flow priority
 * @param cookie the cookie
 * @param instructions the instructions
 * @return the bound services
 */
public static BoundServices getBoundServices(String serviceName, short servicePriority, int flowPriority,
        BigInteger cookie, List<Instruction> instructions) {
    // OpenFlow-specific part: cookie, flow priority and instruction list.
    final StypeOpenflow openflowAugmentation = new StypeOpenflowBuilder()
            .setFlowCookie(cookie)
            .setFlowPriority(flowPriority)
            .setInstruction(instructions)
            .build();

    // The service priority is used both as the list key and as the priority leaf.
    final BoundServicesBuilder serviceBuilder = new BoundServicesBuilder();
    serviceBuilder.setKey(new BoundServicesKey(servicePriority));
    serviceBuilder.setServiceName(serviceName);
    serviceBuilder.setServicePriority(servicePriority);
    serviceBuilder.setServiceType(ServiceTypeFlowBased.class);
    serviceBuilder.addAugmentation(StypeOpenflow.class, openflowAugmentation);
    return serviceBuilder.build();
}
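/**
 * Computes the ACLs present in the updated list but not in the current one.
 *
 * @param updatedAclList the ACL ids after the update, may be null
 * @param currentAclList the ACL ids to subtract, may be null
 * @return a new list holding the updated ids that have no equal value in the current list;
 *         null when {@code updatedAclList} is null (NOTE(review): that return line is not
 *         shown in the listing and is assumed)
 */
public static List<Uuid> getUpdatedAclList(List<Uuid> updatedAclList, List<Uuid> currentAclList) {
    if (updatedAclList == null) {
        return null;
    }
    // Work on a copy so the caller's list is never modified.
    List<Uuid> newAclList = new ArrayList<>(updatedAclList);
    if (currentAclList == null) {
        return newAclList;
    }
    for (Iterator<Uuid> iterator = newAclList.iterator(); iterator.hasNext();) {
        Uuid updatedAclUuid = iterator.next();
        for (Uuid currentAclUuid : currentAclList) {
            if (updatedAclUuid.getValue().equals(currentAclUuid.getValue())) {
                iterator.remove();
                // Stop at the first hit: a second Iterator.remove() for the same element
                // (duplicate ids in the current list) would throw IllegalStateException
                // and abort the ACL delta computation.
                break;
            }
        }
    }
    return newAclList;
}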
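/**
 * Computes the allowed address pairs present in the updated list but not in the current one.
 *
 * @param updatedAllowedAddressPairs the pairs after the update, may be null
 * @param currentAllowedAddressPairs the pairs to subtract, may be null
 * @return a new list holding the updated pairs whose key has no equal in the current list;
 *         null when {@code updatedAllowedAddressPairs} is null (NOTE(review): that return
 *         line is not shown in the listing and is assumed)
 */
public static List<AllowedAddressPairs> getUpdatedAllowedAddressPairs(
        List<AllowedAddressPairs> updatedAllowedAddressPairs,
        List<AllowedAddressPairs> currentAllowedAddressPairs) {
    if (updatedAllowedAddressPairs == null) {
        return null;
    }
    // Work on a copy so the caller's list is never modified.
    List<AllowedAddressPairs> newAllowedAddressPairs = new ArrayList<>(updatedAllowedAddressPairs);
    if (currentAllowedAddressPairs == null) {
        return newAllowedAddressPairs;
    }
    for (Iterator<AllowedAddressPairs> iterator = newAllowedAddressPairs.iterator(); iterator.hasNext();) {
        AllowedAddressPairs updatedAllowedAddressPair = iterator.next();
        for (AllowedAddressPairs currentAllowedAddressPair : currentAllowedAddressPairs) {
            if (updatedAllowedAddressPair.getKey().equals(currentAllowedAddressPair.getKey())) {
                iterator.remove();
                // Stop at the first hit: removing the same element twice through the
                // iterator throws IllegalStateException when the current list has duplicates.
                break;
            }
        }
    }
    return newAllowedAddressPairs;
}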
/**
 * Retrieves the allowed address pairs carried by the port's InterfaceAcl augmentation.
 *
 * @param port the port
 * @return the allowed address pairs; null when the port or its augmentation is missing
 *         (NOTE(review): the null returns are not shown in the listing and are assumed)
 */
public static List<AllowedAddressPairs> getPortAllowedAddresses(Interface port) {
    if (port != null) {
        final InterfaceAcl portAcl = port.getAugmentation(InterfaceAcl.class);
        if (portAcl != null) {
            return portAcl.getAllowedAddressPairs();
        }
        LOG.error("getSecurityGroupInPortList: no security group associated to Interface port: {}", port.getName());
    } else {
        LOG.error("Port is Null");
    }
    return null;
}
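/**
 * Derives the datapath id from the first lower-layer interface of an interface state.
 *
 * @param interfaceState the operational interface state; must not be null
 * @return the datapath id, or null when the state lists no lower-layer interface
 */
public static BigInteger getDpIdFromIterfaceState(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf
    .interfaces.rev140508.interfaces.state.Interface interfaceState) {
    // The unused interfaceName local was dropped; only the lower-layer list is consulted.
    List<String> ofportIds = interfaceState.getLowerLayerIf();
    if (ofportIds == null || ofportIds.isEmpty()) {
        // No port binding known: callers must handle null rather than assume a datapath.
        return null;
    }
    // Only the first entry is used; it is interpreted as an OpenFlow node connector id.
    NodeConnectorId nodeConnectorId = new NodeConnectorId(ofportIds.get(0));
    return BigInteger.valueOf(MDSALUtil.getDpnIdFromPortName(nodeConnectorId));
}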
/**
 * Builds the IP matches.
 *
 * @param ipPrefixOrAddress the ip prefix or address
 * @param ipv4MatchType the ipv4 match type
 */
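public static List<MatchInfoBase> buildIpMatches(IpPrefixOrAddress ipPrefixOrAddress,
                                                 MatchFieldType ipv4MatchType) {
    List<MatchInfoBase> flowMatches = new ArrayList<>();
    flowMatches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));

    String address = null;
    String prefixLength = null;
    IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
    if (ipPrefix != null) {
        // getIpv4Prefix() is checked before getValue(): dereferencing it unguarded throws
        // NullPointerException when the prefix carries no IPv4 value.
        if (ipPrefix.getIpv4Prefix() != null && ipPrefix.getIpv4Prefix().getValue() != null) {
            String[] ipaddressValues = ipPrefix.getIpv4Prefix().getValue().split("/");
            // Expect exactly "address/length"; anything else is treated as unusable.
            if (ipaddressValues.length == 2) {
                address = ipaddressValues[0];
                prefixLength = ipaddressValues[1];
            }
        }
    } else {
        IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
        if (ipAddress != null && ipAddress.getIpv4Address() != null) {
            // A bare address is matched as a /32 host route.
            address = ipAddress.getIpv4Address().getValue();
            prefixLength = "32";
        }
    }

    if (address == null) {
        // NOTE(review): without an IP match the returned list constrains only the ethertype.
        // A flow built from it would match every IPv4 packet, so callers should confirm
        // they do not install it as an allow rule.
        LOG.warn("No usable IPv4 address or prefix in {}; returning the ethertype match only",
                ipPrefixOrAddress);
    } else {
        flowMatches.add(new MatchInfo(ipv4MatchType, new String[] {address, prefixLength}));
    }
    return flowMatches;
}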
/**
 * Gets the lport tag match.
 *
 * @param lportTag the lport tag
 * @return the lport tag match
 */
public static MatchInfo buildLPortTagMatch(int lportTag) {
    // Metadata match is a (value, mask) pair: the tag's metadata value under the lport-tag mask.
    final BigInteger lportTagMetadata = MetaDataUtil.getLportTagMetaData(lportTag);
    final BigInteger[] valueAndMask = {lportTagMetadata, MetaDataUtil.METADATA_MASK_LPORT_TAG};
    return new MatchInfo(MatchFieldType.metadata, valueAndMask);
}
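/**
 * Collects the access list entries of the port's security groups that reference a remote ACL.
 *
 * @param dataBroker the data broker used to load each ACL
 * @param port the port whose security groups are scanned
 * @param remoteAcl the remote ACL id to look for
 * @return the matching entries; empty when none match or nothing could be loaded
 */
public static List<Ace> getAceWithRemoteAclId(DataBroker dataBroker, AclInterface port, Uuid remoteAcl) {
    List<Ace> remoteAclRuleList = new ArrayList<>();
    List<Uuid> aclList = port.getSecurityGroups();
    if (aclList == null) {
        return remoteAclRuleList;
    }
    for (Uuid aclId : aclList) {
        Acl acl = getAcl(dataBroker, aclId.getValue());
        // getAcl can come back without an ACL (not configured or read failed); skip it
        // instead of failing the whole scan with a NullPointerException.
        if (acl == null || acl.getAccessListEntries() == null
                || acl.getAccessListEntries().getAce() == null) {
            continue;
        }
        for (Ace ace : acl.getAccessListEntries().getAce()) {
            SecurityRuleAttr aceAttributes = getAccesssListAttributes(ace);
            if (aceAttributes == null) {
                // Entry without the SecurityRuleAttr augmentation cannot name a remote group.
                continue;
            }
            Uuid tempRemoteAcl = aceAttributes.getRemoteGroupId();
            if (tempRemoteAcl != null && tempRemoteAcl.equals(remoteAcl)) {
                remoteAclRuleList.add(ace);
            }
        }
    }
    return remoteAclRuleList;
}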
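/**
 * Expands each flow into one flow per allowed address pair of every interface that uses the
 * remote ACL, skipping the interface being processed.
 *
 * @param remoteAclId the remote ACL id whose interfaces are looked up
 * @param ignoreInterfaceId the interface id to leave out
 * @param flowMatchesMap the base flows, keyed by flow name
 * @param isSourceIpMacMatch true to match the pair as source, false as destination
 * @return the expanded flows keyed by generated flow id; null when there is no base map or
 *         no interface (NOTE(review): that return line is not shown in the listing and is
 *         assumed)
 */
public static Map<String, List<MatchInfoBase>> getFlowForRemoteAcl(Uuid remoteAclId, String ignoreInterfaceId,
                                                                   Map<String, List<MatchInfoBase>>
                                                                           flowMatchesMap, boolean
                                                                           isSourceIpMacMatch) {
    List<AclInterface> interfaceList = AclDataUtil.getInterfaceList(remoteAclId);
    if (flowMatchesMap == null || interfaceList == null || interfaceList.isEmpty()) {
        return null;
    }
    Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
    // entrySet() avoids a second lookup per flow name.
    for (Map.Entry<String, List<MatchInfoBase>> flowEntry : flowMatchesMap.entrySet()) {
        String flowName = flowEntry.getKey();
        List<MatchInfoBase> flows = flowEntry.getValue();
        for (AclInterface port : interfaceList) {
            if (port.getInterfaceId().equals(ignoreInterfaceId)) {
                continue;
            }
            List<AllowedAddressPairs> allowedAddressPair = port.getAllowedAddressPairs();
            if (allowedAddressPair == null) {
                // A port without allowed address pairs contributes no flows; skipping it
                // keeps one such port from aborting the expansion for all the others.
                continue;
            }
            // One flow per allowed address pair, with a flow id unique per port and pair.
            for (AllowedAddressPairs aap : allowedAddressPair) {
                List<MatchInfoBase> matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
                String flowId = flowName + "_remoteACL_interface_" + port.getInterfaceId() + "_aap_" + aap.getKey();
                updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
            }
        }
    }
    return updatedFlowMatchesMap;
}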
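/**
 * Expands each flow into one flow per allowed address pair in the given list.
 *
 * @param syncAllowedAddresses the allowed address pairs to expand over, may be null
 * @param flowMatchesMap the base flows, keyed by flow name
 * @param isSourceIpMacMatch true to match the pair as source, false as destination
 * @return the expanded flows keyed by generated flow id; null when there is no base map
 *         (NOTE(review): that return line is not shown in the listing and is assumed)
 */
public static Map<String, List<MatchInfoBase>> getFlowForAllowedAddresses(List<AllowedAddressPairs>
                                                                                  syncAllowedAddresses,
                                                                          Map<String, List<MatchInfoBase>>
                                                                                  flowMatchesMap, boolean
                                                                                  isSourceIpMacMatch) {
    if (flowMatchesMap == null) {
        return null;
    }
    Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
    if (syncAllowedAddresses == null) {
        // Nothing to expand over: return the empty result instead of failing in the loop.
        return updatedFlowMatchesMap;
    }
    // entrySet() avoids a second lookup per flow name.
    for (Map.Entry<String, List<MatchInfoBase>> flowEntry : flowMatchesMap.entrySet()) {
        String flowName = flowEntry.getKey();
        List<MatchInfoBase> flows = flowEntry.getValue();
        // One flow per allowed address pair, with the pair's key in the flow id.
        for (AllowedAddressPairs aap : syncAllowedAddresses) {
            List<MatchInfoBase> matchInfoBaseList = updateAAPMatches(isSourceIpMacMatch, flows, aap);
            String flowId = flowName + "_remoteACL_interface_aap_" + aap.getKey();
            updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
        }
    }
    return updatedFlowMatchesMap;
}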
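/**
 * Builds the match list for one allowed address pair: the pair's IP match followed by the
 * base flow matches.
 *
 * @param isSourceIpMacMatch true to match the pair as IPv4 source, false as IPv4 destination
 * @param flows the base matches; read only, never modified
 * @param aap the allowed address pair supplying the IP address or prefix
 * @return a new list with the pair's IP matches first, then every entry of {@code flows}
 */
private static List<MatchInfoBase> updateAAPMatches(boolean isSourceIpMacMatch, List<MatchInfoBase> flows,
                                                    AllowedAddressPairs aap) {
    // flows is shared across the callers' loop iterations, so it is left untouched. Calling
    // flows.remove(...) with a MatchFieldType constant removes nothing, because that
    // argument never equals a MatchInfoBase element.
    // NOTE(review): any IPv4 source/destination match already in flows is therefore carried
    // over next to the pair's own IP match; filter it by match field once the accessor on
    // MatchInfoBase is confirmed, otherwise the flow may hold two conflicting IP matches.
    MatchFieldType ipMatchType =
            isSourceIpMacMatch ? MatchFieldType.ipv4_source : MatchFieldType.ipv4_destination;
    List<MatchInfoBase> matchInfoBaseList = AclServiceUtils.buildIpMatches(aap.getIpAddress(), ipMatchType);
    matchInfoBaseList.addAll(flows);
    return matchInfoBaseList;
}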