2 * Copyright (c) 2016 Ericsson India Global Services Pvt Ltd. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netvirt.neutronvpn;
10 import com.google.common.collect.ImmutableBiMap;
11 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
12 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
13 import org.opendaylight.genius.datastoreutils.AsyncDataTreeChangeListenerBase;
14 import org.opendaylight.genius.mdsalutil.MDSALUtil;
15 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.AccessLists;
16 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
17 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclKey;
18 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
19 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
20 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.AceBuilder;
21 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.AceKey;
22 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.ActionsBuilder;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.MatchesBuilder;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.actions.packet.handling.PermitBuilder;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIpBuilder;
26 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.ace.ip.version.AceIpv4Builder;
27 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.ace.ip.version.AceIpv6Builder;
28 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv4Prefix;
29 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv6Prefix;
30 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber;
31 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160218.acl.transport.header.fields.DestinationPortRangeBuilder;
32 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160218.acl.transport.header.fields.SourcePortRangeBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttrBuilder;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.DirectionBase;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.DirectionEgress;
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.DirectionIngress;
38 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolBase;
39 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolIcmp;
40 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolIcmpV6;
41 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolTcp;
42 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.constants.rev150712.ProtocolUdp;
43 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron;
44 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.secgroups.rev150712.SecurityRuleAttributes;
45 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.secgroups.rev150712.security.rules.attributes.SecurityRules;
46 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.secgroups.rev150712.security.rules.attributes.security.rules.SecurityRule;
47 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
48 import org.slf4j.Logger;
49 import org.slf4j.LoggerFactory;
51 public class NeutronSecurityRuleListener
52 extends AsyncDataTreeChangeListenerBase<SecurityRule, NeutronSecurityRuleListener> {
53 private static final Logger LOG = LoggerFactory.getLogger(NeutronSecurityRuleListener.class);
54 private final DataBroker dataBroker;
55 private static final ImmutableBiMap<Class<? extends DirectionBase>, Class<? extends org.opendaylight.yang.gen.
56 v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionBase>> DIRECTION_MAP = ImmutableBiMap.of(
57 DirectionEgress.class, NeutronSecurityRuleConstants.DIRECTION_EGRESS,
58 DirectionIngress.class, NeutronSecurityRuleConstants.DIRECTION_INGRESS);
59 private static final ImmutableBiMap<Class<? extends ProtocolBase>, Short> PROTOCOL_MAP = ImmutableBiMap.of(
60 ProtocolIcmp.class, NeutronSecurityRuleConstants.PROTOCOL_ICMP,
61 ProtocolTcp.class, NeutronSecurityRuleConstants.PROTOCOL_TCP,
62 ProtocolUdp.class, NeutronSecurityRuleConstants.PROTOCOL_UDP,
63 ProtocolIcmpV6.class, NeutronSecurityRuleConstants.PROTOCOL_ICMPV6);
65 public NeutronSecurityRuleListener(final DataBroker dataBroker) {
66 super(SecurityRule.class, NeutronSecurityRuleListener.class);
67 this.dataBroker = dataBroker;
71 LOG.info("{} start", getClass().getSimpleName());
72 registerListener(LogicalDatastoreType.CONFIGURATION, dataBroker);
76 protected InstanceIdentifier<SecurityRule> getWildCardPath() {
77 return InstanceIdentifier.create(Neutron.class).child(SecurityRules.class).child(SecurityRule.class);
81 protected void add(InstanceIdentifier<SecurityRule> instanceIdentifier, SecurityRule securityRule) {
82 if (LOG.isTraceEnabled()) {
83 LOG.trace("added securityRule: {}", securityRule);
86 Ace ace = toAceBuilder(securityRule).build();
87 InstanceIdentifier<Ace> identifier = getAceInstanceIdentifier(securityRule);
88 MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, identifier, ace);
89 } catch (Exception ex) {
90 LOG.error("Exception occured while adding acl for security rule: ", ex);
94 private InstanceIdentifier<Ace> getAceInstanceIdentifier(SecurityRule securityRule) {
95 return InstanceIdentifier
96 .builder(AccessLists.class)
98 new AclKey(securityRule.getSecurityGroupId().getValue(), NeutronSecurityRuleConstants.ACLTYPE))
99 .child(AccessListEntries.class)
101 new AceKey(securityRule.getUuid().getValue()))
105 private AceBuilder toAceBuilder(SecurityRule securityRule) {
106 AceIpBuilder aceIpBuilder = new AceIpBuilder();
107 SecurityRuleAttrBuilder securityRuleAttrBuilder = new SecurityRuleAttrBuilder();
108 SourcePortRangeBuilder sourcePortRangeBuilder = new SourcePortRangeBuilder();
109 DestinationPortRangeBuilder destinationPortRangeBuilder = new DestinationPortRangeBuilder();
110 boolean isDirectionIngress = false;
111 if (securityRule.getDirection() != null) {
112 securityRuleAttrBuilder.setDirection(DIRECTION_MAP.get(securityRule.getDirection()));
113 isDirectionIngress = securityRule.getDirection().equals(DirectionIngress.class);
115 if (securityRule.getPortRangeMax() != null) {
116 if (isDirectionIngress) {
117 sourcePortRangeBuilder.setUpperPort(new PortNumber(securityRule.getPortRangeMax()));
119 destinationPortRangeBuilder.setUpperPort(new PortNumber(securityRule.getPortRangeMax()));
122 if (securityRule.getPortRangeMin() != null) {
123 if (isDirectionIngress) {
124 sourcePortRangeBuilder.setLowerPort(new PortNumber(securityRule.getPortRangeMin()));
125 // set source port range if lower port is specified as it is mandatory parameter in acl model
126 aceIpBuilder.setSourcePortRange(sourcePortRangeBuilder.build());
128 destinationPortRangeBuilder.setLowerPort(new PortNumber(securityRule.getPortRangeMin()));
129 // set destination port range if lower port is specified as it is mandatory parameter in acl model
130 aceIpBuilder.setDestinationPortRange(destinationPortRangeBuilder.build());
133 aceIpBuilder = handleRemoteIpPrefix(securityRule, aceIpBuilder, isDirectionIngress);
134 if (securityRule.getRemoteGroupId() != null) {
135 securityRuleAttrBuilder.setRemoteGroupId(securityRule.getRemoteGroupId());
137 if (securityRule.getProtocol() != null) {
138 SecurityRuleAttributes.Protocol protocol = securityRule.getProtocol();
139 if (protocol.getUint8() != null) {
141 aceIpBuilder.setProtocol(protocol.getUint8());
143 // symbolic protocol name
144 aceIpBuilder.setProtocol(PROTOCOL_MAP.get(protocol.getIdentityref()));
148 MatchesBuilder matchesBuilder = new MatchesBuilder();
149 matchesBuilder.setAceType(aceIpBuilder.build());
150 // set acl action as permit for the security rule
151 ActionsBuilder actionsBuilder = new ActionsBuilder();
152 actionsBuilder.setPacketHandling(new PermitBuilder().setPermit(true).build());
154 AceBuilder aceBuilder = new AceBuilder();
155 aceBuilder.setKey(new AceKey(securityRule.getUuid().getValue()));
156 aceBuilder.setRuleName(securityRule.getUuid().getValue());
157 aceBuilder.setMatches(matchesBuilder.build());
158 aceBuilder.setActions(actionsBuilder.build());
159 aceBuilder.addAugmentation(SecurityRuleAttr.class, securityRuleAttrBuilder.build());
163 private AceIpBuilder handleEtherType(SecurityRule securityRule, AceIpBuilder aceIpBuilder) {
164 if (NeutronSecurityRuleConstants.ETHERTYPE_IPV4.equals(securityRule.getEthertype())) {
165 AceIpv4Builder aceIpv4Builder = new AceIpv4Builder();
166 aceIpv4Builder.setSourceIpv4Network(new Ipv4Prefix(
167 NeutronSecurityRuleConstants.IPV4_ALL_NETWORK));
168 aceIpv4Builder.setDestinationIpv4Network(new Ipv4Prefix(
169 NeutronSecurityRuleConstants.IPV4_ALL_NETWORK));
170 aceIpBuilder.setAceIpVersion(aceIpv4Builder.build());
172 AceIpv6Builder aceIpv6Builder = new AceIpv6Builder();
173 aceIpv6Builder.setSourceIpv6Network(new Ipv6Prefix(
174 NeutronSecurityRuleConstants.IPV6_ALL_NETWORK));
175 aceIpv6Builder.setDestinationIpv6Network(new Ipv6Prefix(
176 NeutronSecurityRuleConstants.IPV6_ALL_NETWORK));
177 aceIpBuilder.setAceIpVersion(aceIpv6Builder.build());
183 private AceIpBuilder handleRemoteIpPrefix(SecurityRule securityRule, AceIpBuilder aceIpBuilder,
184 boolean isDirectionIngress) {
185 if (securityRule.getRemoteIpPrefix() != null) {
186 if (securityRule.getRemoteIpPrefix().getIpv4Prefix() != null) {
187 AceIpv4Builder aceIpv4Builder = new AceIpv4Builder();
188 if (isDirectionIngress) {
189 aceIpv4Builder.setSourceIpv4Network(new Ipv4Prefix(securityRule
190 .getRemoteIpPrefix().getIpv4Prefix().getValue()));
192 aceIpv4Builder.setDestinationIpv4Network(new Ipv4Prefix(securityRule
193 .getRemoteIpPrefix().getIpv4Prefix().getValue()));
195 aceIpBuilder.setAceIpVersion(aceIpv4Builder.build());
197 AceIpv6Builder aceIpv6Builder = new AceIpv6Builder();
198 if (isDirectionIngress) {
199 aceIpv6Builder.setSourceIpv6Network(new Ipv6Prefix(
200 securityRule.getRemoteIpPrefix().getIpv6Prefix().getValue()));
202 aceIpv6Builder.setDestinationIpv6Network(new Ipv6Prefix(
203 securityRule.getRemoteIpPrefix().getIpv6Prefix().getValue()));
205 aceIpBuilder.setAceIpVersion(aceIpv6Builder.build());
208 if (securityRule.getEthertype() != null) {
209 handleEtherType( securityRule, aceIpBuilder);
217 protected void remove(InstanceIdentifier<SecurityRule> instanceIdentifier, SecurityRule securityRule) {
218 if (LOG.isTraceEnabled()) {
219 LOG.trace("removed securityRule: {}", securityRule);
222 InstanceIdentifier<Ace> identifier = getAceInstanceIdentifier(securityRule);
223 MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, identifier);
224 } catch (Exception ex) {
225 LOG.error("Exception occured while removing acl for security rule: ", ex);
230 protected void update(InstanceIdentifier<SecurityRule> instanceIdentifier, SecurityRule oldSecurityRule, SecurityRule updatedSecurityRule) {
231 // security rule updation is not supported from openstack, so no need to handle update.
232 LOG.trace("updates on security rules not supported.");
236 protected NeutronSecurityRuleListener getDataTreeChangeListener() {