+ if (isComputePort) {
+ if (securityServicesManager.isConntrackEnabled()) {
+ programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write);
+ }
+ programArpRule(dpid, segmentationId, localPort, attachMac, write);
+ }
+ }
+
+ private void programArpRule(Long dpid, String segmentationId, long localPort, String attachMac, boolean write) {
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpid;
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ String flowId = "Ingress_ARP_" + segmentationId + "_" + localPort + "_";
+ EthernetMatchBuilder ethernetType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0806L));
+ ethernetType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetType.build());
+
+ ArpMatchBuilder arpDstMatch = new ArpMatchBuilder();
+ ArpTargetHardwareAddressBuilder arpDst = new ArpTargetHardwareAddressBuilder();
+ arpDst.setAddress(new MacAddress(attachMac));
+ arpDstMatch.setArpTargetHardwareAddress(arpDst.build());
+ matchBuilder.setLayer3Match(arpDstMatch.build());
+ syncFlow(flowId, nodeBuilder, matchBuilder, Constants.PROTO_MATCH_PRIORITY, write, false, securityServicesManager.isConntrackEnabled());
+ }
+
+ private void programIngressAclFixedConntrackRule(Long dpid,
+ String segmentationId, String attachMac, long localPort, boolean write) {
+ try {
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpid;
+ programConntrackUntrackRule(nodeName, segmentationId, localPort, attachMac,
+ Constants.CT_STATE_UNTRACKED_PRIORITY, write );
+ programConntrackTrackedPlusEstRule(nodeName, segmentationId, localPort, attachMac,
+ Constants.CT_STATE_TRACKED_EST_PRIORITY, write );
+ programConntrackNewDropRule(nodeName, segmentationId, localPort, attachMac,
+ Constants.CT_STATE_NEW_PRIORITY_DROP, write );
+ LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are added.");
+ } catch (Exception e) {
+ LOG.error("Failed to add default conntrack rules : " , e);
+ }
+ }
+
+ private void programConntrackUntrackRule(String nodeName, String segmentationId,
+ long localPort, String attachMac, Integer priority, boolean write) {
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ String flowName = "Ingress_Fixed_Conntrk_Untrk_" + segmentationId + "_" + localPort + "_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,attachMac);
+ matchBuilder = MatchUtils.addCtState(matchBuilder,0x00, 0x80);
+ FlowBuilder flowBuilder = new FlowBuilder();
+ flowBuilder.setMatch(matchBuilder.build());
+ FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
+ if (write) {
+ InstructionBuilder ib = new InstructionBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ ActionBuilder ab = new ActionBuilder();
+ ab.setAction(ActionUtils.nxConntrackAction(0, 0L, 0, (short)0x0));
+ // 0xff means no table, 0x0 is table = 0
+ // nxConntrackAction(Integer flags, Long zoneSrc,Integer conntrackZone, Short recircTable)
+ ab.setOrder(0);
+ ab.setKey(new ActionKey(0));
+ List<Action> actionList = Lists.newArrayList();
+ actionList.add(ab.build());
+ ApplyActionsBuilder aab = new ApplyActionsBuilder();
+ aab.setAction(actionList);
+
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ ib.setInstruction(new ApplyActionsCaseBuilder().setApplyActions(aab.build()).build());
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ LOG.info("INGRESS:default programConntrackUntrackRule() flows are written");
+ } else {
+ removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ private void programConntrackTrackedPlusEstRule(String nodeName, String segmentationId,
+ long localPort, String attachMac,Integer priority, boolean write) {
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ String flowName = "Ingress_Fixed_Conntrk_TrkEst_" + segmentationId + "_" + localPort + "_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,attachMac);
+ matchBuilder = MatchUtils.addCtState(matchBuilder,0x82, 0x82);
+ FlowBuilder flowBuilder = new FlowBuilder();
+ flowBuilder.setMatch(matchBuilder.build());
+ FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
+ if (write) {
+ InstructionBuilder ib = new InstructionBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+ InstructionsBuilder isb = new InstructionsBuilder();
+
+ ib = this.getMutablePipelineInstructionBuilder();
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ LOG.info("INGRESS:default programConntrackTrackedPlusEstRule() flows are written");
+ } else {
+ removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ private void programConntrackNewDropRule(String nodeName, String segmentationId,
+ long localPort, String attachMac, Integer priority, boolean write) {
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ String flowName = "Ingress_Fixed_Conntrk_NewDrop_" + segmentationId + "_" + localPort + "_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,attachMac);
+ matchBuilder = MatchUtils.addCtState(matchBuilder,0x01, 0x01);
+ FlowBuilder flowBuilder = new FlowBuilder();
+ flowBuilder.setMatch(matchBuilder.build());
+ FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+
+ // Instructions List Stores Individual Instructions
+ List<Instruction> instructions = Lists.newArrayList();
+
+ // Set the Output Port/Iface
+ InstructionUtils.createDropInstructions(ib);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructions.add(ib.build());
+
+ // Add InstructionBuilder to the Instruction(s)Builder List
+ isb.setInstruction(instructions);
+ LOG.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ LOG.info("INGRESS:default programConntrackNewDropRule flows are written");
+ } else {
+ removeFlow(flowBuilder, nodeBuilder);
+ }