- flowMap.writeFlow(nodeId, TABLE_ID, dropFlow(Integer.valueOf(110), FlowUtils.ARP));
- flowMap.writeFlow(nodeId, TABLE_ID, dropFlow(Integer.valueOf(111), FlowUtils.IPv4));
- flowMap.writeFlow(nodeId, TABLE_ID, dropFlow(Integer.valueOf(112), FlowUtils.IPv6));
-
- for (EgKey sepg : ctx.getEndpointManager().getGroupsForNode(nodeId)) {
- for (Endpoint ep : ctx.getEndpointManager().getEndpointsForNode(nodeId, sepg)) {
- OfOverlayContext ofc = ep.getAugmentation(OfOverlayContext.class);
-
- if (ofc != null && ofc.getNodeConnectorId() != null &&
- (ofc.getLocationType() == null ||
- LocationType.Internal.equals(ofc.getLocationType()))) {
- // Allow layer 3 traffic (ARP and IP) with the correct
- // source IP, MAC, and source port
- l3flow(flowMap, nodeId, ep, ofc, 120, false);
- l3flow(flowMap, nodeId, ep, ofc, 121, true);
- flowMap.writeFlow(nodeId, TABLE_ID, l3DhcpDoraFlow(ep, ofc, 115));
-
- // Allow layer 2 traffic with the correct source MAC and
- // source port (note lower priority than drop IP rules)
- flowMap.writeFlow(nodeId, TABLE_ID, l2flow(ep, ofc, 100));
+ ofWriter.writeFlow(nodeId, TABLE_ID, dropFlow(110, FlowUtils.ARP, TABLE_ID));
+ ofWriter.writeFlow(nodeId, TABLE_ID, dropFlow(111, FlowUtils.IPv4, TABLE_ID));
+ ofWriter.writeFlow(nodeId, TABLE_ID, dropFlow(112, FlowUtils.IPv6, TABLE_ID));
+
+ Set<TenantId> tenantIds = new HashSet<>();
+ for (Endpoint ep : ctx.getEndpointManager().getEndpointsForNode(nodeId)) {
+ OfOverlayContext ofc = ep.getAugmentation(OfOverlayContext.class);
+ if (ofc == null || ofc.getNodeConnectorId() == null) {
+ LOG.info("Endpoint {} does not contain node-connector-id. OFOverlay ignores the endpoint.",
+ ep.getKey());
+ continue;
+ }
+
+ tenantIds.add(ep.getTenant());
+ Set<ExternalImplicitGroup> eigs = getExternalImplicitGroupsForTenant(ep.getTenant());
+ if (EndpointManager.isInternal(ep, eigs)) {
+ // Allow layer 3 traffic (ARP and IP) with the correct
+ // source IP, MAC, and source port
+ l3flow(ofWriter, nodeId, ep, ofc, 120, false);
+ l3flow(ofWriter, nodeId, ep, ofc, 121, true);
+ ofWriter.writeFlow(nodeId, TABLE_ID, l3DhcpDoraFlow(ep, ofc, 115));
+
+ // Allow layer 2 traffic with the correct source MAC and
+ // source port (note lower priority than drop IP rules)
+ ofWriter.writeFlow(nodeId, TABLE_ID, l2flow(ep, ofc, 100));
+ } else { // EP is external
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("External Endpoint is ignored in PortSecurity: {}", ep);
+ }
+ }
+ }
+
+ for (TenantId tenantId : tenantIds) {
+ for (NodeConnectorId nc : ctx.getSwitchManager().getExternalPorts(nodeId)) {
+ // TODO Bug 3546 - Difficult: External port is unrelated to Tenant, L3C, L2BD..
+ for (Flow flow : popVlanTagsOnExternalPort(nc, tenantId, 210)) {
+ // Tagged frames have to be untagged when entering policy domain
+ ofWriter.writeFlow(nodeId, TABLE_ID, flow);