Bug 6089: Fix to drop Tcp Syn packets after default SG removed.
[netvirt.git] / openstack / net-virt-providers / src / main / java / org / opendaylight / netvirt / openstack / netvirt / providers / openflow13 / services / EgressAclService.java
index 0ebbfc446c5f76da368e74ca0bab524a7b4af4a4..a531f4d82be2931b12d40e20fe0c15c21c6d4a18 100644 (file)
@@ -242,30 +242,28 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
         programArpRule(dpid, segmentationId, localPort, attachedMac, write);
         if (securityServicesManager.isConntrackEnabled()) {
             programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write);
+        } else {
+            // add rule to drop tcp syn packets from the vm
+            addTcpSynFlagMatchDrop(dpid, segmentationId, attachedMac, write,
+                                                         Constants.PROTO_TCP_SYN_MATCH_PRIORITY_DROP);
         }
         // add rule to drop the DHCP server traffic originating from the vm.
         egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
                                              Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
         egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
                                                Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
-        //Adds rule to check legitimate ip/mac pair for each packet from the vm
-        for (Neutron_IPs srcAddress : srcAddressList) {
-            try {
-                InetAddress address = InetAddress.getByName(srcAddress.getIpAddress());
-                if (address instanceof Inet4Address) {
-                    String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
-                    egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
-                                                         Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
-                } else if (address instanceof Inet6Address) {
-                    String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK;
-                    egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix,
-                                                           Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
-                }
-            } catch (UnknownHostException e) {
-                LOG.warn("Invalid IP address {}", srcAddress.getIpAddress(), e);
-            }
-        }
+    }
 
+    private void addTcpSynFlagMatchDrop(Long dpidLong, String segmentationId, String srcMac,
+                                  boolean write, Integer priority) {
+        String flowName = "Egress_TCP_" + segmentationId + "_" + srcMac + "_DROP_";
+        MatchBuilder matchBuilder = new MatchBuilder();
+        flowName = flowName + "_";
+        matchBuilder = MatchUtils.createTcpSynWithProtoMatch(matchBuilder);
+        FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
+        addPipelineInstruction(flowBuilder, null, true);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+        syncFlow(flowBuilder, nodeBuilder, write);
     }
 
     private void programArpRule(Long dpid, String segmentationId, long localPort, String attachedMac, boolean write) {
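Review bot: In addTcpSynFlagMatchDrop the match built by `matchBuilder = MatchUtils.createTcpSynWithProtoMatch(matchBuilder);` carries neither `srcMac` nor `segmentationId` (both appear only in the flow name), so unless that helper adds such a match the drop flow has the same match and priority for every port on the switch, and a `write=false` for one port would remove the SYN drop for all the others; scoping the match to the VM's source MAC would make the add/remove symmetric per port. The loop over `srcAddressList` that installed the egress IP/MAC-pair allow rules is removed in this hunk without being mentioned in the commit title; if it was not relocated elsewhere, egress anti-spoofing for the VM's addresses is lost with this change, so please confirm or state it in the description. Minor: `flowName = flowName + "_";` after the initial assignment only produces a trailing `_DROP__`, and the `new MatchBuilder()` is immediately replaced by the helper's result, so `String flowName = "Egress_TCP_" + segmentationId + "_" + srcMac + "_DROP_";` followed directly by `MatchBuilder matchBuilder = MatchUtils.createTcpSynWithProtoMatch(new MatchBuilder());` reads cleaner. A short Javadoc stating that this rule is the non-conntrack fallback that drops VM-originated TCP SYNs not permitted by a higher-priority security-group rule would help the next reader.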
@@ -461,6 +459,7 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
                 MatchUtils.addLayer4MatchWithMask(matchBuilder, MatchUtils.TCP_SHORT,
                                                   0, port, portMaskMap.get(port));
                 addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+                addTcpSynMatch(matchBuilder);
                 FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority,
                                                                       matchBuilder, getTable());
                 addInstructionWithConntrackCommit(flowBuilder, false);
@@ -469,6 +468,7 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
         } else {
             flowId = flowId + "_Permit";
             addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+            addTcpSynMatch(matchBuilder);
             FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority,
                                                                   matchBuilder, getTable());
             addInstructionWithConntrackCommit(flowBuilder, false);
@@ -476,6 +476,12 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
         }
     }
 
+    private void addTcpSynMatch(MatchBuilder matchBuilder) {
+        if (!securityServicesManager.isConntrackEnabled()) {
+            MatchUtils.createTcpSynWithProtoMatch(matchBuilder);
+        }
+    }
+
     private void egressAclIcmp(Long dpidLong, String segmentationId, String srcMac,
             NeutronSecurityRule portSecurityRule, String dstAddress,
             boolean write, Integer protoPortMatchPriority) {
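Review bot: The return value of `MatchUtils.createTcpSynWithProtoMatch(matchBuilder);` is discarded in addTcpSynMatch, whereas addTcpSynFlagMatchDrop in the first hunk assigns the helper's result back to its builder; if the helper builds on a copy rather than mutating its argument, the SYN match is silently missing from the permit rules at both call sites (the two earlier hunks). Either make addTcpSynMatch return the builder and have the call sites assign it, or pin the in-place contract with a comment such as `// createTcpSynWithProtoMatch mutates matchBuilder in place; its return value is the same instance`. A one-line Javadoc on addTcpSynMatch saying that the SYN match is only added when conntrack is disabled, so the permit rule pairs with the SYN drop installed by addTcpSynFlagMatchDrop, would document why the check is conditional. egressAclIcmp's body continues outside the hunk.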