/*
- * Copyright (C) 2014 Red Hat, Inc.
+ * Copyright (c) 2014, 2015 Red Hat, Inc. and others. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v1.0 which accompanies this distribution,
* and is available at http://www.eclipse.org/legal/epl-v10.html
- *
- * Authors : Madhu Venugopal
*/
+
package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
import java.math.BigInteger;
import java.util.List;
-import org.opendaylight.neutron.spi.NeutronSecurityGroup;
-import org.opendaylight.neutron.spi.NeutronSecurityRule;
-import org.opendaylight.neutron.spi.Neutron_IPs;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
import org.opendaylight.ovsdb.openstack.netvirt.api.EgressAclProvider;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.ovsdb.openstack.netvirt.providers.ConfigInterface;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
+import org.opendaylight.ovsdb.utils.servicehelper.ServiceHelper;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
public class EgressAclService extends AbstractServiceInstance implements EgressAclProvider, ConfigInterface {
private static final Logger LOG = LoggerFactory.getLogger(EgressAclService.class);
- final int DHCP_SOURCE_PORT = 67;
- final int DHCP_DESTINATION_PORT = 68;
- final String HOST_MASK = "/32";
+ private volatile SecurityServicesManager securityServicesManager;
+ private static final int DHCP_SOURCE_PORT = 67;
+ private static final int DHCP_DESTINATION_PORT = 68;
+ private static final String HOST_MASK = "/32";
+ private static final int PORT_RANGE_MIN = 1;
+ private static final int PORT_RANGE_MAX = 65535;
public EgressAclService() {
super(Service.EGRESS_ACL);
}
@Override
- public void programPortSecurityACL(Long dpid, String segmentationId, String attachedMac, long localPort,
- NeutronSecurityGroup securityGroup) {
+ public void programPortSecurityAcl(Long dpid, String segmentationId, String attachedMac, long localPort,
+ NeutronSecurityGroup securityGroup,
+ List<Neutron_IPs> srcAddressList, boolean write) {
+
+ LOG.trace("programPortSecurityAcl: neutronSecurityGroup: {} ", securityGroup);
+ if (securityGroup == null || securityGroup.getSecurityRules() == null) {
+ return;
+ }
- LOG.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
/* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
for (NeutronSecurityRule portSecurityRule : portSecurityList) {
/**
- * Neutron Port Security ACL "egress" and "IPv4"
- *
+ * Neutron Port Security Acl "egress" and "IPv4"
* Check that the base conditions for flow based Port Security are true:
* Port Security Rule Direction ("egress") and Protocol ("IPv4")
* Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
* http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
*
*/
- if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
+ if ("IPv4".equals(portSecurityRule.getSecurityRuleEthertype())
+ && portSecurityRule.getSecurityRuleDirection().equals("egress")) {
+ LOG.debug("programPortSecurityAcl: Acl Rule matching IPv4 and ingress is: {} ", portSecurityRule);
+ if (null == portSecurityRule.getSecurityRuleProtocol()) {
+ /* TODO Rework on the priority values */
+ egressAclIPv4(dpid, segmentationId, attachedMac,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ } else if (null != portSecurityRule.getSecurityRemoteGroupID()) {
+ //Remote Security group is selected
+ List<Neutron_IPs> remoteSrcAddressList = securityServicesManager
+ .getVmListForSecurityGroup(srcAddressList,portSecurityRule.getSecurityRemoteGroupID());
+ if (null != remoteSrcAddressList) {
+ for (Neutron_IPs vmIp :remoteSrcAddressList ) {
+ switch (portSecurityRule.getSecurityRuleProtocol()) {
+ case MatchUtils.TCP:
+ egressAclTcp(dpid, segmentationId, attachedMac,
+ portSecurityRule,vmIp.getIpAddress(), write,
+ Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.UDP:
+ egressAclUdp(dpid, segmentationId, attachedMac,
+ portSecurityRule,vmIp.getIpAddress(), write,
+ Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.ICMP:
+ egressAclIcmp(dpid, segmentationId, attachedMac,
+ portSecurityRule, vmIp.getIpAddress(),write,
+ Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ default:
+ LOG.error("programPortSecurityAcl: Protocol not supported", portSecurityRule);
+ break;
+ }
+ }
+ }
+ } else {
+ //CIDR is selected
+ switch (portSecurityRule.getSecurityRuleProtocol()) {
+ case MatchUtils.TCP:
+ egressAclTcp(dpid, segmentationId, attachedMac,
+ portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.UDP:
+ egressAclUdp(dpid, segmentationId, attachedMac,
+ portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.ICMP:
+ egressAclIcmp(dpid, segmentationId, attachedMac,
+ portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ default:
+ LOG.error("programPortSecurityAcl: Protocol not supported", portSecurityRule);
+ }
+ }
+ }
+ /*
+ * Code is refactored to handle all the protocols. More
+ * protocols will be added incrementrally
+ * TODO Connection tracking will be used to track active TCP connections This code
+ * may be reused then.
+ */
+ /* if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("egress")) {
LOG.debug("Egress IPV4 ACL Port Security Rule: {} ", portSecurityRule);
// ToDo: Implement Port Range
- /**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- */
+ *//**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
!String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
!String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
continue;
}
- /**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- */
+ *//**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
!String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
continue;
}
- /**
- * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- */
+ *//**
+ * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
continue;
}
- /**
- * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- */
+ *//**
+ * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
continue;
}
- /**
+ *//**
* TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- */
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
!String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
!String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
Constants.PROTO_PORT_MATCH_PRIORITY);
continue;
}
- /**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- */
+ *//**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
!String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
continue;
}
- /**
- * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- */
+ *//**
+ * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
+ *//*
if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
continue;
}
LOG.debug("ACL Match combination not found for rule: {}", portSecurityRule);
- }
+ }*/
}
}
@Override
- public void programFixedSecurityACL(Long dpid, String segmentationId, String attachedMac,
- long localPort, List<Neutron_IPs> srcAddressList, boolean isLastPortinBridge, boolean isComputePort ,boolean write) {
+ public void programFixedSecurityAcl(Long dpid, String segmentationId, String attachedMac,
+ long localPort, List<Neutron_IPs> srcAddressList,
+ boolean isLastPortinBridge, boolean isComputePort ,boolean write) {
// If it is the only port in the bridge add the rule to allow any DHCP client traffic
if (isLastPortinBridge) {
- egressACLDHCPAllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
+ egressAclDhcpAllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
}
- if(isComputePort) {
- // add rule to drop the DHCP server traffic originating from the vm.
- egressACLDHCPDropServerTrafficfromVM(dpid, localPort, write, Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
+ if (isComputePort) {
+ // add rule to drop the DHCP server traffic originating from the vm.
+ egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
+ Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
//Adds rule to check legitimate ip/mac pair for each packet from the vm
- for(Neutron_IPs srcAddress : srcAddressList) {
+ for (Neutron_IPs srcAddress : srcAddressList) {
String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
- egressACLAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix, Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
+ egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
+ Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
+ }
+ }
+ }
+
+ /**
+ * Allows IPv4 packet egress from the src mac address.
+ * @param dpidLong the dpid
+ * @param segmentationId the segementation id
+ * @param srcMac the src mac address
+ * @param write add or remove
+ * @param protoPortMatchPriority the protocol match priority.
+ */
+ private void egressAclIPv4(Long dpidLong, String segmentationId, String srcMac,
+ boolean write, Integer protoPortMatchPriority ) {
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ String flowId = "Egress_IP" + segmentationId + "_" + srcMac + "_Permit_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
+ }
+
+ /**
+ * Creates a egress match with src macaddress. If dest address is specified
+ * destination specific match will be created. Otherwise a match with a
+ * CIDR will be created.
+ * @param dpidLong the dpid
+ * @param segmentationId the segmentation id
+ * @param srcMac the source mac address.
+ * @param portSecurityRule the security rule in the SG
+ * @param dstAddress the destination IP address
+ * @param write add or delete
+ * @param protoPortMatchPriority the protocol match priroty
+ */
+ private void egressAclTcp(Long dpidLong, String segmentationId, String srcMac,
+ NeutronSecurityRule portSecurityRule, String dstAddress,
+ boolean write, Integer protoPortMatchPriority) {
+ MatchBuilder matchBuilder = new MatchBuilder();
+ String flowId = "Egress_TCP_" + segmentationId + "_" + srcMac + "_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+
+ /* Custom TCP Match */
+ if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_";
+ matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0,
+ portSecurityRule.getSecurityRulePortMin());
+ } else {
+ /* All TCP Match */
+ if(portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
+ && portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) {
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" +
+ portSecurityRule.getSecurityRulePortMax()+ "_";
+ matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0, 0);
}
+ /*TODO TCP PortRange Match*/
+
}
+
+ if (null != dstAddress) {
+ flowId = flowId + dstAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()));
+ }
+ flowId = flowId + "_Permit";
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
+
}
+ /**
+ * Creates a egress match with src macaddress. If dest address is specified
+ * destination specific match will be created. Otherwise a match with a
+ * CIDR will be created.
+ * @param dpidLong the dpid
+ * @param segmentationId the segmentation id
+ * @param srcMac the source mac address.
+ * @param portSecurityRule the security rule in the SG
+ * @param dstAddress the source IP address
+ * @param write add or delete
+ * @param protoPortMatchPriority the protocol match priority
+ */
+ private void egressAclIcmp(Long dpidLong, String segmentationId, String srcMac,
+ NeutronSecurityRule portSecurityRule, String dstAddress,
+ boolean write, Integer protoPortMatchPriority) {
+ MatchBuilder matchBuilder = new MatchBuilder();
+ String flowId = "Egress_ICMP_" + segmentationId + "_" + srcMac + "_"
+ + portSecurityRule.getSecurityRulePortMin().shortValue() + "_"
+ + portSecurityRule.getSecurityRulePortMax().shortValue() + "_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createICMPv4Match(matchBuilder,
+ portSecurityRule.getSecurityRulePortMin().shortValue(),
+ portSecurityRule.getSecurityRulePortMax().shortValue());
+ if (null != dstAddress) {
+ flowId = flowId + dstAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
+ }
+ flowId = flowId + "_Permit";
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
+
+ }
+
+ /**
+ * Creates a egress match with src macaddress. If dest address is specified
+ * destination specific match will be created. Otherwise a match with a
+ * CIDR will be created.
+ * @param dpidLong the dpid
+ * @param segmentationId the segmentation id
+ * @param srcMac the source mac address.
+ * @param portSecurityRule the security rule in the SG
+ * @param dstAddress the source IP address
+ * @param write add or delete
+ * @param protoPortMatchPriority the protocol match priroty
+ */
+ private void egressAclUdp(Long dpidLong, String segmentationId, String srcMac,
+ NeutronSecurityRule portSecurityRule, String dstAddress,
+ boolean write, Integer protoPortMatchPriority) {
+
+ MatchBuilder matchBuilder = new MatchBuilder();
+ String flowId = "Egress_UDP_" + segmentationId + "_" + srcMac + "_";
+ matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+
+ /* Custom UDP Match */
+ if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_";
+ matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0,
+ portSecurityRule.getSecurityRulePortMin());
+ } else {
+ /* All UDP Match */
+ if(portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
+ && portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) {
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" +
+ portSecurityRule.getSecurityRulePortMax()+ "_";
+ matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0, 0);
+ }
+ /*TODO UDP PortRange Match*/
+
+ }
+
+ if (null != dstAddress) {
+ flowId = flowId + dstAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()));
+ }
+ flowId = flowId + "_Permit";
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
+
+ }
public void egressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
int priority, boolean write) {
Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
flowBuilder.setMatch(MatchUtils
- .createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
- tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
+ .createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
+ tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
LOG.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
String flowId = "UcastEgress_" + segmentationId + "_" + attachedMac +
- securityRulePortMin + securityRuleIpPrefix;
+ securityRulePortMin + securityRuleIpPrefix;
// Add Flow Attributes
flowBuilder.setId(new FlowId(flowId));
FlowKey key = new FlowKey(new FlowId(flowId));
FlowBuilder flowBuilder = new FlowBuilder();
flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
+ .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
flowBuilder.setMatch(MatchUtils
- .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
+ .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
String flowId = "EgressAllProto_" + segmentationId + "_" +
- attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
+ attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
// Add Flow Attributes
flowBuilder.setId(new FlowId(flowId));
FlowKey key = new FlowKey(new FlowId(flowId));
FlowBuilder flowBuilder = new FlowBuilder();
flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
- .build());
+ .build());
if (securityRuleIpPrefix != null) {
Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
flowBuilder.setMatch(MatchUtils
- .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
- .build());
+ .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
+ .build());
} else {
flowBuilder.setMatch(MatchUtils
- .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
- .build());
+ .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
+ .build());
}
LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
String flowId = "Egress_Proto_ACL" + segmentationId + "_" +
- attachedMac + "_Permit_" + securityRuleIpPrefix;
+ attachedMac + "_Permit_" + securityRuleIpPrefix;
// Add Flow Attributes
flowBuilder.setId(new FlowId(flowId));
FlowKey key = new FlowKey(new FlowId(flowId));
}
/**
- * Adds flow to allow any DHCP client traffic
+ * Adds flow to allow any DHCP client traffic.
*
* @param dpidLong the dpid
* @param write whether to write or delete the flow
* @param protoPortMatchPriority the priority
*/
- public void egressACLDHCPAllowClientTrafficFromVm(Long dpidLong,
- boolean write, Integer protoPortMatchPriority) {
+ private void egressAclDhcpAllowClientTrafficFromVm(Long dpidLong,
+ boolean write, Integer protoPortMatchPriority) {
String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
MatchBuilder matchBuilder = new MatchBuilder();
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
- flowBuilder.setMatch(MatchUtils.createDHCPMatch(matchBuilder, DHCP_DESTINATION_PORT, DHCP_SOURCE_PORT).build());
- LOG.debug("egressACLDHCPAllowClientTrafficFromVm: MatchBuilder contains: {}", flowBuilder.getMatch());
+ MatchUtils.createDhcpMatch(matchBuilder, DHCP_DESTINATION_PORT, DHCP_SOURCE_PORT).build();
+ LOG.debug("egressAclDHCPAllowClientTrafficFromVm: MatchBuilder contains: {}", matchBuilder);
String flowId = "Egress_DHCP_Client" + "_Permit_";
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("egressACLDHCPAllowClientTrafficFromVm: Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
}
/**
* @param write is write or delete
* @param protoPortMatchPriority the priority
*/
- public void egressACLDHCPDropServerTrafficfromVM(Long dpidLong, long localPort,
- boolean write, Integer protoPortMatchPriority) {
+ private void egressAclDhcpDropServerTrafficfromVm(Long dpidLong, long localPort,
+ boolean write, Integer protoPortMatchPriority) {
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
+ //FlowBuilder flowBuilder = new FlowBuilder();
MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
- flowBuilder.setMatch(MatchUtils.createDHCPMatch(matchBuilder, DHCP_SOURCE_PORT, DHCP_DESTINATION_PORT).build());
-
- LOG.debug("egressACLDHCPDropServerTrafficfromVM: MatchBuilder contains: {}", flowBuilder.getMatch());
+ MatchUtils.createDhcpMatch(matchBuilder, DHCP_SOURCE_PORT, DHCP_DESTINATION_PORT).build();
+ LOG.debug("egressAclDHCPDropServerTrafficfromVM: MatchBuilder contains: {}", matchBuilder);
String flowId = "Egress_DHCP_Server" + "_" + localPort + "_DROP_";
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionUtils.createDropInstructions(ib);
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, true);
- LOG.debug("egressACLDHCPDropServerTrafficfromVM: Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
}
/**
* @param protoPortMatchPriority the priority
* @param write is write or delete
*/
- public void egressACLAllowTrafficFromVmIpMacPair(Long dpidLong, long localPort,
- String attachedMac, String srcIp, Integer protoPortMatchPriority, boolean write) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
+ private void egressAclAllowTrafficFromVmIpMacPair(Long dpidLong, long localPort,
+ String attachedMac, String srcIp,
+ Integer protoPortMatchPriority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
+ MatchUtils.createSrcL3Ipv4MatchWithMac(matchBuilder, new Ipv4Prefix(srcIp),new MacAddress(attachedMac));
+ MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
+ LOG.debug("egressAclAllowTrafficFromVmIpMacPair: MatchBuilder contains: {}", matchBuilder);
+ String flowId = "Egress_Allow_VM_IP_MAC" + "_" + localPort + attachedMac + "_Permit_";
+ String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
+
+ }
+
+ /**
+ * Add or remove flow to the node.
+ *
+ * @param flowId the the flow id
+ * @param nodeBuilder the node builder
+ * @param matchBuilder the matchbuilder
+ * @param protoPortMatchPriority the protocol priority
+ * @param write whether it is a write
+ * @param drop whether it is a drop or forward
+ */
+ private void syncFlow(String flowId, NodeBuilder nodeBuilder,
+ MatchBuilder matchBuilder,Integer protoPortMatchPriority,
+ boolean write,boolean drop) {
FlowBuilder flowBuilder = new FlowBuilder();
- MatchUtils.createSrcL3IPv4MatchWithMac(matchBuilder, new Ipv4Prefix(srcIp),new MacAddress(attachedMac));
- MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
flowBuilder.setMatch(matchBuilder.build());
-
- LOG.debug("egressACLAllowTrafficFromVmIpMacPair: MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "Egress_Allow_VM_IP_MAC" + "_" + localPort + attachedMac + "_Permit_";
- // Add Flow Attributes
flowBuilder.setId(new FlowId(flowId));
FlowKey key = new FlowKey(new FlowId(flowId));
flowBuilder.setStrict(false);
if (write) {
// Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
+ if (drop) {
+ InstructionUtils.createDropInstructions(ib);
+ }
ib.setOrder(0);
ib.setKey(new InstructionKey(0));
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
instructionsList.add(ib.build());
isb.setInstruction(instructionsList);
-
- LOG.debug("egressACLAllowTrafficFromVmIpMacPair: Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
flowBuilder.setInstructions(isb.build());
writeFlow(flowBuilder, nodeBuilder);
} else {
removeFlow(flowBuilder, nodeBuilder);
}
+
}
+
+
+
@Override
public void setDependencies(BundleContext bundleContext, ServiceReference serviceReference) {
super.setDependencies(bundleContext.getServiceReference(EgressAclProvider.class.getName()), this);
+ securityServicesManager =
+ (SecurityServicesManager) ServiceHelper.getGlobalInstance(SecurityServicesManager.class, this);
}
@Override