import static org.opendaylight.groupbasedpolicy.renderer.ofoverlay.flow.FlowUtils.nxOutputRegAction;
import java.util.ArrayList;
-import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import org.opendaylight.groupbasedpolicy.api.sf.L4ClassifierDefinition;
import org.opendaylight.groupbasedpolicy.dto.EgKey;
import org.opendaylight.groupbasedpolicy.dto.EndpointConstraint;
-import org.opendaylight.groupbasedpolicy.dto.EpKey;
import org.opendaylight.groupbasedpolicy.dto.IndexedTenant;
import org.opendaylight.groupbasedpolicy.dto.Policy;
import org.opendaylight.groupbasedpolicy.dto.RuleGroup;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.Flow;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Instructions;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.Match;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.go.to.table._case.GoToTable;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ClassifierDefinitionId;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.ConditionName;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.common.rev140421.TenantId;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.Endpoint;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.EndpointKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.EndpointL3;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.endpoint.rev140421.endpoints.EndpointL3Key;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.l3endpoint.rev151217.NatAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.ofoverlay.rev140528.OfOverlayContext;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.HasDirection.Direction;
import org.opendaylight.yang.gen.v1.urn.opendaylight.groupbasedpolicy.policy.rev140421.has.action.refs.ActionRef;
import com.google.common.collect.Table.Cell;
/**
- * Manage the table that enforces policy on the traffic. Traffic is denied
- * unless specifically allowed by policy
+ * <h1>Manage the table that enforces policy on the traffic. Traffic is denied
+ * unless specifically allowed by policy (table=4)</h1>
+ *
+ * In policy enforcer, according to current {@link Policy} specific traffic is sent to SFC (nsp and nsi is set), or from SFC
+ * to some {@link Endpoint} or to another classifier.
+ * <p>
+ * <i>Tunnel/overlay flows</i><br>
+ * Priority = 65000 (if more flows, decrements)<br>
+ * Matches:<br>
+ * - ethertype (tcp, tcp6, ipv6, icmp or missing)<br>
+ * - Reg0 {@link NxmNxReg0}<br>
+ * - Reg1 {@link NxmNxReg1}<br>
+ * - Reg2 {@link NxmNxReg2}<br>
+ * - Reg3 {@link NxmNxReg3}<br>
+ * - L3 for src_ip_prefix (if exists)<br>
+ * - L3 for dst_ip_prefix (if exists)<br>
+ * Actions:<br>
+ * - set nsi (only chain action)<br>
+ * - set nsp (only chain action)<br>
+ * - {@link GoToTable} EXTERNAL MAPPER table<br>
+ *<p>
+ * <i>Allow from tunnel flow</i><br>
+ * Priority = 65000<br>
+ * Matches:<br>
+ * - Reg1 (set to 0xffffff) {@link NxmNxReg1}<br>
+ * - in_port (should be tunnel port) {@link NodeConnectorId}<br>
+ * Actions:<br>
+ * - output:port (Reg7) {@link NxmNxReg7}<br>
+ * <p>
+ * Traffic is sent from one {@link EndpointGroup} to the same EPG
+ * <p>
+ * <i>Allow from same EPG flow</i><br>
+ * Priority = 65000<br>
+ * Matches:<br>
+ * - Reg0 {@link NxmNxReg0}<br>
+ * - Reg2 {@link NxmNxReg2}<br>
+ * Actions:<br>
+ * - output:port (Reg7) {@link NxmNxReg7}
+ * <p>
+ * <i>Arp flow</i><br>
+ * Priority = 20000<br>
+ * Matches:<br>
+ * - ethernet match (arp)<br>
+ * - Reg5 {@link NxmNxReg5}<br>
+ * Actions:<br>
+ * - output:port (Reg7) {@link NxmNxReg7}
+ *
*/
public class PolicyEnforcer extends FlowTable {
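Review bot: The new class Javadoc links `{@link NxmNxReg0}`, `{@link NxmNxReg1}`, `{@link NxmNxReg2}`, `{@link NxmNxReg3}`, `{@link NxmNxReg5}`, `{@link NxmNxReg7}`, `{@link NodeConnectorId}` and `{@link EndpointGroup}`, but the import block in this hunk gains only `GoToTable`, so unless those types are imported outside the visible lines every one of those links is unresolvable and javadoc will either fail under doclint or render them as plain text. Either add the imports or downgrade them to `{@code NxmNxReg0}` and so on, which needs no import. The `<h1>` around the summary sentence is also likely to be flagged by doclint as a heading used out of sequence inside a class comment; keeping the summary as the plain first sentence, e.g. `Manage the table that enforces policy on the traffic (table=4). Traffic is denied unless specifically allowed by policy.`, avoids that and keeps the summary line intact in the generated index.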
.getL3EpPrefixes());
Set<IpPrefix> dIpPrefixes = Policy.getIpPrefixesFrom(activeRulesByConstraints.getColumnKey()
.getL3EpPrefixes());
- PolicyPair policyPair = new PolicyPair(netElements.getDstEpOrdinals().getEpgId(), netElements.getSrcEpOrdinals().getEpgId(),
- netElements.getDstEpOrdinals().getCgId(), netElements.getSrcEpOrdinals().getCgId(), dIpPrefixes, sIpPrefixes,
- netElements.getDstNodeId(), netElements.getSrcNodeId());
- if (visitedPairs.contains(policyPair)) {
- LOG.trace("PolicyEnforcer: Already visited PolicyPair {}, endpoints {} {} skipped",
- policyPair, netElements.getSrcEp().getKey(), netElements.getDstEp().getKey());
- continue;
- } else {
- LOG.trace("PolicyEnforcer: Visiting PolicyPair {} endpoints {} {}", policyPair,
- netElements.getSrcEp().getKey(), netElements.getDstEp().getKey());
- visitedPairs.add(policyPair);
- }
int priority = 65000;
for (RuleGroup rg : activeRulesByConstraints.getValue()) {
LOG.trace("No actions found for pair of rules {}, {}", rule, oppositeRule);
continue;
}
+ PolicyPair policyPair = null;
+ if (rule.equals(ruleWithMatches)) {
+ policyPair = new PolicyPair(netElements.getDstEpOrdinals().getEpgId(),
+ netElements.getSrcEpOrdinals().getEpgId(), netElements.getDstEpOrdinals().getCgId(),
+ netElements.getSrcEpOrdinals().getCgId(), dIpPrefixes, sIpPrefixes,
+ netElements.getDstNodeId(), netElements.getSrcNodeId());
+ } else {
+ policyPair = new PolicyPair(netElements.getSrcEpOrdinals().getEpgId(),
+ netElements.getDstEpOrdinals().getEpgId(), netElements.getSrcEpOrdinals().getCgId(),
+ netElements.getDstEpOrdinals().getCgId(), sIpPrefixes, dIpPrefixes,
+ netElements.getSrcNodeId(), netElements.getDstNodeId());
+ }
+ LOG.trace("PolicyEnforcer: Visiting PolicyPair {} endpoints {} {}", policyPair,
+ netElements.getSrcEp().getKey(), netElements.getDstEp().getKey());
// Preserve original rule direction
Set<Direction> directions = getRuleDirections(rule);