Merge "Fixed NPO and and some other changes"
[netvirt.git] / vpnservice / aclservice / impl / src / main / java / org / opendaylight / netvirt / aclservice / EgressAclServiceImpl.java
index 03e7e458e78a3f220a992a0878138a96e28cb3e8..637ae9d041cff9e38c3a4ef3fef5862690f3b2fc 100644 (file)
@@ -10,8 +10,10 @@ package org.opendaylight.netvirt.aclservice;
 import java.math.BigInteger;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 
 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
 import org.opendaylight.genius.mdsalutil.ActionInfo;
 import org.opendaylight.genius.mdsalutil.ActionType;
 import org.opendaylight.genius.mdsalutil.InstructionInfo;
@@ -24,77 +26,85 @@ import org.opendaylight.genius.mdsalutil.NwConstants;
 import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
 import org.opendaylight.genius.mdsalutil.NxMatchInfo;
 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
-import org.opendaylight.netvirt.aclservice.api.AclServiceListener;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
+import org.opendaylight.netvirt.aclservice.utils.AclConstants;
+import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
+import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-public class EgressAclServiceImpl implements AclServiceListener {
+public class EgressAclServiceImpl extends AbstractAclServiceImpl {
 
-    private static final Logger logger = LoggerFactory.getLogger(EgressAclServiceImpl.class);
-
-    private IMdsalApiManager mdsalUtil;
-    short tableIdInstall = 22;
-    short tableIdNext = 23;
-    private OdlInterfaceRpcService interfaceManager;
-    private DataBroker dataBroker;
+    private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
+    private final DataBroker dataBroker;
 
     /**
-     * Intilaze the member variables.
+     * Initialize the member variables.
      * @param dataBroker the data broker instance.
      * @param interfaceManager the interface manager instance.
-     * @param mdsalUtil the mdsal util instance.
+     * @param mdsalManager the mdsal manager instance.
      */
     public EgressAclServiceImpl(DataBroker dataBroker, OdlInterfaceRpcService interfaceManager,
-                                IMdsalApiManager mdsalUtil) {
+                                IMdsalApiManager mdsalManager) {
+        super(dataBroker,interfaceManager,mdsalManager);
         this.dataBroker = dataBroker;
-        this.interfaceManager = interfaceManager;
-        this.mdsalUtil = mdsalUtil;
-    }
-
-    @Override
-    public boolean applyAcl(Interface port) {
-
-        if (!AclServiceUtils.isPortSecurityEnabled(port, dataBroker)) {
-            return false;
-        }
-        BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
-        org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
-            interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
-        String attachMac = interfaceState.getPhysAddress().getValue();
-        programFixedSecurityGroup(dpId, "", attachMac, NwConstants.ADD_FLOW);
-        return true;
     }
 
-    @Override
-    public boolean updateAcl(Interface port) {
-        return false;
+    /**
+     * Bind service.
+     *
+     * @param interfaceName the interface name
+     */
+    protected void bindService(String interfaceName) {
+        int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
+
+        int instructionKey = 0;
+        List<Instruction> instructions = new ArrayList<>();
+        instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(AclConstants.EGRESS_ACL_TABLE_ID, ++instructionKey));
+        BoundServices serviceInfo = AclServiceUtils.getBoundServices(
+                String.format("%s.%s.%s", "vpn", "egressacl", interfaceName), AclConstants.EGRESS_ACL_SERVICE_PRIORITY,
+                flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
+        InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
+                AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
+        MDSALUtil.syncWrite(dataBroker, LogicalDatastoreType.CONFIGURATION, path, serviceInfo);
     }
 
-    @Override
-    public boolean removeAcl(Interface port) {
-        if (!AclServiceUtils.isPortSecurityEnabled(port, dataBroker)) {
-            return false;
-        }
-        BigInteger dpId = AclServiceUtils.getDpnForInterface(interfaceManager, port.getName());
-        org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.state.Interface
-            interfaceState = AclServiceUtils.getInterfaceStateFromOperDS(dataBroker, port.getName());
-        String attachMac = interfaceState.getPhysAddress().getValue();
-        programFixedSecurityGroup(dpId, "", attachMac, NwConstants.DEL_FLOW);
-        return true;
+    /**
+     * Unbind service.
+     *
+     * @param interfaceName the interface name
+     */
+    protected void unbindService(String interfaceName) {
+        InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
+                AclConstants.EGRESS_ACL_SERVICE_PRIORITY, ServiceModeIngress.class);
+        MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
     }
 
     /**
      * Program the default anti-spoofing rule and the conntrack rules.
+     *
      * @param dpid the dpid
      * @param dhcpMacAddress the dhcp mac address.
      * @param attachMac The vm mac address
      * @param addOrRemove addorRemove
      */
-    private void programFixedSecurityGroup(BigInteger dpid, String dhcpMacAddress,
-                                           String attachMac, int addOrRemove) {
-        logger.info("programFixedSecurityGroup :  adding default security group rules.");
+    protected void programFixedRules(BigInteger dpid, String dhcpMacAddress,
+                                             String attachMac, int addOrRemove) {
+        LOG.info("programFixedRules :  adding default rules.");
         egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
         egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
         egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, attachMac, addOrRemove);
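Review bot: The `AclServiceUtils.isPortSecurityEnabled(port, dataBroker)` gate that the removed `applyAcl` and `removeAcl` ran before programming any flow has no counterpart in the new code of this class. `AbstractAclServiceImpl` is not part of this diff, so confirm that the base class makes that check before it calls `bindService`, `programFixedRules` and `programAclRules`; otherwise a port with port security disabled would still get a service binding and ACL flows. If the base class does own the check, a class-level comment such as `// port-security is checked by AbstractAclServiceImpl before these hooks are invoked` would make the contract visible here.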
@@ -106,6 +116,70 @@ public class EgressAclServiceImpl implements AclServiceListener {
         programArpRule(dpid,attachMac, addOrRemove);
     }
 
+    /**
+     * Programs the custom flows.
+     *
+     * @param aclUuidList the list of acl uuid to be applied
+     * @param dpId the dpId
+     * @param attachMac the attached mac
+     * @param addOrRemove whether to delete or add flow
+     */
+    protected void programAclRules(List<Uuid> aclUuidList, BigInteger dpId, String attachMac,
+                                   IpPrefixOrAddress attachIp, int addOrRemove) {
+        LOG.trace("Applying custom rules DpId {}, vmMacAddress {}", dpId, attachMac );
+        for (Uuid sgUuid :aclUuidList ) {
+            Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
+            if (null == acl) {
+                LOG.warn("The ACL is empty");
+                continue;
+            }
+            AccessListEntries accessListEntries = acl.getAccessListEntries();
+            List<Ace> aceList = accessListEntries.getAce();
+            for (Ace ace: aceList) {
+                programAceRule(dpId, attachMac, attachIp, addOrRemove, ace);
+            }
+        }
+
+    }
+
+    protected void programAceRule(BigInteger dpId, String attachMac, IpPrefixOrAddress attachIp, int addOrRemove,
+                                  Ace ace) {
+        SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
+        if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
+            return;
+        }
+        Matches matches = ace.getMatches();
+        AceType aceType = matches.getAceType();
+        Map<String,List<MatchInfoBase>> flowMap = null;
+        if (aceType instanceof AceIp) {
+            flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
+        }
+        if (null == flowMap) {
+            LOG.error("Failed to apply ACL {} vmMacAddress {}", ace.getKey(), attachMac);
+            return;
+        }
+        //The flow map contains list of flows if port range is selected.
+        for ( String  flowName : flowMap.keySet()) {
+            List<MatchInfoBase> flows = flowMap.get(flowName);
+            flowName += "Egress" + attachMac + String.valueOf(attachIp.getValue()) + ace.getKey().getRuleName();
+            flows .add(new MatchInfo(MatchFieldType.eth_src,
+                new String[] { attachMac }));
+            flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
+                new long[] { AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
+            flows.addAll(AclServiceUtils.getAllowedIpMatches(attachIp, MatchFieldType.ipv4_source));
+            List<InstructionInfo> instructions = new ArrayList<>();
+            List<ActionInfo> actionsInfos = new ArrayList<>();
+            actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+                new String[] {"1", "0", "0", "255"}, 2));
+            instructions.add(new InstructionInfo(InstructionType.apply_actions,
+                actionsInfos));
+            instructions.add(new InstructionInfo(InstructionType.goto_table,
+                new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
+            syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY,
+                "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+        }
+    }
+
     /**
      * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
      * @param dpId the dpId
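Review bot: `programAclRules` dereferences `acl.getAccessListEntries()` and its `getAce()` list without a null check, and `programAceRule` does the same with `aceAttr` and `ace.getMatches()`. If any of these is absent the exception ends the loop, so the remaining ACLs are not programmed, or on removal their allow flows stay installed. Whether these getters can return null depends on the binding classes, which are not shown here, so treat this as a guard to confirm rather than a proven crash. The Javadoc of `programAclRules` also lacks `@param attachIp`, and `programAceRule` has no Javadoc at all. Suggested guards follow.

```java
// in programAclRules, inside the loop over aclUuidList, after the null check on acl
            AccessListEntries accessListEntries = acl.getAccessListEntries();
            if (accessListEntries == null || accessListEntries.getAce() == null) {
                LOG.warn("ACL {} has no access list entries, skipping", sgUuid.getValue());
                continue;
            }
            // … unchanged: loop calling programAceRule for each ace …

// in programAceRule
        SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
        if (aceAttr == null || !DirectionEgress.class.equals(aceAttr.getDirection())) {
            return;
        }
        Matches matches = ace.getMatches();
        if (matches == null) {
            LOG.warn("ACE {} has no matches, skipping", ace.getKey());
            return;
        }
        // … unchanged: flow map construction and syncFlow loop …
```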
@@ -115,12 +189,8 @@ public class EgressAclServiceImpl implements AclServiceListener {
      */
     private void egressAclDhcpDropServerTraffic(BigInteger dpId, String dhcpMacAddress,
             String attachMac, int addOrRemove) {
-        List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_IpV4,
-            AclServiceUtils.dhcpClientPort_IpV4);
-        matches.add(new MatchInfo(MatchFieldType.eth_src,
-            new String[] { attachMac }));
-        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
-            new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
+        List<MatchInfoBase> matches = AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_SERVER_PORT_IPV4,
+                AclConstants.DHCP_CLIENT_PORT_IPV4, attachMac);
 
         List<InstructionInfo> instructions = new ArrayList<>();
 
@@ -129,8 +199,8 @@ public class EgressAclServiceImpl implements AclServiceListener {
         actionsInfos.add(new ActionInfo(ActionType.drop_action,
             new String[] {}));
         String flowName = "Egress_DHCP_Server_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
-        syncFlow(dpId, tableIdInstall, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
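Review bot: The flow name on the context line, `"Egress_DHCP_Server_v4" + dpId`, has no separator between the label and the datapath id, while the DHCPv6 variant this commit corrects uses `"Egress_DHCP_Server_v6" + "_" + dpId`; `"Egress_DHCP_Client_v4" + dpId` further down has the same gap. For consistency the line could read `String flowName = "Egress_DHCP_Server_v4_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";`. `syncFlow` receives this string in the flow-id position, so if removal looks flows up by that id, rename it only together with a cleanup of flows installed under the old name. The enclosing method starts outside this hunk.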
@@ -142,12 +212,8 @@ public class EgressAclServiceImpl implements AclServiceListener {
      */
     private void egressAclDhcpv6DropServerTraffic(BigInteger dpId, String dhcpMacAddress,
                                                   String attachMac, int addOrRemove) {
-        List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpServerPort_Ipv6,
-            AclServiceUtils.dhcpClientPort_IpV6);
-        matches.add(new MatchInfo(MatchFieldType.eth_src,
-            new String[] { attachMac }));
-        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
-            new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
+        List<MatchInfoBase> matches = AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_SERVER_PORT_IPV6,
+                AclConstants.DHCP_CLIENT_PORT_IPV6, attachMac);
 
         List<InstructionInfo> instructions = new ArrayList<>();
 
@@ -155,29 +221,24 @@ public class EgressAclServiceImpl implements AclServiceListener {
 
         actionsInfos.add(new ActionInfo(ActionType.drop_action,
             new String[] {}));
-        String flowName = "Egress_DHCP_Server_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
-        syncFlow(dpId, tableIdInstall, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+        String flowName = "Egress_DHCP_Server_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Drop_";
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
      * Add rule to ensure only DHCP server traffic from the specified mac is allowed.
      *
-     * @param dpidLong the dpid
-     * @param segmentationId the segmentation id
+     * @param dpId the dpid
      * @param dhcpMacAddress the DHCP server mac address
-     * @param attachMac the mac address of  the port
-     * @param write is write or delete
-     * @param protoPortMatchPriority the priority
+     * @param attachMac the mac address of the port
+     * @param addOrRemove whether to add or remove the flow
      */
     private void egressAclDhcpAllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
                                                  String attachMac, int addOrRemove) {
-        List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV4,
-            AclServiceUtils.dhcpServerPort_IpV4);
-        matches.add(new MatchInfo(MatchFieldType.eth_src,
-            new String[] { attachMac }));
-        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
-            new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
+        final List<MatchInfoBase> matches =
+                AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_CLIENT_PORT_IPV4,
+                        AclConstants.DHCP_SERVER_PORT_IPV4, attachMac);
 
         List<InstructionInfo> instructions = new ArrayList<>();
 
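Review bot: The Javadoc summary of `egressAclDhcpAllowClientTraffic` still says the rule ensures "only DHCP server traffic from the specified mac is allowed", but the matches are built from the client port to the server port with `attachMac` as source, so the rule permits DHCP client traffic sent by the port. A summary such as `Add rule to allow DHCP client traffic sent from the port's mac address.` would match the code; the DHCPv6 counterpart in the next hunk carries the same wording. `dhcpMacAddress` is documented as the DHCP server mac yet is not passed to `buildDhcpSourceMatches`, and in the visible lines it only appears in the flow name, which the `@param` text should say. The method body continues past this hunk.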
@@ -190,30 +251,25 @@ public class EgressAclServiceImpl implements AclServiceListener {
 
 
         instructions.add(new InstructionInfo(InstructionType.goto_table,
-            new long[] { tableIdNext }));
+            new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
         String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
-        syncFlow(dpId, tableIdInstall, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
      * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
      *
-     * @param dpidLong the dpid
-     * @param segmentationId the segmentation id
+     * @param dpId the dpid
      * @param dhcpMacAddress the DHCP server mac address
      * @param attachMac the mac address of  the port
-     * @param write is write or delete
-     * @param protoPortMatchPriority the priority
+     * @param addOrRemove whether to add or remove the flow
      */
     private void egressAclDhcpv6AllowClientTraffic(BigInteger dpId, String dhcpMacAddress,
                                                    String attachMac, int addOrRemove) {
-        List<MatchInfoBase> matches = AclServiceUtils.programDhcpMatches(AclServiceUtils.dhcpClientPort_IpV6,
-            AclServiceUtils.dhcpServerPort_Ipv6);
-        matches.add(new MatchInfo(MatchFieldType.eth_src,
-            new String[] { attachMac }));
-        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
-            new long[] { AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK}));
+        final List<MatchInfoBase> matches =
+                AclServiceUtils.buildDhcpSourceMatches(AclConstants.DHCP_CLIENT_PORT_IPV6,
+                        AclConstants.DHCP_SERVER_PORT_IPV6, attachMac);
 
         List<InstructionInfo> instructions = new ArrayList<>();
 
@@ -225,10 +281,10 @@ public class EgressAclServiceImpl implements AclServiceListener {
             actionsInfos));
 
         instructions.add(new InstructionInfo(InstructionType.goto_table,
-            new long[] { tableIdNext }));
-        String flowName = "Egress_DHCP_Client_v4" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
-        syncFlow(dpId, tableIdInstall, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+            new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
+        String flowName = "Egress_DHCP_Client_v6" + "_" + dpId + "_" + attachMac + "_" + dhcpMacAddress + "_Permit_";
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
@@ -244,9 +300,9 @@ public class EgressAclServiceImpl implements AclServiceListener {
     private void programConntrackRecircRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                              int conntrackState, int conntrackMask, int addOrRemove) {
         List<MatchInfoBase> matches = new ArrayList<>();
-        matches.add((MatchInfoBase)new MatchInfo(MatchFieldType.eth_type,
+        matches.add(new MatchInfo(MatchFieldType.eth_type,
             new long[] { NwConstants.ETHTYPE_IPV4 }));
-        matches.add((MatchInfoBase)new NxMatchInfo(NxMatchFieldType.ct_state,
+        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
             new long[] {conntrackState, conntrackMask}));
         matches.add(new MatchInfo(MatchFieldType.eth_src,
             new String[] { attachMac }));
@@ -255,16 +311,16 @@ public class EgressAclServiceImpl implements AclServiceListener {
         List<ActionInfo> actionsInfos = new ArrayList<>();
 
         actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
-            new String[] {"0", "0", "0", Short.toString(tableIdInstall)}, 2));
+            new String[] {"0", "0", "0", Short.toString(AclConstants.EGRESS_ACL_TABLE_ID)}, 2));
         instructions.add(new InstructionInfo(InstructionType.apply_actions,
             actionsInfos));
         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
-        syncFlow(dpId, tableIdInstall, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
-     * Adds  the rule to forward the packets known packets .
+     * Adds the rule to forward the packets known packets.
      * @param dpId the dpId
      * @param attachMac the attached mac address
      * @param priority the priority of the flow
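Review bot: `programConntrackRecircRule` accepts a `priority` argument but the new `syncFlow` call still passes `AclConstants.PROTO_MATCH_PRIORITY`, so the `CT_STATE_UNTRACKED_PRIORITY` supplied by `programEgressAclFixedConntrackRule` is ignored. The forward and drop variants pass `priority` through, so this looks like an oversight carried over from the old code. The untracked recirculation flow then sits at the same priority as the DHCP, ARP and custom ACL flows, and ordering between overlapping flows of equal priority is not something to rely on. Suggested call: `syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,`. The method signature is in the preceding hunk.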
@@ -276,9 +332,9 @@ public class EgressAclServiceImpl implements AclServiceListener {
     private void programConntrackForwardRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                              int conntrackState, int conntrackMask, int addOrRemove) {
         List<MatchInfoBase> matches = new ArrayList<>();
-        matches.add((MatchInfoBase)new MatchInfo(MatchFieldType.eth_type,
+        matches.add(new MatchInfo(MatchFieldType.eth_type,
             new long[] { NwConstants.ETHTYPE_IPV4 }));
-        matches.add((MatchInfoBase)new NxMatchInfo(NxMatchFieldType.ct_state,
+        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
             new long[] {conntrackState, conntrackMask}));
         matches.add(new MatchInfo(MatchFieldType.eth_src,
             new String[] { attachMac }));
@@ -290,10 +346,10 @@ public class EgressAclServiceImpl implements AclServiceListener {
             new String[] {}));
 
         instructions.add(new InstructionInfo(InstructionType.goto_table,
-            new long[] { tableIdNext }));
+            new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
         String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_" + flowId;
-        syncFlow(dpId, tableIdInstall, flowName, priority, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
@@ -309,9 +365,9 @@ public class EgressAclServiceImpl implements AclServiceListener {
     private void programConntrackDropRule(BigInteger dpId, String attachMac, Integer priority, String flowId,
                                           int conntrackState, int conntrackMask, int addOrRemove) {
         List<MatchInfoBase> matches = new ArrayList<>();
-        matches.add((MatchInfoBase)new MatchInfo(MatchFieldType.eth_type,
+        matches.add(new MatchInfo(MatchFieldType.eth_type,
             new long[] { NwConstants.ETHTYPE_IPV4 }));
-        matches.add((MatchInfoBase)new NxMatchInfo(NxMatchFieldType.ct_state,
+        matches.add(new NxMatchInfo(NxMatchFieldType.ct_state,
             new long[] { conntrackState, conntrackMask}));
         matches.add(new MatchInfo(MatchFieldType.eth_src,
             new String[] { attachMac }));
@@ -322,8 +378,8 @@ public class EgressAclServiceImpl implements AclServiceListener {
         actionsInfos.add(new ActionInfo(ActionType.drop_action,
             new String[] {}));
         String flowName = "Egress_Fixed_Conntrk_NewDrop_" + dpId + "_" + attachMac + "_" + flowId;
-        syncFlow(dpId, tableIdInstall, flowName, priority, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, priority, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
@@ -335,8 +391,8 @@ public class EgressAclServiceImpl implements AclServiceListener {
     private void programArpRule(BigInteger dpId, String attachMac, int addOrRemove) {
         List<MatchInfo> matches = new ArrayList<>();
         matches.add(new MatchInfo(MatchFieldType.eth_type,
-            new long[] { NwConstants.ETHTYPE_IPV4 }));
-        matches.add(new MatchInfo(MatchFieldType.arp_tpa,
+            new long[] { NwConstants.ETHTYPE_ARP }));
+        matches.add(new MatchInfo(MatchFieldType.arp_sha,
             new String[] { attachMac }));
 
         List<InstructionInfo> instructions = new ArrayList<>();
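Review bot: The corrected ARP rule matches only `arp_sha`, so a frame is permitted on the ARP sender hardware address alone; neither the Ethernet source MAC nor the ARP sender IP is constrained, which leaves the anti-spoofing intent of the fixed rules incomplete for ARP. Adding `matches.add(new MatchInfo(MatchFieldType.eth_src, new String[] { attachMac }));` would tie the frame header to the port as the other fixed rules in this file do. Binding the sender IP as well would need the port's address, which `programArpRule` does not receive in its current signature. The rest of the method body lies outside this hunk.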
@@ -347,43 +403,10 @@ public class EgressAclServiceImpl implements AclServiceListener {
                 new String[] {}));
 
         instructions.add(new InstructionInfo(InstructionType.goto_table,
-            new long[] { tableIdNext }));
+            new long[] { AclConstants.EGRESS_ACL_NEXT_TABLE_ID }));
         String flowName = "Egress_ARP_" + dpId + "_" + attachMac ;
-        syncFlow(dpId, tableIdInstall, flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-            AclServiceUtils.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
-    }
-
-    /**
-     * Writes/remove the flow to/from the datastore.
-     * @param dpId the dpId
-     * @param tableId the tableId
-     * @param flowId the flowId
-     * @param priority the priority
-     * @param flowName the flow name
-     * @param idleTimeOut the idle timeout
-     * @param hardTimeOut the hard timeout
-     * @param cookie the cookie
-     * @param matches the list of matches to be writted
-     * @param instructions the list of instruction to be written.
-     * @param addOrRemove add or remove the entries.
-     */
-    private void syncFlow(BigInteger dpId, short tableId, String flowId, int priority, String flowName,
-                          int idleTimeOut, int hardTimeOut, BigInteger cookie, List<? extends MatchInfoBase>  matches,
-                          List<InstructionInfo> instructions, int addOrRemove) {
-        if (addOrRemove == NwConstants.DEL_FLOW) {
-            MDSALUtil.buildFlowEntity(dpId, tableIdInstall,
-                flowName, AclServiceUtils.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
-                AclServiceUtils.COOKIE_ACL_BASE, matches, null);
-            logger.trace("Removing Acl Flow DpId {}, vmMacAddress {}", dpId, flowId);
-            // TODO Need to be done as a part of genius integration
-            //mdsalUtil.removeFlow(flowEntity);
-        } else {
-            MDSALUtil.buildFlowEntity(dpId, tableId,
-                flowId ,priority, flowName, 0, 0, cookie, matches, instructions);
-            logger.trace("Installing  DpId {}, flowId {}", dpId, flowId);
-            // TODO Need to be done as a part of genius integration
-            //mdsalUtil.installFlow(flowEntity);
-        }
+        syncFlow(dpId, AclConstants.EGRESS_ACL_TABLE_ID, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+                AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
     }
 
     /**
@@ -393,22 +416,18 @@ public class EgressAclServiceImpl implements AclServiceListener {
      * @param write whether to add or remove the flow.
      */
     private void programEgressAclFixedConntrackRule(BigInteger dpid, String attachMac, int write) {
-        try {
-            programConntrackRecircRule(dpid, attachMac,AclServiceUtils.CT_STATE_UNTRACKED_PRIORITY,
-                "Untracked",AclServiceUtils.UNTRACKED_CT_STATE,AclServiceUtils.UNTRACKED_CT_STATE_MASK, write );
-            programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
-                "Tracked_Established", AclServiceUtils.TRACKED_EST_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK,
-                write );
-            programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_TRACKED_EXIST_PRIORITY,
-                "Tracked_Related", AclServiceUtils.TRACKED_REL_CT_STATE, AclServiceUtils.TRACKED_CT_STATE_MASK, write );
-            programConntrackDropRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
-                "Tracked_New", AclServiceUtils.TRACKED_NEW_CT_STATE, AclServiceUtils.TRACKED_NEW_CT_STATE_MASK, write );
-            programConntrackForwardRule(dpid, attachMac, AclServiceUtils.CT_STATE_NEW_PRIORITY_DROP,
-                "Tracked_Invalid",AclServiceUtils.TRACKED_INV_CT_STATE, AclServiceUtils.TRACKED_INV_CT_STATE_MASK,
-                write );
-            logger.info("programEgressAclFixedConntrackRule :  default connection tracking rule are added.");
-        } catch (Exception e) {
-            logger.error("Failed to add default conntrack rules : " , e);
-        }
+        programConntrackRecircRule(dpid, attachMac,AclConstants.CT_STATE_UNTRACKED_PRIORITY,
+            "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, write );
+        programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
+            "Tracked_Established", AclConstants.TRACKED_EST_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK,
+            write );
+        programConntrackForwardRule(dpid, attachMac, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY,
+            "Tracked_Related", AclConstants.TRACKED_REL_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write );
+        programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
+            "Tracked_New", AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, write );
+        programConntrackDropRule(dpid, attachMac, AclConstants.CT_STATE_NEW_PRIORITY_DROP,
+            "Tracked_Invalid",AclConstants.TRACKED_INV_CT_STATE, AclConstants.TRACKED_INV_CT_STATE_MASK,
+            write );
+        LOG.info("programEgressAclFixedConntrackRule :  default connection tracking rule are added.");
     }
 }
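Review bot: `LOG.info("programEgressAclFixedConntrackRule :  default connection tracking rule are added.")` is emitted for removals too, because the method programs adds and deletes alike depending on `write`. A log that always says "added" misleads anyone reconstructing when a port's conntrack rules were withdrawn. Something like `LOG.info("programEgressAclFixedConntrackRule : default connection tracking rules programmed, addOrRemove {}", write);` keeps the record accurate. `programFixedRules` earlier in the file logs "adding default rules." in the same unconditional way.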