package org.opendaylight.netvirt.aclservice.utils;
import com.google.common.base.Optional;
+import com.google.common.collect.Lists;
import com.google.common.net.InetAddresses;
import java.math.BigInteger;
import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+import java.util.SortedSet;
+import java.util.TreeSet;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
-import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
import org.opendaylight.genius.interfacemanager.globals.InterfaceServiceUtil;
import org.opendaylight.genius.mdsalutil.MetaDataUtil;
import org.opendaylight.genius.mdsalutil.NwConstants;
import org.opendaylight.genius.mdsalutil.NxMatchInfo;
+import org.opendaylight.genius.mdsalutil.instructions.InstructionWriteMetadata;
import org.opendaylight.genius.mdsalutil.matches.MatchArpSpa;
import org.opendaylight.genius.mdsalutil.matches.MatchEthernetDestination;
import org.opendaylight.genius.mdsalutil.matches.MatchEthernetType;
import org.opendaylight.genius.mdsalutil.matches.MatchUdpDestinationPort;
import org.opendaylight.genius.mdsalutil.matches.MatchUdpSourcePort;
import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchRegister;
+import org.opendaylight.genius.mdsalutil.packet.IPProtocols;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.MatchCriteria;
import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
-import org.opendaylight.netvirt.aclservice.api.utils.AclInterfaceCacheUtil;
-import org.opendaylight.netvirt.vpnmanager.api.VpnHelper;
-import org.opendaylight.yang.gen.v1.urn.huawei.params.xml.ns.yang.l3vpn.rev140815.vpn.interfaces.VpnInterface;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.AccessLists;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.Ipv4Acl;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclKey;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.actions.packet.handling.Permit;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpAddress;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpPrefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv4Prefix;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.OdlInterfaceRpcService;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceBindings;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeBase;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeEgress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceTypeFlowBased;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflow;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.StypeOpenflowBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServicesKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeConnectorId;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.config.rev160806.AclserviceConfig;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionBase;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.PortsSubnetIpPrefixes;
import org.slf4j.LoggerFactory;
@Singleton
-@SuppressWarnings("deprecation")
public final class AclServiceUtils {
private static final Logger LOG = LoggerFactory.getLogger(AclServiceUtils.class);
}
}
- public static <T extends DataObject> void delete(
- DataBroker broker, LogicalDatastoreType datastoreType, InstanceIdentifier<T> path) {
- WriteTransaction tx = broker.newWriteOnlyTransaction();
- tx.delete(datastoreType, path);
- }
-
/**
* Retrieves the acl matching the key from the data store.
*
public static List<Uuid> getUpdatedAclList(List<Uuid> updatedAclList, List<Uuid> currentAclList) {
if (updatedAclList == null) {
- return null;
+ return Collections.emptyList();
}
List<Uuid> newAclList = new ArrayList<>(updatedAclList);
if (currentAclList == null) {
int cidrPart = Integer.parseInt(ipaddressValues[1]);
int netmask = 0;
for (int j = 0; j < cidrPart; ++j) {
- netmask |= (1 << 31 - j);
+ netmask |= 1 << 31 - j;
}
- int network = (address & netmask);
- int broadcast = network | ~(netmask);
+ int network = address & netmask;
+ int broadcast = network | ~netmask;
return InetAddresses.toAddrString(InetAddresses.fromInteger(broadcast));
}
return flowMatches;
}
- private List<MatchInfoBase> buildAclIdMetadataMatch(Uuid remoteAclId) {
+ private List<MatchInfoBase> buildAclIdMetadataMatches(Uuid remoteAclId) {
List<MatchInfoBase> flowMatches = new ArrayList<>();
BigInteger aclId = buildAclId(remoteAclId);
- if (aclId.intValue() != AclConstants.INVALID_ACL_ID) {
- MatchMetadata metadataMatch = new MatchMetadata(getAclIdMetadata(aclId),
- MetaDataUtil.METADATA_MASK_REMOTE_ACL_ID);
+ if (aclId.intValue() != AclConstants.INVALID_ACL_TAG) {
+ MatchMetadata metadataMatch = new MatchMetadata(getAclTagMetadata(aclId),
+ MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
flowMatches.add(metadataMatch);
} else {
LOG.error("Failed building metadata match for Acl id match. Failed to allocate id");
return flowMatches;
}
+ public static MatchInfoBase buildAclTagMetadataMatch(Integer aclTag) {
+ return new MatchMetadata(getAclTagMetadata(BigInteger.valueOf(aclTag)),
+ MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
+ }
+
public BigInteger buildAclId(Uuid remoteAclId) {
- Integer aclId = allocateAclId(remoteAclId.getValue());
+ Integer aclId = allocateAclTag(remoteAclId.getValue());
return BigInteger.valueOf(aclId);
}
- public static BigInteger getAclIdMetadata(BigInteger aclId) {
- return aclId.shiftLeft(1);
+ public static BigInteger getAclTagMetadata(BigInteger aclTag) {
+ return aclTag.shiftLeft(4);
+ }
+
+ /**
+ * Does IPv4 address exists in the list of allowed address pair.
+ *
+ * @param aaps the allowed address pairs
+ * @return true, if successful
+ */
+ public static boolean doesIpv4AddressExists(List<AllowedAddressPairs> aaps) {
+ if (aaps == null) {
+ return false;
+ }
+ for (AllowedAddressPairs aap : aaps) {
+ IpPrefixOrAddress ipPrefixOrAddress = aap.getIpAddress();
+ IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
+ if (ipPrefix != null) {
+ if (ipPrefix.getIpv4Prefix() != null) {
+ return true;
+ }
+ } else {
+ IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
+ if (ipAddress != null && ipAddress.getIpv4Address() != null) {
+ return true;
+ }
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Does IPv6 address exists in the list of allowed address pair.
+ *
+ * @param aaps the allowed address pairs
+ * @return true, if successful
+ */
+ public static boolean doesIpv6AddressExists(List<AllowedAddressPairs> aaps) {
+ if (aaps == null) {
+ return false;
+ }
+ for (AllowedAddressPairs aap : aaps) {
+ IpPrefixOrAddress ipPrefixOrAddress = aap.getIpAddress();
+ IpPrefix ipPrefix = ipPrefixOrAddress.getIpPrefix();
+ if (ipPrefix != null) {
+ if (ipPrefix.getIpv6Prefix() != null) {
+ return true;
+ }
+ } else {
+ IpAddress ipAddress = ipPrefixOrAddress.getIpAddress();
+ if (ipAddress != null && ipAddress.getIpv6Address() != null) {
+ return true;
+ }
+ }
+ }
+ return false;
}
/**
* @return the lport tag match
*/
public static MatchInfoBase buildLPortTagMatch(int lportTag, Class<? extends ServiceModeBase> serviceMode) {
- if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeIngress.class)) {
+ if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeEgress.class)) {
return new NxMatchRegister(NxmNxReg6.class, MetaDataUtil.getLportTagForReg6(lportTag).longValue(),
MetaDataUtil.getLportTagMaskForReg6());
} else {
}
}
+ public static List<MatchInfoBase> buildMatchesForLPortTagAndRemoteAclTag(Integer lportTag, Integer aclTag,
+ Class<? extends ServiceModeBase> serviceMode) {
+ List<MatchInfoBase> matches = new ArrayList<>();
+ if (serviceMode != null && serviceMode.isAssignableFrom(ServiceModeEgress.class)) {
+ matches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
+ matches.add(AclServiceUtils.buildAclTagMetadataMatch(aclTag));
+ } else {
+ // In case of ingress service mode, only metadata is used for
+ // matching both lportTag and aclTag. Hence performing "or"
+ // operation on both lportTag and aclTag metadata.
+ BigInteger metaData =
+ MetaDataUtil.getLportTagMetaData(lportTag).or(getAclTagMetadata(BigInteger.valueOf(aclTag)));
+ BigInteger metaDataMask = MetaDataUtil.METADATA_MASK_LPORT_TAG
+ .or(MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
+ matches.add(new MatchMetadata(metaData, metaDataMask));
+ }
+ return matches;
+ }
+
+ public static InstructionWriteMetadata getWriteMetadataForAclClassifierType(
+ AclConntrackClassifierType conntrackClassifierType) {
+ return new InstructionWriteMetadata(
+ MetaDataUtil.getAclConntrackClassifierTypeFromMetaData(conntrackClassifierType.getValue()),
+ MetaDataUtil.METADATA_MASK_ACL_CONNTRACK_CLASSIFIER_TYPE);
+ }
+
+ public static InstructionWriteMetadata getWriteMetadataForRemoteAclTag(Integer remoteAclTag) {
+ return new InstructionWriteMetadata(getAclTagMetadata(BigInteger.valueOf(remoteAclTag)),
+ MetaDataUtil.METADATA_MASK_REMOTE_ACL_TAG);
+ }
+
+ public static MatchInfoBase buildAclConntrackClassifierTypeMatch(
+ AclConntrackClassifierType conntrackSupportedType) {
+ return new MatchMetadata(
+ MetaDataUtil.getAclConntrackClassifierTypeFromMetaData(conntrackSupportedType.getValue()),
+ MetaDataUtil.METADATA_MASK_ACL_CONNTRACK_CLASSIFIER_TYPE);
+ }
+
public static List<Ace> getAceWithRemoteAclId(DataBroker dataBroker, AclInterface port, Uuid remoteAcl) {
List<Ace> remoteAclRuleList = new ArrayList<>();
List<Uuid> aclList = port.getSecurityGroups();
public Map<String, List<MatchInfoBase>> getFlowForRemoteAcl(AclInterface aclInterface, Uuid remoteAclId,
String ignoreInterfaceId, Map<String, List<MatchInfoBase>> flowMatchesMap, boolean isSourceIpMacMatch) {
boolean singleAcl = false;
- List<AclInterface> interfaceList = null;
+ Collection<AclInterface> interfaceList = null;
if (aclInterface.getSecurityGroups() != null && aclInterface.getSecurityGroups().size() == 1) {
singleAcl = true;
} else {
Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
MatchInfoBase ipv4Match = MatchEthernetType.IPV4;
MatchInfoBase ipv6Match = MatchEthernetType.IPV6;
- for (String flowName : flowMatchesMap.keySet()) {
- List<MatchInfoBase> flows = flowMatchesMap.get(flowName);
+ for (Entry<String, List<MatchInfoBase>> entry : flowMatchesMap.entrySet()) {
+ String flowName = entry.getKey();
+ List<MatchInfoBase> flows = entry.getValue();
if (singleAcl) {
LOG.debug("port {} is in only one SG. "
+ "Doesn't adding it's IPs {} to matches (handled in acl id match)",
Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
MatchInfoBase ipv4Match = MatchEthernetType.IPV4;
MatchInfoBase ipv6Match = MatchEthernetType.IPV6;
- for (String flowName : flowMatchesMap.keySet()) {
- List<MatchInfoBase> flows = flowMatchesMap.get(flowName);
+ for (Entry<String, List<MatchInfoBase>> entry : flowMatchesMap.entrySet()) {
+ String flowName = entry.getKey();
+ List<MatchInfoBase> flows = entry.getValue();
// iterate over allow address pair and update match type
for (AllowedAddressPairs aap : syncAllowedAddresses) {
List<MatchInfoBase> matchInfoBaseList;
return null;
}
- public static Long getElanIdFromAclInterface(String elanInterfaceName) {
- AclInterface aclInterface = AclInterfaceCacheUtil.getAclInterfaceFromCache(elanInterfaceName);
- if (null != aclInterface) {
- return aclInterface.getElanId();
- }
- return null;
- }
-
public static ElanInterface getElanInterfaceByElanInterfaceName(String elanInterfaceName,DataBroker broker) {
InstanceIdentifier<ElanInterface> elanInterfaceId = getElanInterfaceConfigurationDataPathId(elanInterfaceName);
return read(broker, LogicalDatastoreType.CONFIGURATION, elanInterfaceId).orNull();
MDSALUtil.syncDelete(broker, LogicalDatastoreType.OPERATIONAL, id);
}
- public static Long getVpnIdFromInterface(DataBroker broker, String vpnInterfaceName) {
- VpnInterface vpnInterface = VpnHelper.getVpnInterface(broker, vpnInterfaceName);
- if (vpnInterface != null) {
- return VpnHelper.getVpnId(broker, vpnInterface.getVpnInstanceName());
- }
- return null;
- }
-
private static List<MatchInfoBase> updateAAPMatches(boolean isSourceIpMacMatch, List<MatchInfoBase> flows,
AllowedAddressPairs aap) {
List<MatchInfoBase> matchInfoBaseList;
return matchInfoBaseList;
}
- private List<MatchInfoBase> addFlowMatchForAclId(Uuid remoteAclId, List<MatchInfoBase> flows) {
+ public List<MatchInfoBase> addFlowMatchForAclId(Uuid remoteAclId, List<MatchInfoBase> flows) {
List<MatchInfoBase> matchInfoBaseList;
- matchInfoBaseList = buildAclIdMetadataMatch(remoteAclId);
+ matchInfoBaseList = buildAclIdMetadataMatches(remoteAclId);
matchInfoBaseList.addAll(flows);
return matchInfoBaseList;
}
LOG.debug("Allocated ACL ID: {} with key: {} into pool: {}", allocatedId, idKey, poolName);
return allocatedId;
} else {
- LOG.warn("RPC Call to Get Unique Id returned with Errors {}", rpcResult.getErrors());
+ LOG.error("RPC Call to Get Unique Id for key {} from pool {} returned with Errors {}",
+ idKey, poolName, rpcResult.getErrors());
}
} catch (InterruptedException | ExecutionException e) {
- LOG.warn("Exception when getting Unique Id", e);
+ LOG.error("Exception when getting Unique Id for key {} from pool {} ", idKey, poolName, e);
}
return defaultId;
}
Future<RpcResult<Void>> result = idManager.releaseId(idInput);
RpcResult<Void> rpcResult = result.get();
if (!rpcResult.isSuccessful()) {
- LOG.warn("RPC Call to release Id {} with Key {} returned with Errors {}", idKey, rpcResult.getErrors());
+ LOG.error("RPC Call to release Id with Key {} from pool {} returned with Errors {}",
+ idKey, poolName, rpcResult.getErrors());
} else {
LOG.debug("Released ACL ID with key: {} from pool: {}", idKey, poolName);
}
} catch (InterruptedException | ExecutionException e) {
- LOG.warn("Exception when releasing Id for key {}", idKey, e);
+ LOG.error("Exception when releasing Id for key {} from pool {} ", idKey, poolName, e);
}
}
/**
- * Allocate and save flow priority in cache.
+ * Gets the ACL tag from cache. If not found in cache, tries to allocate and
+ * return the value.
*
- * @param key the key
- * @return the integer
+ * @param aclId the acl id
+ * @return the acl tag
*/
- public Integer allocateAndSaveFlowPriorityInCache(String poolName, String key) {
- Integer flowPriority = AclServiceUtils.allocateId(this.idManager, poolName, key,
- AclConstants.PROTO_MATCH_PRIORITY);
- this.aclDataUtil.addAclFlowPriority(key, flowPriority);
- return flowPriority;
+ public Integer getAclTag(final Uuid aclId) {
+ String aclName = aclId.getValue();
+ Integer aclTag = this.aclDataUtil.getAclTag(aclName);
+ if (aclTag == null) {
+ LOG.debug("ACL tag not found in cache for ACL={}, trying to allocate again.", aclName);
+ aclTag = allocateAclTag(aclName);
+ if (aclTag != null && aclTag != AclConstants.INVALID_ACL_TAG) {
+ this.aclDataUtil.addAclTag(aclName, aclTag);
+ }
+ }
+ return aclTag;
}
/**
- * Allocate acl id.
+ * Allocate ACL tag.
*
- * @param key the key
+ * @param aclName the ACL name
+ * @return the integer
*/
- public Integer allocateAclId(String key) {
- Integer aclId = AclServiceUtils.allocateId(this.idManager, AclConstants.ACL_ID_POOL_NAME, key,
- AclConstants.INVALID_ACL_ID);
- return aclId;
- }
-
- /**
- * Allocate and save flow priority in cache.
- *
- * @param key the key
- */
- public void releaseAclId(String key) {
- AclServiceUtils.releaseId(idManager, AclConstants.ACL_ID_POOL_NAME, key);
+ public Integer allocateAclTag(String aclName) {
+ Integer aclTag = AclServiceUtils.allocateId(this.idManager, AclConstants.ACL_TAG_POOL_NAME, aclName,
+ AclConstants.INVALID_ACL_TAG);
+ return aclTag;
}
/**
- * Release and remove flow priority from cache.
+ * Release ACL tag.
*
- * @param key the key
- * @return the integer
+ * @param aclName the ACL name
*/
- public Integer releaseAndRemoveFlowPriorityFromCache(String poolName, String key) {
- AclServiceUtils.releaseId(this.idManager, poolName, key);
- Integer flowPriority = this.aclDataUtil.removeAclFlowPriority(key);
- if (flowPriority == null) {
- flowPriority = AclConstants.PROTO_MATCH_PRIORITY;
- }
- return flowPriority;
+ public void releaseAclTag(String aclName) {
+ AclServiceUtils.releaseId(this.idManager, AclConstants.ACL_TAG_POOL_NAME, aclName);
}
/**
* Indicates whether the interface has port security enabled.
+ *
* @param aclInterface the interface.
* @return true if port is security enabled.
*/
public static boolean isOfInterest(AclInterface aclInterface) {
- return aclInterface != null && aclInterface.getPortSecurityEnabled() != null
- && aclInterface.isPortSecurityEnabled();
+ return aclInterface != null && aclInterface.isPortSecurityEnabled();
}
/**
- * Creates the id pool.
+ * Creates the id pool for ACL tag.
*
* @param poolName the pool name
*/
- public void createIdPool(String poolName, AclConstants.PacketHandlingType packetHandlingType) {
- CreateIdPoolInput createPool = null;
-
- // If the default behavior is Deny, then ACLs with Allow packetHandling must have lower priority than
- // ACLs with Deny packetHandling - otherwise the Deny ACLs are redundant, and vice versa
- if ((config.getDefaultBehavior() == DEFAULT_DENY
- && packetHandlingType == AclConstants.PacketHandlingType.PERMIT)
- || (config.getDefaultBehavior() == DEFAULT_ALLOW
- && packetHandlingType == AclConstants.PacketHandlingType.DENY)) {
- createPool = new CreateIdPoolInputBuilder()
- .setPoolName(poolName).setLow(AclConstants.ACL_FLOW_PRIORITY_LOW_POOL_START)
- .setHigh(AclConstants.ACL_FLOW_PRIORITY_LOW_POOL_END).build();
- } else if ((config.getDefaultBehavior() == DEFAULT_DENY
- && packetHandlingType == AclConstants.PacketHandlingType.DENY)
- || (config.getDefaultBehavior() == DEFAULT_ALLOW
- && packetHandlingType == AclConstants.PacketHandlingType.PERMIT)) {
- createPool = new CreateIdPoolInputBuilder()
- .setPoolName(poolName).setLow(AclConstants.ACL_FLOW_PRIORITY_HIGH_POOL_START)
- .setHigh(AclConstants.ACL_FLOW_PRIORITY_HIGH_POOL_END).build();
- } else {
- LOG.error("Got unexpected PacketHandling {} combined with default behavior {}, skipping creation"
- + "of pool {}", packetHandlingType, config.getDefaultBehavior(), poolName);
- return;
- }
- try {
- Future<RpcResult<Void>> result = this.idManager.createIdPool(createPool);
- if ((result != null) && (result.get().isSuccessful())) {
- LOG.debug("Created IdPool for {}", poolName);
- }
- } catch (InterruptedException | ExecutionException e) {
- LOG.error("Failed to create ID pool [{}] for ACL flow priority", poolName, e);
- throw new RuntimeException("Failed to create ID pool for ACL flow priority", e);
- }
- }
-
- /**
- * Creates the id pool.
- *
- * @param poolName the pool name
- */
- private void createIdPoolForAclId(String poolName) {
+ private void createIdPoolForAclTag(String poolName) {
CreateIdPoolInput createPool = new CreateIdPoolInputBuilder()
- .setPoolName(poolName).setLow(AclConstants.ACL_ID_METADATA_POOL_START)
- .setHigh(AclConstants.ACL_ID_METADATA_POOL_END).build();
+ .setPoolName(poolName).setLow(AclConstants.ACL_TAG_POOL_START)
+ .setHigh(AclConstants.ACL_TAG_POOL_END).build();
try {
Future<RpcResult<Void>> result = this.idManager.createIdPool(createPool);
- if ((result != null) && (result.get().isSuccessful())) {
+ if (result != null && result.get().isSuccessful()) {
LOG.debug("Created IdPool for {}", poolName);
}
} catch (InterruptedException | ExecutionException e) {
DeleteIdPoolInput deletePool = new DeleteIdPoolInputBuilder().setPoolName(poolName).build();
try {
Future<RpcResult<Void>> result = this.idManager.deleteIdPool(deletePool);
- if ((result != null) && (result.get().isSuccessful())) {
+ if (result != null && result.get().isSuccessful()) {
LOG.debug("Deleted IdPool for {}", poolName);
}
} catch (InterruptedException | ExecutionException e) {
}
}
- /**
- * Gets the acl pool name.
- *
- * @param dpId the dp id
- * @param tableId the table id
- * @param packetHandlingType packet handling type
- * @return the acl pool name
- */
- public static String getAclPoolName(BigInteger dpId, short tableId,
- AclConstants.PacketHandlingType packetHandlingType) {
- return AclConstants.ACL_FLOW_PRIORITY_POOL_NAME + "." + dpId + "." + tableId + "." + packetHandlingType;
- }
-
- /**
- * Gets the acl pool name.
- *
- * @param dpId the dp id
- * @param tableId the table id
- * @param packetHandling packet handling type
- * @return the acl pool name
- */
- public static String getAclPoolName(BigInteger dpId, short tableId, PacketHandling packetHandling) {
- return packetHandling instanceof Permit
- ? getAclPoolName(dpId, tableId, AclConstants.PacketHandlingType.PERMIT)
- : getAclPoolName(dpId, tableId, AclConstants.PacketHandlingType.DENY);
- }
-
- /**
- * Creates the acl id pools.
- *
- * @param dpId the dp id
- */
- public void createAclIdPools(BigInteger dpId) {
- createIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.PERMIT), AclConstants.PacketHandlingType.PERMIT);
- createIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.DENY), AclConstants.PacketHandlingType.DENY);
- createIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.PERMIT), AclConstants.PacketHandlingType.PERMIT);
- createIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.DENY), AclConstants.PacketHandlingType.DENY);
- }
-
/**
* Creates remote the acl id pools.
*/
public void createRemoteAclIdPool() {
- createIdPoolForAclId(AclConstants.ACL_ID_POOL_NAME);
+ createIdPoolForAclTag(AclConstants.ACL_TAG_POOL_NAME);
}
/**
* Delete remote the acl id pools.
*/
public void deleteRemoteAclIdPool() {
- deleteIdPool(AclConstants.ACL_ID_POOL_NAME);
+ deleteIdPool(AclConstants.ACL_TAG_POOL_NAME);
}
- /**
- * Delete acl id pools.
- *
- * @param dpId the dp id
- */
- public void deleteAclIdPools(BigInteger dpId) {
- deleteIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.PERMIT));
- deleteIdPool(getAclPoolName(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.DENY));
- deleteIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.PERMIT));
- deleteIdPool(getAclPoolName(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE,
- AclConstants.PacketHandlingType.DENY));
- }
-
- public static List<? extends MatchInfoBase> buildIpAndSrcServiceMatch(long elanTag, AllowedAddressPairs ip,
- DataBroker dataBroker, Long vpnId) {
+ public static List<? extends MatchInfoBase> buildIpAndSrcServiceMatch(Integer aclTag, AllowedAddressPairs ip,
+ DataBroker dataBroker) {
List<MatchInfoBase> flowMatches = new ArrayList<>();
- MatchMetadata metadatMatch = null;
- if (vpnId == null) {
- metadatMatch =
- new MatchMetadata(MetaDataUtil.getElanTagMetadata(elanTag), MetaDataUtil.METADATA_MASK_SERVICE);
- } else {
- metadatMatch =
- new MatchMetadata(MetaDataUtil.getVpnIdMetadata(vpnId), MetaDataUtil.METADATA_MASK_VRFID);
- }
- flowMatches.add(metadatMatch);
+ flowMatches.add(buildAclTagMetadataMatch(aclTag));
if (ip.getIpAddress().getIpAddress() != null) {
if (ip.getIpAddress().getIpAddress().getIpv4Address() != null) {
MatchEthernetType ipv4EthMatch = new MatchEthernetType(NwConstants.ETHTYPE_IPV4);
return flowMatches;
}
- public static List<? extends MatchInfoBase> buildIpAndDstServiceMatch(Long elanTag, AllowedAddressPairs ip,
- DataBroker dataBroker, Long vpnId) {
+ public static List<? extends MatchInfoBase> buildIpAndDstServiceMatch(Integer aclTag, AllowedAddressPairs ip,
+ DataBroker dataBroker) {
List<MatchInfoBase> flowMatches = new ArrayList<>();
- MatchMetadata metadatMatch = null;
- if (vpnId == null) {
- metadatMatch =
- new MatchMetadata(MetaDataUtil.getElanTagMetadata(elanTag), MetaDataUtil.METADATA_MASK_SERVICE);
- } else {
- metadatMatch =
- new MatchMetadata(MetaDataUtil.getVpnIdMetadata(vpnId), MetaDataUtil.METADATA_MASK_VRFID);
- }
- flowMatches.add(metadatMatch);
+ flowMatches.add(buildAclTagMetadataMatch(aclTag));
if (ip.getIpAddress().getIpAddress() != null) {
if (ip.getIpAddress().getIpAddress().getIpv4Address() != null) {
return flowMatches;
}
- public static boolean exactlyOneAcl(AclInterface port) {
- return (port.getSecurityGroups() != null) && (port.getSecurityGroups().size() == 1);
- }
-
public static boolean isOfAclInterest(Acl acl) {
List<Ace> aceList = acl.getAccessListEntries().getAce();
- if ((aceList != null) && !aceList.isEmpty()) {
- return (aceList.get(0).getAugmentation(SecurityRuleAttr.class) != null);
+ if (aceList != null && !aceList.isEmpty()) {
+ return aceList.get(0).getAugmentation(SecurityRuleAttr.class) != null;
}
return false;
}
InterfaceServiceUtil.mergeMetadataMatchsOrAdd(flowMatches, lportMatch);
}
- static AclInterface buildAclInterfaceState(String interfaceId, InterfaceAcl aclInPort) {
- AclInterface aclInterface = new AclInterface();
- aclInterface.setInterfaceId(interfaceId);
- aclInterface.setPortSecurityEnabled(aclInPort.isPortSecurityEnabled());
- aclInterface.setSecurityGroups(aclInPort.getSecurityGroups());
- aclInterface.setAllowedAddressPairs(aclInPort.getAllowedAddressPairs());
- return aclInterface;
+ /**
+ * Returns ACL specific key for synchronization.
+ *
+ * @param key the generic key
+ * @return ACL key that can be used with synchronization
+ */
+ public static String getAclKeyForSynchronization(String key) {
+ return key + AclConstants.ACL_SYNC_KEY_EXT;
+ }
+
+ /**
+ * Builds the ip protocol matches.
+ *
+ * @param etherType the ether type
+ * @param protocol the protocol
+ * @return the list of matches.
+ */
+ public static List<MatchInfoBase> buildIpProtocolMatches(MatchEthernetType etherType, IPProtocols protocol) {
+ return Lists.newArrayList(etherType, new MatchIpProtocol(protocol.shortValue()));
+ }
+
+ /**
+ * Does ACE have remote group id.
+ *
+ * @param aceAttr the ace attr
+ * @return true, if successful
+ */
+ public static boolean doesAceHaveRemoteGroupId(final SecurityRuleAttr aceAttr) {
+ return aceAttr.getRemoteGroupId() != null;
+ }
+
+ public SortedSet<Integer> getRemoteAclTags(List<Uuid> aclIds, Class<? extends DirectionBase> direction,
+ DataBroker dataBroker) {
+ SortedSet<Integer> remoteAclTags = new TreeSet<>();
+ Set<Uuid> remoteAclIds = AclServiceUtils.getRemoteAclIdsByDirection(aclIds, direction, dataBroker);
+ for (Uuid remoteAclId : remoteAclIds) {
+ Integer remoteAclTag = getAclTag(remoteAclId);
+ if (remoteAclTag != null && remoteAclTag != AclConstants.INVALID_ACL_TAG) {
+ remoteAclTags.add(remoteAclTag);
+ }
+ }
+ return remoteAclTags;
+ }
+
+ public static Set<Uuid> getRemoteAclIdsByDirection(List<Uuid> aclIds, Class<? extends DirectionBase> direction,
+ DataBroker broker) {
+ Set<Uuid> remoteAclIds = new HashSet<>();
+ if (aclIds == null || aclIds.isEmpty()) {
+ return remoteAclIds;
+ }
+
+ for (Uuid aclId : aclIds) {
+ Acl acl = AclServiceUtils.getAcl(broker, aclId.getValue());
+ if (null == acl) {
+ LOG.warn("ACL {} not found in config DS.", aclId.getValue());
+ continue;
+ }
+ AccessListEntries accessListEntries = acl.getAccessListEntries();
+ List<Ace> aceList = accessListEntries.getAce();
+ for (Ace ace : aceList) {
+ SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
+ if (aceAttr.getDirection().equals(direction) && doesAceHaveRemoteGroupId(aceAttr)) {
+ remoteAclIds.add(aceAttr.getRemoteGroupId());
+ }
+ }
+ }
+ return remoteAclIds;
}
}