Bug 9022: ACL: Broadcast traffic is dropped in ACL tables 51/62151/1
author: Shashidhar Raja <shashidharr@altencalsoftlabs.com>
        Mon, 21 Aug 2017 14:20:21 +0000 (19:50 +0530)
committer: Vivekanandan Narasimhan <n.vivekanandan@ericsson.com>
        Tue, 22 Aug 2017 11:59:57 +0000 (11:59 +0000)
commit a6b0153d497356daa7a9f9ad91076374535a1d9a
tree e95a26174df94a1b5b6489ab2ef0a8bf1fee7e15
parent 9f924b40e048ec1967f6a7b2c6d32064f1ea3887
Bug 9022: ACL: Broadcast traffic is dropped in ACL tables

This fix enables ACL to permit Broadcast Traffic (Both IP and Non IP).

Related to IP Broadcast, Subnet-Directed Broadcast and All-Subnet
Broadcast traffic on the same network is allowed provided one of
the conditions specified below is met:
  (a) The ports that want to communicate share the same
      remote-security-group
  (b) The ports that want to communicate allow the other port's IP Address
      in remote-ip-prefix
  (c) The ports that want to communicate have a security-group with
      remote-ip-prefix of 0.0.0.0/0.

IP Broadcast flows configured in VM Ingress ACL table (table 241) are as
below:

all-subnet flow:
cookie=0x6900000, duration=1463.293s, table=241, n_packets=0, n_bytes=0,
       priority=61010,ip,dl_dst=ff:ff:ff:ff:ff:ff,nw_dst=255.255.255.255
       actions=goto_table:242

subnet-directed flow:
cookie=0x6900000, duration=975.798s, table=241, n_packets=0, n_bytes=0,
       priority=61010,ip,metadata=0x10000000000/0x1fffff0000000000,
       dl_dst=ff:ff:ff:ff:ff:ff,nw_dst=10.1.1.255 actions=goto_table:242

Non IP Broadcast flows (with lower priority than other flows - 61005)
configured in VM Egress(211) and Ingress(241) tables are as below:

cookie=0x6900000, duration=30.298s, table=211, n_packets=0, n_bytes=0,
       priority=61005,metadata=0x10000000000/0x1fffff0000000000,
       dl_src=fa:16:3e:a9:4d:81 actions=resubmit(,17)

cookie=0x6900000, duration=901.855s, table=241, n_packets=0, n_bytes=0,
       priority=61005,dl_dst=ff:ff:ff:ff:ff:ff actions=resubmit(,220)

Below are change details:
 - Updated to add a flow to allow broadcast traffic with destination
   address 255.255.255.255. Changes related to this are in
   AclNodeListener.java
 - Updated to add flows at port level for subnetwork's broadcast addresses
 - Updated to add flows in 211/241 for Non-IP broadcast traffic
 - Updated to add ARP/IP/IPv6 default drop flows with lower priority than
   respective flows and higher priority than non-ip broadcast flow
 - New yang definition introduced in ACL for higher modules (Neutron VPN
   in our case) to pass broadcast CIDRs when ACL Interface is created
 - NeutronVpn is updated to pass subnet CIDRs when ACL Interface is
   created

Change-Id: I71c5040454b3c00af43dcef4f47b5979cd7cf3a5
Signed-off-by: Shashidhar Raja <shashidharr@altencalsoftlabs.com>
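The priority layering described in the commit message (permit flows at 61010, ARP/IP/IPv6 default drops below them, the catch-all non-IP broadcast flow at 61005) is what keeps the non-IP broadcast flow from silently admitting IP frames that no specific rule permitted, since that flow matches only on dl_dst=ff:ff:ff:ff:ff:ff with no ethertype. The following is an added example that is not part of this commit or of the OpenDaylight netvirt code base: a small Python model that derives the subnet-directed broadcast address from a CIDR, renders flows in the ovs-ofctl style shown above, and resolves a packet against the table by priority. It assumes a default-drop priority of 61006 (the message only says "between" the two), exact-match metadata instead of OVS's masked match, and omits the ACL's ARP permit flows; the lport metadata value and sample packets are constructed.

```python
"""Toy model of the table-241 broadcast flows from this commit.

Constructed example, not netvirt code. Assumed: drop priority 61006,
exact-match metadata, no ARP permit flows.
"""
import ipaddress

BCAST_MAC = "ff:ff:ff:ff:ff:ff"
PRIO_IP_BCAST = 61010       # all-subnet / subnet-directed IP broadcast permits (from the commit)
PRIO_NON_IP_BCAST = 61005   # catch-all non-IP broadcast (from the commit)
PRIO_DEFAULT_DROP = 61006   # ASSUMED: the commit only says "between" the two
LPORT_METADATA = "0x10000000000"  # constructed lport metadata for port A


def subnet_broadcast(cidr):
    """Subnet-directed broadcast address of a CIDR, e.g. 10.1.1.0/24 -> 10.1.1.255."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def build_ingress_flows(port_cidrs, lport_metadata, drop_priority=PRIO_DEFAULT_DROP):
    """Flows a port's ingress ACL table would carry after this change (modelled)."""
    flows = [{"priority": PRIO_IP_BCAST,
              "match": {"eth_type": "ip", "dl_dst": BCAST_MAC, "nw_dst": "255.255.255.255"},
              "actions": "goto_table:242"}]
    # One subnet-directed broadcast permit per subnet the port belongs to,
    # scoped to the port via its metadata.
    for cidr in port_cidrs:
        flows.append({"priority": PRIO_IP_BCAST,
                      "match": {"eth_type": "ip", "metadata": lport_metadata,
                                "dl_dst": BCAST_MAC, "nw_dst": subnet_broadcast(cidr)},
                      "actions": "goto_table:242"})
    # Per-ethertype default drops: below the permits, above the non-IP catch-all.
    for proto in ("arp", "ip", "ipv6"):
        flows.append({"priority": drop_priority, "match": {"eth_type": proto}, "actions": "drop"})
    # Non-IP broadcast catch-all: matches on destination MAC only.
    flows.append({"priority": PRIO_NON_IP_BCAST, "match": {"dl_dst": BCAST_MAC},
                  "actions": "resubmit(,220)"})
    return flows


def render(flow):
    """ovs-ofctl style text for one flow, in the field order used in the commit."""
    parts = ["priority=%d" % flow["priority"]]
    for key, value in flow["match"].items():
        parts.append(value if key == "eth_type" else "%s=%s" % (key, value))
    return ",".join(parts) + " actions=" + flow["actions"]


def lookup(flows, packet):
    """Action of the highest-priority flow whose match fields all equal the packet's."""
    best = None
    for flow in flows:
        if all(packet.get(k) == v for k, v in flow["match"].items()):
            if best is None or flow["priority"] > best["priority"]:
                best = flow
    return best["actions"] if best else "table-miss"


def demo():
    """Resolve a few constructed packets; returns {label: action} for inspection."""
    flows = build_ingress_flows(["10.1.1.0/24"], LPORT_METADATA)
    pkts = {
        "all-subnet":      {"eth_type": "ip", "dl_dst": BCAST_MAC, "nw_dst": "255.255.255.255"},
        "subnet-directed": {"eth_type": "ip", "metadata": LPORT_METADATA,
                            "dl_dst": BCAST_MAC, "nw_dst": "10.1.1.255"},
        "other-port":      {"eth_type": "ip", "metadata": "0x20000000000",
                            "dl_dst": BCAST_MAC, "nw_dst": "10.1.1.255"},
        "ip-unicast":      {"eth_type": "ip", "dl_dst": "fa:16:3e:00:00:01", "nw_dst": "10.1.1.5"},
        "non-ip-bcast":    {"eth_type": "lldp", "dl_dst": BCAST_MAC},
    }
    return {name: lookup(flows, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print("%-16s %s" % (name, action))
```

Calling build_ingress_flows with drop_priority below 61005 shows the failure mode the ordering prevents: an IP frame addressed to the broadcast MAC with a non-permitted nw_dst then falls through to the non-IP catch-all and is forwarded instead of dropped.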
17 files changed:
vpnservice/aclservice/api/src/main/java/org/opendaylight/netvirt/aclservice/api/utils/AclInterface.java
vpnservice/aclservice/api/src/main/yang/aclservice.yang
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractAclServiceImpl.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractEgressAclServiceImpl.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractIngressAclServiceImpl.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentEgressAclServiceImpl.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentIngressAclServiceImpl.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/listeners/AclInterfaceListener.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/listeners/AclInterfaceStateListener.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/listeners/AclNodeListener.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/utils/AclConstants.java
vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/utils/AclServiceUtils.java
vpnservice/aclservice/impl/src/test/java/org/opendaylight/netvirt/aclservice/tests/FlowEntryObjectsBase.xtend
vpnservice/aclservice/impl/src/test/java/org/opendaylight/netvirt/aclservice/tests/FlowEntryObjectsStateful.xtend
vpnservice/aclservice/impl/src/test/java/org/opendaylight/netvirt/aclservice/tests/FlowEntryObjectsStateless.xtend
vpnservice/neutronvpn/neutronvpn-impl/src/main/java/org/opendaylight/netvirt/neutronvpn/NeutronPortChangeListener.java
vpnservice/neutronvpn/neutronvpn-impl/src/main/java/org/opendaylight/netvirt/neutronvpn/NeutronvpnUtils.java