import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefixBuilder;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv6Prefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.Action;
private volatile SecurityGroupCacheManger securityGroupCacheManger;
private static final int DHCP_SOURCE_PORT = 67;
private static final int DHCP_DESTINATION_PORT = 68;
+ private static final int DHCPV6_SOURCE_PORT = 547;
+ private static final int DHCPV6_DESTINATION_PORT = 546;
private static final String HOST_MASK = "/32";
+ private static final String V6_HOST_MASK = "/128";
private static final int PORT_RANGE_MIN = 1;
private static final int PORT_RANGE_MAX = 65535;
continue;
}
- if ("IPv4".equals(portSecurityRule.getSecurityRuleEthertype())
- && portSecurityRule.getSecurityRuleDirection().equals("egress")) {
- LOG.debug("programPortSecurityGroup: Acl Rule matching IPv4 and ingress is: {} ", portSecurityRule);
+ if (portSecurityRule.getSecurityRuleDirection().equals("egress")) {
+ LOG.debug("programPortSecurityGroup: Acl Rule matching IP and ingress is: {} ", portSecurityRule);
if (null != portSecurityRule.getSecurityRemoteGroupID()) {
//Remote Security group is selected
List<Neutron_IPs> remoteSrcAddressList = securityServicesManager
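Review bot: The new condition at L22 calls `.equals` on the rule's direction, which throws NullPointerException for a rule that arrives without a direction, while the ingress counterpart in this same change is written null-safe; `if ("egress".equals(portSecurityRule.getSecurityRuleDirection())) {` matches it and the form the removed `"IPv4".equals(...)` check used. The rewritten debug line at L23 still says "ingress" in the egress path; `LOG.debug("programPortSecurityGroup: Acl Rule matching IP and egress is: {} ", portSecurityRule);` is the intended text. The enclosing method starts and ends outside the hunk.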
Neutron_IPs vmIp, boolean write) {
if (null == portSecurityRule.getSecurityRuleProtocol()) {
/* TODO Rework on the priority values */
- egressAclIPv4(dpid, segmentationId, attachedMac,
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ egressAclIP(dpid, isIpv6, segmentationId, attachedMac,
write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
} else {
String ipaddress = null;
if (null != vmIp) {
ipaddress = vmIp.getIpAddress();
- try {
- InetAddress address = InetAddress.getByName(ipaddress);
- // TODO: remove this when ipv6 support is implemented
- if (address instanceof Inet6Address) {
- LOG.debug("Skipping ip address {}. IPv6 support is not yet implemented.", address);
- return;
- }
- } catch (UnknownHostException e) {
- LOG.warn("Invalid ip address {}", ipaddress, e);
- return;
- }
- }
-
- if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
- String prefixStr = portSecurityRule.getSecurityRuleRemoteIpPrefix();
- try {
- IpPrefix ipPrefix = IpPrefixBuilder.getDefaultInstance(prefixStr);
- // TODO: remove this when ipv6 support is implemented
- if (ipPrefix.getIpv6Prefix() != null) {
- LOG.debug("Skipping ip prefix {}. IPv6 support is not yet implemented.", ipPrefix);
- return;
- }
- } catch (IllegalArgumentException e) {
- LOG.warn("Invalid ip prefix {}", prefixStr, e);
- return;
- }
}
switch (portSecurityRule.getSecurityRuleProtocol()) {
Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
break;
case MatchUtils.ICMP:
+ case MatchUtils.ICMPV6:
LOG.debug("programPortSecurityRule: Rule matching ICMP", portSecurityRule);
egressAclIcmp(dpid, segmentationId, attachedMac,
portSecurityRule, ipaddress,write,
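Review bot: Dropping the validation block (the removed `IpPrefixBuilder.getDefaultInstance` and `InetAddress.getByName` sections) removes the only place a malformed remote prefix or address was logged and skipped; the per-protocol helpers now pass the raw string to `new Ipv4Prefix(...)` / `new Ipv6Prefix(...)` and `iPv6PrefixFromIPv6Address(dstAddress)`, so one bad rule throws IllegalArgumentException out of this method and, as far as the hunk shows, aborts programming of the remaining rules for the port. A related case is a remote-group address whose family does not match the rule's ethertype (a dual-stack remote port yields IPv4 entries for an IPv6 rule): the removed code skipped these, whereas the new code derives `isIpv6` from the ethertype alone at L31 and would hand an IPv4 string to the IPv6 prefix builder. Keep a family check on `vmIp` before the switch and catch IllegalArgumentException around the helper calls, logging and continuing as before; `"IPv6".equals(portSecurityRule.getSecurityRuleEthertype())` also avoids the NPE on a missing ethertype. The ingress twin (the hunk beginning `long localPort, NeutronSecurityRule portSecurityRule,`) removes the same validation. The enclosing method starts and ends outside the hunk.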
boolean write, Integer priority) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_Other_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null);
short proto = 0;
try {
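Review bot: `egressAclOther` is switched to `createV4EtherMatchWithType` only at L77, so an IPv6 rule with a numeric protocol (the non-TCP/UDP/ICMP branch of the switch) is programmed as an IPv4 ether-type match and never permits the intended IPv6 traffic, while the TCP, UDP and ICMP helpers received an `isIpv6` branch in this same change. Assuming `portSecurityRule` is a parameter here as in the ingress twin, apply the same `boolean isIpv6 = "IPv6".equals(portSecurityRule.getSecurityRuleEthertype());` selection before choosing the ether match; `ingressAclOther` (the hunk containing `"Ingress_Other_"`) has the same gap. The method's signature and the rest of its body are outside the hunk.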
// If it is the only port in the bridge add the rule to allow any DHCP client traffic
//if (isLastPortinBridge) {
egressAclDhcpAllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
+ egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
// }
if (isComputePort) {
programArpRule(dpid, segmentationId, localPort, attachedMac, write);
// add rule to drop the DHCP server traffic originating from the vm.
egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
+ egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
+ Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
//Adds rule to check legitimate ip/mac pair for each packet from the vm
for (Neutron_IPs srcAddress : srcAddressList) {
try {
String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
- } else {
- LOG.debug("Skipping IPv6 address {}. IPv6 support is not yet implemented.",
- srcAddress.getIpAddress());
+ } else if (address instanceof Inet6Address) {
+ String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK;
+ egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix,
+ Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
}
} catch(UnknownHostException e) {
LOG.warn("Invalid IP address {}", srcAddress.getIpAddress());
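Review bot: The IPv6 fixed rules added here (DHCPv6 client allow, DHCPv6 server drop, IP/MAC pair allow) cover only the port's fixed IPv6 addresses, and nothing in the hunk admits ICMPv6 neighbour discovery or router solicitation sent from the VM's link-local address; if the table's default for a compute port is drop, as the per-address allow rules imply, the VM cannot resolve neighbours or learn its router, so IPv6 connectivity would stay down — confirm against the rest of the pipeline. Whatever the outcome, a comment at the `egressAclDhcpv6AllowClientTrafficFromVm` call stating which IPv6 control traffic is and is not yet permitted would save the next reader the same investigation. The enclosing method starts and ends outside the hunk.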
MatchBuilder matchBuilder = new MatchBuilder();
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
String flowName = "Egress_Fixed_Conntrk_Untrk_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder, attachMac, null);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, attachMac, null);
matchBuilder = MatchUtils.addCtState(matchBuilder,0x00,0X80);
FlowBuilder flowBuilder = new FlowBuilder();
flowBuilder.setMatch(matchBuilder.build());
}
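Review bot: The conntrack untracked flow at L112 is now explicitly IPv4 (`createV4EtherMatchWithType`), so with conntrack enabled IPv6 frames never enter the tracker, and the IPv6 ACL helpers in this change pass a literal `false` for the conntrack flag (e.g. `egressAclIcmpV6`) while their IPv4 twins pass `securityServicesManager.isConntrackEnabled()`; the net effect, as far as the hunk shows, is that IPv6 security groups are stateless while IPv4 ones are stateful. That asymmetry should be recorded at this line, e.g. `// IPv4 only: IPv6 traffic is not sent through conntrack yet, so the v6 ACL flows are programmed stateless`. The ingress conntrack flows (`Ingress_Fixed_Conntrk_Untrk_`, `_TrkEst_`, `_NewDrop_`) carry the same restriction. The enclosing method starts and ends outside the hunk.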
/**
- * Allows IPv4 packet egress from the src mac address.
+ * Allows IPv4/v6 packet egress from the src mac address.
* @param dpidLong the dpid
* @param segmentationId the segementation id
* @param srcMac the src mac address
* @param write add or remove
* @param protoPortMatchPriority the protocol match priority.
*/
- private void egressAclIPv4(Long dpidLong, String segmentationId, String srcMac,
+ private void egressAclIP(Long dpidLong, boolean isIpv6, String segmentationId, String srcMac,
boolean write, Integer protoPortMatchPriority ) {
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_IP" + segmentationId + "_" + srcMac + "_Permit_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ if (isIpv6) {
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ } else {
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null);
+ }
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false);
}
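Review bot: `egressAclIP` builds the same `flowId` (`"Egress_IP" + segmentationId + "_" + srcMac + "_Permit_"`, L131) for both values of `isIpv6`, so a group holding an allow-all IPv4 rule and an allow-all IPv6 rule produces two flows with one id; if `syncFlow` keys on the id (its body is not in the hunk), the second write replaces the first and removing either rule removes the surviving flow. Fold the family into the id: `String flowId = (isIpv6 ? "Egress_IPv6" : "Egress_IP") + segmentationId + "_" + srcMac + "_Permit_";`. The same shared id appears in the TCP (`"Egress_TCP_"`), UDP (`"Egress_UDP_"`) and ICMPv6 (`"Egress_ICMP_"`) helpers and in the ingress twins (`"Ingress_IP"`, `"Ingress_TCP_"`, `"Ingress_UDP_"`).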
boolean portRange = false;
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_TCP_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ if (isIpv6) {
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ } else {
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null);
+ }
/* Custom TCP Match */
if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
}
if (null != dstAddress) {
flowId = flowId + dstAddress;
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
- MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
-
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ MatchUtils.iPv6PrefixFromIPv6Address(dstAddress));
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+ }
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
+ }
}
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
if (portRange) {
}
}
+ private void egressAclIcmp(Long dpidLong, String segmentationId, String srcMac,
+ NeutronSecurityRule portSecurityRule, String dstAddress,
+ boolean write, Integer protoPortMatchPriority) {
+
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ if (isIpv6) {
+ egressAclIcmpV6(dpidLong, segmentationId, srcMac, portSecurityRule, dstAddress, write, protoPortMatchPriority);
+ } else {
+ egressAclIcmpV4(dpidLong, segmentationId, srcMac, portSecurityRule, dstAddress, write, protoPortMatchPriority);
+ }
+ }
+
/**
- * Creates a egress match with src macaddress. If dest address is specified
+ * Creates a icmp egress match with src macaddress. If dest address is specified
* destination specific match will be created. Otherwise a match with a
* CIDR will be created.
* @param dpidLong the dpid
* @param write add or delete
* @param protoPortMatchPriority the protocol match priority
*/
- private void egressAclIcmp(Long dpidLong, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer protoPortMatchPriority) {
+ private void egressAclIcmpV4(Long dpidLong, String segmentationId, String srcMac,
+ NeutronSecurityRule portSecurityRule, String dstAddress,
+ boolean write, Integer protoPortMatchPriority) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_ICMP_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null);
/*Custom ICMP Match */
if (portSecurityRule.getSecurityRulePortMin() != null &&
portSecurityRule.getSecurityRulePortMax() != null) {
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled());
}
+ /**
+ * Creates a icmpv6 egress match with src macaddress. If dest address is specified
+ * destination specific match will be created. Otherwise a match with a
+ * CIDR will be created.
+ * @param dpidLong the dpid
+ * @param segmentationId the segmentation id
+ * @param srcMac the source mac address.
+ * @param portSecurityRule the security rule in the SG
+ * @param dstAddress the source IP address
+ * @param write add or delete
+ * @param protoPortMatchPriority the protocol match priority
+ */
+ private void egressAclIcmpV6(Long dpidLong, String segmentationId, String srcMac,
+ NeutronSecurityRule portSecurityRule, String dstAddress,
+ boolean write, Integer protoPortMatchPriority) {
+
+ MatchBuilder matchBuilder = new MatchBuilder();
+ String flowId = "Egress_ICMP_" + segmentationId + "_" + srcMac + "_";
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+
+ /*Custom ICMP Match */
+ if (portSecurityRule.getSecurityRulePortMin() != null &&
+ portSecurityRule.getSecurityRulePortMax() != null) {
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin().shortValue() + "_"
+ + portSecurityRule.getSecurityRulePortMax().shortValue() + "_";
+ matchBuilder = MatchUtils.createICMPv6Match(matchBuilder,
+ portSecurityRule.getSecurityRulePortMin().shortValue(),
+ portSecurityRule.getSecurityRulePortMax().shortValue());
+ } else {
+ /* All ICMP Match */ // We are getting from neutron NULL for both min and max
+ flowId = flowId + "all" + "_" ;
+ matchBuilder = MatchUtils.createICMPv6Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
+ }
+ if (null != dstAddress) {
+ flowId = flowId + dstAddress;
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ MatchUtils.iPv6PrefixFromIPv6Address(dstAddress));
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
+ }
+ flowId = flowId + "_Permit";
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false);
+ }
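Review bot: `egressAclIcmpV6` passes a literal `false` as the conntrack argument of `syncFlow` at L261 where `egressAclIcmpV4` passes `securityServicesManager.isConntrackEnabled()` at L215, so ICMPv6 rules are programmed stateless even when conntrack is on; if that is deliberate because the fixed conntrack flows are IPv4-only, say so in a comment on L261, otherwise pass the same flag. The Javadoc at L225 reads `@param dstAddress the source IP address`; it should say `@param dstAddress the destination IP address`. The new dispatcher `egressAclIcmp` at L181 has no Javadoc while the comment that described it now sits on `egressAclIcmpV4`; add `/** Programs the ICMP egress rule, selecting the ICMPv6 or ICMPv4 match from the rule's ethertype. */` with the existing @param lines above L181. The `"Egress_ICMP_"` id prefix at L234 is shared with the IPv4 helper, so an all-ICMP v4 rule and an all-ICMPv6 rule without a remote prefix map to one flow id.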
+
/**
* Creates a egress match with src macaddress. If dest address is specified
* destination specific match will be created. Otherwise a match with a
boolean portRange = false;
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_UDP_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,srcMac,null);
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ if (isIpv6) {
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ } else {
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null);
+ }
/* Custom UDP Match */
if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
}
if (null != dstAddress) {
flowId = flowId + dstAddress;
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
- MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ MatchUtils.iPv6PrefixFromIPv6Address(dstAddress));
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+ }
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
- new Ipv4Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()));
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
+ new Ipv6Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()));
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()));
+ }
}
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
if (portRange) {
}
}
- public void egressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
- int priority, boolean write) {
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "TCP_Syn_Egress_Default_Drop_" + segmentationId + "_" + attachedMac;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSmacTcpPortWithFlagMatch(matchBuilder, attachedMac, Constants.TCP_SYN, segmentationId);
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructions = Lists.newArrayList();
-
- InstructionUtils.createDropInstructions(ib);
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructions.add(ib.build());
- isb.setInstruction(instructions);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- Integer securityRulePortMin, String securityRuleIpPrefix,
- Integer priority) {
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
-
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "UcastEgress_" + segmentationId + "_" + attachedMac
- + securityRulePortMin + securityRuleIpPrefix;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
- tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix);
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- String securityRuleProtcol, Integer priority) {
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "EgressAllProto_" + segmentationId + "_"
- + attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null);
- MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId));
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
- boolean write, String securityRuleIpPrefix, Integer priority) {
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "Egress_Proto_ACL" + segmentationId + "_" +
- attachedMac + "_Permit_" + securityRuleIpPrefix;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId));
- if (securityRuleIpPrefix != null) {
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
- MatchUtils.createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix);
- } else {
- MatchUtils.createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null);
- }
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void egressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- Integer securityRulePortMin, Integer priority) {
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
-
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = new FlowBuilder();
- String flowName = "Ucast_this.getTable()" + segmentationId + "_" + attachedMac + securityRulePortMin;
- FlowUtils.initFlowBuilder(flowBuilder, flowName, getTable()).setPriority(priority);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSmacTcpSyn(matchBuilder, attachedMac, tcpPort, Constants.TCP_SYN, segmentationId);
- flowBuilder.setMatch(matchBuilder.build());
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
/**
* Adds flow to allow any DHCP client traffic.
*
syncFlow(flowName, nodeBuilder, matchBuilder, priority, write, false, false);
}
+ /**
+ * Adds flow to allow any DHCP IPv6 client traffic.
+ *
+ * @param dpidLong the dpid
+ * @param write whether to write or delete the flow
+ * @param priority the priority
+ */
+ private void egressAclDhcpv6AllowClientTrafficFromVm(Long dpidLong,
+ boolean write, Integer priority) {
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ String flowName = "Egress_DHCPv6_Client" + "_Permit_";
+ MatchBuilder matchBuilder = new MatchBuilder();
+ MatchUtils.createDhcpv6Match(matchBuilder, DHCPV6_DESTINATION_PORT, DHCPV6_SOURCE_PORT);
+ syncFlow(flowName, nodeBuilder, matchBuilder, priority, write, false, false);
+ }
+
/**
* Adds rule to prevent DHCP spoofing by the vm attached to the port.
*
syncFlow(flowName, nodeBuilder, matchBuilder, priority, write, true, false);
}
+ /**
+ * Adds rule to prevent DHCPv6 spoofing by the vm attached to the port.
+ *
+ * @param dpidLong the dpid
+ * @param localPort the local port
+ * @param write is write or delete
+ * @param priority the priority
+ */
+ private void egressAclDhcpv6DropServerTrafficfromVm(Long dpidLong, long localPort,
+ boolean write, Integer priority) {
+
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ String flowName = "Egress_DHCPv6_Server" + "_" + localPort + "_DROP_";
+ MatchBuilder matchBuilder = new MatchBuilder();
+ MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
+ MatchUtils.createDhcpv6Match(matchBuilder, DHCPV6_SOURCE_PORT, DHCPV6_DESTINATION_PORT);
+ syncFlow(flowName, nodeBuilder, matchBuilder, priority, write, true, false);
+ }
+
/**
* Adds rule to check legitimate ip/mac pair for each packet from the vm.
*
syncFlow(flowName, nodeBuilder, matchBuilder, priority, write, false, false);
}
+ /**
+ * Adds rule to check legitimate ip/mac pair for each packet from the vm.
+ *
+ * @param dpidLong the dpid
+ * @param localPort the local port
+ * @param srcIp the vm ip address
+ * @param attachedMac the vm mac address
+ * @param priority the priority
+ * @param write is write or delete
+ */
+ private void egressAclAllowTrafficFromVmIpV6MacPair(Long dpidLong, long localPort,
+ String attachedMac, String srcIp,
+ Integer priority, boolean write) {
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ String flowName = "Egress_Allow_VM_IPv6_MAC" + "_" + localPort + attachedMac + "_Permit_";
+ MatchBuilder matchBuilder = new MatchBuilder();
+ MatchUtils.createSrcL3Ipv6MatchWithMac(matchBuilder, new Ipv6Prefix(srcIp),new MacAddress(attachedMac));
+ MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
+ LOG.debug("egressAclAllowTrafficFromVmIpMacPair: MatchBuilder contains: {}", matchBuilder);
+ syncFlow(flowName, nodeBuilder, matchBuilder, priority, write, false, false);
+ }
+
/**
* Add or remove flow to the node.
*
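Review bot: The flow name in `egressAclAllowTrafficFromVmIpV6MacPair` (L533) is built from `localPort` and `attachedMac` only, so a port with two IPv6 fixed addresses yields two flows with the same name; if `syncFlow` keys on the name, the second call replaces the first and traffic from the first address is dropped by the anti-spoof default (the IPv4 helper is outside the hunk, so it may share the issue). Include the address: `String flowName = "Egress_Allow_VM_IPv6_MAC" + "_" + localPort + attachedMac + "_" + srcIp + "_Permit_";`. The debug line at L537 names the IPv4 twin; use `LOG.debug("egressAclAllowTrafficFromVmIpV6MacPair: MatchBuilder contains: {}", matchBuilder);`.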
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.IpPrefixBuilder;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv6Prefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.Action;
continue;
}
- if ("IPv4".equals(portSecurityRule.getSecurityRuleEthertype())
- && "ingress".equals(portSecurityRule.getSecurityRuleDirection())) {
- LOG.debug("programPortSecurityGroup: Rule matching IPv4 and ingress is: {} ", portSecurityRule);
+ if ("ingress".equals(portSecurityRule.getSecurityRuleDirection())) {
+ LOG.debug("programPortSecurityGroup: Rule matching IP and ingress is: {} ", portSecurityRule);
if (null != portSecurityRule.getSecurityRemoteGroupID()) {
//Remote Security group is selected
List<Neutron_IPs> remoteSrcAddressList = securityServicesManager
long localPort, NeutronSecurityRule portSecurityRule,
Neutron_IPs vmIp, boolean write) {
if (null == portSecurityRule.getSecurityRuleProtocol()) {
- ingressAclIPv4(dpid, segmentationId, attachedMac,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ ingressAclIP(dpid, isIpv6, segmentationId, attachedMac,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
} else {
String ipaddress = null;
if (null != vmIp) {
ipaddress = vmIp.getIpAddress();
- try {
- InetAddress address = InetAddress.getByName(ipaddress);
- // TODO: remove this when ipv6 support is implemented
- if (address instanceof Inet6Address) {
- LOG.debug("Skipping ip address {}. IPv6 support is not yet implemented.", address);
- return;
- }
- } catch (UnknownHostException e) {
- LOG.warn("Invalid ip address {}", ipaddress, e);
- return;
- }
- }
-
- if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
- String ipPrefixStr = portSecurityRule.getSecurityRuleRemoteIpPrefix();
- try {
- IpPrefix ipPrefix = IpPrefixBuilder.getDefaultInstance(ipPrefixStr);
- // TODO: remove this when ipv6 support is implemented
- if (ipPrefix.getIpv6Prefix() != null) {
- LOG.debug("Skipping ip prefix {}. IPv6 support is not yet implemented.", ipPrefix);
- return;
- }
- } catch (IllegalArgumentException e) {
- LOG.warn("Invalid ip prefix {}", ipPrefixStr, e);
- return;
- }
- }
+ }
switch (portSecurityRule.getSecurityRuleProtocol()) {
case MatchUtils.TCP:
write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
break;
case MatchUtils.ICMP:
+ case MatchUtils.ICMPV6:
LOG.debug("programPortSecurityRule: Rule matching ICMP", portSecurityRule);
ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_Other_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac);
short proto = 0;
try {
Integer protocol = new Integer(portSecurityRule.getSecurityRuleProtocol());
if (isLastPortinSubnet && isComputePort ) {
ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress,
write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+ ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress,
+ write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
}
if (isComputePort) {
if (securityServicesManager.isConntrackEnabled()) {
MatchBuilder matchBuilder = new MatchBuilder();
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
String flowName = "Ingress_Fixed_Conntrk_Untrk_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,attachMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac);
matchBuilder = MatchUtils.addCtState(matchBuilder,0x00, 0x80);
FlowBuilder flowBuilder = new FlowBuilder();
flowBuilder.setMatch(matchBuilder.build());
MatchBuilder matchBuilder = new MatchBuilder();
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
String flowName = "Ingress_Fixed_Conntrk_TrkEst_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,attachMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac);
matchBuilder = MatchUtils.addCtState(matchBuilder,0x82, 0x82);
FlowBuilder flowBuilder = new FlowBuilder();
flowBuilder.setMatch(matchBuilder.build());
MatchBuilder matchBuilder = new MatchBuilder();
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
String flowName = "Ingress_Fixed_Conntrk_NewDrop_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,attachMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac);
matchBuilder = MatchUtils.addCtState(matchBuilder,0x01, 0x01);
FlowBuilder flowBuilder = new FlowBuilder();
flowBuilder.setMatch(matchBuilder.build());
}
/**
- * Allows IPv4 packet ingress to the destination mac address.
+ * Allows an IPv4/v6 packet ingress to the destination mac address.
* @param dpidLong the dpid
* @param segmentationId the segementation id
* @param dstMac the destination mac address
* @param write add or remove
* @param protoPortMatchPriority the protocol match priority.
*/
- private void ingressAclIPv4(Long dpidLong, String segmentationId, String dstMac,
- boolean write, Integer protoPortMatchPriority ) {
+ private void ingressAclIP(Long dpidLong, boolean isIpv6, String segmentationId, String dstMac,
+ boolean write, Integer protoPortMatchPriority ) {
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_IP" + segmentationId + "_" + dstMac + "_Permit_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
+ if (isIpv6) {
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ }else {
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac);
+ }
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled());
-
}
+
/**
* Creates a ingress match to the dst macaddress. If src address is specified
* source specific match will be created. Otherwise a match with a CIDR will
boolean portRange = false;
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_TCP_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ if (isIpv6) {
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ } else {
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac);
+ }
/* Custom TCP Match*/
if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
}
if (null != srcAddress) {
flowId = flowId + srcAddress;
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress),null);
-
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
+ MatchUtils.iPv6PrefixFromIPv6Address(srcAddress),null);
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress),null);
+ }
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
+ new Ipv6Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
+ }
}
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
if (portRange) {
NeutronSecurityRule portSecurityRule, String srcAddress,
boolean write, Integer protoPortMatchPriority ) {
boolean portRange = false;
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_UDP_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
+ if (isIpv6) {
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ }else {
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac);
+ }
/* Custom UDP Match */
if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
}
if (null != srcAddress) {
flowId = flowId + srcAddress;
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
-
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
+ MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null);
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
+ }
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
+ new Ipv6Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
+ } else {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
+ }
}
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
if (portRange) {
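Review bot: The source/prefix selection added here (`addRemoteIpv6Prefix` vs `addRemoteIpPrefix` under `isIpv6`, for both the `srcAddress` and the `getSecurityRuleRemoteIpPrefix()` case) is a line-for-line copy of the TCP variant earlier in the file and of the ICMPv6 method further down; with several copies of the same ethertype switch the v4 and v6 paths will drift (the ICMPv4 method already treats a `/0` remote prefix specially where this one does not). A single private helper keeps the address-family decision in one place; the callers keep their own `flowId = flowId + ...` concatenation and pass `portSecurityRule.getSecurityRuleRemoteIpPrefix()` as the prefix argument. The enclosing method starts and ends outside this hunk.

```java
/** Adds the remote (source) IP match: a host match when srcAddress is given, else the rule's remote prefix. */
private static MatchBuilder addRemoteSourceMatch(MatchBuilder matchBuilder, boolean isIpv6,
                                                 String srcAddress, String remoteIpPrefix) {
    if (srcAddress != null) {
        return isIpv6
            ? MatchUtils.addRemoteIpv6Prefix(matchBuilder, MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null)
            : MatchUtils.addRemoteIpPrefix(matchBuilder, MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
    }
    if (remoteIpPrefix != null) {
        return isIpv6
            ? MatchUtils.addRemoteIpv6Prefix(matchBuilder, new Ipv6Prefix(remoteIpPrefix), null)
            : MatchUtils.addRemoteIpPrefix(matchBuilder, new Ipv4Prefix(remoteIpPrefix), null);
    }
    return matchBuilder;
}
```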
}
}
+ private void ingressAclIcmp(Long dpidLong, String segmentationId, String dstMac,
+ NeutronSecurityRule portSecurityRule, String srcAddress,
+ boolean write, Integer protoPortMatchPriority) {
+
+ boolean isIpv6 = portSecurityRule.getSecurityRuleEthertype().equals("IPv6");
+ if (isIpv6) {
+ ingressAclIcmpV6(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress, write, protoPortMatchPriority);
+ } else {
+ ingressAclIcmpV4(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress, write, protoPortMatchPriority);
+ }
+ }
+
/**
- * Creates a ingress match to the dst macaddress. If src address is specified
+ * Creates a ingress icmp match to the dst macaddress. If src address is specified
* source specific match will be created. Otherwise a match with a CIDR will
* be created.
* @param dpidLong the dpid
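Review bot: The new `ingressAclIcmp` dispatcher decides the address family with `portSecurityRule.getSecurityRuleEthertype().equals("IPv6")`, which dereferences the ethertype without a null check, and the same expression is now repeated in the TCP and UDP methods of this file. A single null-safe helper, `private static boolean isIpv6(NeutronSecurityRule rule) { return "IPv6".equals(rule.getSecurityRuleEthertype()); }`, keeps the literal and the null handling in one place and lets the dispatcher read `if (isIpv6(portSecurityRule)) { ... }`. The dispatcher also has no Javadoc while both methods it delegates to do; a one-liner such as `/** Routes an ICMP security rule to the ICMPv4 or ICMPv6 match builder according to the rule's ethertype. */` would match the file's style.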
* @param write add or delete
* @param protoPortMatchPriority the protocol match priority
*/
- private void ingressAclIcmp(Long dpidLong, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority) {
+ private void ingressAclIcmpV4(Long dpidLong, String segmentationId, String dstMac,
+ NeutronSecurityRule portSecurityRule, String srcAddress,
+ boolean write, Integer protoPortMatchPriority) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac);
/* Custom ICMP Match */
if (portSecurityRule.getSecurityRulePortMin() != null &&
if (null != srcAddress) {
flowId = flowId + srcAddress;
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled());
}
+ /**
+ * Creates a ingress icmpv6 match to the dst macaddress. If src address is specified
+ * source specific match will be created. Otherwise a match with a CIDR will
+ * be created.
+ * @param dpidLong the dpid
+ * @param segmentationId the segmentation id
+ * @param dstMac the destination mac address.
+ * @param portSecurityRule the security rule in the SG
+ * @param srcAddress the destination IP address
+ * @param write add or delete
+ * @param protoPortMatchPriority the protocol match priority
+ */
+ private void ingressAclIcmpV6(Long dpidLong, String segmentationId, String dstMac,
+ NeutronSecurityRule portSecurityRule, String srcAddress,
+ boolean write, Integer protoPortMatchPriority) {
- public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- Integer securityRulePortMin, Integer protoPortMatchPriority) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
- Constants.TCP_SYN, segmentationId).build());
-
- LOG.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("Instructions are: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
- boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
- Integer protoPortPrefixMatchPriority) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- PortNumber tcpPort = new PortNumber(securityRulePortMin);
-
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
-
- flowBuilder.setMatch(MatchUtils
- .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
- tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
-
- LOG.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
- securityRulePortMin + securityRuleIpPrefix;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortPrefixMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
-
- List<Instruction> instructionsList = Lists.newArrayList();
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
- String securityRuleProtcol, Integer protoMatchPriority) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
-
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
- flowBuilder.setMatch(MatchUtils
- .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
- LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
-
- String flowId = "UcastOut_" + segmentationId + "_" +
- attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(1);
- ib.setKey(new InstructionKey(1));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
- LOG.debug("Instructions contain: {}", ib.getInstruction());
-
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
-
- public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
- int priority, boolean write) {
-
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
-
- flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
- attachedMac, Constants.TCP_SYN, segmentationId).build());
-
- LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(priority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
-
- // Instructions List Stores Individual Instructions
- List<Instruction> instructions = Lists.newArrayList();
-
- // Set the Output Port/Iface
- InstructionUtils.createDropInstructions(ib);
- ib.setOrder(0);
- ib.setKey(new InstructionKey(0));
- instructions.add(ib.build());
-
- // Add InstructionBuilder to the Instruction(s)Builder List
- isb.setInstruction(instructions);
- LOG.debug("Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
- boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
- String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
- Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
MatchBuilder matchBuilder = new MatchBuilder();
- NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
- FlowBuilder flowBuilder = new FlowBuilder();
+ String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_";
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
- flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
- .build());
- if (securityRuleIpPrefix != null) {
- flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
- .build());
+ /* Custom ICMP Match */
+ if (portSecurityRule.getSecurityRulePortMin() != null &&
+ portSecurityRule.getSecurityRulePortMax() != null) {
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin().shortValue() + "_"
+ + portSecurityRule.getSecurityRulePortMax().shortValue() + "_";
+ matchBuilder = MatchUtils.createICMPv6Match(matchBuilder,
+ portSecurityRule.getSecurityRulePortMin().shortValue(),
+ portSecurityRule.getSecurityRulePortMax().shortValue());
} else {
- flowBuilder.setMatch(MatchUtils
- .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
- .build());
+ /* All ICMP Match */
+ flowId = flowId + "all" + "_";
+ matchBuilder = MatchUtils.createICMPv6Match(matchBuilder,MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
}
-
- LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
- String flowId = "IngressProto_ACL_" + segmentationId + "_" +
- attachedMac + "_Permit_" + securityRuleIpPrefix;
- // Add Flow Attributes
- flowBuilder.setId(new FlowId(flowId));
- FlowKey key = new FlowKey(new FlowId(flowId));
- flowBuilder.setStrict(false);
- flowBuilder.setPriority(protoPortMatchPriority);
- flowBuilder.setBarrier(true);
- flowBuilder.setTableId(this.getTable());
- flowBuilder.setKey(key);
- flowBuilder.setFlowName(flowId);
- flowBuilder.setHardTimeout(0);
- flowBuilder.setIdleTimeout(0);
-
- if (write) {
- // Instantiate the Builders for the OF Actions and Instructions
- InstructionBuilder ib = new InstructionBuilder();
- InstructionsBuilder isb = new InstructionsBuilder();
- List<Instruction> instructionsList = Lists.newArrayList();
-
- ib = this.getMutablePipelineInstructionBuilder();
- ib.setOrder(1);
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- isb.setInstruction(instructionsList);
-
- LOG.debug("Instructions contain: {}", ib.getInstruction());
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(isb.build());
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
+ if (null != srcAddress) {
+ flowId = flowId + srcAddress;
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
+ MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null);
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
+ new Ipv6Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
}
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ flowId = flowId + "_Permit";
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false);
}
/**
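Review bot: The new `ingressAclIcmpV6` builds its flow id from the same `"Ingress_ICMP_"` prefix the ICMPv4 method uses, so an IPv4 "all ICMP" rule and an IPv6 "all ICMP" rule on the same port, neither with a remote prefix, produce the identical id `Ingress_ICMP_<seg>_<mac>_all__Permit`; the later `syncFlow` silently replaces the earlier flow and deleting one rule withdraws the other's permit, which should be `String flowId = "Ingress_ICMPv6_" + segmentationId + "_" + dstMac + "_";`. The final `syncFlow(..., write, false, false)` also hard-codes the last argument, whereas the ICMPv4 path in the context above passes `securityServicesManager.isConntrackEnabled()`; unless the v6 flow is meant to bypass conntrack handling, the call should be `syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled());`. In the new Javadoc, `@param srcAddress the destination IP address` describes a source address and should read `@param srcAddress the source IP address (host match) or null to use the rule's remote prefix`. Note as well that the ICMPv4 method guards a `/0` remote prefix before adding the match while this method hands `::/0` straight to `new Ipv6Prefix(...)`; whether the match layer accepts a zero-length v6 prefix is not visible here and is worth confirming.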
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false);
}
+ /**
+ * Add rule to ensure only DHCPv6 server traffic from the specified mac is allowed.
+ *
+ * @param dpidLong the dpid
+ * @param segmentationId the segmentation id
+ * @param dhcpMacAddress the DHCP server mac address
+ * @param write is write or delete
+ * @param protoPortMatchPriority the priority
+ */
+ private void ingressAclDhcpv6AllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
+ boolean write, Integer protoPortMatchPriority) {
+
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ MatchBuilder matchBuilder = new MatchBuilder();
+ MatchUtils.createDhcpv6ServerMatch(matchBuilder, dhcpMacAddress, 547, 546).build();
+ String flowId = "Ingress_DHCPv6_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
+ syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false);
+ }
+
/**
* Add or remove flow to the node.
*
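Review bot: `MatchUtils.createDhcpv6ServerMatch(matchBuilder, dhcpMacAddress, 547, 546).build();` in the new `ingressAclDhcpv6AllowServerTraffic` passes the DHCPv6 server and client ports as bare literals and discards the built match, relying on the builder being mutated in place; if the file already declares named constants for the DHCPv6 ports they should be used here, otherwise introduce them, and drop the unused `.build()`, e.g. `MatchUtils.createDhcpv6ServerMatch(matchBuilder, dhcpMacAddress, DHCPV6_SOURCE_PORT, DHCPV6_DESTINATION_PORT);`. The Javadoc could also state the direction of the permit so the reader does not have to decode the port pair: `Permits ingress UDP from the DHCPv6 server mac, server port 547 to client port 546, on the given segment.`. Whether the server-mac match alone is sufficient to keep a tenant VM from impersonating the DHCPv6 server depends on the matcher used, which is not visible in this hunk.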
private Neutron_IPs neutron_ip_dest_2;
private List<Neutron_IPs> neutronSrcIpList = new ArrayList<>();
private List<Neutron_IPs> neutronDestIpList = new ArrayList<>();
- private static final String HOST_ADDRESS = "127.0.0.1/32";
private static final String MAC_ADDRESS = "87:1D:5E:02:40:B7";
private static final String SRC_IP = "192.168.0.1";
private static final String DEST_IP_1 = "192.169.0.1";
private static final String DEST_IP_2 = "192.169.0.2";
- private static final String DEST_IP_1_WITH_MASK = "192.169.0.1/32";
- private static final String DEST_IP_2_WITH_MASK = "192.169.0.2/32";
private static final String SECURITY_GROUP_UUID = "85cc3048-abc3-43cc-89b3-377341426ac5";
private static final String PORT_UUID = "95cc3048-abc3-43cc-89b3-377341426ac5";
private static final String SEGMENT_ID = "2";
}
- /**
- * Rule 1: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- */
- /*@Test
- public void testProgramPortSecurityACLRule1() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 2: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule2() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 3: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule3() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 4: TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule4() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 5: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule5() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 6: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule6() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(egressAclServiceSpy, times(1)).egressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 7: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- *//*
- @Test
- public void testProgramPortSecurityACLRule7() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- egressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup);
- verify(egressAclServiceSpy, times(1)).egressAllowProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
- }
-*/
/**
* Test method {@link EgressAclService#programPortSecurityGroup(java.lang.Long, java.lang.String,
* java.lang.String, long, org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup,
localSecurityGroup, PORT_UUID, true);
}
- /**
- * Test method {@link EgressAclService#egressACLDefaultTcpDrop(Long, String, String, int, boolean)}
- */
- @Test
- public void testEgressACLDefaultTcpDrop() throws Exception {
- egressAclService.egressACLDefaultTcpDrop(123L, "2", MAC_ADDRESS, 1, true);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressACLDefaultTcpDrop(123L, "2", MAC_ADDRESS, 1, false);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
-
/**
* Test IPv4 add test case.
*/
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
}
}
-
/**
* Test UDP add with port (All UDP) and CIDR selected.
*/
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLAdd1() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
+
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
- verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
- verify(writeTransaction, times(0)).submit();
- verify(commitFuture, times(0)).get();
+ verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLRemove1() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
- verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(0)).submit();
- verify(commitFuture, times(0)).get();
+ verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).get();
}
/**
- * Test With isLastPortInBridge false isComputeNode true
+ * Test With isConntrackEnabled false isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLAdd2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
- verify(writeTransaction, times(6)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
- verify(writeTransaction, times(3)).submit();
- verify(commitFuture, times(3)).get();
+ verify(writeTransaction, times(10)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(5)).submit();
+ verify(commitFuture, times(5)).checkedGet();
}
/**
- * Test With isLastPortInBridge false isComputeNode true
+ * Test With isConntrackEnabled false isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLRemove2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
- verify(writeTransaction, times(3)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(3)).submit();
- verify(commitFuture, times(3)).get();
+ verify(writeTransaction, times(5)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(5)).submit();
+ verify(commitFuture, times(5)).get();
}
/**
- * Test With isLastPortInBridge true isComputeNode false
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLAdd3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
- * Test With isLastPortInBridge true isComputeNode false
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLRemove3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, false);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(1)).submit();
}
/**
- * Test With isLastPortInBridge true isComputeNode true
+ * Test With isConntrackEnabled true isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLAdd4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
- verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class),
+ verify(writeTransaction, times(16)).put(any(LogicalDatastoreType.class),
any(InstanceIdentifier.class), any(Node.class), eq(true));
- verify(writeTransaction, times(4)).submit();
- verify(commitFuture, times(4)).get();
+ verify(writeTransaction, times(8)).submit();
+ verify(commitFuture, times(8)).checkedGet();
}
/**
- * Test With isLastPortInBridge true isComputeNode true
+ * Test With isConntrackEnabled true isComputeNode true
*/
@Test
public void testProgramFixedSecurityACLRemove4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, false);
-
- verify(writeTransaction, times(4)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(4)).submit();
- verify(commitFuture, times(4)).get();
- }
-
- /**
- * Test method {@link EgressAclService#egressACLTcpPortWithPrefix(Long, String, String, boolean, Integer, String, Integer)}
- */
- @Test
- public void testEgressACLTcpPortWithPrefix() throws Exception {
- egressAclService.egressACLTcpPortWithPrefix(123L, "2", MAC_ADDRESS, true, 1, HOST_ADDRESS, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressACLTcpPortWithPrefix(123L, "2", MAC_ADDRESS, false, 1, HOST_ADDRESS, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
-
- /**
- * Test method {@link EgressAclService#egressAllowProto(Long, String, String, boolean, String, Integer)}
- */
- @Test
- public void testEgressAllowProto() throws Exception {
- egressAclService.egressAllowProto(123L, "2", MAC_ADDRESS, true, HOST_ADDRESS, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressAllowProto(123L, "2", MAC_ADDRESS, false, HOST_ADDRESS, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
-
- /**
- * Test method {@link EgressAclService#egressACLPermitAllProto(Long, String, String, boolean, String, Integer)}
- */
- @Test
- public void testEgressACLPermitAllProto() throws Exception {
- egressAclService.egressACLPermitAllProto(123L, "2", MAC_ADDRESS, true, HOST_ADDRESS, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
- egressAclService.egressACLPermitAllProto(123L, "2", MAC_ADDRESS, false, HOST_ADDRESS, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ verify(writeTransaction, times(8)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(8)).submit();
+ verify(commitFuture, times(8)).get();
}
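Review bot: The dedicated tests for egressACLTcpPortWithPrefix, egressAllowProto, egressACLPermitAllProto and egressACLTcpSyn are deleted in this hunk and the following one without a visible replacement, so the helpers that install the per-rule allow flows for security groups lose their only direct coverage. The retained programFixedSecurityGroup tests only count put/submit calls and do not check which match or action each rule produces, which is where a mis-ordered port or prefix argument would surface. If those helpers were removed or renamed by this change, a note in the commit message would explain the deletions; otherwise the tests should be adapted rather than dropped.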
- /**
- * Test method {@link EgressAclService#egressACLTcpSyn(Long, String, String, boolean, Integer, Integer)}
- */
- @Test
- public void testEgressACLTcpSyn() throws Exception {
- egressAclService.egressACLTcpSyn(123L, "2", MAC_ADDRESS, true, 1, 1);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
-
- egressAclService.egressACLTcpSyn(123L, "2", MAC_ADDRESS, false, 1, 1);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
}
package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
import static org.mockito.Matchers.any;
-import static org.mockito.Matchers.anyBoolean;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.times;
import java.util.ArrayList;
import java.util.List;
+import java.util.concurrent.atomic.AtomicBoolean;
import org.junit.Assert;
import org.junit.Before;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
+import org.opendaylight.ovsdb.openstack.netvirt.providers.NetvirtProvidersProvider;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.PipelineOrchestrator;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.UdpMatch;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.powermock.api.mockito.PowerMockito;
+import org.powermock.api.support.membermodification.MemberModifier;
import org.powermock.modules.junit4.PowerMockRunner;
import com.google.common.util.concurrent.CheckedFuture;
private Neutron_IPs neutron_ip_dest_1;
private Neutron_IPs neutron_ip_dest_2;
- private static final String SEGMENTATION_ID = "2";
- private static final int PRIORITY = 1;
- private static final String HOST_ADDRESS = "127.0.0.1/32";
private static final String MAC_ADDRESS = "87:1D:5E:02:40:B8";
+ private static final String DHCP_MAC_ADDRESS = "87:1D:5E:02:40:B9";
private static final String SRC_IP = "192.168.0.1";
private static final String DEST_IP_1 = "192.169.0.1";
private static final String DEST_IP_2 = "192.169.0.2";
}
@Before
- public void setUp() {
+ public void setUp() throws IllegalArgumentException, IllegalAccessException{
ingressAclServiceSpy = PowerMockito.spy(ingressAclService);
when(writeTransaction.submit()).thenReturn(commitFuture);
when(securityGroup.getSecurityRules()).thenReturn(portSecurityList);
when(securityServices.getVmListForSecurityGroup
(PORT_UUID, SECURITY_GROUP_UUID)).thenReturn(neutronDestIpList);
- }
-
- /* *//**
- * Rule 1: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule1() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
-
- *//**
- * Rule 2: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule2() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpPortWithPrefix(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
+ NetvirtProvidersProvider netvirtProvider = mock(NetvirtProvidersProvider.class);
+ MemberModifier.field(NetvirtProvidersProvider.class, "hasProviderEntityOwnership").set(netvirtProvider, new AtomicBoolean(true));
- *//**
- * Rule 3: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule3() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
}
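Review bot: The reflective write `MemberModifier.field(NetvirtProvidersProvider.class, "hasProviderEntityOwnership").set(netvirtProvider, new AtomicBoolean(true))` is never undone; if that field is static (the mock instance passed to `set` would then be ignored), every test class that runs later in the same JVM inherits ownership forced to true and any ownership-gated branch under test is silently bypassed. Keep the original `AtomicBoolean` in a field and restore it in an `@After`, or set the flag to `false` again at the end of each test. Minor: `IllegalAccessException{` is missing the space before the brace.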
-
- *//**
- * Rule 4: TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- @Test
- public void testProgramPortSecurityACLRule4() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(HOST_ADDRESS);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLPermitAllProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 5: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule5() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(1);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 6: TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- *//*
- @Test
- public void testProgramPortSecurityACLRule6() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(1);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).ingressACLDefaultTcpDrop(anyLong(), anyString(), anyString(), anyInt(), anyBoolean());
- verify(ingressAclServiceSpy, times(1)).ingressACLTcpSyn(anyLong(), anyString(), anyString(), anyBoolean(), anyInt(), anyInt());
- verify(writeTransaction, times(4)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get();
- }
-
- *//**
- * Rule 7: TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- *//*
- @Test
- public void testProgramPortSecurityACLRule7() throws Exception {
- when(portSecurityRule.getSecurityRuleProtocol()).thenReturn("tcp");
- when(portSecurityRule.getSecurityRulePortMax()).thenReturn(null);
- when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
- when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
-
- ingressAclServiceSpy.programPortSecurityACL(Long.valueOf(1554), SEGMENTATION_ID, MAC_ADDRESS, 124, securityGroup);
- verify(ingressAclServiceSpy, times(1)).handleIngressAllowProto(anyLong(), anyString(), anyString(), anyBoolean(), anyString(), anyInt());
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
- }
-*/
/**
* Test method {@link EgressAclService#programPortSecurityGroup(java.lang.Long, java.lang.String,
* java.lang.String, long, org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup,
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ verify(commitFuture, times(1)).checkedGet();
}
/**
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLAdd1() throws Exception {
- ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, null, true);
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
+
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(0)).submit();
verify(commitFuture, times(0)).get();
}
/**
- * Test With isLastPortInBridge false isComputeNode false
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
public void testProgramFixedSecurityACLRemove1() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
- ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, null, false);
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
verify(commitFuture, times(0)).get();
}
-
/**
- * Test method {@link IgressAclService#egressACLDefaultTcpDrop(Long, String, String, int, boolean)}
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
- public void testIgressACLDefaultTcpDrop() throws Exception {
- ingressAclService.ingressACLDefaultTcpDrop(123L, SEGMENTATION_ID, MAC_ADDRESS, PRIORITY, true);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLAdd2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
- ingressAclService.ingressACLDefaultTcpDrop(123L, SEGMENTATION_ID, MAC_ADDRESS, PRIORITY, false);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+ verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).checkedGet();
+ }
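Review bot: The Javadoc on testProgramFixedSecurityACLAdd2 says `isComputeNode false`, but the call passes `false, true` in the positions that Add1 (L1676, `false, false`) and Add4 (L1789, `false, true`) document as isComputeNode false and true respectively, so the comment contradicts the scenario being exercised. The same mismatch is on testProgramFixedSecurityACLRemove2 (L1719). Suggest `* Test With isConntrackEnabled false isComputeNode true` for both.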
/**
- * Test method {@link IgressAclService#ingressACLTcpPortWithPrefix(Long, String, String, boolean, Integer, String, Integer)}
+ * Test With isConntrackEnabled false isComputeNode false
*/
@Test
- public void testIngressACLTcpPortWithPrefix() throws Exception {
- ingressAclService.ingressACLTcpPortWithPrefix(123L, SEGMENTATION_ID, MAC_ADDRESS, true, 1, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLRemove2() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(false);
+
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
- ingressAclService.ingressACLTcpPortWithPrefix(123L, SEGMENTATION_ID, MAC_ADDRESS, false, 1, HOST_ADDRESS, PRIORITY);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ verify(writeTransaction, times(1)).submit();
+ verify(commitFuture, times(1)).get();
}
-
/**
- * Test method {@link IgressAclService#handleIngressAllowProto(Long, String, String, boolean, String, Integer)}
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
- public void testIngressAllowProto() throws Exception {
- ingressAclService.handleIngressAllowProto(123L, SEGMENTATION_ID, MAC_ADDRESS, true, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLAdd3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- ingressAclService.handleIngressAllowProto(123L, SEGMENTATION_ID, MAC_ADDRESS, false, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
- }
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
+ verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(0)).submit();
+ verify(commitFuture, times(0)).get();
+ }
/**
- * Test method {@link IgressAclService#ingressACLPermitAllProto(Long, String, String, boolean, String, Integer)}
+ * Test With isConntrackEnabled true isComputeNode false
*/
@Test
- public void testIngressACLPermitAllProto() throws Exception {
- ingressAclService.ingressACLPermitAllProto(123L, SEGMENTATION_ID, MAC_ADDRESS, true, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLRemove3() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- ingressAclService.ingressACLPermitAllProto(123L, SEGMENTATION_ID, MAC_ADDRESS, false, HOST_ADDRESS, PRIORITY);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
+
+ verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(0)).submit();
+ verify(commitFuture, times(0)).get();
}
+ /**
+ * Test With isConntrackEnabled true isComputeNode true
+ */
+ @Test
+ public void testProgramFixedSecurityACLAdd4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+
+ verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+ verify(writeTransaction, times(4)).submit();
+ verify(commitFuture, times(4)).checkedGet();
+ }
/**
- * Test method {@link IgressAclService#ingressACLTcpSyn(Long, String, String, boolean, Integer, Integer)}
+ * Test With isConntrackEnabled true isComputeNode true
*/
@Test
- public void testIngressACLTcpSyn() throws Exception {
- ingressAclService.ingressACLTcpSyn(123L, SEGMENTATION_ID, MAC_ADDRESS, true, 1, PRIORITY);
- verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), anyBoolean());
- verify(writeTransaction, times(1)).submit();
- verify(commitFuture, times(1)).get();
+ public void testProgramFixedSecurityACLRemove4() throws Exception {
+ when(securityServices.isConntrackEnabled()).thenReturn(true);
- ingressAclService.ingressACLTcpSyn(123L, SEGMENTATION_ID, MAC_ADDRESS, false, 1, PRIORITY);
- verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
- verify(writeTransaction, times(2)).submit();
- verify(commitFuture, times(2)).get(); // 1 + 1 above
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
+
+ verify(writeTransaction, times(4)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+ verify(writeTransaction, times(4)).submit();
+ verify(commitFuture, times(4)).get();
}
+
}
import java.util.Map;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv6Prefix;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.EthernetMatch;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.EthernetMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv4MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv6MatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.IpMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.MetadataBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.TcpFlagMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.VlanMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.ArpMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv4MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._3.match.Ipv6MatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.TcpMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.UdpMatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.vlan.match.fields.VlanIdBuilder;
public static final String UDP = "udp";
private static final int TCP_SYN = 0x0002;
public static final String ICMP = "icmp";
+ public static final String ICMPV6 = "icmpv6";
public static final short ALL_ICMP = -1;
/**
return matchBuilder;
}
+ /**
+ * Match ICMPv6 code and type
+ *
+ * @param matchBuilder MatchBuilder Object
+ * @param type short representing an ICMP type
+ * @param code short representing an ICMP code
+ * @return matchBuilder Map MatchBuilder Object with a match
+ */
+ public static MatchBuilder createICMPv6Match(MatchBuilder matchBuilder, short type, short code) {
+
+ // Build the IPv6 Match required per OVS Syntax
+ IpMatchBuilder ipmatch = new IpMatchBuilder();
+ ipmatch.setIpProtocol((short) 58);
+ matchBuilder.setIpMatch(ipmatch.build());
+
+ // Build the ICMPv6 Match
+ Icmpv6MatchBuilder icmpv6match = new Icmpv6MatchBuilder();
+ if (type != ALL_ICMP || code != ALL_ICMP) {
+ icmpv6match.setIcmpv6Type(type);
+ icmpv6match.setIcmpv6Code(code);
+ }
+ matchBuilder.setIcmpv6Match(icmpv6match.build());
+
+ return matchBuilder;
+ }
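Review bot: The guard `if (type != ALL_ICMP || code != ALL_ICMP)` writes the -1 sentinel into the match whenever only one of type/code is wildcarded; ICMPv6 type and code are uint8 fields, so -1 either trips the generated builder's range check or yields a match that never hits, rather than meaning "any". Setting the two independently avoids that: `if (type != ALL_ICMP) { icmpv6match.setIcmpv6Type(type); }` and `if (code != ALL_ICMP) { icmpv6match.setIcmpv6Code(code); }`. Separately, this helper sets ip_proto 58 without an ethertype, unlike createIpv6ProtocolMatch below; unless every caller sets dl_type 0x86DD first, the resulting flow violates the OpenFlow prerequisite for ip_proto and the switch may reject it, so the intended ICMPv6 rule would silently not be installed. A comment stating that the caller must set the IPv6 ethertype, or setting it here as the v6 DHCP helpers do, would close that gap.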
+
/**
* @param matchBuilder MatchBuilder Object without a match yet
* @param dstip String containing an IPv4 prefix
return matchBuilder;
}
+ /**
+ * Create TCP Port Match
+ *
+ * @param matchBuilder MatchBuilder Object without a match yet
+ * @param ipProtocol Integer representing the IP protocol
+ * @return matchBuilder Map MatchBuilder Object with a match
+ */
+ public static MatchBuilder createIpv6ProtocolMatch(MatchBuilder matchBuilder, short ipProtocol) {
+
+ EthernetMatchBuilder ethType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x86DDL));
+ ethType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethType.build());
+
+ IpMatchBuilder ipMmatch = new IpMatchBuilder();
+ if (ipProtocol == TCP_SHORT) {
+ ipMmatch.setIpProtocol(TCP_SHORT);
+ }
+ else if (ipProtocol == UDP_SHORT) {
+ ipMmatch.setIpProtocol(UDP_SHORT);
+ }
+ else if (ipProtocol == ICMP_SHORT) {
+ ipMmatch.setIpProtocol(ICMP_SHORT);
+ }
+ matchBuilder.setIpMatch(ipMmatch.build());
+ return matchBuilder;
+ }
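Review bot: The `ICMP_SHORT` branch is wrong for IPv6 if ICMP_SHORT holds the ICMPv4 protocol number: ICMPv6 is protocol 58 (as createICMPv6Match above uses at L1859), so a rule that reaches this branch installs a match that no IPv6 packet satisfies, which means an allow rule never opens the traffic and a drop rule never blocks it. Any other protocol value falls through all three branches and produces an IpMatch with no protocol, i.e. a wider match than the caller asked for. Suggest replacing the chain with `if (ipProtocol == ICMP_SHORT) { ipProtocol = (short) 58; }` followed by `ipMmatch.setIpProtocol(ipProtocol);`, and rejecting unsupported values with an IllegalArgumentException rather than widening the match. The Javadoc summary "Create TCP Port Match" is copied from another helper and should read "Create an IPv6 match with the given IP protocol".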
+
/**
* Create tcp syn with proto match.
*
}
/**
- * Create a DHCP match with pot provided.
+ * Create a DHCP match with port provided.
*
* @param matchBuilder the match builder
* @param srcPort the source port
}
+ /**
+ * Create a DHCP match with port provided.
+ *
+ * @param matchBuilder the match builder
+ * @param srcPort the source port
+ * @param dstPort the destination port
+ * @return the DHCP match
+ */
+ public static MatchBuilder createDhcpv6Match(MatchBuilder matchBuilder,
+ int srcPort, int dstPort) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x86DDL));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ IpMatchBuilder ipmatch = new IpMatchBuilder();
+ ipmatch.setIpProtocol(UDP_SHORT);
+ matchBuilder.setIpMatch(ipmatch.build());
+
+ UdpMatchBuilder udpmatch = new UdpMatchBuilder();
+ udpmatch.setUdpSourcePort(new PortNumber(srcPort));
+ udpmatch.setUdpDestinationPort(new PortNumber(dstPort));
+ matchBuilder.setLayer4Match(udpmatch.build());
+
+ return matchBuilder;
+
+ }
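Review bot: The Javadoc is a copy of the DHCPv4 helper's ("Create a DHCP match with port provided") and does not say that this variant sets the IPv6 ethertype; suggest `* Create a DHCPv6 (UDP over IPv6, ethertype 0x86DD) match with the ports provided.` so that a reader choosing between the two helpers can tell them apart. A named constant for the repeated `0x86DDL` literal (used here and in four other new helpers) would also make the intent visible at each site.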
+
/**
* Creates DHCP server packet match with DHCP mac address and port.
*
}
+ /**
+ * Creates DHCPv6 server packet match with DHCP mac address and port.
+ *
+ * @param matchBuilder the matchbuilder
+ * @param dhcpServerMac MAc address of the DHCP server of the subnet
+ * @param srcPort the source port
+ * @param dstPort the destination port
+ * @return the DHCP server match
+ */
+ public static MatchBuilder createDhcpv6ServerMatch(MatchBuilder matchBuilder, String dhcpServerMac, int srcPort,
+ int dstPort) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x86DDL));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ EthernetSourceBuilder ethSourceBuilder = new EthernetSourceBuilder();
+ ethSourceBuilder.setAddress(new MacAddress(dhcpServerMac));
+ ethernetMatch.setEthernetSource(ethSourceBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ IpMatchBuilder ipmatch = new IpMatchBuilder();
+ ipmatch.setIpProtocol(UDP_SHORT);
+ matchBuilder.setIpMatch(ipmatch.build());
+
+ UdpMatchBuilder udpmatch = new UdpMatchBuilder();
+ udpmatch.setUdpSourcePort(new PortNumber(srcPort));
+ udpmatch.setUdpDestinationPort(new PortNumber(dstPort));
+ matchBuilder.setLayer4Match(udpmatch.build());
+
+ return matchBuilder;
+
+ }
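Review bot: `matchBuilder.setEthernetMatch(ethernetMatch.build())` at L1968 is overwritten by the identical call after the source MAC is added at L1973, so the first call does nothing and reads as if two ethernet matches were intended; drop the first one. Javadoc nit: `MAc address` → `MAC address`, and the summary should say DHCPv6 throughout since the match is the only thing that distinguishes it from the v4 helper.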
+
/**
* Creates a Match with src ip address mac address set.
* @param matchBuilder MatchBuilder Object
}
+ /**
+ * Creates a Match with src ip address mac address set.
+ * @param matchBuilder MatchBuilder Object
+ * @param srcip String containing an IPv6 prefix
+ * @param srcMac The source macAddress
+ * @return matchBuilder Map Object with a match
+ */
+ public static MatchBuilder createSrcL3Ipv6MatchWithMac(MatchBuilder matchBuilder, Ipv6Prefix srcip, MacAddress srcMac) {
+
+ Ipv6MatchBuilder ipv6MatchBuilder = new Ipv6MatchBuilder();
+ ipv6MatchBuilder.setIpv6Source(new Ipv6Prefix(srcip));
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x86DDL));
+ EthernetMatchBuilder eth = new EthernetMatchBuilder();
+ eth.setEthernetType(ethTypeBuilder.build());
+ eth.setEthernetSource(new EthernetSourceBuilder()
+ .setAddress(srcMac)
+ .build());
+
+ matchBuilder.setLayer3Match(ipv6MatchBuilder.build());
+ matchBuilder.setEthernetMatch(eth.build());
+ return matchBuilder;
+
+ }
+
/**
* Creates a ether net match with ether type set to 0x0800L.
* @param matchBuilder MatchBuilder Object
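Review bot: `new Ipv6Prefix(srcip)` at the top of createSrcL3Ipv6MatchWithMac copies an argument that is already an Ipv6Prefix; `ipv6MatchBuilder.setIpv6Source(srcip);` is equivalent and avoids the needless re-validation of the prefix string. The method also sets the Ethernet source unconditionally, while the sibling createV6EtherMatchWithType in this same patch null-guards its MAC arguments, so a null srcMac here fails inside the generated builder rather than at a clear precondition; either add `Objects.requireNonNull(srcMac, "srcMac")` or document that both arguments must be non-null. The Javadoc summary is copied from the IPv4 variant and should say IPv6, e.g. `Creates a Match with the IPv6 source prefix and source MAC address set.`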
* @param dstMac The destination mac address
* @return matchBuilder Map Object with a match
*/
- public static MatchBuilder createEtherMatchWithType(MatchBuilder matchBuilder,String srcMac, String dstMac)
+ public static MatchBuilder createV4EtherMatchWithType(MatchBuilder matchBuilder,String srcMac, String dstMac)
{
EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
ethTypeBuilder.setType(new EtherType(0x0800L));
matchBuilder.setEthernetMatch(eth.build());
return matchBuilder;
}
+
+ /**
+ * Creates a ether net match with ether type set to 0x86DDL.
+ * @param matchBuilder MatchBuilder Object
+ * @param srcMac The source macAddress
+ * @param dstMac The destination mac address
+ * @return matchBuilder Map Object with a match
+ */
+ public static MatchBuilder createV6EtherMatchWithType(MatchBuilder matchBuilder,String srcMac, String dstMac)
+ {
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x86DDL));
+ EthernetMatchBuilder eth = new EthernetMatchBuilder();
+ eth.setEthernetType(ethTypeBuilder.build());
+ if (null != srcMac) {
+ eth.setEthernetSource(new EthernetSourceBuilder()
+ .setAddress(new MacAddress(srcMac)).build());
+ }
+ if (null != dstMac) {
+ eth.setEthernetDestination(new EthernetDestinationBuilder()
+ .setAddress(new MacAddress(dstMac)).build());
+ }
+ matchBuilder.setEthernetMatch(eth.build());
+ return matchBuilder;
+ }
+
/**
* Adds remote Ip prefix to existing match.
* @param matchBuilder The match builder
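Review bot: createV6EtherMatchWithType is a line-for-line copy of createV4EtherMatchWithType with only the EtherType constant changed, so any later fix to the MAC handling (the null guards, or how a malformed MAC string is reported) has to be made twice. A private helper parameterised by the EtherType value lets both public methods delegate to one body; the V4 method's body is only partly visible in this hunk, but the visible lines match the V6 body exactly. The rewritten V6 method and the helper are below; createV4EtherMatchWithType would delegate the same way with `0x0800L`.
```java
public static MatchBuilder createV6EtherMatchWithType(MatchBuilder matchBuilder, String srcMac, String dstMac) {
    return createEtherMatchWithEtherType(matchBuilder, 0x86DDL, srcMac, dstMac);
}

/**
 * Shared body for the V4/V6 Ethernet matches; MAC arguments may be null, in which
 * case the corresponding Ethernet source/destination is left unmatched.
 */
private static MatchBuilder createEtherMatchWithEtherType(MatchBuilder matchBuilder, long etherType,
        String srcMac, String dstMac) {
    EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
    ethTypeBuilder.setType(new EtherType(etherType));
    EthernetMatchBuilder eth = new EthernetMatchBuilder();
    eth.setEthernetType(ethTypeBuilder.build());
    // … unchanged: null-guarded EthernetSource / EthernetDestination setters …
    matchBuilder.setEthernetMatch(eth.build());
    return matchBuilder;
}
```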
return matchBuilder;
}
+
+ /**
+ * Adds remote Ipv6 prefix to existing match.
+ * @param matchBuilder The match builder
+ * @param sourceIpPrefix The source IP prefix
+ * @param destIpPrefix The destination IP prefix
+ * @return matchBuilder Map Object with a match
+ */
+ public static MatchBuilder addRemoteIpv6Prefix(MatchBuilder matchBuilder,
+ Ipv6Prefix sourceIpPrefix,Ipv6Prefix destIpPrefix) {
+ Ipv6MatchBuilder ipv6match = new Ipv6MatchBuilder();
+ if (null != sourceIpPrefix) {
+ ipv6match.setIpv6Source(sourceIpPrefix);
+ }
+ if (null != destIpPrefix) {
+ ipv6match.setIpv6Destination(destIpPrefix);
+ }
+ matchBuilder.setLayer3Match(ipv6match.build());
+
+ return matchBuilder;
+ }
+
/**
* Add a layer4 match to an existing match
*
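Review bot: addRemoteIpv6Prefix replaces the Layer3Match rather than extending it: `matchBuilder.setLayer3Match(ipv6match.build())` is always called with a freshly constructed Ipv6MatchBuilder, so any IPv6 source already set on the match (for example by createSrcL3Ipv6MatchWithMac earlier in this patch) is discarded when only destIpPrefix is supplied, and a call with both arguments null installs an empty Ipv6Match that drops the previous layer-3 constraints entirely. For an ACL match that silently widens the flow, which is the opposite of what the Javadoc "Adds remote Ipv6 prefix to existing match" promises. If callers are expected to chain these helpers, start from the existing match when one is present, e.g. `Layer3Match existing = matchBuilder.getLayer3Match();` / `Ipv6MatchBuilder ipv6match = existing instanceof Ipv6Match ? new Ipv6MatchBuilder((Ipv6Match) existing) : new Ipv6MatchBuilder();` (the generated builders normally provide that copy constructor; confirm for this binding version), and otherwise document that the method overwrites any prior layer-3 match. The IPv4 sibling ending at the top of this hunk may need the same treatment; its body is not visible here.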
return new Ipv4Prefix(ipv4AddressString + "/32");
}
+ /**
+ * Create ipv6 prefix from ipv6 address, by appending /128 mask
+ *
+ * @param ipv6AddressString the ip address, in string format
+ * @return Ipv6Prefix with ipv6Address and /128 mask
+ */
+ public static Ipv6Prefix iPv6PrefixFromIPv6Address(String ipv6AddressString) {
+ return new Ipv6Prefix(ipv6AddressString + "/128");
+ }
+
/**
* Converts port range into a set of masked port ranges.
*
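Review bot: iPv6PrefixFromIPv6Address concatenates "/128" onto whatever string it is given, so an input that already carries a prefix length (or is null) yields values like "2001:db8::1/64/128" or "null/128"; whether that is rejected at construction or only later when the flow is pushed depends on the generated Ipv6Prefix constructor's pattern check, which is not visible here. The Javadoc should state the precondition, e.g. `@param ipv6AddressString a bare IPv6 address with no prefix length; the caller must validate it first`, or the method should fail fast with `Objects.requireNonNull(ipv6AddressString, "ipv6AddressString")`. Using a named constant for "/128" would also keep this in step with the V6_HOST_MASK constant introduced elsewhere in this change, mirroring how the IPv4 sibling above hard-codes "/32".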