*/
package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
+import java.math.BigInteger;
+import java.util.List;
+
+import org.opendaylight.controller.networkconfig.neutron.NeutronSecurityGroup;
+import org.opendaylight.controller.networkconfig.neutron.NeutronSecurityRule;
+import org.opendaylight.controller.sal.core.Node;
+import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
+import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
+import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+
+public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider {
+
+ static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
+ public static final Integer PROTO_MATCH_PRIORITY_DROP = 36006;
+ public static final Integer PROTO_PORT_MATCH_PRIORITY_DROP = 36005;
+ public static final Integer PREFIX_MATCH_PRIORITY_DROP = 36004;
+ public static final Integer PROTO_PREFIX_MATCH_PRIORITY_DROP = 36003;
+ public static final Integer PREFIX_PORT_MATCH_PRIORITY_DROP = 36002;
+ public static final Integer PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP = 36001;
+
+ public static final Integer PROTO_MATCH_PRIORITY = 61010;
+ public static final Integer PREFIX_MATCH_PRIORITY = 61009;
+ public static final Integer PROTO_PREFIX_MATCH_PRIORITY = 61008;
+ public static final Integer PROTO_PORT_MATCH_PRIORITY = 61007;
+ public static final Integer PROTO_PORT_PREFIX_MATCH_PRIORITY = 61007;
+
+ public static final int TCP_SYN = 0x002;
+ public static final short INGRESS_ACL = 40; // Flows Destined to the VM Port go here
+ // TODO: break out egress to the egress table and create a parent for both ingress/egress
+ public static final short EGRESS_ACL = 100; // Flows Sourced from the VM Port go here
+ public static final short OUTBOUND_SNAT = 110; // Ingress ACL table drains traffic to this table
+
+ private static final String OPENFLOW = "openflow:";
+ private static Long groupId = 1L;
-public class IngressAclService extends AbstractServiceInstance {
public IngressAclService() {
super(Service.INGRESS_ACL);
}
}
@Override
- public boolean isBridgeInPipeline (String nodeId) {
+ public boolean isBridgeInPipeline(String nodeId) {
return true;
}
-}
\ No newline at end of file
+
+ @Override
+ public void programPortSecurityACL(Node node, Long dpid, String segmentationId, String attachedMac,
+ long localPort, NeutronSecurityGroup securityGroup) {
+
+ logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
+ List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
+ /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
+ for (NeutronSecurityRule portSecurityRule : portSecurityList) {
+ /**
+ * Neutron Port Security ACL "ingress" and "IPv4"
+ *
+ * Check that the base conditions for flow based Port Security are true:
+ * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
+ * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
+ * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
+ *
+ */
+ if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
+ portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
+ logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
+ PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
+ true);
+ ingressACLTcpPortWithPrefix(dpid, segmentationId,
+ attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
+ PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
+ true);
+ ingressACLTcpPortWithPrefix(dpid, segmentationId,
+ attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
+ logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PREFIX_MATCH_PRIORITY_DROP,
+ true);
+ ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PREFIX_MATCH_PRIORITY_DROP, true);
+ ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
+ logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PORT_MATCH_PRIORITY_DROP,
+ true);
+ ingressACLTcpSyn(dpid, segmentationId,
+ attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
+ PREFIX_PORT_MATCH_PRIORITY_DROP);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
+ logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
+ PROTO_PORT_MATCH_PRIORITY_DROP, true);
+ ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRulePortMin(), PROTO_PORT_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
+ String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ // No need to drop until UDP/ICMP are implemented
+ // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
+ handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRuleProtocol(), PROTO_MATCH_PRIORITY);
+ continue;
+ }
+ logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
+ }
+
+ /**
+ * Neutron Port Security ACL "egress" and "IPv4"
+ *
+ * Check that the base conditions for flow based Port Security are true:
+ * Port Security Rule Direction ("egress") and Protocol ("IPv4")
+ * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
+ * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
+ *
+ */
+ if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
+ portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("egress")) {
+ logger.debug("Egress IPV4 ACL Port Security Rule: {} ", portSecurityRule);
+ // TODO Move to EgressAclService and Implement Port Range
+
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #1 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
+ PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
+ true);
+ egressACLTcpPortWithPrefix(dpid, segmentationId,
+ attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #2 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
+ PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
+ true);
+ egressACLTcpPortWithPrefix(dpid, segmentationId,
+ attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
+ logger.debug("Rule #3 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PREFIX_MATCH_PRIORITY_DROP,
+ true);
+ egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PROTO_PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #4 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PREFIX_MATCH_PRIORITY_DROP, true);
+ egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRuleRemoteIpPrefix(), PREFIX_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
+ logger.debug("Rule #5 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_PORT_MATCH_PRIORITY_DROP,
+ true);
+ egressACLTcpSyn(dpid, segmentationId,
+ attachedMac, true, portSecurityRule.getSecurityRulePortMin(), PROTO_PORT_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
+ logger.debug("Rule #6 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
+ PROTO_PORT_MATCH_PRIORITY_DROP, true);
+ egressACLTcpSyn(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRulePortMin(), PROTO_PORT_MATCH_PRIORITY);
+ continue;
+ }
+ /**
+ * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
+ */
+ if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
+ String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
+ ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
+ String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
+ .equalsIgnoreCase("0.0.0.0/0"))) {
+ logger.debug("Rule #7 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
+ portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
+ portSecurityRule.getSecurityRulePortMax(),
+ portSecurityRule.getSecurityRuleRemoteIpPrefix());
+ // No need to drop until UDP/ICMP are implemented
+ // egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
+ egressAllowProto(dpid, segmentationId, attachedMac, true,
+ portSecurityRule.getSecurityRuleProtocol(), PROTO_MATCH_PRIORITY);
+ continue;
+ }
+ logger.debug("ACL Match combination not found for rule: {}", portSecurityRule);
+
+ }
+ }
+ }
+
+ public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
+ Integer securityRulePortMin, Integer protoPortMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ PortNumber tcpPort = new PortNumber(securityRulePortMin);
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
+ TCP_SYN, segmentationId).build());
+
+ logger.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "UcastOut_ACL2" + segmentationId + "_" + attachedMac + securityRulePortMin;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoPortMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(INGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ ib = this.getMutablePipelineInstructionBuilder();
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions are: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
+ boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
+ Integer protoPortPrefixMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ PortNumber tcpPort = new PortNumber(securityRulePortMin);
+
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+ Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
+
+ flowBuilder.setMatch(MatchUtils
+ .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
+ tcpPort, TCP_SYN, segmentationId, srcIpPrefix).build());
+
+ logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
+ securityRulePortMin + securityRuleIpPrefix;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoPortPrefixMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(INGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+
+ List<Instruction> instructionsList = Lists.newArrayList();
+ ib = this.getMutablePipelineInstructionBuilder();
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
+ String securityRuleProtcol, Integer protoMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils
+ .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
+ flowBuilder.setMatch(MatchUtils
+ .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+
+ String flowId = "UcastOut_" + segmentationId + "_" +
+ attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(INGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ ib = this.getMutablePipelineInstructionBuilder();
+ ib.setOrder(1);
+ ib.setKey(new InstructionKey(1));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+
+ public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
+ int priority, boolean write) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
+ attachedMac, TCP_SYN, segmentationId).build());
+
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "PortSec_TCP_Syn_Default_Drop_" + attachedMac;
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(priority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(INGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+
+ // Instructions List Stores Individual Instructions
+ List<Instruction> instructions = Lists.newArrayList();
+
+ // Set the Output Port/Iface
+ InstructionUtils.createDropInstructions(ib);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructions.add(ib.build());
+
+ // Add InstructionBuilder to the Instruction(s)Builder List
+ isb.setInstruction(instructions);
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
+ boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
+ .build());
+ if (securityRuleIpPrefix != null) {
+ flowBuilder.setMatch(MatchUtils
+ .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
+ .build());
+ } else {
+ flowBuilder.setMatch(MatchUtils
+ .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
+ .build());
+ }
+
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "IngressProto_ACL_" + segmentationId + "_" +
+ attachedMac + "_Permit_" + securityRuleIpPrefix;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoPortMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(INGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ ib = this.getMutablePipelineInstructionBuilder();
+ ib.setOrder(1);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ public void egressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
+ int priority, boolean write) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils.createSmacTcpPortWithFlagMatch(matchBuilder,
+ attachedMac, TCP_SYN, segmentationId).build());
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+
+ String flowId = "TCP_Syn_Egress_Default_Drop_" + attachedMac;
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(priority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(EGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructions = Lists.newArrayList();
+
+ InstructionUtils.createDropInstructions(ib);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructions.add(ib.build());
+ // Add InstructionBuilder to the Instruction(s)Builder List
+ isb.setInstruction(instructions);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // TODO Add // removeFlow to AnstractServiceInstance
+ //// removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ public void egressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac, boolean write,
+ Integer securityRulePortMin, String securityRuleIpPrefix, Integer protoPortPrefixMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ PortNumber tcpPort = new PortNumber(securityRulePortMin);
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+ Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
+
+ flowBuilder.setMatch(MatchUtils
+ .createSmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
+ tcpPort, TCP_SYN, segmentationId, srcIpPrefix).build());
+
+ logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "UcastEgress_" + segmentationId + "_" + attachedMac +
+ securityRulePortMin + securityRuleIpPrefix;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoPortPrefixMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(EGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // TODO Add // removeFlow to AnstractServiceInstance
+ //// removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+
+
+ public void egressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
+ String securityRuleProtcol, Integer protoMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils
+ .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
+ flowBuilder.setMatch(MatchUtils
+ .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
+
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "EgressAllProto_" + segmentationId + "_" +
+ attachedMac + "_AllowEgressTCPSyn_" + securityRuleProtcol;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(EGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ public void egressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
+ boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
+ .build());
+ if (securityRuleIpPrefix != null) {
+ flowBuilder.setMatch(MatchUtils
+ .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
+ .build());
+ } else {
+ flowBuilder.setMatch(MatchUtils
+ .createSmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
+ .build());
+ }
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "Egress_Proto_ACL" + segmentationId + "_" +
+ attachedMac + "_Permit_" + securityRuleIpPrefix;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoPortMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(EGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+
+ public void egressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
+ Integer securityRulePortMin, Integer protoPortMatchPriority) {
+
+ String nodeName = OPENFLOW + dpidLong;
+ PortNumber tcpPort = new PortNumber(securityRulePortMin);
+ MatchBuilder matchBuilder = new MatchBuilder();
+ NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
+ FlowBuilder flowBuilder = new FlowBuilder();
+
+ flowBuilder.setMatch(MatchUtils.createSmacTcpSyn(matchBuilder, attachedMac, tcpPort,
+ TCP_SYN, segmentationId).build());
+
+ logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
+ String flowId = "Ucast_Egress_ACL" + segmentationId + "_" + attachedMac + securityRulePortMin;
+ // Add Flow Attributes
+ flowBuilder.setId(new FlowId(flowId));
+ FlowKey key = new FlowKey(new FlowId(flowId));
+ flowBuilder.setStrict(false);
+ flowBuilder.setPriority(protoPortMatchPriority);
+ flowBuilder.setBarrier(true);
+ flowBuilder.setTableId(EGRESS_ACL);
+ flowBuilder.setKey(key);
+ flowBuilder.setFlowName(flowId);
+ flowBuilder.setHardTimeout(0);
+ flowBuilder.setIdleTimeout(0);
+
+ if (write) {
+ // Instantiate the Builders for the OF Actions and Instructions
+ InstructionBuilder ib = new InstructionBuilder();
+ InstructionsBuilder isb = new InstructionsBuilder();
+ List<Instruction> instructionsList = Lists.newArrayList();
+
+ InstructionUtils.createGotoTableInstructions(ib, OUTBOUND_SNAT);
+ ib.setOrder(0);
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ isb.setInstruction(instructionsList);
+
+ logger.debug("Instructions contain: {}", ib.getInstruction());
+ // Add InstructionsBuilder to FlowBuilder
+ flowBuilder.setInstructions(isb.build());
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ // removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+}
public class MatchUtils {
private static final Logger logger = LoggerFactory.getLogger(MatchUtils.class);
+ public static final short ICMP_SHORT = 1;
+ public static final short TCP_SHORT = 6;
+ public static final short UDP_SHORT = 17;
+ public static final String TCP = "tcp";
+ public static final String UDP = "udp";
+ private static final int TCP_SYN = 0x0002;
/**
* Create Ingress Port Match dpidLong, inPort
return matchBuilder;
}
+ /**
+ * Create TCP Port Match
+ *
+ * @param matchBuilder @param matchbuilder MatchBuilder Object without a match yet
+ * @param tcpport Integer representing a source TCP port
+ * @return matchBuilder Map MatchBuilder Object with a match
+ */
+ public static MatchBuilder createIpProtocolMatch(MatchBuilder matchBuilder, short ipProtocol) {
+
+ EthernetMatchBuilder ethType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethType.build());
+
+ IpMatchBuilder ipMmatch = new IpMatchBuilder();
+ if (ipProtocol == TCP_SHORT) {
+ ipMmatch.setIpProtocol(TCP_SHORT);
+ }
+ else if (ipProtocol == UDP_SHORT) {
+ ipMmatch.setIpProtocol(UDP_SHORT);
+ }
+ else if (ipProtocol == ICMP_SHORT) {
+ ipMmatch.setIpProtocol(ICMP_SHORT);
+ }
+ matchBuilder.setIpMatch(ipMmatch.build());
+ return matchBuilder;
+ }
+
+ /**
+ * Create tcp syn with proto match.
+ *
+ * @param matchBuilder the match builder
+ * @return matchBuilder match builder
+ */
+ public static MatchBuilder createTcpSynWithProtoMatch(MatchBuilder matchBuilder) {
+
+ // Ethertype match
+ EthernetMatchBuilder ethernetType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetType.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol((short) 6);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(TCP_SYN);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+ return matchBuilder;
+ }
+
+ /**
+ * Create tcp proto syn match.
+ *
+ * @param matchBuilder the match builder
+ * @return matchBuilder match builder
+ */
+ public static MatchBuilder createTcpProtoSynMatch(MatchBuilder matchBuilder) {
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol((short) 6);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(TCP_SYN);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+ return matchBuilder;
+ }
+
+ /**
+ * Create dmac tcp port with flag match.
+ *
+ * @param matchBuilder the match builder
+ * @param attachedMac the attached mac
+ * @param tcpFlag the tcp flag
+ * @param tunnelID the tunnel iD
+ * @return match containing TCP_Flag (), IP Protocol (TCP), TCP_Flag (SYN)
+ */
+ public static MatchBuilder createDmacTcpPortWithFlagMatch(MatchBuilder matchBuilder,
+ String attachedMac, Integer tcpFlag, String tunnelID) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+
+ EthernetDestinationBuilder ethDestinationBuilder = new EthernetDestinationBuilder();
+ ethDestinationBuilder.setAddress(new MacAddress(attachedMac));
+ ethernetMatch.setEthernetDestination(ethDestinationBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(tcpFlag);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ TunnelBuilder tunnelBuilder = new TunnelBuilder();
+ tunnelBuilder.setTunnelId(new BigInteger(tunnelID));
+ matchBuilder.setTunnel(tunnelBuilder.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create dmac tcp syn match.
+ *
+ * @param matchBuilder the match builder
+ * @param attachedMac the attached mac
+ * @param tcpPort the tcp port
+ * @param tcpFlag the tcp flag
+ * @param tunnelID the tunnel iD
+ * @return the match builder
+ */
+ public static MatchBuilder createDmacTcpSynMatch(MatchBuilder matchBuilder,
+ String attachedMac, PortNumber tcpPort, Integer tcpFlag, String tunnelID) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+
+ EthernetDestinationBuilder ethDestinationBuilder = new EthernetDestinationBuilder();
+ ethDestinationBuilder.setAddress(new MacAddress(attachedMac));
+ ethernetMatch.setEthernetDestination(ethDestinationBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol((short) 6);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ // TCP Port Match
+ PortNumber dstPort = new PortNumber(tcpPort);
+ TcpMatchBuilder tcpMatch = new TcpMatchBuilder();
+ tcpMatch.setTcpDestinationPort(dstPort);
+ matchBuilder.setLayer4Match(tcpMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(tcpFlag);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ TunnelBuilder tunnelBuilder = new TunnelBuilder();
+ tunnelBuilder.setTunnelId(new BigInteger(tunnelID));
+ matchBuilder.setTunnel(tunnelBuilder.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create dmac tcp syn dst ip prefix tcp port.
+ *
+ * @param matchBuilder the match builder
+ * @param attachedMac the attached mac
+ * @param tcpPort the tcp port
+ * @param tcpFlag the tcp flag
+ * @param segmentationId the segmentation id
+ * @param dstIp the dst ip
+ * @return the match builder
+ */
+ public static MatchBuilder createDmacTcpSynDstIpPrefixTcpPort(MatchBuilder matchBuilder,
+ MacAddress attachedMac, PortNumber tcpPort, Integer tcpFlag, String segmentationId,
+ Ipv4Prefix dstIp) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+
+ EthernetDestinationBuilder ethDestinationBuilder = new EthernetDestinationBuilder();
+ ethDestinationBuilder.setAddress(new MacAddress(attachedMac));
+ ethernetMatch.setEthernetDestination(ethDestinationBuilder.build());
+
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ Ipv4MatchBuilder ipv4match = new Ipv4MatchBuilder();
+ ipv4match.setIpv4Destination(dstIp);
+ matchBuilder.setLayer3Match(ipv4match.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ // TCP Port Match
+ PortNumber dstPort = new PortNumber(tcpPort);
+ TcpMatchBuilder tcpMatch = new TcpMatchBuilder();
+ tcpMatch.setTcpDestinationPort(dstPort);
+ matchBuilder.setLayer4Match(tcpMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(tcpFlag);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ TunnelBuilder tunnelBuilder = new TunnelBuilder();
+ tunnelBuilder.setTunnelId(new BigInteger(segmentationId));
+ matchBuilder.setTunnel(tunnelBuilder.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create dmac ip tcp syn match.
+ *
+ * @param matchBuilder the match builder
+ * @param dMacAddr the d mac addr
+ * @param mask the mask
+ * @param ipPrefix the ip prefix
+ * @return MatchBuilder containing the metadata match values
+ */
+ public static MatchBuilder createDmacIpTcpSynMatch(MatchBuilder matchBuilder,
+ MacAddress dMacAddr, MacAddress mask, Ipv4Prefix ipPrefix) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetDestinationBuilder ethDestBuilder = new EthernetDestinationBuilder();
+ ethDestBuilder.setAddress(new MacAddress(dMacAddr));
+ if (mask != null) {
+ ethDestBuilder.setMask(mask);
+ }
+ ethernetMatch.setEthernetDestination(ethDestBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+ // Ethertype match
+ EthernetMatchBuilder ethernetType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetType.build());
+ if (ipPrefix != null) {
+ Ipv4MatchBuilder ipv4match = new Ipv4MatchBuilder();
+ ipv4match.setIpv4Destination(ipPrefix);
+ matchBuilder.setLayer3Match(ipv4match.build());
+ }
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+ // TCP Flag Match
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(TCP_SYN);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create smac tcp syn dst ip prefix tcp port.
+ *
+ * @param matchBuilder the match builder
+ * @param attachedMac the attached mac
+ * @param tcpPort the tcp port
+ * @param tcpFlag the tcp flag
+ * @param segmentationId the segmentation id
+ * @param dstIp the dst ip
+ * @return the match builder
+ */
+ public static MatchBuilder createSmacTcpSynDstIpPrefixTcpPort(MatchBuilder matchBuilder, MacAddress attachedMac,
+ PortNumber tcpPort, Integer tcpFlag, String segmentationId, Ipv4Prefix dstIp) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+
+ EthernetSourceBuilder ethSourceBuilder = new EthernetSourceBuilder();
+ ethSourceBuilder.setAddress(new MacAddress(attachedMac));
+ ethernetMatch.setEthernetSource(ethSourceBuilder.build());
+
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ Ipv4MatchBuilder ipv4match = new Ipv4MatchBuilder();
+ ipv4match.setIpv4Destination(dstIp);
+ matchBuilder.setLayer3Match(ipv4match.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ // TCP Port Match
+ PortNumber dstPort = new PortNumber(tcpPort);
+ TcpMatchBuilder tcpMatch = new TcpMatchBuilder();
+ tcpMatch.setTcpDestinationPort(dstPort);
+ matchBuilder.setLayer4Match(tcpMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(tcpFlag);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ TunnelBuilder tunnelBuilder = new TunnelBuilder();
+ tunnelBuilder.setTunnelId(new BigInteger(segmentationId));
+ matchBuilder.setTunnel(tunnelBuilder.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create smac tcp port with flag match.
+ *
+ * @param matchBuilder the match builder
+ * @param attachedMac the attached mac
+ * @param tcpFlag the tcp flag
+ * @param tunnelID the tunnel iD
+ * @return matchBuilder
+ */
+ public static MatchBuilder createSmacTcpPortWithFlagMatch(MatchBuilder matchBuilder, String attachedMac,
+ Integer tcpFlag, String tunnelID) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+
+ EthernetSourceBuilder ethSrcBuilder = new EthernetSourceBuilder();
+ ethSrcBuilder.setAddress(new MacAddress(attachedMac));
+ ethernetMatch.setEthernetSource(ethSrcBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(tcpFlag);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ TunnelBuilder tunnelBuilder = new TunnelBuilder();
+ tunnelBuilder.setTunnelId(new BigInteger(tunnelID));
+ matchBuilder.setTunnel(tunnelBuilder.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create smac ip tcp syn match.
+ *
+ * @param matchBuilder the match builder
+ * @param dMacAddr the d mac addr
+ * @param mask the mask
+ * @param ipPrefix the ip prefix
+ * @return MatchBuilder containing the metadata match values
+ */
+ public static MatchBuilder createSmacIpTcpSynMatch(MatchBuilder matchBuilder, MacAddress dMacAddr,
+ MacAddress mask, Ipv4Prefix ipPrefix) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetSourceBuilder ethSrcBuilder = new EthernetSourceBuilder();
+ ethSrcBuilder.setAddress(new MacAddress(dMacAddr));
+ if (mask != null) {
+ ethSrcBuilder.setMask(mask);
+ }
+ ethernetMatch.setEthernetSource(ethSrcBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+ // Ethertype match
+ EthernetMatchBuilder ethernetType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetType.build());
+ if (ipPrefix != null) {
+ Ipv4MatchBuilder ipv4match = new Ipv4MatchBuilder();
+ ipv4match.setIpv4Destination(ipPrefix);
+ matchBuilder.setLayer3Match(ipv4match.build());
+ }
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+ // TCP Flag Match
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(TCP_SYN);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * Create smac tcp syn.
+ *
+ * @param matchBuilder the match builder
+ * @param attachedMac the attached mac
+ * @param tcpPort the tcp port
+ * @param tcpFlag the tcp flag
+ * @param tunnelID the tunnel iD
+ * @return the match builder
+ */
+ public static MatchBuilder createSmacTcpSyn(MatchBuilder matchBuilder,
+ String attachedMac, PortNumber tcpPort, Integer tcpFlag, String tunnelID) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetMatch.setEthernetType(ethTypeBuilder.build());
+
+ EthernetSourceBuilder ethSrcBuilder = new EthernetSourceBuilder();
+ ethSrcBuilder.setAddress(new MacAddress(attachedMac));
+ ethernetMatch.setEthernetSource(ethSrcBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol((short) 6);
+ matchBuilder.setIpMatch(ipMatch.build());
+
+ // TCP Port Match
+ PortNumber dstPort = new PortNumber(tcpPort);
+ TcpMatchBuilder tcpMatch = new TcpMatchBuilder();
+ tcpMatch.setTcpDestinationPort(dstPort);
+ matchBuilder.setLayer4Match(tcpMatch.build());
+
+
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(tcpFlag);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ TunnelBuilder tunnelBuilder = new TunnelBuilder();
+ tunnelBuilder.setTunnelId(new BigInteger(tunnelID));
+ matchBuilder.setTunnel(tunnelBuilder.build());
+
+ return matchBuilder;
+ }
+
+ /**
+ * @return MatchBuilder containing the metadata match values
+ */
+ public static MatchBuilder createMacSrcIpTcpSynMatch(MatchBuilder matchBuilder,
+ MacAddress dMacAddr, MacAddress mask, Ipv4Prefix ipPrefix) {
+
+ EthernetMatchBuilder ethernetMatch = new EthernetMatchBuilder();
+ EthernetDestinationBuilder ethDestinationBuilder = new EthernetDestinationBuilder();
+ ethDestinationBuilder.setAddress(new MacAddress(dMacAddr));
+ if (mask != null) {
+ ethDestinationBuilder.setMask(mask);
+ }
+ ethernetMatch.setEthernetDestination(ethDestinationBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetMatch.build());
+ // Ethertype match
+ EthernetMatchBuilder ethernetType = new EthernetMatchBuilder();
+ EthernetTypeBuilder ethTypeBuilder = new EthernetTypeBuilder();
+ ethTypeBuilder.setType(new EtherType(0x0800L));
+ ethernetType.setEthernetType(ethTypeBuilder.build());
+ matchBuilder.setEthernetMatch(ethernetType.build());
+ if (ipPrefix != null) {
+ Ipv4MatchBuilder ipv4match = new Ipv4MatchBuilder();
+ ipv4match.setIpv4Source(ipPrefix);
+ matchBuilder.setLayer3Match(ipv4match.build());
+ }
+ // TCP Protocol Match
+ IpMatchBuilder ipMatch = new IpMatchBuilder(); // ipv4 version
+ ipMatch.setIpProtocol(TCP_SHORT);
+ matchBuilder.setIpMatch(ipMatch.build());
+ // TCP Flag Match
+ TcpFlagMatchBuilder tcpFlagMatch = new TcpFlagMatchBuilder();
+ tcpFlagMatch.setTcpFlag(TCP_SYN);
+ matchBuilder.setTcpFlagMatch(tcpFlagMatch.build());
+
+ return matchBuilder;
+ }
+
public static class RegMatch {
final Class<? extends NxmNxReg> reg;
final Long value;