public static final String SERVICE_PROPERTY ="serviceProperty";
private static final Logger LOG = LoggerFactory.getLogger(AbstractServiceInstance.class);
public static final String OPENFLOW = "openflow:";
- private DataBroker dataBroker = null;
+ protected DataBroker dataBroker = null;
// OSGi Services that we are dependent on.
private volatile PipelineOrchestrator orchestrator;
private volatile Southbound southbound;
return builder;
}
- private static InstanceIdentifier<Flow> createFlowPath(FlowBuilder flowBuilder, NodeBuilder nodeBuilder) {
+ protected static InstanceIdentifier<Flow> createFlowPath(FlowBuilder flowBuilder, NodeBuilder nodeBuilder) {
return InstanceIdentifier.builder(Nodes.class)
.child(org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.Node.class,
nodeBuilder.getKey())
protected void removeFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder) {
if (NetvirtProvidersProvider.isMasterProviderInstance()) {
+ LOG.debug("removeFlow: flowBuilder: {}, nodeBuilder: {}",
+ flowBuilder.build(), nodeBuilder.build());
WriteTransaction modification = dataBroker.newWriteOnlyTransaction();
modification.delete(LogicalDatastoreType.CONFIGURATION, createFlowPath(flowBuilder, nodeBuilder));
--- /dev/null
+/*
+ * Copyright (c) 2017 NEC Corporation and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.services;
+
+import com.google.common.base.Optional;
+import com.google.common.collect.Lists;
+import com.google.common.util.concurrent.CheckedFuture;
+import com.google.common.util.concurrent.FutureCallback;
+import com.google.common.util.concurrent.Futures;
+import org.opendaylight.controller.md.sal.binding.api.ReadOnlyTransaction;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.controller.md.sal.common.api.data.ReadFailedException;
+import org.opendaylight.netvirt.openstack.netvirt.api.SecurityGroupCacheManger;
+import org.opendaylight.netvirt.openstack.netvirt.api.SecurityServicesManager;
+import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
+import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.Service;
+import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityRule;
+import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityRuleCRUD;
+import org.opendaylight.netvirt.utils.mdsal.openflow.ActionUtils;
+import org.opendaylight.netvirt.utils.mdsal.openflow.InstructionUtils;
+import org.opendaylight.netvirt.utils.mdsal.openflow.MatchUtils;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.Flow;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.FlowCookie;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.Nullable;
+import java.math.BigInteger;
+import java.util.ArrayList;
+
+import java.util.List;
+
+/**
+ * Provide functionalities for programing pipeline flows associated with Security rules
+ */
+public class AbstractAclService extends AbstractServiceInstance {
+ private static final Logger LOG = LoggerFactory.getLogger(AbstractAclService.class);
+ protected volatile SecurityServicesManager securityServicesManager;
+ protected volatile SecurityGroupCacheManger securityGroupCacheManger;
+ protected volatile INeutronSecurityRuleCRUD neutronSecurityRule;
+ protected static final int PORT_RANGE_MIN = 1;
+ protected static final int PORT_RANGE_MAX = 65535;
+ protected static final NeutronSecurityRule TCP_SECURITY_GROUP_RULE_IPv4_ANY = new NeutronSecurityRule();
+ protected static final NeutronSecurityRule UDP_SECURITY_GROUP_RULE_IPv4_ANY = new NeutronSecurityRule();
+ protected static final NeutronSecurityRule ICMP_SECURITY_GROUP_RULE_IPv4_ANY = new NeutronSecurityRule();
+
+ static {
+ TCP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRuleProtocol(MatchUtils.TCP);
+ TCP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRuleEthertype(NeutronSecurityRule.ETHERTYPE_IPV4);
+ TCP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRulePortMin(null);
+ TCP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRulePortMax(null);
+ UDP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRuleProtocol(MatchUtils.UDP);
+ UDP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRuleEthertype(NeutronSecurityRule.ETHERTYPE_IPV4);
+ UDP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRulePortMin(null);
+ UDP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRulePortMax(null);
+ ICMP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRuleProtocol(MatchUtils.ICMP);
+ ICMP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRuleEthertype(NeutronSecurityRule.ETHERTYPE_IPV4);
+ ICMP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRulePortMin(null);
+ ICMP_SECURITY_GROUP_RULE_IPv4_ANY.setSecurityRulePortMax(null);
+ }
+
+ protected AbstractAclService(Service service) {
+ super(service);
+ }
+
+ /**
+ * Add or remove flow to the node.
+ *
+ * @param flowBuilder the flow builder
+ * @param nodeBuilder the node builder
+ * @param write whether it is a write
+ */
+ protected void syncFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder,
+ boolean write) {
+ if (write) {
+ writeFlow(flowBuilder, nodeBuilder);
+ } else {
+ removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+
+ /**
+ * Add or remove security group related flow to the node.
+ *
+ * @param flowBuilder the flow builder
+ * @param nodeBuilder the node builder
+ * @param write whether it is a write
+ */
+ protected void syncSecurityRuleFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder, boolean write) {
+ LOG.trace("syncSecurityRuleFlow {} {}", flowBuilder.build(), write);
+ if (securityServicesManager.isConntrackEnabled()) {
+ syncFlow(flowBuilder, nodeBuilder, write);
+ } else {
+ if (write) {
+ writeSecurityRuleFlow(flowBuilder, nodeBuilder);
+ } else {
+ removeSecurityRuleFlow(flowBuilder, nodeBuilder);
+ }
+ }
+ }
+
+ /**
+ * Add security related flow to the node.
+ *
+ * The flow cookie contains the counter which keeps track of duplicate security rules in a particular VM.
+ * When writing a security related flow, the flow counter is incremented if the flow already exists,
+ * otherwise the flow is added to the node with counter value is '1'
+ * When removing a security related flow, if the counter value is '1', the flow is removed from the node,
+ * otherwise the flow counter is decremented
+ *
+ * @param flowBuilder the flow builder
+ * @param nodeBuilder the node builder
+ */
+ protected void writeSecurityRuleFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder) {
+ ReadOnlyTransaction readTx = dataBroker.newReadOnlyTransaction();
+ InstanceIdentifier<Flow> flowInstanceIdentifier = createFlowPath(flowBuilder, nodeBuilder);
+ CheckedFuture<Optional<Flow>, ReadFailedException> readFlowFuture =
+ readTx.read(LogicalDatastoreType.CONFIGURATION, flowInstanceIdentifier);
+ Futures.addCallback(readFlowFuture, new FutureCallback<Optional<Flow>>() {
+ @Override
+ public void onSuccess(@Nullable Optional<Flow> optionalFlow) {
+ if (optionalFlow != null) {
+ if (optionalFlow.isPresent()) {
+ Flow flow = optionalFlow.get();
+ if (flow.getCookie() == null) {
+ flowBuilder.setCookie(new FlowCookie(BigInteger.ONE));
+ } else {
+ flowBuilder.setCookie(new FlowCookie(flow.getCookie().getValue().add(BigInteger.ONE)));
+ }
+ } else {
+ flowBuilder.setCookie(new FlowCookie(BigInteger.ONE));
+ }
+ writeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+ @Override
+ public void onFailure(Throwable throwable) {
+ LOG.warn("Read Config/DS for Flow failed! " + flowInstanceIdentifier, throwable);
+ }
+ });
+ }
+
+ /**
+ * Remove security related flow from the node.
+ *
+ * The flow cookie contains the counter which keeps track of duplicate security rules in a particular VM.
+ * If the flow counter value stored in the flow cookie is '1', which indicates the flow is only associated with
+ * single security rule, it is removed from the node.
+ * Otherwise the flow counter is decremented.
+ *
+ * @param flowBuilder the flow builder
+ * @param nodeBuilder the node builder
+ */
+ protected void removeSecurityRuleFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder) {
+ ReadOnlyTransaction readTx = dataBroker.newReadOnlyTransaction();
+ InstanceIdentifier<Flow> flowInstanceIdentifier = createFlowPath(flowBuilder, nodeBuilder);
+ CheckedFuture<Optional<Flow>, ReadFailedException> readFlowFuture =
+ readTx.read(LogicalDatastoreType.CONFIGURATION, flowInstanceIdentifier);
+ Futures.addCallback(readFlowFuture, new FutureCallback<Optional<Flow>>() {
+ @Override
+ public void onSuccess(@Nullable Optional<Flow> optionalFlow) {
+ if (optionalFlow != null && optionalFlow.isPresent()) {
+ Flow flow = optionalFlow.get();
+ if (flow.getCookie() != null) {
+ FlowCookie flowCookie = flow.getCookie();
+ BigInteger cookie = flowCookie.getValue();
+ int compareValue = cookie.compareTo(BigInteger.ONE);
+ if (compareValue == 0) {
+ removeFlow(flowBuilder, nodeBuilder);
+ } else if (compareValue == 1) {
+ flowBuilder.setCookie(new FlowCookie(cookie.subtract(BigInteger.ONE)));
+ writeFlow(flowBuilder, nodeBuilder);
+ }
+ } else {
+ removeFlow(flowBuilder, nodeBuilder);
+ }
+ }
+ }
+ @Override
+ public void onFailure(Throwable throwable) {
+ LOG.warn("Read Config/DS for Flow failed! " + flowInstanceIdentifier, throwable);
+ }
+
+ });
+ }
+
+ protected FlowBuilder addInstructionWithConntrackCommit(FlowBuilder flowBuilder, boolean isDrop) {
+ InstructionBuilder instructionBuilder = null;
+ if (securityServicesManager.isConntrackEnabled()) {
+ Action conntrackAction = ActionUtils.nxConntrackAction(1, 0L, 0, (short) 0xff);
+ instructionBuilder = InstructionUtils
+ .createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
+ }
+ return addPipelineInstruction(flowBuilder, instructionBuilder, isDrop);
+ }
+
+ protected FlowBuilder addPipelineInstruction(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder,
+ boolean isDrop) {
+ InstructionBuilder pipeLineIndstructionBuilder = createPipleLineInstructionBuilder(isDrop);
+ List<Instruction> instructionsList = Lists.newArrayList();
+ instructionsList.add(pipeLineIndstructionBuilder.build());
+ if (null != instructionBuilder) {
+ instructionsList.add(instructionBuilder.build());
+ }
+ InstructionsBuilder isb = new InstructionsBuilder();
+ isb.setInstruction(instructionsList);
+ flowBuilder.setInstructions(isb.build());
+ return flowBuilder;
+ }
+
+ protected InstructionBuilder createPipleLineInstructionBuilder(boolean drop) {
+ InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
+ if (drop) {
+ InstructionUtils.createDropInstructions(ib);
+ }
+ ib.setOrder(0);
+ List<Instruction> instructionsList = Lists.newArrayList();
+ ib.setKey(new InstructionKey(0));
+ instructionsList.add(ib.build());
+ return ib;
+ }
+
+ protected List<NeutronSecurityRule> getSecurityRulesforGroup(NeutronSecurityGroup securityGroup) {
+ List<NeutronSecurityRule> securityRules = new ArrayList<>();
+ List<NeutronSecurityRule> rules = neutronSecurityRule.getAllNeutronSecurityRules();
+ for (NeutronSecurityRule securityRule : rules) {
+ if (securityGroup.getID().equals(securityRule.getSecurityRuleGroupID())) {
+ securityRules.add(securityRule);
+ }
+ }
+ return securityRules;
+ }
+
+ protected void addConntrackMatch(MatchBuilder matchBuilder, int state, int mask) {
+ if (securityServicesManager.isConntrackEnabled()) {
+ MatchUtils.addCtState(matchBuilder, state, mask);
+ }
+
+ }
+
+ protected FlowBuilder addInstructionWithConntrackRecirc(FlowBuilder flowBuilder) {
+ InstructionBuilder instructionBuilder = null;
+ if (securityServicesManager.isConntrackEnabled()) {
+ Action conntrackAction = ActionUtils.nxConntrackAction(0, 0L, 0, (short) 0x0);
+ instructionBuilder = InstructionUtils
+ .createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
+ List<Instruction> instructionsList = Lists.newArrayList();
+ instructionsList.add(instructionBuilder.build());
+ InstructionsBuilder isb = new InstructionsBuilder();
+ isb.setInstruction(instructionsList);
+ flowBuilder.setInstructions(isb.build());
+ }
+ return flowBuilder;
+ }
+}
import java.util.List;
import java.util.ArrayList;
-import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.Service;
-import org.opendaylight.netvirt.openstack.netvirt.providers.ConfigInterface;
-import org.opendaylight.netvirt.openstack.netvirt.api.L2ForwardingLearnProvider;
import org.opendaylight.netvirt.openstack.netvirt.api.LearnConstants;
import org.opendaylight.netvirt.openstack.netvirt.api.LearnConstants.LearnFlowModsType;
import org.opendaylight.netvirt.openstack.netvirt.providers.NetvirtProvidersProvider;
-import org.opendaylight.netvirt.utils.mdsal.openflow.ActionUtils;
-import org.opendaylight.netvirt.utils.mdsal.openflow.FlowUtils;
-import org.opendaylight.netvirt.utils.mdsal.openflow.MatchUtils;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.Action;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.ActionBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.list.ActionKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.ApplyActionsCase;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.ApplyActionsCaseBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.instruction.apply.actions._case.ApplyActions;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg0;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowjava.nx.match.rev140421.NxmNxReg6;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.add.group.input.buckets.bucket.action.action.NxActionResubmitRpcAddGroupCaseBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.nx.action.resubmit.grouping.NxResubmitBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.dst.choice.grouping.dst.choice.DstNxRegCaseBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.flow.mod.spec.flow.mod.spec.FlowModAddMatchFromFieldCaseBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.flow.mod.spec.flow.mod.spec.FlowModAddMatchFromValueCaseBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.flow.mod.spec.flow.mod.spec.FlowModCopyFieldIntoFieldCaseBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.nx.action.learn.grouping.NxLearnBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.nx.action.learn.grouping.nx.learn.FlowMods;
import org.opendaylight.yang.gen.v1.urn.opendaylight.openflowplugin.extension.nicira.action.rev140714.nx.action.learn.grouping.nx.learn.FlowModsBuilder;
-import org.osgi.framework.BundleContext;
-import org.osgi.framework.ServiceReference;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import com.google.common.collect.Lists;
public class EgressAclLearnServiceUtil {
+ private static final short LEARN_TABLE_ID = Service.ACL_LEARN_SERVICE.getTable();
+ private static final short RESUBMIT_TABLE_ID = Service.LOAD_BALANCER.getTable();
/*
* (Table:EgressAclLearnService) EgressACL Learning
* fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
* NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,50)"
*/
- public static FlowBuilder programEgressAclLearnRuleForTcp(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, short learnTableId, short resubmitId) {
+ public static FlowBuilder programEgressAclLearnRuleForTcp(FlowBuilder flowBuilder) {
List<Action> listAction = new ArrayList<>();
// Create learn action
LearnConstants.LEARN_PRIORITY,
"0",
LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
+ String.valueOf(LEARN_TABLE_ID),
String.valueOf(NetvirtProvidersProvider.getSecurityGroupTcpFinIdleTimeout()),
String.valueOf(NetvirtProvidersProvider.getSecurityGroupTcpFinHardTimeout())
};
listAction.add(buildAction(0, header, flowMod));
ActionBuilder ab = new ActionBuilder();
ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitId));
+ ab.setAction(createResubmitActions());
ab.setKey(new ActionKey(1));
listAction.add(ab.build());
ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
ApplyActionsCase applyActionsCase = new ApplyActionsCaseBuilder().setApplyActions(applyActions).build();
InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
List<Instruction> instructions = Lists.newArrayList();
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
+ InstructionBuilder instructionBuilder = new InstructionBuilder();
instructionBuilder.setInstruction(applyActionsCase);
instructionBuilder.setOrder(0);
instructionBuilder.setKey(new InstructionKey(0));
* fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
* NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[],NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,50)"
*/
- public static FlowBuilder programEgressAclLearnRuleForUdp(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder,short learnTableId, short resubmitId) {
+ public static FlowBuilder programEgressAclLearnRuleForUdp(FlowBuilder flowBuilder) {
List<Action> listAction = new ArrayList<>();
// Create learn action
/*
LearnConstants.LEARN_PRIORITY,
"0",
LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
+ String.valueOf(LEARN_TABLE_ID),
"0",
"0"
};
listAction.add(buildAction(0, header, flowMod));
ActionBuilder ab = new ActionBuilder();
ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitId));
+ ab.setAction(createResubmitActions());
ab.setKey(new ActionKey(1));
listAction.add(ab.build());
ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
ApplyActionsCase applyActionsCase = new ApplyActionsCaseBuilder().setApplyActions(applyActions).build();
InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
List<Instruction> instructions = Lists.newArrayList();
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
+ InstructionBuilder instructionBuilder = new InstructionBuilder();
instructionBuilder.setInstruction(applyActionsCase);
instructionBuilder.setOrder(0);
instructionBuilder.setKey(new InstructionKey(0));
* fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
* NXM_OF_UDP_SRC[]=NXM_OF_UDP_DST[],NXM_OF_UDP_DST[]=NXM_OF_UDP_SRC[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,50)"
*/
- public static FlowBuilder programEgressAclLearnRuleForIcmp(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, String icmpType, String icmpCode,short learnTableId, short resubmitId) {
+ public static FlowBuilder programEgressAclLearnRuleForIcmp(FlowBuilder flowBuilder,
+ String icmpType, String icmpCode) {
List<Action> listAction = new ArrayList<>();
String[] header = new String[] {
LearnConstants.LEARN_PRIORITY,
"0",
LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
+ String.valueOf(LEARN_TABLE_ID),
"0",
"0"
};
listAction.add(buildAction(0, header, flowMod));
ActionBuilder ab = new ActionBuilder();
ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitId));
- ab.setKey(new ActionKey(1));
- listAction.add(ab.build());
- ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
- ApplyActionsCase applyActionsCase = new ApplyActionsCaseBuilder().setApplyActions(applyActions).build();
- InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
- List<Instruction> instructions = Lists.newArrayList();
-
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
- instructionBuilder.setInstruction(applyActionsCase);
- instructionBuilder.setOrder(0);
- instructionBuilder.setKey(new InstructionKey(0));
- instructions.add(instructionBuilder.build());
- // Add InstructionBuilder to the Instruction(s)Builder List
- instructionsBuilder.setInstruction(instructions);
-
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(instructionsBuilder.build());
-
- return flowBuilder;
-
- }
-
- /*
- * (Table:EgressAclLearnService) EgressACL Learning
- * Match: reg6 = LearnConstants.NxmOfFieldType.NXM_NX_REG6
- * Action: learn and resubmit to next table
- * "table=40,dl_src=fa:16:3e:d3:bb:8a,priority=61003,icmp,dl_src=fa:16:3e:55:71:d1,actions=learn(table=39,idle_timeout=300,fin_idle_timeout=0,
- * fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
- * NXM_OF_ICMP_TYPE=NXM_OF_ICMP_TYPE,NXM_OF_ICMP_CODE=NXM_OF_ICMP_CODE,load:0x1->NXM_NX_REG6[0..7]),resubmit(,50)"
- */
- public static FlowBuilder programEgressAclLearnRuleForIcmpAll(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, short learnTableId, short resubmitId) {
- List<Action> listAction = new ArrayList<>();
-
- String[] header = new String[] {
- String.valueOf(NetvirtProvidersProvider.getSecurityGroupDefaultIdleTimeout()),
- String.valueOf(NetvirtProvidersProvider.getSecurityGroupDefaultHardTimeout()),
- LearnConstants.LEARN_PRIORITY,
- "0",
- LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
- "0",
- "0"
- };
-
- String[][] flowMod = new String[7][];
- //eth_type=0x800
- flowMod[0] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_VALUE.name(),
- Integer.toString(LearnConstants.ETHTYPE_IPV4),
- LearnConstants.NxmOfFieldType.NXM_OF_ETH_TYPE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ETH_TYPE.getFlowModHeaderLen() };
- //nw_proto=1
- flowMod[1] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_VALUE.name(),
- Integer.toString(LearnConstants.IP_PROT_ICMP),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_PROTO.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_PROTO.getFlowModHeaderLen() };
- //NXM_OF_IP_SRC[]=NXM_OF_IP_DST[]
- flowMod[2] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_DST.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_SRC.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_DST.getFlowModHeaderLen()};
- // NXM_OF_IP_DST[]=NXM_OF_IP_SRC[]
- flowMod[3] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_SRC.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_DST.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_SRC.getFlowModHeaderLen()};
- //NXM_OF_ICMP_TYPE=NXM_OF_ICMP_TYPE
- flowMod[4] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_TYPE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_TYPE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_TYPE.getFlowModHeaderLen()};
- // NXM_OF_ICMP_CODE=NXM_OF_ICMP_CODE
- flowMod[5] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_CODE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_CODE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_CODE.getFlowModHeaderLen()};
- flowMod[6] = new String[] {
- LearnConstants.LearnFlowModsType.COPY_FROM_VALUE.name(), LearnConstants.LEARN_MATCH_REG_VALUE,
- LearnConstants.NxmOfFieldType.NXM_NX_REG6.getHexType(), "8" };
- listAction.add(buildAction(0, header, flowMod));
- ActionBuilder ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitId));
+ ab.setAction(createResubmitActions());
ab.setKey(new ActionKey(1));
listAction.add(ab.build());
ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
List<Instruction> instructions = Lists.newArrayList();
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
+ InstructionBuilder instructionBuilder = new InstructionBuilder();
instructionBuilder.setInstruction(applyActionsCase);
instructionBuilder.setOrder(0);
instructionBuilder.setKey(new InstructionKey(0));
flowBuilder.setInstructions(instructionsBuilder.build());
return flowBuilder;
-
}
/*
return abExt.build();
}
- private static org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action createResubmitActions(short tableId) {
+ private static org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action createResubmitActions() {
NxResubmitBuilder gttb = new NxResubmitBuilder();
- gttb.setTable(tableId);
+ gttb.setTable(RESUBMIT_TABLE_ID);
// Wrap our Apply Action in an InstructionBuilder
return (new NxActionResubmitRpcAddGroupCaseBuilder().setNxResubmit(gttb.build())).build();
package org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.services;
-import java.math.BigInteger;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
-import java.util.ArrayList;
import java.util.List;
import java.util.HashMap;
import java.util.Map;
import org.opendaylight.netvirt.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.netvirt.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.netvirt.openstack.netvirt.providers.ConfigInterface;
-import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.Service;
import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityGroup;
import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.MacAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv4MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv6MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.network.topology.topology.Node;
import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.collect.Lists;
-
-public class EgressAclService extends AbstractServiceInstance implements EgressAclProvider, ConfigInterface {
+public class EgressAclService extends AbstractAclService implements EgressAclProvider, ConfigInterface {
private static final Logger LOG = LoggerFactory.getLogger(EgressAclService.class);
- private volatile SecurityServicesManager securityServicesManager;
- private volatile SecurityGroupCacheManger securityGroupCacheManger;
- private volatile INeutronSecurityRuleCRUD neutronSecurityRule;
private static final int DHCP_SOURCE_PORT = 67;
private static final int DHCP_DESTINATION_PORT = 68;
private static final int DHCPV6_SOURCE_PORT = 547;
private static final int DHCPV6_DESTINATION_PORT = 546;
- private static final String HOST_MASK = "/32";
- private static final String V6_HOST_MASK = "/128";
- private static final int PORT_RANGE_MIN = 1;
- private static final int PORT_RANGE_MAX = 65535;
public EgressAclService() {
super(Service.EGRESS_ACL);
@Override
public void programPortSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort,
- NeutronSecurityGroup securityGroup, String portUuid, NodeId nodeId, boolean write) {
+ NeutronSecurityGroup securityGroup, String portUuid, NodeId nodeId, boolean write) {
LOG.trace("programPortSecurityGroup: neutronSecurityGroup: {} ", securityGroup);
if (securityGroup == null ) {
List<Neutron_IPs> remoteSrcAddressList = secGroupRemoteIPMap.get(remoteSgUuid);
if (remoteSrcAddressList == null) {
remoteSrcAddressList = securityServicesManager
- .getVmListForSecurityGroup(portUuid,remoteSgUuid);
+ .getVmListForSecurityGroup(portUuid, remoteSgUuid);
secGroupRemoteIPMap.put(remoteSgUuid, remoteSrcAddressList);
}
for (Neutron_IPs vmIp :remoteSrcAddressList ) {
- programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, securityGroup, vmIp, write);
+ programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, vmIp, write);
}
if (write) {
securityGroupCacheManger.addToCache(remoteSgUuid, portUuid, nodeId);
portUuid, nodeId);
}
} else {
- programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, securityGroup, null, write);
+ programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, null, write);
}
}
}
}
@Override
- public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac, NeutronSecurityRule portSecurityRule,
- NeutronSecurityGroup securityGroup, Neutron_IPs vmIp, boolean write) {
+ public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ NeutronSecurityRule portSecurityRule, Neutron_IPs vmIp, boolean write) {
String securityRuleEtherType = portSecurityRule.getSecurityRuleEthertype();
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(securityRuleEtherType);
if (!isIpv6 && !NeutronSecurityRule.ETHERTYPE_IPV4.equals(securityRuleEtherType)) {
return;
}
-
String ipaddress = null;
if (null != vmIp) {
ipaddress = vmIp.getIpAddress();
return;
}
}
- if (null == portSecurityRule.getSecurityRuleProtocol() && securityGroup.getSecurityGroupName().equals("default")) {
- /* TODO Rework on the priority values */
- egressAclIp(dpid, isIpv6, segmentationId, attachedMac,
- portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_MATCH_PRIORITY - 1, false);
- if(!isIpv6) {
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.TCP);
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- egressAclTcp(dpid, segmentationId, attachedMac,
- portSecurityRule,ipaddress, write,
- Constants.PROTO_PORT_MATCH_PRIORITY, false);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.UDP);
- egressAclUdp(dpid, segmentationId, attachedMac,
- portSecurityRule, ipaddress, write,
- Constants.PROTO_PORT_MATCH_PRIORITY, false);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.ICMP);
- portSecurityRule.setSecurityRulePortMin(null);
- portSecurityRule.setSecurityRulePortMax(null);
- egressAclIcmp(dpid, segmentationId, attachedMac,
- portSecurityRule, ipaddress,write,
- Constants.PROTO_PORT_MATCH_PRIORITY, false);
- portSecurityRule.setSecurityRuleProtocol(null);
+ if (null == portSecurityRule.getSecurityRuleProtocol()
+ || portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.ANY_PROTOCOL)) {
+ egressAclIp(dpid, isIpv6, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
+ if (NeutronSecurityRule.ETHERTYPE_IPV4.equals(portSecurityRule.getSecurityRuleEthertype())) {
+ egressAclTcp(dpid, segmentationId, attachedMac, TCP_SECURITY_GROUP_RULE_IPv4_ANY, ipaddress, write);
+ egressAclUdp(dpid, segmentationId, attachedMac, UDP_SECURITY_GROUP_RULE_IPv4_ANY, ipaddress, write);
+ egressAclIcmp(dpid, segmentationId, attachedMac, ICMP_SECURITY_GROUP_RULE_IPv4_ANY, ipaddress, write);
}
} else {
- switch (portSecurityRule.getSecurityRuleProtocol() == null ? "" : portSecurityRule.getSecurityRuleProtocol()) {
+ switch (portSecurityRule.getSecurityRuleProtocol()) {
case MatchUtils.TCP:
+ case MatchUtils.TCP_PROTOCOL:
LOG.debug("programPortSecurityRule: Rule matching TCP", portSecurityRule);
- egressAclTcp(dpid, segmentationId, attachedMac,
- portSecurityRule,ipaddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ egressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
break;
case MatchUtils.UDP:
+ case MatchUtils.UDP_PROTOCOL:
LOG.debug("programPortSecurityRule: Rule matching UDP", portSecurityRule);
- egressAclUdp(dpid, segmentationId, attachedMac,
- portSecurityRule, ipaddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ egressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
break;
case MatchUtils.ICMP:
case MatchUtils.ICMPV6:
+ case MatchUtils.ICMP_PROTOCOL:
LOG.debug("programPortSecurityRule: Rule matching ICMP", portSecurityRule);
- egressAclIcmp(dpid, segmentationId, attachedMac,
- portSecurityRule, ipaddress,write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ egressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
break;
default:
LOG.info("programPortSecurityAcl: Protocol is not TCP/UDP/ICMP but other "
+ "protocol = ", portSecurityRule.getSecurityRuleProtocol());
egressOtherProtocolAclHandler(dpid, segmentationId, attachedMac,
- portSecurityRule, ipaddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, isIpv6);
+ portSecurityRule, ipaddress, write, isIpv6);
break;
}
}
private void egressOtherProtocolAclHandler(Long dpidLong, String segmentationId, String srcMac,
NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer priority, boolean isIpv6) {
- if(null == portSecurityRule.getSecurityRuleProtocol() || portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.ANY_PROTOCOL)) {
- egressAclIp(dpidLong, isIpv6, segmentationId, srcMac,
- portSecurityRule, dstAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY - 1, true);
- if(!isIpv6) {
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.TCP);
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- egressAclTcp(dpidLong, segmentationId, srcMac,
- portSecurityRule,dstAddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, true);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.UDP);
- egressAclUdp(dpidLong, segmentationId, srcMac,
- portSecurityRule, dstAddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, true);
- portSecurityRule.setSecurityRulePortMin(null);
- portSecurityRule.setSecurityRulePortMax(null);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.ICMP);
- egressAclIcmp(dpidLong, segmentationId, srcMac,
- portSecurityRule, dstAddress,write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, true);
- portSecurityRule.setSecurityRuleProtocol(null);
- }
- } else {
- if (portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.TCP_PROTOCOL)) {
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- egressAclTcp(dpidLong, segmentationId, srcMac,
- portSecurityRule,dstAddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
- } else if (portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.UDP_PROTOCOL)) {
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- egressAclUdp(dpidLong, segmentationId, srcMac,
- portSecurityRule, dstAddress, write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
- } else if (portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.ICMP_PROTOCOL)) {
- egressAclIcmp(dpidLong, segmentationId, srcMac,
- portSecurityRule, dstAddress,write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ boolean write, boolean isIpv6) {
+ MatchBuilder matchBuilder = new MatchBuilder();
+ String flowId = "Egress_Other_" + segmentationId + "_" + srcMac + "_";
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
+ short proto = 0;
+ try {
+ Integer protocol = new Integer(portSecurityRule.getSecurityRuleProtocol());
+ proto = protocol.shortValue();
+ flowId = flowId + proto;
+ } catch (NumberFormatException e) {
+ LOG.error("Protocol value conversion failure", e);
+ }
+ matchBuilder = MatchUtils.createIpProtocolAndEthMatch(matchBuilder, proto, srcMac, null);
+ if (null != dstAddress) {
+ flowId = flowId + "_" + dstAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + "_" + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
+ new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
} else {
- MatchBuilder matchBuilder = new MatchBuilder();
- String flowId = "Egress_Other_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
- short proto = 0;
- try {
- Integer protocol = new Integer(portSecurityRule.getSecurityRuleProtocol());
- proto = protocol.shortValue();
- flowId = flowId + proto;
- } catch (NumberFormatException e) {
- LOG.error("Protocol vlaue conversion failure", e);
- }
- matchBuilder = MatchUtils.createIpProtocolAndEthMatch(matchBuilder, proto, srcMac, null);
- if (null != dstAddress) {
- flowId = flowId + dstAddress;
+ if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
- MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
- } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
- flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- if(isIpv6) {
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
- new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
- } else {
- if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
- }
- }
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
}
- flowId = flowId + "_Permit";
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, priority, matchBuilder, getTable());
- addInstructionWithConntrackCommit(flowBuilder, false);
- syncFlow(flowBuilder ,nodeBuilder, write);
}
}
+ flowId = flowId + "_Permit";
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ flowId, Constants.PROTO_OTHER_MATCH_PRIORITY, matchBuilder, getTable());
+ addInstructionWithConntrackCommit(flowBuilder, false);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
@Override
if (securityServicesManager.isConntrackEnabled()) {
programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write);
} else {
- egressVMDrop(dpid, segmentationId, attachedMac, write,Constants.PROTO_TCP_SYN_MATCH_PRIORITY_DROP);
- egressVMRegex(dpid, segmentationId, attachedMac, write,Constants.PROTO_REG6_MATCH_PRIORITY);
+ egressVMDrop(dpid, segmentationId, attachedMac, write, Constants.PROTO_PORT_DROP_PRIORITY);
+ egressVMRegex(dpid, segmentationId, attachedMac, write, Constants.PROTO_REG6_MATCH_PRIORITY);
}
egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
}
+
private void egressVMRegex(Long dpidLong, String segmentationId, String srcMac,
boolean write, Integer priority) {
String flowName = "Egress_Regx_" + segmentationId + "_" + srcMac;
MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder, srcMac, null);
MatchUtils.addNxRegMatch(matchBuilder,
new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL));
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
syncFlow(flowBuilder, nodeBuilder, write);
}
- private void addTcpSynFlagMatchIpv4Drop(Long dpidLong, String segmentationId, String srcMac,
- boolean write, Integer priority) {
- String flowName = "Egress_TCP_Ipv4_" + segmentationId + "_" + srcMac + "_DROP";
- MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addTcpSynMatch(matchBuilder);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
- addPipelineInstruction(flowBuilder, null, true);
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder, nodeBuilder, write);
- }
private void egressVMDrop(Long dpidLong, String segmentationId, String srcMac,
boolean write, Integer priority) {
String flowName = "Egress_Drop_" + segmentationId + "_" + srcMac + "_DROP";
MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder,srcMac,null);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
- addPipelineInstruction(flowBuilder, null, true);
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder, nodeBuilder, write);
- }
-
- private void addTcpSynFlagMatchIpv6Drop(Long dpidLong, String segmentationId, String srcMac,
- boolean write, Integer priority) {
- String flowName = "Egress_TCP_Ipv6_" + segmentationId + "_" + srcMac + "_DROP";
- MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
- matchBuilder = MatchUtils.addTcpSynMatch(matchBuilder);
+ matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder, srcMac, null);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
private void programArpRule(Long dpid, String segmentationId, long localPort, String attachedMac, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_ARP_" + segmentationId + "_" + localPort + "_";
- MatchUtils.createV4EtherMatchWithType(matchBuilder,null,null,MatchUtils.ETHERTYPE_ARP);
+ MatchUtils.createV4EtherMatchWithType(matchBuilder, null, null, MatchUtils.ETHERTYPE_ARP);
MatchUtils.addArpMacMatch(matchBuilder, attachedMac, null);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_MATCH_PRIORITY,
matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpid);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programEgressAclFixedConntrackRule(Long dpid,
String segmentationId, long localPort, String attachMac, boolean write) {
try {
- programConntrackUntrackRule(dpid, segmentationId, localPort,attachMac,
+ programConntrackUntrackRule(dpid, segmentationId, localPort, attachMac,
Constants.CT_STATE_UNTRACKED_PRIORITY, write );
programConntrackTrackedPlusEstRule(dpid, segmentationId, localPort,
Constants.CT_STATE_TRACKED_EXIST_PRIORITY, write );
long localPort, String attachMac, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Egress_Fixed_Conntrk_Untrk_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, attachMac, null,MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.UNTRACKED_CT_STATE,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, attachMac, null, MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.UNTRACKED_CT_STATE,
MatchUtils.UNTRACKED_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addInstructionWithConntrackRecirc(flowBuilder);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackTrackedPlusEstRule(Long dpidLong, String segmentationId,
- long localPort,Integer priority, boolean write) {
+ long localPort, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Egress_Fixed_Conntrk_TrkEst_" + segmentationId + "_" + localPort + "_";
matchBuilder = MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_EST_CT_STATE,
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_EST_CT_STATE,
MatchUtils.TRACKED_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackTrackedPlusRelRule(Long dpidLong, String segmentationId,
- long localPort,Integer priority, boolean write) {
+ long localPort, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Egress_Fixed_Conntrk_TrkRel_" + segmentationId + "_" + localPort + "_";
matchBuilder = MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_REL_CT_STATE,
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_REL_CT_STATE,
MatchUtils.TRACKED_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackNewDropRule(Long dpidLong, String segmentationId,
String flowName = "Egress_Fixed_Conntrk_NewDrop_" + segmentationId + "_" + localPort + "_";
matchBuilder = MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_NEW_CT_STATE,
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,
MatchUtils.TRACKED_NEW_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackInvDropRule(Long dpidLong, String segmentationId,
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Egress_Fixed_Conntrk_InvDrop_" + segmentationId + "_" + localPort + "_";
matchBuilder = MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_INV_CT_STATE,
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_INV_CT_STATE,
MatchUtils.TRACKED_INV_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param segmentationId the segementation id
* @param srcMac the src mac address
* @param write add or remove
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priority.
*/
private void egressAclIp(Long dpidLong, boolean isIpv6, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq ) {
+ NeutronSecurityRule portSecurityRule, String srcAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_IP" + segmentationId + "_" + srcMac + "_Permit_";
if (isIpv6) {
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, srcMac, null);
} else {
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
}
if (null != srcAddress) {
flowId = flowId + srcAddress;
if (isIpv6) {
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
- MatchUtils.iPv6PrefixFromIPv6Address(srcAddress),null);
+ MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null);
} else {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress),null);
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
}
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (isIpv6) {
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
} else {
// Fix: Bug 6473
// IP match removed if CIDR created as 0.0.0.0/0 in openstack security rule
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
new Ipv4Prefix(portSecurityRule
.getSecurityRuleRemoteIpPrefix()));
}
flowId = flowId + "Ipv4";
}
}
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ flowId, Constants.PROTO_IP_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithConntrackCommit(flowBuilder, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param portSecurityRule the security rule in the SG
* @param dstAddress the destination IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priroty
*/
private void egressAclTcp(Long dpidLong, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String dstAddress, boolean write) {
+ LOG.debug("egressAclTcp: portSecurityRule {} ", portSecurityRule);
boolean portRange = false;
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_TCP_" + segmentationId + "_" + srcMac + "_";
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype());
if (isIpv6) {
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, srcMac, null);
} else {
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
}
/* Custom TCP Match */
if (null != dstAddress) {
flowId = flowId + dstAddress;
if (isIpv6) {
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
MatchUtils.iPv6PrefixFromIPv6Address(dstAddress));
} else {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
}
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (isIpv6) {
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
} else {
// Fix: Bug 6473
// IP match removed if CIDR created as 0.0.0.0/0 in openstack security rule
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
new Ipv4Prefix(portSecurityRule
.getSecurityRuleRemoteIpPrefix()));
}
.getLayer4MaskForRange(portSecurityRule.getSecurityRulePortMin(),
portSecurityRule.getSecurityRulePortMax());
for (Integer port: portMaskMap.keySet()) {
- String rangeflowId = flowId + port + "_" + portMaskMap.get(port) + "_";
+ String rangeflowId = flowId + port + "_" + portMaskMap.get(port);
rangeflowId = rangeflowId + "_Permit";
MatchUtils.addLayer4MatchWithMask(matchBuilder, MatchUtils.TCP_SHORT,
0, port, portMaskMap.get(port));
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority,
- matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ rangeflowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
} else {
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority,
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_PORT_MATCH_PRIORITY,
matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
- }
- }
-
- private void addTcpSynMatch(MatchBuilder matchBuilder) {
- if (!securityServicesManager.isConntrackEnabled()) {
- MatchUtils.createTcpProtoSynMatch(matchBuilder);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
}
private void egressAclIcmp(Long dpidLong, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String dstAddress, boolean write) {
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype());
if (isIpv6) {
- egressAclIcmpV6(dpidLong, segmentationId, srcMac, portSecurityRule, dstAddress, write,
- protoPortMatchPriority, isRegMatchReq);
+ egressAclIcmpV6(dpidLong, segmentationId, srcMac, portSecurityRule, dstAddress, write);
} else {
- egressAclIcmpV4(dpidLong, segmentationId, srcMac, portSecurityRule, dstAddress, write,
- protoPortMatchPriority, isRegMatchReq);
+ egressAclIcmpV4(dpidLong, segmentationId, srcMac, portSecurityRule, dstAddress, write);
}
}
* @param portSecurityRule the security rule in the SG
* @param dstAddress the source IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priority
*/
private void egressAclIcmpV4(Long dpidLong, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String dstAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
boolean isIcmpAll = false;
String flowId = "Egress_ICMP_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
+
/*Custom ICMP Match */
if (portSecurityRule.getSecurityRulePortMin() != null
&& portSecurityRule.getSecurityRulePortMax() != null) {
portSecurityRule.getSecurityRulePortMax().shortValue());
} else {
isIcmpAll = true;
- /* All ICMP Match */ // We are getting from neutron NULL for both min and max
- flowId = flowId + "all" + "_" ;
- matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
}
+
if (null != dstAddress) {
flowId = flowId + dstAddress;
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
}
}
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- //matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, portSecurityRule.getSecurityRulePortMin().shortValue(), portSecurityRule.getSecurityRulePortMax().shortValue());
if(isIcmpAll)
{
Map<Integer, String> map = LearnConstants.ICMP_TYPE_MAP;
for(Map.Entry<Integer, String> entry : map.entrySet()) {
- Icmpv4MatchBuilder icmpv4match = new Icmpv4MatchBuilder();
- icmpv4match.setIcmpv4Type(entry.getKey().shortValue());
- icmpv4match.setIcmpv4Code((short)0);
- matchBuilder.setIcmpv4Match(icmpv4match.build());
- String rangeflowId = flowId + "_" + entry.getKey() + "_" + entry.getValue();
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority, matchBuilder, getTable());
+ matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, entry.getKey().shortValue(), (short)0);
+ String rangeflowId = flowId + entry.getKey() + "_" + entry.getValue() + "_";
+ rangeflowId = rangeflowId + "_Permit";
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ rangeflowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, entry.getValue(), "0");
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
- addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, srcMac, protoPortMatchPriority - 1, dstAddress, write, isRegMatchReq);
+ addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, srcMac, dstAddress, write);
} else {
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ flowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
String icmpType = LearnConstants.ICMP_TYPE_MAP.get(portSecurityRule.getSecurityRulePortMin());
if (icmpType == null){
icmpType = Integer.toString(portSecurityRule.getSecurityRulePortMin());
}
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, icmpType,
Integer.toString(portSecurityRule.getSecurityRulePortMax()));
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
}
- private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId, String srcMac,
- Integer protoPortMatchPriority, String dstAddress, boolean write, boolean isRegMatchReq) {
+ private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId,
+ String srcMac, String dstAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
- InstructionBuilder instructionBuilder = null;
- short learnTableId=getTable(Service.ACL_LEARN_SERVICE);
- short resubmitId=getTable(Service.LOAD_BALANCER);
String flowId = "Ingress_ICMP_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
flowId = flowId + "all" + "_" ;
matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
if (null != dstAddress) {
flowId = flowId + dstAddress;
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
}
}
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
- }
- Icmpv4MatchBuilder icmpv4match = new Icmpv4MatchBuilder();
- matchBuilder.setIcmpv4Match(icmpv4match.build());
+ /* All ICMP Match */
+ matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
String rangeflowId = flowId;
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority, matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ rangeflowId, Constants.PROTO_PORT_ICMP_MATCH_PRIORITY, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
- syncFlow(flowBuilder ,nodeBuilder, write);
-
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param portSecurityRule the security rule in the SG
* @param dstAddress the source IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priority
*/
private void egressAclIcmpV6(Long dpidLong, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String dstAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_ICMP_" + segmentationId + "_" + srcMac + "_";
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, srcMac, null);
/*Custom ICMP Match */
if (portSecurityRule.getSecurityRulePortMin() != null
flowId = flowId + "all" + "_" ;
matchBuilder = MatchUtils.createICMPv6Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
}
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
- }
if (null != dstAddress) {
flowId = flowId + dstAddress;
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
MatchUtils.iPv6PrefixFromIPv6Address(dstAddress));
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
}
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithConntrackCommit(flowBuilder, false);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param portSecurityRule the security rule in the SG
* @param dstAddress the source IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priroty
*/
private void egressAclUdp(Long dpidLong, String segmentationId, String srcMac,
- NeutronSecurityRule portSecurityRule, String dstAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String dstAddress, boolean write) {
+ LOG.debug("egressAclTcp: egressAclUdp {} ", portSecurityRule);
boolean portRange = false;
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Egress_UDP_" + segmentationId + "_" + srcMac + "_";
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype());
if (isIpv6) {
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, srcMac, null);
} else {
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
}
/* Custom UDP Match */
if (null != dstAddress) {
flowId = flowId + dstAddress;
if (isIpv6) {
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
MatchUtils.iPv6PrefixFromIPv6Address(dstAddress));
} else {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
}
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
rangeflowId = rangeflowId + "_Permit";
MatchUtils.addLayer4MatchWithMask(matchBuilder, MatchUtils.UDP_SHORT,
0, port, portMaskMap.get(port));
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority,
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, Constants.PROTO_PORT_MATCH_PRIORITY,
matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
} else {
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority,
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_PORT_MATCH_PRIORITY,
matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
}
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
String attachedMac, String srcIp,
Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSrcL3Ipv4MatchWithMac(matchBuilder, new Ipv4Prefix(srcIp),new MacAddress(attachedMac));
+ MatchUtils.createSrcL3Ipv4MatchWithMac(matchBuilder, new Ipv4Prefix(srcIp), new MacAddress(attachedMac));
MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
LOG.debug("egressAclAllowTrafficFromVmIpMacPair: MatchBuilder contains: {}", matchBuilder);
String flowName = "Egress_Allow_VM_IP_MAC" + "_" + localPort + attachedMac + "_Permit_";
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
String attachedMac, String srcIp,
Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
- MatchUtils.createSrcL3Ipv6MatchWithMac(matchBuilder, new Ipv6Prefix(srcIp),new MacAddress(attachedMac));
+ MatchUtils.createSrcL3Ipv6MatchWithMac(matchBuilder, new Ipv6Prefix(srcIp), new MacAddress(attachedMac));
MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
LOG.debug("egressAclAllowTrafficFromVmIpMacPair: MatchBuilder contains: {}", matchBuilder);
String flowName = "Egress_Allow_VM_IPv6_MAC" + "_" + localPort + attachedMac + "_Permit_";
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
- }
-
- private void addConntrackMatch(MatchBuilder matchBuilder, int state, int mask) {
- if (securityServicesManager.isConntrackEnabled()) {
- MatchUtils.addCtState(matchBuilder, state, mask );
- }
-
+ syncFlow(flowBuilder, nodeBuilder, write);
}
- private FlowBuilder addInstructionWithConntrackCommit( FlowBuilder flowBuilder , boolean isDrop) {
- InstructionBuilder instructionBuilder = null;
- if (securityServicesManager.isConntrackEnabled()) {
- Action conntrackAction = ActionUtils.nxConntrackAction(1, 0L, 0, (short)0xff);
- instructionBuilder = InstructionUtils
- .createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
- }
- return addPipelineInstruction(flowBuilder,instructionBuilder, isDrop);
- }
private FlowBuilder addInstructionWithLearnConntrackCommit(NeutronSecurityRule portSecurityRule, FlowBuilder flowBuilder, String icmpType, String icmpCode) {
InstructionBuilder instructionBuilder = null;
- short learnTableId=getTable(Service.ACL_LEARN_SERVICE);
- short resubmitId=getTable(Service.LOAD_BALANCER);
if (securityServicesManager.isConntrackEnabled()) {
Action conntrackAction = ActionUtils.nxConntrackAction(1, 0L, 0, (short)0xff);
instructionBuilder = InstructionUtils
.createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
- return addPipelineInstruction(flowBuilder,instructionBuilder, false);
- }
- if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP) || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP_PROTOCOL)) {
- return EgressAclLearnServiceUtil.programEgressAclLearnRuleForTcp(flowBuilder,instructionBuilder,learnTableId,resubmitId);
- } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP) || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP_PROTOCOL)) {
- return EgressAclLearnServiceUtil.programEgressAclLearnRuleForUdp(flowBuilder,instructionBuilder,learnTableId,resubmitId);
- } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP) || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP_PROTOCOL)) {
- return EgressAclLearnServiceUtil.programEgressAclLearnRuleForIcmp(flowBuilder,instructionBuilder, icmpType, icmpCode,learnTableId,resubmitId);
- }
- return flowBuilder;
- }
-
- private FlowBuilder addInstructionWithConntrackRecirc( FlowBuilder flowBuilder) {
- InstructionBuilder instructionBuilder = null;
- if (securityServicesManager.isConntrackEnabled()) {
- Action conntrackAction = ActionUtils.nxConntrackAction(0, 0L, 0, (short)0x0);
-
- instructionBuilder = InstructionUtils
- .createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
- List<Instruction> instructionsList = Lists.newArrayList();
- instructionsList.add(instructionBuilder.build());
- InstructionsBuilder isb = new InstructionsBuilder();
- isb.setInstruction(instructionsList);
- flowBuilder.setInstructions(isb.build());
- }
- return flowBuilder;
- }
-
- private FlowBuilder addPipelineInstruction( FlowBuilder flowBuilder ,
- InstructionBuilder instructionBuilder,boolean isDrop) {
- InstructionBuilder pipeLineIndstructionBuilder = createPipleLineInstructionBuilder(isDrop);
- List<Instruction> instructionsList = Lists.newArrayList();
- instructionsList.add(pipeLineIndstructionBuilder.build());
- if (null != instructionBuilder) {
- instructionsList.add(instructionBuilder.build());
+ return addPipelineInstruction(flowBuilder, instructionBuilder, false);
+ }
+ if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP)
+ || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP_PROTOCOL)) {
+ return EgressAclLearnServiceUtil.programEgressAclLearnRuleForTcp(flowBuilder);
+ } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP)
+ || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP_PROTOCOL)) {
+ return EgressAclLearnServiceUtil.programEgressAclLearnRuleForUdp(flowBuilder);
+ } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP)
+ || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP_PROTOCOL)) {
+ return EgressAclLearnServiceUtil.programEgressAclLearnRuleForIcmp(flowBuilder, icmpType, icmpCode);
}
- InstructionsBuilder isb = new InstructionsBuilder();
- isb.setInstruction(instructionsList);
- flowBuilder.setInstructions(isb.build());
return flowBuilder;
}
- private InstructionBuilder createPipleLineInstructionBuilder(boolean drop) {
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- if (drop) {
- InstructionUtils.createDropInstructions(ib);
- }
- ib.setOrder(0);
- List<Instruction> instructionsList = Lists.newArrayList();
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- return ib;
- }
- /**
- * Add or remove flow to the node.
- * @param flowBuilder the flow builder
- * @param nodeBuilder the node builder
- * @param write whether it is a write
- */
- private void syncFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder,
- boolean write) {
- if (write) {
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- private List<NeutronSecurityRule> getSecurityRulesforGroup(NeutronSecurityGroup securityGroup) {
- List<NeutronSecurityRule> securityRules = new ArrayList<>();
- List<NeutronSecurityRule> rules = neutronSecurityRule.getAllNeutronSecurityRules();
- for (NeutronSecurityRule securityRule : rules) {
- if (securityGroup.getID().equals(securityRule.getSecurityRuleGroupID())) {
- securityRules.add(securityRule);
- }
- }
- return securityRules;
- }
-
@Override
public void setDependencies(BundleContext bundleContext, ServiceReference serviceReference) {
super.setDependencies(bundleContext.getServiceReference(EgressAclProvider.class.getName()), this);
import com.google.common.collect.Lists;
public class IngressAclLearnServiceUtil {
+ private static final short LEARN_TABLE_ID = Service.ACL_LEARN_SERVICE.getTable();
+ private static final short RESUBMIT_TABLE_ID = Service.OUTBOUND_NAT.getTable();
/*
* (Table:IngressAclLearnService) IngressAcl Learning
* fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
* NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,100)"
*/
- public static FlowBuilder programIngressAclLearnRuleForTcp(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, short learnTableId, short resubmitTableId) {
+ public static FlowBuilder programIngressAclLearnRuleForTcp(FlowBuilder flowBuilder) {
List<Action> listAction = new ArrayList<>();
// Create learn action
LearnConstants.LEARN_PRIORITY,
"0",
LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
+ String.valueOf(LEARN_TABLE_ID),
String.valueOf(NetvirtProvidersProvider.getSecurityGroupTcpFinIdleTimeout()),
String.valueOf(NetvirtProvidersProvider.getSecurityGroupTcpFinHardTimeout())
};
listAction.add(buildAction(0, header, flowMod));
ActionBuilder ab = new ActionBuilder();
ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitTableId));
+ ab.setAction(createResubmitActions());
ab.setKey(new ActionKey(1));
listAction.add(ab.build());
ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
ApplyActionsCase applyActionsCase = new ApplyActionsCaseBuilder().setApplyActions(applyActions).build();
InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
List<Instruction> instructions = Lists.newArrayList();
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
+
+ InstructionBuilder instructionBuilder = new InstructionBuilder();
instructionBuilder.setInstruction(applyActionsCase);
instructionBuilder.setOrder(0);
instructionBuilder.setKey(new InstructionKey(0));
* fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
* NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,100)"
*/
- public static FlowBuilder programIngressAclLearnRuleForUdp(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, short learnTableId, short resubmitTableId) {
+ public static FlowBuilder programIngressAclLearnRuleForUdp(FlowBuilder flowBuilder) {
List<Action> listAction = new ArrayList<>();
// Create learn action
LearnConstants.LEARN_PRIORITY,
"0",
LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
+ String.valueOf(LEARN_TABLE_ID),
"0",
"0"
};
ActionBuilder ab = new ActionBuilder();
ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitTableId));
+ ab.setAction(createResubmitActions());
ab.setKey(new ActionKey(1));
listAction.add(ab.build());
ApplyActionsCase applyActionsCase = new ApplyActionsCaseBuilder().setApplyActions(applyActions).build();
InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
List<Instruction> instructions = Lists.newArrayList();
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
+
+ InstructionBuilder instructionBuilder = new InstructionBuilder();
instructionBuilder.setInstruction(applyActionsCase);
instructionBuilder.setOrder(0);
instructionBuilder.setKey(new InstructionKey(0));
* fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
* NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],NXM_OF_TCP_DST[]=NXM_OF_TCP_SRC[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,100)"
*/
- public static FlowBuilder programIngressAclLearnRuleForIcmp(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, String icmpType, String icmpCode, short learnTableId, short resubmitTableId) {
+ public static FlowBuilder programIngressAclLearnRuleForIcmp(FlowBuilder flowBuilder, String icmpType, String icmpCode) {
//, Integer icmpCode,Integer icmpType
List<Action> listAction = new ArrayList<>();
LearnConstants.LEARN_PRIORITY,
"0",
LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
+ String.valueOf(LEARN_TABLE_ID),
"0",
"0"
};
listAction.add(buildAction(0, header, flowMod));
ActionBuilder ab = new ActionBuilder();
ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitTableId));
+ ab.setAction(createResubmitActions());
ab.setKey(new ActionKey(1));
listAction.add(ab.build());
ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
List<Instruction> instructions = Lists.newArrayList();
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
+ InstructionBuilder instructionBuilder = new InstructionBuilder();
instructionBuilder.setInstruction(applyActionsCase);
instructionBuilder.setOrder(0);
instructionBuilder.setKey(new InstructionKey(0));
flowBuilder.setInstructions(instructionsBuilder.build());
return flowBuilder;
-
- }
-
- /*
- * (Table:IngressAclLearnService) IngressAcl Learning
- * Match: reg6 = LearnConstants.NxmOfFieldType.NXM_NX_REG6
- * Action: learn and resubmit to next table
- * "table=90,dl_src=fa:16:3e:d3:bb:8a,priority=61002,icmp,dl_dst=fa:16:3e:bb:79:c1 ,actions=learn(table=39,idle_timeout=300,fin_idle_timeout=0,
- * fin_hard_timeout=0,priority=61010, cookie=0x6900000,eth_type=0x800,nw_proto=6, NXM_OF_IP_SRC[]=NXM_OF_IP_DST[],NXM_OF_IP_DST[]=NXM_OF_IP_SRC[],
- * NXM_OF_ICMP_TYPE[]=NXM_OF_ICMP_TYPE[],NXM_OF_ICMP_CODE[]=NXM_OF_ICMP_CODE[],load:0x1->NXM_NX_REG6[0..7]),resubmit(,100)"
- */
- public static FlowBuilder programIngressAclLearnRuleForIcmpAll(FlowBuilder flowBuilder, InstructionBuilder instructionBuilder, short learnTableId, short resubmitTableId) {
- //, Integer icmpCode,Integer icmpType
- List<Action> listAction = new ArrayList<>();
-
- String[] header = new String[] {
- String.valueOf(NetvirtProvidersProvider.getSecurityGroupDefaultIdleTimeout()),
- String.valueOf(NetvirtProvidersProvider.getSecurityGroupDefaultHardTimeout()),
- LearnConstants.LEARN_PRIORITY,
- "0",
- LearnConstants.DELETE_LEARNED_FLAG_VALUE,
- String.valueOf(learnTableId),
- "0",
- "0"
- };
-
- String[][] flowMod = new String[7][];
- //eth_type=0x800
- flowMod[0] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_VALUE.name(),
- Integer.toString(LearnConstants.ETHTYPE_IPV4),
- LearnConstants.NxmOfFieldType.NXM_OF_ETH_TYPE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ETH_TYPE.getFlowModHeaderLen() };
- //nw_proto=1
- flowMod[1] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_VALUE.name(),
- Integer.toString(LearnConstants.IP_PROT_ICMP),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_PROTO.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_PROTO.getFlowModHeaderLen() };
- //NXM_OF_IP_SRC[]=NXM_OF_IP_DST[]
- flowMod[2] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_DST.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_SRC.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_DST.getFlowModHeaderLen()};
- // NXM_OF_IP_DST[]=NXM_OF_IP_SRC[]
- flowMod[3] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_SRC.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_DST.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_IP_SRC.getFlowModHeaderLen()};
- //NXM_OF_ICMP_TYPE=NXM_OF_ICMP_TYPE
- flowMod[4] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_TYPE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_TYPE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_TYPE.getFlowModHeaderLen()};
- // NXM_OF_ICMP_CODE=NXM_OF_ICMP_CODE
- flowMod[5] = new String[] { LearnConstants.LearnFlowModsType.MATCH_FROM_FIELD.name(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_CODE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_CODE.getHexType(),
- LearnConstants.NxmOfFieldType.NXM_OF_ICMP_CODE.getFlowModHeaderLen()};
- flowMod[6] = new String[] {
- LearnConstants.LearnFlowModsType.COPY_FROM_VALUE.name(), LearnConstants.LEARN_MATCH_REG_VALUE,
- LearnConstants.NxmOfFieldType.NXM_NX_REG6.getHexType(), "8" };
- listAction.add(buildAction(0, header, flowMod));
- ActionBuilder ab = new ActionBuilder();
- ab.setAction(createResubmitActions(resubmitTableId));
- ab.setKey(new ActionKey(1));
- listAction.add(ab.build());
- ApplyActions applyActions = new ApplyActionsBuilder().setAction(listAction).build();
- ApplyActionsCase applyActionsCase = new ApplyActionsCaseBuilder().setApplyActions(applyActions).build();
- InstructionsBuilder instructionsBuilder = new InstructionsBuilder();
- List<Instruction> instructions = Lists.newArrayList();
-
- if(instructionBuilder == null) {
- instructionBuilder = new InstructionBuilder();
- }
- instructionBuilder.setInstruction(applyActionsCase);
- instructionBuilder.setOrder(0);
- instructionBuilder.setKey(new InstructionKey(0));
- instructions.add(instructionBuilder.build());
- // Add InstructionBuilder to the Instruction(s)Builder List
- instructionsBuilder.setInstruction(instructions);
-
- // Add InstructionsBuilder to FlowBuilder
- flowBuilder.setInstructions(instructionsBuilder.build());
-
- return flowBuilder;
-
}
/*
return abExt.build();
}
- private static org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action createResubmitActions(short tableId) {
+ private static org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action createResubmitActions() {
NxResubmitBuilder gttb = new NxResubmitBuilder();
- gttb.setTable(tableId);
+ gttb.setTable(RESUBMIT_TABLE_ID);
// Wrap our Apply Action in an InstructionBuilder
return (new NxActionResubmitRpcAddGroupCaseBuilder().setNxResubmit(gttb.build())).build();
package org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.services;
-import java.math.BigInteger;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
-import java.util.ArrayList;
import java.util.List;
import java.util.HashMap;
import java.util.Map;
import org.opendaylight.netvirt.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.netvirt.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.netvirt.openstack.netvirt.providers.ConfigInterface;
-import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.Service;
import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityGroup;
import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.netvirt.openstack.netvirt.translator.Neutron_IPs;
-import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityGroupCRUD;
import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityRuleCRUD;
import org.opendaylight.netvirt.utils.mdsal.openflow.ActionUtils;
import org.opendaylight.netvirt.utils.mdsal.openflow.FlowUtils;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv6Prefix;
import org.opendaylight.yang.gen.v1.urn.opendaylight.action.types.rev131112.action.Action;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv4MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv6MatchBuilder;
-import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.network.topology.topology.Node;
import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
import org.opendaylight.netvirt.openstack.netvirt.api.LearnConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.collect.Lists;
-
-public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider, ConfigInterface {
+public class IngressAclService extends AbstractAclService implements IngressAclProvider, ConfigInterface {
private static final Logger LOG = LoggerFactory.getLogger(IngressAclService.class);
- private volatile SecurityServicesManager securityServicesManager;
- private volatile SecurityGroupCacheManger securityGroupCacheManger;
- private volatile INeutronSecurityRuleCRUD neutronSecurityRule;
- private static final int PORT_RANGE_MIN = 1;
- private static final int PORT_RANGE_MAX = 65535;
public IngressAclService() {
super(Service.INGRESS_ACL);
List<Neutron_IPs> remoteSrcAddressList = secGroupRemoteIPMap.get(remoteSgUuid);
if (remoteSrcAddressList == null) {
remoteSrcAddressList = securityServicesManager
- .getVmListForSecurityGroup(portUuid,remoteSgUuid);
+ .getVmListForSecurityGroup(portUuid, remoteSgUuid);
secGroupRemoteIPMap.put(remoteSgUuid, remoteSrcAddressList);
}
for (Neutron_IPs vmIp :remoteSrcAddressList ) {
- programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, securityGroup, vmIp, write);
+ programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, vmIp, write);
}
if (write) {
securityGroupCacheManger.addToCache(remoteSgUuid, portUuid, nodeId);
securityGroupCacheManger.removeFromCache(remoteSgUuid, portUuid, nodeId);
}
} else {
- programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, securityGroup, null, write);
+ programPortSecurityRule(dpid, segmentationId, attachedMac, portSecurityRule, null, write);
}
}
}
}
@Override
- public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac, NeutronSecurityRule portSecurityRule,
- NeutronSecurityGroup securityGroup, Neutron_IPs vmIp, boolean write) {
+ public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ NeutronSecurityRule portSecurityRule, Neutron_IPs vmIp, boolean write) {
String securityRuleEtherType = portSecurityRule.getSecurityRuleEthertype();
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(securityRuleEtherType);
if (!isIpv6 && !NeutronSecurityRule.ETHERTYPE_IPV4.equals(securityRuleEtherType)) {
return;
}
}
- if (null == portSecurityRule.getSecurityRuleProtocol() && securityGroup.getSecurityGroupName().equals("default")) {
- ingressAclIp(dpid, isIpv6, segmentationId, attachedMac,
- portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_MATCH_PRIORITY - 1, false);
- if(!isIpv6) {
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.TCP);
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- ingressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_MATCH_PRIORITY, false);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.UDP);
- ingressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_MATCH_PRIORITY, false);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.ICMP);
- portSecurityRule.setSecurityRulePortMin(null);
- portSecurityRule.setSecurityRulePortMax(null);
- ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_MATCH_PRIORITY, false);
- portSecurityRule.setSecurityRuleProtocol(null);
+ if (null == portSecurityRule.getSecurityRuleProtocol()
+ || portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.ANY_PROTOCOL)) {
+ ingressAclIp(dpid, isIpv6, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
+ if (NeutronSecurityRule.ETHERTYPE_IPV4.equals(portSecurityRule.getSecurityRuleEthertype())) {
+ ingressAclTcp(dpid, segmentationId, attachedMac, TCP_SECURITY_GROUP_RULE_IPv4_ANY, ipaddress, write);
+ ingressAclUdp(dpid, segmentationId, attachedMac, UDP_SECURITY_GROUP_RULE_IPv4_ANY, ipaddress, write);
+ ingressAclIcmp(dpid, segmentationId, attachedMac, ICMP_SECURITY_GROUP_RULE_IPv4_ANY, ipaddress, write);
}
} else {
-
- switch (portSecurityRule.getSecurityRuleProtocol() == null ? "" : portSecurityRule.getSecurityRuleProtocol()) {
+ switch (portSecurityRule.getSecurityRuleProtocol()) {
case MatchUtils.TCP:
+ case MatchUtils.TCP_PROTOCOL:
LOG.debug("programPortSecurityRule: Rule matching TCP", portSecurityRule);
- ingressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ ingressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
break;
case MatchUtils.UDP:
+ case MatchUtils.UDP_PROTOCOL:
LOG.debug("programPortSecurityRule: Rule matching UDP", portSecurityRule);
- ingressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ ingressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
break;
case MatchUtils.ICMP:
case MatchUtils.ICMPV6:
+ case MatchUtils.ICMP_PROTOCOL:
LOG.debug("programPortSecurityRule: Rule matching ICMP", portSecurityRule);
- ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write);
break;
default:
LOG.info("programPortSecurityAcl: Protocol is not TCP/UDP/ICMP but other "
+ "protocol = ", portSecurityRule.getSecurityRuleProtocol());
ingressOtherProtocolAclHandler(dpid, segmentationId, attachedMac, portSecurityRule,
- ipaddress, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, isIpv6);
+ ipaddress, write, isIpv6);
break;
}
}
-
}
private void ingressOtherProtocolAclHandler(Long dpidLong, String segmentationId, String dstMac,
NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isIpv6) {
- if(null == portSecurityRule.getSecurityRuleProtocol() || portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.ANY_PROTOCOL)) {
- ingressAclIp(dpidLong, isIpv6, segmentationId, dstMac,
- portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY - 1, true);
- if(!isIpv6) {
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.TCP);
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- ingressAclTcp(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, true);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.UDP);
- ingressAclUdp(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, true);
- portSecurityRule.setSecurityRuleProtocol(MatchUtils.ICMP);
- portSecurityRule.setSecurityRulePortMin(null);
- portSecurityRule.setSecurityRulePortMax(null);
- ingressAclIcmp(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, true);
- portSecurityRule.setSecurityRuleProtocol(null);
- }
- } else {
- if (portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.TCP_PROTOCOL)) {
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- ingressAclTcp(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
- } else if (portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.UDP_PROTOCOL)) {
- portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
- portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
- ingressAclUdp(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
- } else if (portSecurityRule.getSecurityRuleProtocol().equals(MatchUtils.ICMP_PROTOCOL)) {
- ingressAclIcmp(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY, false);
+ boolean write, boolean isIpv6) {
+
+ MatchBuilder matchBuilder = new MatchBuilder();
+ String flowId = "Ingress_Other_" + segmentationId + "_" + dstMac + "_";
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, dstMac, MatchUtils.ETHERTYPE_IPV4);
+ short proto = 0;
+ try {
+ Integer protocol = new Integer(portSecurityRule.getSecurityRuleProtocol());
+ proto = protocol.shortValue();
+ flowId = flowId + proto;
+ } catch (NumberFormatException e) {
+ LOG.error("Protocol value conversion failure", e);
+ }
+ matchBuilder = MatchUtils.createIpProtocolAndEthMatch(matchBuilder, proto, null, dstMac);
+ if (null != srcAddress) {
+ flowId = flowId + srcAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ if (isIpv6) {
+ matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, null,
+ new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
} else {
- MatchBuilder matchBuilder = new MatchBuilder();
- String flowId = "Ingress_Other_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
- short proto = 0;
- try {
- Integer protocol = new Integer(portSecurityRule.getSecurityRuleProtocol());
- proto = protocol.shortValue();
- flowId = flowId + proto;
- } catch (NumberFormatException e) {
- LOG.error("Protocol vlaue conversion failure", e);
- }
- matchBuilder = MatchUtils.createIpProtocolAndEthMatch(matchBuilder, proto, null, dstMac);
- if (null != srcAddress) {
- flowId = flowId + srcAddress;
+ if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
- } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
- flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
- if(isIpv6) {
- matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null,
- new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
- } else {
- if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
- matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
- }
- }
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()), null);
}
- flowId = flowId + "_Permit";
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority,
- matchBuilder, getTable());
- addInstructionWithConntrackCommit(flowBuilder, false);
- syncFlow(flowBuilder ,nodeBuilder, write);
}
}
+ flowId = flowId + "_Permit";
+ NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_OTHER_MATCH_PRIORITY,
+ matchBuilder, getTable());
+ addInstructionWithConntrackCommit(flowBuilder, false);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
@Override
public void programFixedSecurityGroup(Long dpid, String segmentationId, String dhcpMacAddress,
- long localPort, String attachMac, boolean write) {
+ long localPort, String attachMac, boolean write) {
- ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac,
- write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
- ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac,
- write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+ ingressAclDhcpAllowServerTraffic(dpid, segmentationId, dhcpMacAddress, attachMac,
+ write, Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+ ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId, dhcpMacAddress, attachMac,
+ write, Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
if (securityServicesManager.isConntrackEnabled()) {
programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write);
} else {
- ingressVMDrop(dpid, segmentationId, attachMac, write,
- Constants.PROTO_TCP_SYN_MATCH_PRIORITY_DROP);
- ingressVMRegex(dpid, segmentationId, attachMac, write,
- Constants.PROTO_REG6_MATCH_PRIORITY);
+ ingressVMDrop(dpid, segmentationId, attachMac, write, Constants.PROTO_PORT_DROP_PRIORITY);
+ ingressVMRegex(dpid, segmentationId, attachMac, write, Constants.PROTO_REG6_MATCH_PRIORITY);
}
programArpRule(dpid, segmentationId, localPort, attachMac, write);
}
+
private void ingressVMDrop(Long dpidLong, String segmentationId, String srcMac,
boolean write, Integer priority) {
String flowName = "Ingress_Drop_" + segmentationId + "_" + srcMac + "_DROP";
MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder,null,srcMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder, null, srcMac);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
syncFlow(flowBuilder, nodeBuilder, write);
}
+
private void ingressVMRegex(Long dpidLong, String segmentationId, String srcMac,
boolean write, Integer priority) {
String flowName = "Ingress_Regx_" + segmentationId + "_" + srcMac;
MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder,null,srcMac);
+ matchBuilder = MatchUtils.createV4EtherMatchWithoutType(matchBuilder, null, srcMac);
MatchUtils.addNxRegMatch(matchBuilder,
new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL));
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
syncFlow(flowBuilder, nodeBuilder, write);
}
- private void addTcpSynFlagMatchIpv4Drop(Long dpidLong, String segmentationId, String dstMac,
- boolean write, Integer priority) {
- String flowId = "Ingress_TCP_Ipv4_" + segmentationId + "_" + dstMac + "_DROP";
- MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addTcpSynMatch(matchBuilder);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, priority, matchBuilder, getTable());
- addPipelineInstruction(flowBuilder, null, true);
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder, nodeBuilder, write);
- }
-
- private void addTcpSynFlagMatchIpv6Drop(Long dpidLong, String segmentationId, String dstMac,
- boolean write, Integer priority) {
- String flowId = "Ingress_TCP_Ipv6_" + segmentationId + "_" + dstMac + "_DROP";
- MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
- matchBuilder = MatchUtils.addTcpSynMatch(matchBuilder);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, priority, matchBuilder, getTable());
- addPipelineInstruction(flowBuilder, null, true);
- NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder, nodeBuilder, write);
- }
-
private void programArpRule(Long dpid, String segmentationId, long localPort, String attachMac, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_ARP_" + segmentationId + "_" + localPort + "_";
- MatchUtils.createV4EtherMatchWithType(matchBuilder,null,null,MatchUtils.ETHERTYPE_ARP);
+ MatchUtils.createV4EtherMatchWithType(matchBuilder, null, null, MatchUtils.ETHERTYPE_ARP);
MatchUtils.addArpMacMatch(matchBuilder, null, attachMac);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_MATCH_PRIORITY,
matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpid);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programIngressAclFixedConntrackRule(Long dpid,
long localPort, String attachMac, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Ingress_Fixed_Conntrk_Untrk_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac,MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.UNTRACKED_CT_STATE,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, attachMac, MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.UNTRACKED_CT_STATE,
MatchUtils.UNTRACKED_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addInstructionWithConntrackRecirc(flowBuilder);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackTrackedPlusEstRule(Long dpidLong, String segmentationId,
- long localPort, String attachMac,Integer priority, boolean write) {
+ long localPort, String attachMac, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Ingress_Fixed_Conntrk_TrkEst_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac,MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_EST_CT_STATE,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, attachMac, MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_EST_CT_STATE,
MatchUtils.TRACKED_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackTrackedPlusRelRule(Long dpidLong, String segmentationId,
- long localPort, String attachMac,Integer priority, boolean write) {
+ long localPort, String attachMac, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Ingress_Fixed_Conntrk_TrkRel_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac,MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_REL_CT_STATE,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, attachMac, MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_REL_CT_STATE,
MatchUtils.TRACKED_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackNewDropRule(Long dpidLong, String segmentationId,
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Ingress_Fixed_Conntrk_NewDrop_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac,0x0800L);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_NEW_CT_STATE,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, attachMac, 0x0800L);
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,
MatchUtils.TRACKED_NEW_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
private void programConntrackInvDropRule(Long dpidLong, String segmentationId,
long localPort, String attachMac, Integer priority, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowName = "Ingress_Fixed_Conntrk_InvDrop_" + segmentationId + "_" + localPort + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,attachMac, MatchUtils.ETHERTYPE_IPV4);
- matchBuilder = MatchUtils.addCtState(matchBuilder,MatchUtils.TRACKED_INV_CT_STATE,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, attachMac, MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.addCtState(matchBuilder, MatchUtils.TRACKED_INV_CT_STATE,
MatchUtils.TRACKED_INV_CT_STATE_MASK);
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, true);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param segmentationId the segementation id
* @param dstMac the destination mac address
* @param write add or remove
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priority.
*/
private void ingressAclIp(Long dpidLong, boolean isIpv6, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq ) {
+ NeutronSecurityRule portSecurityRule, String srcAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_IP" + segmentationId + "_" + dstMac + "_Permit_";
if (isIpv6) {
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, null, dstMac);
} else {
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, dstMac, MatchUtils.ETHERTYPE_IPV4);
}
if (null != srcAddress) {
flowId = flowId + srcAddress;
if (isIpv6) {
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
- MatchUtils.iPv6PrefixFromIPv6Address(srcAddress),null);
+ MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null);
} else {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress),null);
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
}
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (isIpv6) {
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
new Ipv6Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
} else {
// Fix: Bug 6473
// IP match removed if CIDR created as 0.0.0.0/0 in openstack security rule
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
new Ipv4Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
}
}
} else {
flowId = flowId + "Ipv4";
}
}
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ flowId, Constants.PROTO_IP_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithConntrackCommit(flowBuilder, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param portSecurityRule the security rule in the SG
* @param srcAddress the destination IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priroty
*/
private void ingressAclTcp(Long dpidLong, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress, boolean write,
- Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String srcAddress, boolean write) {
boolean portRange = false;
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_TCP_" + segmentationId + "_" + dstMac + "_";
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype());
if (isIpv6) {
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, null, dstMac);
} else {
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, dstMac, MatchUtils.ETHERTYPE_IPV4);
}
/* Custom TCP Match*/
flowId = flowId + srcAddress;
if (isIpv6) {
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
- MatchUtils.iPv6PrefixFromIPv6Address(srcAddress),null);
+ MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null);
} else {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress),null);
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
}
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (isIpv6) {
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
new Ipv6Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
} else {
// Fix: Bug 6473
// IP match removed if CIDR created as 0.0.0.0/0 in openstack security rule
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
new Ipv4Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
}
}
}
rangeflowId = rangeflowId + "_Permit";
MatchUtils.addLayer4MatchWithMask(matchBuilder, MatchUtils.TCP_SHORT,
0, port, portMaskMap.get(port));
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority,
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, Constants.PROTO_PORT_MATCH_PRIORITY,
matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
} else {
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority,
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_PORT_MATCH_PRIORITY,
matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
- }
- }
-
- private void addTcpSynMatch(MatchBuilder matchBuilder) {
- if (!securityServicesManager.isConntrackEnabled()) {
- MatchUtils.createTcpProtoSynMatch(matchBuilder);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
}
* @param portSecurityRule the security rule in the SG
* @param srcAddress the destination IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priroty
*/
private void ingressAclUdp(Long dpidLong, String segmentationId, String dstMac,
NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq ) {
+ boolean write) {
boolean portRange = false;
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype());
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_UDP_" + segmentationId + "_" + dstMac + "_";
if (isIpv6) {
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, null, dstMac);
} else {
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, dstMac, MatchUtils.ETHERTYPE_IPV4);
}
/* Custom UDP Match */
if (isIpv6) {
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
new Ipv6Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
} else {
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
new Ipv4Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
}
}
}
rangeflowId = rangeflowId + "_Permit";
MatchUtils.addLayer4MatchWithMask(matchBuilder, MatchUtils.UDP_SHORT,
0, port, portMaskMap.get(port));
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority,
- matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ rangeflowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
} else {
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority,
- matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ flowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, null, null);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
}
private void ingressAclIcmp(Long dpidLong, String segmentationId, String dstMac,
NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ boolean write) {
boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype());
if (isIpv6) {
- ingressAclIcmpV6(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, protoPortMatchPriority, isRegMatchReq);
+ ingressAclIcmpV6(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress, write);
} else {
- ingressAclIcmpV4(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress,
- write, protoPortMatchPriority, isRegMatchReq);
+ ingressAclIcmpV4(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress, write);
}
}
* @param portSecurityRule the security rule in the SG
* @param srcAddress the destination IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priority
*/
private void ingressAclIcmpV4(Long dpidLong, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
-
+ NeutronSecurityRule portSecurityRule, String srcAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
boolean isIcmpAll = false;
String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, dstMac, MatchUtils.ETHERTYPE_IPV4);
/* Custom ICMP Match */
if (portSecurityRule.getSecurityRulePortMin() != null
} else {
isIcmpAll = true;
/* All ICMP Match */
- flowId = flowId + "all" + "_";
- matchBuilder = MatchUtils.createICMPv4Match(matchBuilder,MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
- }
-
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
}
if (null != srcAddress) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()), null);
}
}
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
{
Map<Integer, String> map = LearnConstants.ICMP_TYPE_MAP;
for(Map.Entry<Integer, String> entry : map.entrySet()) {
- Icmpv4MatchBuilder icmpv4match = new Icmpv4MatchBuilder();
- icmpv4match.setIcmpv4Type(entry.getKey().shortValue());
- icmpv4match.setIcmpv4Code((short)0);
- matchBuilder.setIcmpv4Match(icmpv4match.build());
- String rangeflowId = flowId + "_" + entry.getKey() + "_" + entry.getValue();
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority, matchBuilder, getTable());
+ matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, entry.getKey().shortValue(), (short)0);
+ String rangeflowId = flowId + entry.getKey() + "_" + entry.getValue() + "_" ;
+ rangeflowId = rangeflowId + "_Permit";
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ rangeflowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, entry.getValue(), "0");
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
- addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, dstMac, protoPortMatchPriority - 1, srcAddress, write, isRegMatchReq);
+ addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, dstMac, srcAddress, write);
} else {
flowId = flowId + "_Permit";
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ flowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
String icmpType = LearnConstants.ICMP_TYPE_MAP.get(portSecurityRule.getSecurityRulePortMin());
if (icmpType == null){
icmpType = Integer.toString(portSecurityRule.getSecurityRulePortMin());
}
addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, icmpType,
Integer.toString(portSecurityRule.getSecurityRulePortMax()));
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
}
- private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId, String dstMac,
- Integer protoPortMatchPriority, String srcAddress, boolean write, boolean isRegMatchReq) {
+ private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId,
+ String dstMac, String srcAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
- InstructionBuilder instructionBuilder = null;
- short learnTableId=getTable(Service.ACL_LEARN_SERVICE);
- short resubmitId=getTable(Service.OUTBOUND_NAT);
String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, null, dstMac, MatchUtils.ETHERTYPE_IPV4);
if (null != srcAddress) {
flowId = flowId + srcAddress;
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()), null);
}
}
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
- }
flowId = flowId + "all" + "_";
- matchBuilder = MatchUtils.createICMPv4Match(matchBuilder,MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
- Icmpv4MatchBuilder icmpv4match = new Icmpv4MatchBuilder();
- matchBuilder.setIcmpv4Match(icmpv4match.build());
+ matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
String rangeflowId = flowId;
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority, matchBuilder, getTable());
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(
+ rangeflowId, Constants.PROTO_PORT_ICMP_MATCH_PRIORITY, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
- syncFlow(flowBuilder ,nodeBuilder, write);
-
+ syncSecurityRuleFlow(flowBuilder, nodeBuilder, write);
}
/**
* @param portSecurityRule the security rule in the SG
* @param srcAddress the destination IP address
* @param write add or delete
- * @param isRegMatchReq add Reg MAtch or not
- * @param protoPortMatchPriority the protocol match priority
*/
private void ingressAclIcmpV6(Long dpidLong, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority, boolean isRegMatchReq) {
+ NeutronSecurityRule portSecurityRule, String srcAddress, boolean write) {
MatchBuilder matchBuilder = new MatchBuilder();
- String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_";
- matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac);
+ String flowId = "Ingress_ICMPv6_" + segmentationId + "_" + dstMac + "_";
+ matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder, null, dstMac);
/* Custom ICMP Match */
if (portSecurityRule.getSecurityRulePortMin() != null
} else {
/* All ICMP Match */
flowId = flowId + "all" + "_";
- matchBuilder = MatchUtils.createICMPv6Match(matchBuilder,MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
- }
- if (isRegMatchReq) {
- flowId = flowId + "_regEx_";
- MatchUtils.addNxRegMatch(matchBuilder,
- new MatchUtils.RegMatch(ClassifierService.REG_FIELD_6, ClassifierService.REG_VALUE_FROM_LOCAL_0));
+ matchBuilder = MatchUtils.createICMPv6Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
}
if (null != srcAddress) {
flowId = flowId + srcAddress;
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,
new Ipv6Prefix(portSecurityRule
- .getSecurityRuleRemoteIpPrefix()),null);
+ .getSecurityRuleRemoteIpPrefix()), null);
}
- addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
+ addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE, MatchUtils.TRACKED_NEW_CT_STATE_MASK);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
flowId = flowId + "_Permit";
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, Constants.PROTO_PORT_MATCH_PRIORITY, matchBuilder, getTable());
addInstructionWithConntrackCommit(flowBuilder, false);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
String attachMac, boolean write, Integer protoPortMatchPriority) {
MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, dhcpMacAddress, attachMac,
MatchUtils.ETHERTYPE_IPV4);
MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 67, 68);
String flowId = "Ingress_DHCP_Server_" + segmentationId + "_" + attachMac + "_Permit";
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
+ syncFlow(flowBuilder, nodeBuilder, write);
}
/**
String attachMac, boolean write, Integer protoPortMatchPriority) {
MatchBuilder matchBuilder = new MatchBuilder();
- matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac,
+ matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, dhcpMacAddress, attachMac,
MatchUtils.ETHERTYPE_IPV6);
MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 547, 546);
String flowId = "Ingress_DHCPv6_Server_" + segmentationId + "_" + attachMac + "_Permit";
FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
addPipelineInstruction(flowBuilder, null, false);
NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
- syncFlow(flowBuilder ,nodeBuilder, write);
- }
-
- private void addConntrackMatch(MatchBuilder matchBuilder, int state, int mask) {
- if (securityServicesManager.isConntrackEnabled()) {
- MatchUtils.addCtState(matchBuilder, state, mask );
- }
- }
- private FlowBuilder addInstructionWithLearnConntrackCommit(NeutronSecurityRule portSecurityRule, FlowBuilder flowBuilder , String icmpType, String icmpCode) {
- InstructionBuilder instructionBuilder = null;
- short learnTableId=getTable(Service.ACL_LEARN_SERVICE);
- short resubmitTableId=getTable(Service.OUTBOUND_NAT);
- if (securityServicesManager.isConntrackEnabled()) {
- Action conntrackAction = ActionUtils.nxConntrackAction(1, 0L, 0, (short)0xff);
- instructionBuilder = InstructionUtils
- .createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
- return addPipelineInstruction(flowBuilder,instructionBuilder, false);
- }
- if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP) || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP_PROTOCOL)) {
- return IngressAclLearnServiceUtil.programIngressAclLearnRuleForTcp(flowBuilder,instructionBuilder,learnTableId,resubmitTableId);
- } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP) || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP_PROTOCOL)) {
- return IngressAclLearnServiceUtil.programIngressAclLearnRuleForUdp(flowBuilder,instructionBuilder,learnTableId,resubmitTableId);
- } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP) || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP_PROTOCOL)) {
- return IngressAclLearnServiceUtil.programIngressAclLearnRuleForIcmp(flowBuilder,instructionBuilder, icmpType, icmpCode,learnTableId,resubmitTableId);
- }
- return flowBuilder;
+ syncFlow(flowBuilder, nodeBuilder, write);
}
- private FlowBuilder addInstructionWithConntrackCommit( FlowBuilder flowBuilder , boolean isDrop) {
- InstructionBuilder instructionBuilder = null;
+ private FlowBuilder addInstructionWithLearnConntrackCommit(NeutronSecurityRule portSecurityRule, FlowBuilder flowBuilder,
+ String icmpType, String icmpCode) {
if (securityServicesManager.isConntrackEnabled()) {
Action conntrackAction = ActionUtils.nxConntrackAction(1, 0L, 0, (short)0xff);
- instructionBuilder = InstructionUtils
+ InstructionBuilder instructionBuilder = InstructionUtils
.createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
+ return addPipelineInstruction(flowBuilder, instructionBuilder, false);
+ }
+ if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP)
+ || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.TCP_PROTOCOL)) {
+ return IngressAclLearnServiceUtil.programIngressAclLearnRuleForTcp(flowBuilder);
+ } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP)
+ || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.UDP_PROTOCOL)) {
+ return IngressAclLearnServiceUtil.programIngressAclLearnRuleForUdp(flowBuilder);
+ } else if (portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP)
+ || portSecurityRule.getSecurityRuleProtocol().equalsIgnoreCase(MatchUtils.ICMP_PROTOCOL)) {
+ return IngressAclLearnServiceUtil.programIngressAclLearnRuleForIcmp(flowBuilder, icmpType, icmpCode);
}
- return addPipelineInstruction(flowBuilder,instructionBuilder, isDrop);
- }
-
- private FlowBuilder addInstructionWithConntrackRecirc( FlowBuilder flowBuilder) {
- InstructionBuilder instructionBuilder = null;
- if (securityServicesManager.isConntrackEnabled()) {
- Action conntrackAction = ActionUtils.nxConntrackAction(0, 0L, 0, (short)0x0);
- instructionBuilder = InstructionUtils
- .createInstructionBuilder(ActionUtils.conntrackActionBuilder(conntrackAction), 1, false);
- List<Instruction> instructionsList = Lists.newArrayList();
- instructionsList.add(instructionBuilder.build());
- InstructionsBuilder isb = new InstructionsBuilder();
- isb.setInstruction(instructionsList);
- flowBuilder.setInstructions(isb.build());
- }
- return flowBuilder;
- }
-
- private FlowBuilder addPipelineInstruction( FlowBuilder flowBuilder , InstructionBuilder instructionBuilder,
- boolean isDrop) {
- InstructionBuilder pipeLineIndstructionBuilder = createPipleLineInstructionBuilder(isDrop);
- List<Instruction> instructionsList = Lists.newArrayList();
- instructionsList.add(pipeLineIndstructionBuilder.build());
- if (null != instructionBuilder) {
- instructionsList.add(instructionBuilder.build());
- }
- InstructionsBuilder isb = new InstructionsBuilder();
- isb.setInstruction(instructionsList);
- flowBuilder.setInstructions(isb.build());
return flowBuilder;
}
- private InstructionBuilder createPipleLineInstructionBuilder(boolean drop) {
- InstructionBuilder ib = this.getMutablePipelineInstructionBuilder();
- if (drop) {
- InstructionUtils.createDropInstructions(ib);
- }
- ib.setOrder(0);
- List<Instruction> instructionsList = Lists.newArrayList();
- ib.setKey(new InstructionKey(0));
- instructionsList.add(ib.build());
- return ib;
- }
- /**
- * Add or remove flow to the node.
- * @param flowBuilder the flow builder
- * @param nodeBuilder the node builder
- * @param write whether it is a write
- */
- private void syncFlow(FlowBuilder flowBuilder, NodeBuilder nodeBuilder,
- boolean write) {
- if (write) {
- writeFlow(flowBuilder, nodeBuilder);
- } else {
- removeFlow(flowBuilder, nodeBuilder);
- }
- }
-
- private List<NeutronSecurityRule> getSecurityRulesforGroup(NeutronSecurityGroup securityGroup) {
- List<NeutronSecurityRule> securityRules = new ArrayList<>();
- List<NeutronSecurityRule> rules = neutronSecurityRule.getAllNeutronSecurityRules();
- for (NeutronSecurityRule securityRule : rules) {
- if (securityGroup.getID().equals(securityRule.getSecurityRuleGroupID())) {
- securityRules.add(securityRule);
- }
- }
- return securityRules;
- }
-
@Override
public void setDependencies(BundleContext bundleContext, ServiceReference serviceReference) {
super.setDependencies(bundleContext.getServiceReference(IngressAclProvider.class.getName()), this);
}
} else {
for (Neutron_IPs vmIp : vmIpList) {
- securityServicesManager.syncSecurityRule(port, securityRule, vmIp, nodeId, securityGroup, write);
+ securityServicesManager.syncSecurityRule(port, securityRule, vmIp, nodeId, write);
}
}
} else {
- securityServicesManager.syncSecurityRule(port, securityRule, null, nodeId, securityGroup, write);
+ securityServicesManager.syncSecurityRule(port, securityRule, null, nodeId, write);
}
}
public static final Integer PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY = 61012;
public static final Integer PROTO_MATCH_PRIORITY = 61010;
- public static final Integer PREFIX_MATCH_PRIORITY = 61009;
- public static final Integer PROTO_PREFIX_MATCH_PRIORITY = 61008;
- public static final Integer PROTO_PORT_MATCH_PRIORITY = 61007;
- public static final Integer PROTO_PORT_PREFIX_MATCH_PRIORITY = 61004;
public static final Integer PROTO_DHCP_SERVER_MATCH_PRIORITY = 61008;
- public static final Integer PROTO_PORT_ICMP_MATCH_PRIORITY = 61003;
- public static final Integer PROTO_TCP_SYN_MATCH_PRIORITY_DROP = 61002;
+ public static final Integer PROTO_PORT_MATCH_PRIORITY = 61007;
+ public static final Integer PROTO_IP_PORT_MATCH_PRIORITY = 61006;
public static final Integer PROTO_REG6_MATCH_PRIORITY = 61005;
- public static final Integer PROTO_VM_IP_MAC_MATCH_PRIORITY = 36001;
+ public static final Integer PROTO_OTHER_MATCH_PRIORITY = 61004;
+ public static final Integer PROTO_PORT_ICMP_MATCH_PRIORITY = 61003;
+ public static final Integer PROTO_PORT_DROP_PRIORITY = 61002;
public static final Integer CT_STATE_UNTRACKED_PRIORITY = 62030;
public static final Integer CT_STATE_TRACKED_EXIST_PRIORITY = 62020;
public static final Integer CT_STATE_TRACKED_NEW_PRIORITY = 62010;
* @param segmentationId the segmentation id
* @param attachedMac the attached mac
* @param portSecurityRule the security rule
- * @param securityGroup the security group
* @param vmIp the ip of the remote vm if it has a remote security group.
* @param write is this flow write or delete
*/
- void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac, NeutronSecurityRule portSecurityRule,
- NeutronSecurityGroup securityGroup, Neutron_IPs vmIp, boolean write);
+ void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ NeutronSecurityRule portSecurityRule, Neutron_IPs vmIp, boolean write);
/**
* Program fixed egress security group rules that will be associated with the VM port when a vm is spawned.
*
import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.NodeId;
/**
- * This interface allows ingress Port Security flows to be written to devices.
+ * This interface allows ingress Port Security flows to be written to devices.
*/
public interface IngressAclProvider {
/**
* Program port security Group.
*
- * @param dpid the dpid
+ * @param dpid the dpid
* @param segmentationId the segmentation id
- * @param attachedMac the attached mac
- * @param localPort the local port
- * @param securityGroup the security group
- * @param portUuid the uuid of the port.
- * @param nodeId the NodeId of the node.
- * @param write is this flow write or delete
+ * @param attachedMac the attached mac
+ * @param localPort the local port
+ * @param securityGroup the security group
+ * @param portUuid the uuid of the port.
+ * @param nodeId the NodeId of the node.
+ * @param write is this flow write or delete
*/
void programPortSecurityGroup(Long dpid, String segmentationId, String attachedMac,
- long localPort, NeutronSecurityGroup securityGroup,
- String portUuid, NodeId nodeId, boolean write);
+ long localPort, NeutronSecurityGroup securityGroup,
+ String portUuid, NodeId nodeId, boolean write);
+
/**
* Program port security rule.
*
- * @param dpid the dpid
- * @param segmentationId the segmentation id
- * @param attachedMac the attached mac
+ * @param dpid the dpid
+ * @param segmentationId the segmentation id
+ * @param attachedMac the attached mac
* @param portSecurityRule the security rule
- * @param securityGroup the security group
- * @param vmIp the ip of the remote vm if it has a remote security group.
- * @param write is this flow write or delete
+ * @param vmIp the ip of the remote vm if it has a remote security group.
+ * @param write is this flow write or delete
*/
- void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac, NeutronSecurityRule portSecurityRule,
- NeutronSecurityGroup securityGroup, Neutron_IPs vmIp, boolean write);
+ void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ NeutronSecurityRule portSecurityRule, Neutron_IPs vmIp, boolean write);
+
/**
* Program fixed ingress ACL rules that will be associated with the VM port when a vm is spawned.
* *
- * @param dpid the dpid
+ *
+ * @param dpid the dpid
* @param segmentationId the segmentation id
- * @param attachedMac the dhcp mac
- * @param localPort the local port
- * @param attachedMac2 the src mac
- * @param write is this flow writing or deleting
+ * @param attachedMac the dhcp mac
+ * @param localPort the local port
+ * @param attachedMac2 the src mac
+ * @param write is this flow writing or deleting
*/
void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort,
- String attachedMac2, boolean write);
+ String attachedMac2, boolean write);
}
\ No newline at end of file
* @param securityRule the security group associated with the port.
* @param vmIp The list of remote vm ips.
* @param nodeId the NodeId of the node.
- * @param securityGroup the security group.
* @param write whether to add/delete flow.
*/
void syncSecurityRule(NeutronPort port, NeutronSecurityRule securityRule, Neutron_IPs vmIp, NodeId nodeId,
- NeutronSecurityGroup securityGroup, boolean write);
+ boolean write);
/**
* Is connection tracking enabled or not by the user (default is false).
* @return whether connection tracking enabled.
}
for (Neutron_IPs vmIp : currentPort.getFixedIPs()) {
if (write) {
- securityServicesManager.syncSecurityRule(cachedport, securityRule, vmIp, nodeId, securityGroup, true);
+ securityServicesManager.syncSecurityRule(cachedport, securityRule, vmIp, nodeId, true);
} else {
- securityServicesManager.syncSecurityRule(cachedport, securityRule, vmIp, nodeId, securityGroup, false);
+ securityServicesManager.syncSecurityRule(cachedport, securityRule, vmIp, nodeId, false);
}
}
}
@Override
public void syncSecurityRule(NeutronPort port, NeutronSecurityRule securityRule, Neutron_IPs vmIp, NodeId nodeId,
- NeutronSecurityGroup securityGroup, boolean write) {
+ boolean write) {
LOG.trace("syncSecurityGroup:" + securityRule + " Write:" + write);
if (null != port && null != port.getSecurityGroups()) {
if (nodeId != null) {
- syncSecurityRules(port, securityRule, vmIp, nodeId, port.getMacAddress(), securityGroup, write);
+ syncSecurityRules(port, securityRule, vmIp, nodeId, port.getMacAddress(), write);
} else {
return;
}
}
private void syncSecurityRules(NeutronPort port, NeutronSecurityRule securityRule, Neutron_IPs vmIp, NodeId nodeId,
- String attachedMac, NeutronSecurityGroup securityGroup, boolean write) {
+ String attachedMac, boolean write) {
NeutronNetwork neutronNetwork = neutronL3Adapter.getNetworkFromCleanupCache(port.getNetworkUUID());
if (null == neutronNetwork) {
neutronNetwork = neutronNetworkCache.getNetwork(port.getNetworkUUID());
if (NeutronSecurityRule.ETHERTYPE_IPV4.equals(securityRule.getSecurityRuleEthertype())) {
if (NeutronSecurityRule.DIRECTION_INGRESS.equals(securityRule.getSecurityRuleDirection())) {
ingressAclProvider.programPortSecurityRule(dpId, segmentationId, attachedMac,
- securityRule, securityGroup, vmIp, write);
+ securityRule, vmIp, write);
} else if (NeutronSecurityRule.DIRECTION_EGRESS.equals(securityRule.getSecurityRuleDirection())) {
egressAclProvider.programPortSecurityRule(dpId, segmentationId, attachedMac,
- securityRule, securityGroup, vmIp, write);
+ securityRule, vmIp, write);
}
}
}
@Test
public void testPortAddedWithNoRemoteSGInCache() {
securityGroupCacheManagerImpl.portAdded(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_1);
- verify(securityServicesManager, times(0)).syncSecurityRule(any(NeutronPort.class), any(NeutronSecurityRule.class), any(Neutron_IPs.class), any(NodeId.class), any(NeutronSecurityGroup.class), anyBoolean());
+ verify(securityServicesManager, times(0)).syncSecurityRule(any(NeutronPort.class), any(NeutronSecurityRule.class), any(Neutron_IPs.class), any(NodeId.class), anyBoolean());
}
/**
public void testPortRemovedWithNoRemoteSGInCache() {
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_1, nodeId_1);
securityGroupCacheManagerImpl.portRemoved(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_1);
- verify(securityServicesManager, times(0)).syncSecurityRule(any(NeutronPort.class), any(NeutronSecurityRule.class), any(Neutron_IPs.class), any(NodeId.class), any(NeutronSecurityGroup.class), anyBoolean());
+ verify(securityServicesManager, times(0)).syncSecurityRule(any(NeutronPort.class), any(NeutronSecurityRule.class), any(Neutron_IPs.class), any(NodeId.class), anyBoolean());
}
/**
securityGroupCacheManagerImpl.portAdded(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_1);
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_2, nodeId_1);
securityGroupCacheManagerImpl.portAdded(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_2);
- securityServicesManager.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_2, nodeId_1, neutronSecurityGroup_1, true);
- verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm1), eq(neutronSecurityRule_1), eq(neutron_ip_2), eq(nodeId_1), eq(neutronSecurityGroup_1), eq(true));
+ securityServicesManager.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_2, nodeId_1, true);
+ verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm1), eq(neutronSecurityRule_1), eq(neutron_ip_2), eq(nodeId_1), eq(true));
}
/**
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_1, nodeId_1);
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_2, nodeId_1);
securityGroupCacheManagerImpl.portRemoved(SECURITY_GROUP_ID_1, NEUTRON_PORT_ID_VM_2);
- securityServicesManager.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_2, nodeId_1, neutronSecurityGroup_1, false);
- verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm1), eq(neutronSecurityRule_1), eq(neutron_ip_2), eq(nodeId_1), eq(neutronSecurityGroup_1), eq(false));
+ securityServicesManager.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_2, nodeId_1, false);
+ verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm1), eq(neutronSecurityRule_1), eq(neutron_ip_2), eq(nodeId_1), eq(false));
}
/**
public void testPortAddedWithCidrInCache() {
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_3, nodeId_1);
securityGroupCacheManagerImpl.portAdded(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_2);
- securityServicesManager.syncSecurityRule(neutronPort_Vm3, neutronSecurityRule_3, neutron_ip_2, nodeId_1, neutronSecurityGroup_1, true);
- verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm3), eq(neutronSecurityRule_3), eq(neutron_ip_2), eq(nodeId_1), eq(neutronSecurityGroup_1), eq(true));
+ securityServicesManager.syncSecurityRule(neutronPort_Vm3, neutronSecurityRule_3, neutron_ip_2, nodeId_1, true);
+ verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm3), eq(neutronSecurityRule_3), eq(neutron_ip_2), eq(nodeId_1), eq(true));
}
/**
public void testPortRemovedWithCidrInCache() {
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_3, nodeId_1);
securityGroupCacheManagerImpl.portRemoved(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_2);
- securityServicesManager.syncSecurityRule(neutronPort_Vm3, neutronSecurityRule_3, neutron_ip_2, nodeId_1, neutronSecurityGroup_1, false);
- verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm3), eq(neutronSecurityRule_3), eq(neutron_ip_2), eq(nodeId_1), eq(neutronSecurityGroup_1), eq(false));
+ securityServicesManager.syncSecurityRule(neutronPort_Vm3, neutronSecurityRule_3, neutron_ip_2, nodeId_1, false);
+ verify(securityServicesManager, times(1)).syncSecurityRule(eq(neutronPort_Vm3), eq(neutronSecurityRule_3), eq(neutron_ip_2), eq(nodeId_1), eq(false));
}
/**
securityGroupCacheManagerImpl.addToCache(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_3, nodeId_1);
securityGroupCacheManagerImpl.removeFromCache(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_3, nodeId_1);
securityGroupCacheManagerImpl.portRemoved(SECURITY_GROUP_ID_2, NEUTRON_PORT_ID_VM_2);
- verify(securityServicesManager, times(0)).syncSecurityRule(any(NeutronPort.class), any(NeutronSecurityRule.class), any(Neutron_IPs.class),any(NodeId.class), any(NeutronSecurityGroup.class), anyBoolean());
+ verify(securityServicesManager, times(0)).syncSecurityRule(any(NeutronPort.class), any(NeutronSecurityRule.class), any(Neutron_IPs.class),any(NodeId.class), anyBoolean());
}
}
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
when(nodeCacheManager.getNode(nodeId_1)).thenReturn(node);
when(neutronPort_Vm1.getMacAddress()).thenReturn("attached-mac");
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, true);
- verify(egressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(true));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, true);
+ verify(egressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(true));
}
/**
securityRuleList.add(neutronSecurityRule_1);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_INGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, true);
- verify(ingressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(true));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, true);
+ verify(ingressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(true));
}
/**
securityRuleList.add(neutronSecurityRule_1);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_EGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(egressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(egressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
/**
securityRuleList.add(neutronSecurityRule_1);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_INGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(ingressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(ingressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
/**
securityRuleList.add(neutronSecurityRule_1);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_INGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(null, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(null, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
/**
when(neutronPort_Vm1.getSecurityGroups()).thenReturn(null);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_INGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
/**
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_INGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
when(southbound.getInterfaceExternalIdsValue(any(OvsdbTerminationPointAugmentation.class),eq("attached-mac"))).thenReturn(null);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(ingressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(ingressAclService, times(1)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
securityRuleList.add(neutronSecurityRule_1);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn(NeutronSecurityRule.DIRECTION_INGRESS);
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV6);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
/**
securityRuleList.add(neutronSecurityRule_1);
when(neutronSecurityRule_1.getSecurityRuleDirection()).thenReturn("outgress");
when(neutronSecurityRule_1.getSecurityRuleEthertype()).thenReturn(NeutronSecurityRule.ETHERTYPE_IPV4);
- when(neutronSecurityGroup_1.getSecurityGroupName()).thenReturn(SECURITY_GROUP_ID_1);
- securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, neutronSecurityGroup_1, false);
- verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutronSecurityGroup_1), eq(neutron_ip_1), eq(false));
+ securityServicesImpl.syncSecurityRule(neutronPort_Vm1, neutronSecurityRule_1, neutron_ip_1, nodeId_1, false);
+ verify(ingressAclService, times(0)).programPortSecurityRule(eq(new Long(1)), eq("1000"), eq("attached-mac"), eq(neutronSecurityRule_1), eq(neutron_ip_1), eq(false));
}
@Test
Code Review / netvirt.git / commitdiff