/*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v1.0 which accompanies this distribution,
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
+
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
import org.opendaylight.genius.mdsalutil.ActionInfo;
import org.opendaylight.genius.mdsalutil.ActionType;
import org.opendaylight.genius.mdsalutil.InstructionInfo;
-import org.opendaylight.genius.mdsalutil.InstructionType;
import org.opendaylight.genius.mdsalutil.MDSALUtil;
import org.opendaylight.genius.mdsalutil.MatchFieldType;
import org.opendaylight.genius.mdsalutil.MatchInfo;
import org.opendaylight.genius.mdsalutil.MatchInfoBase;
import org.opendaylight.genius.mdsalutil.NwConstants;
-import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
-import org.opendaylight.genius.mdsalutil.NxMatchInfo;
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.genius.utils.ServiceIndex;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.LoggerFactory;
/**
- * Provides the stateful implementation for egress (w.r.t VM) ACL service.
+ * Provides abstract implementation for egress (w.r.t VM) ACL service.
*
* <p>
* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
* and vice versa.
*/
-public class EgressAclServiceImpl extends AbstractAclServiceImpl {
+public abstract class AbstractEgressAclServiceImpl extends AbstractAclServiceImpl {
- private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
+ private static final Logger LOG = LoggerFactory.getLogger(AbstractEgressAclServiceImpl.class);
/**
* Initialize the member variables.
* @param dataBroker the data broker instance.
* @param mdsalManager the mdsal manager instance.
*/
- public EgressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ public AbstractEgressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
// Service mode is w.rt. switch
super(ServiceModeIngress.class, dataBroker, mdsalManager);
}
MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
}
- /**
- * Program conntrack rules.
- *
- * @param dpid the dpid
- * @param dhcpMacAddress the dhcp mac address.
- * @param allowedAddresses the allowed addresses
- * @param lportTag the lport tag
- * @param addOrRemove addorRemove
- */
- @Override
- protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
- List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
- programEgressAclFixedConntrackRule(dpid, allowedAddresses, lportTag, portId, action, addOrRemove);
- }
-
@Override
protected void programGeneralFixedRules(BigInteger dpid, String dhcpMacAddress,
List<AllowedAddressPairs> allowedAddresses, int lportTag, Action action, int addOrRemove) {
}
//The flow map contains list of flows if port range is selected.
for ( String flowName : flowMap.keySet()) {
- List<MatchInfoBase> flows = flowMap.get(flowName);
- flowName += "Egress" + lportTag + ace.getKey().getRuleName();
- flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
- new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
-
- Long elanId = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- List<ActionInfo> actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"1", "0", elanId.toString(), "255"}, 2));
- List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
-
- syncFlow(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
- "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ flowName = syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);
}
}
+ protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
+ String portId, Map<String, List<MatchInfoBase>> flowMap, String flowName);
+
/**
* Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
*
"ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
}
- /**
- * Adds the rule to send the packet to the netfilter to check whether it is
- * a known packet.
- *
- * @param dpId the dpId
- * @param allowedAddresses the allowed addresses
- * @param priority the priority of the flow
- * @param flowId the flowId
- * @param conntrackState the conntrack state of the packets thats should be
- * send
- * @param conntrackMask the conntrack mask
- * @param portId the portId
- * @param addOrRemove whether to add or remove the flow
- */
- private void programConntrackRecircRules(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
- Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
- for (AllowedAddressPairs allowedAddress : allowedAddresses) {
- IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
- String attachMac = allowedAddress.getMacAddress().getValue();
-
- List<MatchInfoBase> matches = new ArrayList<>();
- matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
- matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
- matches.add(new MatchInfo(MatchFieldType.eth_src, new String[] {attachMac}));
- matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_source));
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- List<InstructionInfo> instructions = new ArrayList<>();
- List<ActionInfo> actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"0", "0", elanTag.toString(), Short.toString(
- NwConstants.INGRESS_ACL_FILTER_TABLE)}, 2));
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
-
- String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
- + String.valueOf(attachIp.getValue()) + "_" + flowId;
- syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
- }
- }
-
/**
* Adds the rule to allow arp packets.
*
AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
}
}
-
- /**
- * Programs the default connection tracking rules.
- *
- * @param dpid the dp id
- * @param allowedAddresses the allowed addresses
- * @param lportTag the lport tag
- * @param portId the portId
- * @param action the action
- * @param write whether to add or remove the flow.
- */
- private void programEgressAclFixedConntrackRule(BigInteger dpid, List<AllowedAddressPairs> allowedAddresses,
- int lportTag, String portId, Action action, int write) {
- programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
- "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, portId, write );
- LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");
- }
}
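Review bot: The new abstract hook `syncSpecificAclFlow` has no Javadoc and its String return value is dead: the caller in programAceRule assigns it to the enhanced-for variable (`flowName = syncSpecificAclFlow(...)`), which has no effect on the iteration, and the visible implementation in LearnEgressAclServiceImpl returns its `flowName` argument unchanged. Both the abstract declaration and the loop would be simpler as `for (Map.Entry<String, List<MatchInfoBase>> entry : flowMap.entrySet())`, calling `syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, entry.getValue(), entry.getKey());` against `protected abstract void syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, List<MatchInfoBase> flowMatches, String flowName);`, which also removes the `flowMap.get(flowName)` lookup every implementation starts with. The Javadoc on the hook should state that implementations program one flow per map entry and append to the match list they receive, since that list is the one held by the caller's map. programAceRule's header is outside the hunk; AbstractIngressAclServiceImpl has the identical loop and declaration.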
/*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v1.0 which accompanies this distribution,
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
import org.opendaylight.genius.mdsalutil.ActionInfo;
-import org.opendaylight.genius.mdsalutil.ActionType;
import org.opendaylight.genius.mdsalutil.InstructionInfo;
-import org.opendaylight.genius.mdsalutil.InstructionType;
import org.opendaylight.genius.mdsalutil.MDSALUtil;
import org.opendaylight.genius.mdsalutil.MatchFieldType;
import org.opendaylight.genius.mdsalutil.MatchInfo;
import org.opendaylight.genius.mdsalutil.MatchInfoBase;
import org.opendaylight.genius.mdsalutil.NwConstants;
-import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
-import org.opendaylight.genius.mdsalutil.NxMatchInfo;
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
import org.opendaylight.netvirt.aclservice.utils.AclConstants;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeEgress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionIngress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.LoggerFactory;
/**
- * Provides the stateful implementation for ingress (w.r.t VM) ACL service.
+ * Provides abstract implementation for ingress (w.r.t VM) ACL service.
*
* <p>
* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
* and vice versa.
*/
-public class IngressAclServiceImpl extends AbstractAclServiceImpl {
+public abstract class AbstractIngressAclServiceImpl extends AbstractAclServiceImpl {
- private static final Logger LOG = LoggerFactory.getLogger(IngressAclServiceImpl.class);
+ private static final Logger LOG = LoggerFactory.getLogger(AbstractIngressAclServiceImpl.class);
/**
* Initialize the member variables.
* @param dataBroker the data broker instance.
* @param mdsalManager the mdsal manager.
*/
- public IngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ public AbstractIngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
// Service mode is w.rt. switch
super(ServiceModeEgress.class, dataBroker, mdsalManager);
}
* @param addOrRemove add or remove the flow
*/
@Override
- protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
- List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
- programIngressAclFixedConntrackRule(dpid, allowedAddresses, portId, action, addOrRemove);
- }
+ protected abstract void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
+ List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove);
@Override
protected void programGeneralFixedRules(BigInteger dpid, String dhcpMacAddress,
return;
}
for ( String flowName : flowMap.keySet()) {
- List<MatchInfoBase> flows = flowMap.get(flowName);
- flowName += "Ingress" + lportTag + ace.getKey().getRuleName();
- flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
- new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- List<ActionInfo> actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"1", "0", elanTag.toString(), "255"}, 2));
- List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
-
- syncFlow(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
- "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ flowName = syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);
}
}
+ protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
+ String portId, Map<String, List<MatchInfoBase>> flowMap, String flowName);
+
/**
* Add rule to ensure only DHCP server traffic from the specified mac is
* allowed.
0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
}
- /**
- * Adds the rule to send the packet to the netfilter to check whether it is
- * a known packet.
- *
- * @param dpId the dpId
- * @param allowedAddresses the allowed addresses
- * @param priority the priority of the flow
- * @param flowId the flowId
- * @param conntrackState the conntrack state of the packets thats should be
- * send
- * @param conntrackMask the conntrack mask
- * @param portId the portId
- * @param addOrRemove whether to add or remove the flow
- */
- private void programConntrackRecircRules(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
- Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
- for (AllowedAddressPairs allowedAddress : allowedAddresses) {
- IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
- String attachMac = allowedAddress.getMacAddress().getValue();
-
- List<MatchInfoBase> matches = new ArrayList<>();
- matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] { NwConstants.ETHTYPE_IPV4 }));
- matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
- matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] { attachMac }));
- matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
-
- List<InstructionInfo> instructions = new ArrayList<>();
- List<ActionInfo> actionsInfos = new ArrayList<>();
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"0", "0", elanTag.toString(), Short.toString(
- NwConstants.EGRESS_ACL_FILTER_TABLE)}, 2));
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
- String flowName = "Ingress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
- + String.valueOf(attachIp.getValue()) + "_" + flowId;
- syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
- }
- }
-
- /**
- * Program conntrack tracked rule.
- *
- * @param dpId the dp id
- * @param allowedAddresses the allowed addresses
- * @param priority the priority
- * @param flowId the flow id
- * @param conntrackState the conntrack state
- * @param conntrackMask the conntrack mask
- * @param addOrRemove the add or remove
- */
- private void programConntrackTrackedRule(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
- Integer priority, String flowId, int conntrackState, int conntrackMask, int addOrRemove) {
- for (AllowedAddressPairs allowedAddress : allowedAddresses) {
- IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
- String attachMac = allowedAddress.getMacAddress().getValue();
-
- List<MatchInfoBase> matches = new ArrayList<>();
- matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
- matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
- matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] {attachMac}));
- matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
-
- List<ActionInfo> actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.goto_table, new String[] {}));
-
- List<InstructionInfo> instructions = new ArrayList<>();
- instructions.add(new InstructionInfo(InstructionType.goto_table,
- new long[] {NwConstants.EGRESS_ACL_FILTER_TABLE}));
-
- String flowName = "Ingress_Fixed_Conntrk_Trk_" + dpId + "_" + attachMac + "_"
- + String.valueOf(attachIp.getValue()) + "_" + flowId;
- syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, priority, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
- }
- }
-
/**
* Adds the rule to allow arp packets.
*
AclConstants.PROTO_ARP_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
}
-
- /**
- * Programs the default connection tracking rules.
- *
- * @param dpid the dp id
- * @param allowedAddresses the allowed addresses
- * @param portId the portId
- * @param write whether to add or remove the flow.
- */
- private void programIngressAclFixedConntrackRule(BigInteger dpid, List<AllowedAddressPairs> allowedAddresses,
- String portId, Action action, int write) {
- programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
- "Untracked", AclConstants.UNTRACKED_CT_STATE, AclConstants.UNTRACKED_CT_STATE_MASK, portId, write);
- programConntrackTrackedRule(dpid, allowedAddresses, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY, "Tracked",
- AclConstants.TRACKED_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write);
- LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are added.");
- }
}
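Review bot: `programSpecificFixedRules` is redeclared here as `protected abstract` with `@Override`, while the egress sibling in the same commit simply deletes its override and inherits the parent's declaration; the two abstract classes should take the same approach. If AbstractAclServiceImpl already declares the method abstract (not visible here), the redeclaration and its Javadoc are redundant and can be dropped as in the egress class; if it does not, the egress class needs the same abstract declaration so that subclasses are forced to implement it. The `syncSpecificAclFlow` hook and the `flowName = syncSpecificAclFlow(...)` loop assignment have the same dead-return issue noted on AbstractEgressAclServiceImpl.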
LOG.info("{} close", getClass().getSimpleName());
}
- public IngressAclServiceImpl createIngressAclServiceImpl() {
+ public AbstractIngressAclServiceImpl createIngressAclServiceImpl() {
LOG.info("creating ingress acl service using mode {}", securityGroupMode);
if (securityGroupMode == null || securityGroupMode == SecurityGroupMode.Stateful) {
- return new IngressAclServiceImpl(dataBroker, mdsalManager);
+ return new StatefulIngressAclServiceImpl(dataBroker, mdsalManager);
} else if (securityGroupMode == SecurityGroupMode.Stateless) {
return new StatelessIngressAclServiceImpl(dataBroker, mdsalManager);
} else if (securityGroupMode == SecurityGroupMode.Transparent) {
}
}
- public EgressAclServiceImpl createEgressAclServiceImpl() {
+ public AbstractEgressAclServiceImpl createEgressAclServiceImpl() {
LOG.info("creating egress acl service using mode {}", securityGroupMode);
if (securityGroupMode == null || securityGroupMode == SecurityGroupMode.Stateful) {
- return new EgressAclServiceImpl(dataBroker, mdsalManager);
+ return new StatefulEgressAclServiceImpl(dataBroker, mdsalManager);
} else if (securityGroupMode == SecurityGroupMode.Stateless) {
return new StatelessEgressAclServiceImpl(dataBroker, mdsalManager);
} else if (securityGroupMode == SecurityGroupMode.Transparent) {
* @param ingressAclService ingress acl service
* @param egressAclService egress acl service
*/
- public AclServiceManagerImpl(final IngressAclServiceImpl ingressAclService,
- final EgressAclServiceImpl egressAclService) {
+ public AclServiceManagerImpl(final AbstractIngressAclServiceImpl ingressAclService,
+ final AbstractEgressAclServiceImpl egressAclService) {
addAclServiceListner(ingressAclService);
addAclServiceListner(egressAclService);
/*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v1.0 which accompanies this distribution,
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
import org.opendaylight.netvirt.aclservice.utils.AclConstants;
-import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class LearnEgressAclServiceImpl extends EgressAclServiceImpl {
+public class LearnEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(LearnEgressAclServiceImpl.class);
@Override
protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
-
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
- List<AllowedAddressPairs> syncAllowedAddresses) {
- SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
- if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
- return;
- }
- Matches matches = ace.getMatches();
- AceType aceType = matches.getAceType();
- Map<String, List<MatchInfoBase>> flowMap = null;
- if (aceType instanceof AceIp) {
- flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
- }
- if (null == flowMap) {
- LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag);
- return;
- }
-
- // The flow map contains list of flows if port range is selected.
- for (Map.Entry<String, List<MatchInfoBase>> flow : flowMap.entrySet()) {
- List<MatchInfoBase> flowMatches = flow.getValue();
- flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- List<ActionInfo> actionsInfos = new ArrayList<>();
- addLearnActions(flowMatches, actionsInfos);
-
- actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
- new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
-
- List<InstructionInfo> instructions = new ArrayList<>();
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
-
- String flowName = flow.getKey() + "Egress" + lportTag + ace.getKey().getRuleName();
- syncFlow(dpId, NwConstants.INGRESS_LEARN2_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ List<MatchInfoBase> flowMatches = flowMap.get(flowName);
+ flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+ addLearnActions(flowMatches, actionsInfos);
+
+ actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
+ new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
+
+ List<InstructionInfo> instructions = new ArrayList<>();
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+
+ String flowNameAdded = flowName + "Egress" + lportTag + ace.getKey().getRuleName();
+ syncFlow(dpId, NwConstants.INGRESS_LEARN2_TABLE, flowNameAdded, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
+ return flowName;
}
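Review bot: The `programSpecificFixedRules` override is now an empty block with no comment, so a reader cannot tell whether learn mode deliberately programs no port-specific fixed rules or the body was lost in the refactor; add `// Intentionally empty: learn-mode egress programs no port-specific fixed rules.` inside it. In `syncSpecificAclFlow`, `flowMatches` is the list obtained via `flowMap.get(flowName)`, so `flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag))` mutates the caller's map in place; a one-line comment saying so would prevent a later caller from reusing the map for a second pass. `return flowName;` hands back the argument unchanged, which only feeds the caller's unused loop-variable assignment, so the hook could be `void`. With programAceRule and its `LOG.error` removed, `LOG` may now be unused in this class unless the rest of the file (not in the hunk) references it; LearnIngressAclServiceImpl, cut off below, mirrors this method.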
/*
/*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v1.0 which accompanies this distribution,
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
import org.opendaylight.netvirt.aclservice.utils.AclConstants;
-import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionIngress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class LearnIngressAclServiceImpl extends IngressAclServiceImpl {
+public class LearnIngressAclServiceImpl extends AbstractIngressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(LearnIngressAclServiceImpl.class);
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
- List<AllowedAddressPairs> syncAllowedAddresses) {
- SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
- if (!aceAttr.getDirection().equals(DirectionIngress.class)) {
- return;
- }
- Matches matches = ace.getMatches();
- AceType aceType = matches.getAceType();
- Map<String, List<MatchInfoBase>> flowMap = null;
- if (aceType instanceof AceIp) {
- flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
- }
- if (null == flowMap) {
- LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag);
- return;
- }
-
- // The flow map contains list of flows if port range is selected.
- for (Map.Entry<String, List<MatchInfoBase>> flow : flowMap.entrySet()) {
- List<MatchInfoBase> flowMatches = flow.getValue();
- flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- List<ActionInfo> actionsInfos = new ArrayList<>();
- addLearnActions(flowMatches, actionsInfos);
-
- actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
- new String[] {Short.toString(NwConstants.EGRESS_LPORT_DISPATCHER_TABLE)}));
-
- List<InstructionInfo> instructions = new ArrayList<>();
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
-
- String flowName = flow.getKey() + "Ingress" + lportTag + ace.getKey().getRuleName();
- syncFlow(dpId, NwConstants.EGRESS_LEARN2_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ List<MatchInfoBase> flowMatches = flowMap.get(flowName);
+ flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+ addLearnActions(flowMatches, actionsInfos);
+
+ actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
+ new String[] {Short.toString(NwConstants.EGRESS_LPORT_DISPATCHER_TABLE)}));
+
+ List<InstructionInfo> instructions = new ArrayList<>();
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+
+ String flowNameAdded = flowName + "Ingress" + lportTag + ace.getKey().getRuleName();
+ syncFlow(dpId, NwConstants.EGRESS_LEARN2_TABLE, flowNameAdded, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
+ return flowName;
}
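Review bot: `syncSpecificAclFlow` returns `flowName` (the map key) on its last line while the name actually passed to `syncFlow` is `flowNameAdded`; the sibling `StatefulIngressAclServiceImpl.syncSpecificAclFlow` added in this same change returns the augmented name, so whatever `AbstractIngressAclServiceImpl` does with the return value (the base class is outside this diff) sees different things from the two implementations. `return flowNameAdded;` would make them agree. Separately, the `DirectionIngress` check that the removed `programAceRule` performed before programming anything is no longer visible in this class; presumably it moved into the abstract base's `programAceRule`, which is worth confirming, because without it an egress-direction ACE would be installed as a learn flow in `EGRESS_LEARN2_TABLE`. Note also that `flowMap.get(flowName)` is mutated in place by the `flowMatches.add(...)` call, so the caller must not reuse the same map for a second lport tag.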
/*
--- /dev/null
+/*
+ * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.netvirt.aclservice;
+
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.genius.mdsalutil.ActionInfo;
+import org.opendaylight.genius.mdsalutil.ActionType;
+import org.opendaylight.genius.mdsalutil.InstructionInfo;
+import org.opendaylight.genius.mdsalutil.InstructionType;
+import org.opendaylight.genius.mdsalutil.MatchFieldType;
+import org.opendaylight.genius.mdsalutil.MatchInfo;
+import org.opendaylight.genius.mdsalutil.MatchInfoBase;
+import org.opendaylight.genius.mdsalutil.NwConstants;
+import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
+import org.opendaylight.genius.mdsalutil.NxMatchInfo;
+import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
+import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.utils.AclConstants;
+import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Provides the stateful implementation for egress (w.r.t VM) ACL service.
+ *
+ * <p>
+ * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
+ * and vice versa.
+ */
+public class StatefulEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
+
+ public StatefulEgressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ super(dataBroker, mdsalManager);
+ }
+
+ private static final Logger LOG = LoggerFactory.getLogger(StatefulEgressAclServiceImpl.class);
+
+
+ /**
+ * Program conntrack rules.
+ *
+ * @param dpid the dpid
+ * @param dhcpMacAddress the dhcp mac address.
+ * @param allowedAddresses the allowed addresses
+ * @param lportTag the lport tag
+ * @param addOrRemove addorRemove
+ */
+ @Override
+ protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
+ List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
+ programEgressAclFixedConntrackRule(dpid, allowedAddresses, lportTag, portId, action, addOrRemove);
+ }
+
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ List<MatchInfoBase> flows = flowMap.get(flowName);
+ flowName += "Egress" + lportTag + ace.getKey().getRuleName();
+ flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
+ new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
+
+ Long elanId = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"1", "0", elanId.toString(), "255"}, 2));
+ List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
+
+ syncFlow(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
+ "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ return flowName;
+ }
+
+ /**
+ * Adds the rule to send the packet to the netfilter to check whether it is
+ * a known packet.
+ *
+ * @param dpId the dpId
+ * @param allowedAddresses the allowed addresses
+ * @param priority the priority of the flow
+ * @param flowId the flowId
+ * @param conntrackState the conntrack state of the packets thats should be
+ * send
+ * @param conntrackMask the conntrack mask
+ * @param portId the portId
+ * @param addOrRemove whether to add or remove the flow
+ */
+ private void programConntrackRecircRules(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
+ Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
+ for (AllowedAddressPairs allowedAddress : allowedAddresses) {
+ IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
+ String attachMac = allowedAddress.getMacAddress().getValue();
+
+ List<MatchInfoBase> matches = new ArrayList<>();
+ matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
+ matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
+ matches.add(new MatchInfo(MatchFieldType.eth_src, new String[] {attachMac}));
+ matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_source));
+
+ Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ List<InstructionInfo> instructions = new ArrayList<>();
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"0", "0", elanTag.toString(), Short.toString(
+ NwConstants.INGRESS_ACL_FILTER_TABLE)}, 2));
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+
+ String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
+ + String.valueOf(attachIp.getValue()) + "_" + flowId;
+ syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+ }
+ }
+
+ /**
+ * Programs the default connection tracking rules.
+ *
+ * @param dpid the dp id
+ * @param allowedAddresses the allowed addresses
+ * @param lportTag the lport tag
+ * @param portId the portId
+ * @param action the action
+ * @param write whether to add or remove the flow.
+ */
+ private void programEgressAclFixedConntrackRule(BigInteger dpid, List<AllowedAddressPairs> allowedAddresses,
+ int lportTag, String portId, Action action, int write) {
+ programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
+ "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, portId, write );
+ LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");
+ }
+}
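Review bot: The `priority` parameter of `programConntrackRecircRules` is never used — the `syncFlow` call at the end of the loop hard-codes `AclConstants.PROTO_MATCH_PRIORITY`, so the `AclConstants.CT_STATE_UNTRACKED_PRIORITY` passed from `programEgressAclFixedConntrackRule` has no effect on where the untracked-recirculation flow sits relative to other entries in `INGRESS_ACL_TABLE`. If the constant is meant to order this rule, the call should read `syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName, priority, "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);`; otherwise drop the parameter so the signature stops promising something it ignores. `AclServiceUtils.getElanIdFromInterface(portId, dataBroker)` is dereferenced with `.toString()` both in `syncSpecificAclFlow` and once per allowed address inside the loop without a null check, so if it can return null (e.g. the interface is not yet in the datastore) the port's conntrack rules fail with an NPE instead of a logged error; hoist the lookup above the loop and log-and-return on null. Finally, the recirculation rule matches `ETHTYPE_IPV4` only, so an IPv6 allowed-address pair gets no conntrack path from this method — if that is by design, a one-line comment saying so (`// IPv4 only: IPv6 conntrack recirculation is not handled here`) would save the next reader from assuming it is an oversight.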
--- /dev/null
+/*
+ * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.netvirt.aclservice;
+
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.genius.mdsalutil.ActionInfo;
+import org.opendaylight.genius.mdsalutil.ActionType;
+import org.opendaylight.genius.mdsalutil.InstructionInfo;
+import org.opendaylight.genius.mdsalutil.InstructionType;
+import org.opendaylight.genius.mdsalutil.MatchFieldType;
+import org.opendaylight.genius.mdsalutil.MatchInfo;
+import org.opendaylight.genius.mdsalutil.MatchInfoBase;
+import org.opendaylight.genius.mdsalutil.NwConstants;
+import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
+import org.opendaylight.genius.mdsalutil.NxMatchInfo;
+import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
+import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.utils.AclConstants;
+import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Provides the stateful implementation for ingress (w.r.t VM) ACL service.
+ *
+ * <p>
+ * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
+ * and vice versa.
+ */
+public class StatefulIngressAclServiceImpl extends AbstractIngressAclServiceImpl {
+
+ private static final Logger LOG = LoggerFactory.getLogger(StatefulIngressAclServiceImpl.class);
+
+ /**
+ * Initialize the member variables.
+ *
+ * @param dataBroker the data broker instance.
+ * @param mdsalManager the mdsal manager.
+ */
+ public StatefulIngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ // Service mode is w.rt. switch
+ super(dataBroker, mdsalManager);
+ }
+
+ /**
+ * Program conntrack rules.
+ *
+ * @param dpid the dpid
+ * @param dhcpMacAddress the dhcp mac address.
+ * @param allowedAddresses the allowed addresses
+ * @param lportTag the lport tag
+ * @param addOrRemove add or remove the flow
+ */
+ @Override
+ protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
+ List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
+ programIngressAclFixedConntrackRule(dpid, allowedAddresses, portId, action, addOrRemove);
+ }
+
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ List<MatchInfoBase> flows = flowMap.get(flowName);
+ flowName += "Ingress" + lportTag + ace.getKey().getRuleName();
+ flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
+ new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
+
+ Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"1", "0", elanTag.toString(), "255"}, 2));
+ List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(actionsInfos);
+
+ syncFlow(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
+ "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ return flowName;
+ }
+
+ /**
+ * Adds the rule to send the packet to the netfilter to check whether it is
+ * a known packet.
+ *
+ * @param dpId the dpId
+ * @param allowedAddresses the allowed addresses
+ * @param priority the priority of the flow
+ * @param flowId the flowId
+ * @param conntrackState the conntrack state of the packets thats should be
+ * send
+ * @param conntrackMask the conntrack mask
+ * @param portId the portId
+ * @param addOrRemove whether to add or remove the flow
+ */
+ private void programConntrackRecircRules(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
+ Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
+ for (AllowedAddressPairs allowedAddress : allowedAddresses) {
+ IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
+ String attachMac = allowedAddress.getMacAddress().getValue();
+
+ List<MatchInfoBase> matches = new ArrayList<>();
+ matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] { NwConstants.ETHTYPE_IPV4 }));
+ matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
+ matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] { attachMac }));
+ matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
+
+ List<InstructionInfo> instructions = new ArrayList<>();
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+
+ Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"0", "0", elanTag.toString(), Short.toString(
+ NwConstants.EGRESS_ACL_FILTER_TABLE)}, 2));
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+ String flowName = "Ingress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
+ + String.valueOf(attachIp.getValue()) + "_" + flowId;
+ syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+ }
+ }
+
+ /**
+ * Program conntrack tracked rule.
+ *
+ * @param dpId the dp id
+ * @param allowedAddresses the allowed addresses
+ * @param priority the priority
+ * @param flowId the flow id
+ * @param conntrackState the conntrack state
+ * @param conntrackMask the conntrack mask
+ * @param addOrRemove the add or remove
+ */
+ private void programConntrackTrackedRule(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
+ Integer priority, String flowId, int conntrackState, int conntrackMask, int addOrRemove) {
+ for (AllowedAddressPairs allowedAddress : allowedAddresses) {
+ IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
+ String attachMac = allowedAddress.getMacAddress().getValue();
+
+ List<MatchInfoBase> matches = new ArrayList<>();
+ matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
+ matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
+ matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] {attachMac}));
+ matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
+
+ List<ActionInfo> actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.goto_table, new String[] {}));
+
+ List<InstructionInfo> instructions = new ArrayList<>();
+ instructions.add(new InstructionInfo(InstructionType.goto_table,
+ new long[] {NwConstants.EGRESS_ACL_FILTER_TABLE}));
+
+ String flowName = "Ingress_Fixed_Conntrk_Trk_" + dpId + "_" + attachMac + "_"
+ + String.valueOf(attachIp.getValue()) + "_" + flowId;
+ syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, priority, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+ }
+ }
+
+ /**
+ * Programs the default connection tracking rules.
+ *
+ * @param dpid the dp id
+ * @param allowedAddresses the allowed addresses
+ * @param portId the portId
+ * @param write whether to add or remove the flow.
+ */
+ private void programIngressAclFixedConntrackRule(BigInteger dpid, List<AllowedAddressPairs> allowedAddresses,
+ String portId, Action action, int write) {
+ programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
+ "Untracked", AclConstants.UNTRACKED_CT_STATE, AclConstants.UNTRACKED_CT_STATE_MASK, portId, write);
+ programConntrackTrackedRule(dpid, allowedAddresses, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY, "Tracked",
+ AclConstants.TRACKED_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write);
+ LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are added.");
+ }
+}
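Review bot: In `programConntrackTrackedRule` the `actionsInfos` list is populated with an `ActionType.goto_table` action carrying no arguments and is then never attached to any instruction — only the `InstructionType.goto_table` instruction reaches `syncFlow` — so `List<ActionInfo> actionsInfos = new ArrayList<>();` and the following `actionsInfos.add(...)` line are dead and should be removed. In the same class, `programConntrackRecircRules` ignores its `priority` parameter and installs the untracked rule at `AclConstants.PROTO_MATCH_PRIORITY`, whereas `programConntrackTrackedRule` honours `priority`; both rules land in `EGRESS_ACL_TABLE` with the same eth_dst/ipv4_dst matches and differ only in ct_state, so their relative priorities decide which one a packet hits if the ct_state masks are not mutually exclusive — either pass `priority` through to the recirc `syncFlow` call or document why the constant is bypassed. `AclServiceUtils.getElanIdFromInterface(portId, dataBroker)` is looked up once per allowed address inside the loop and dereferenced with `.toString()` without a null check; it does not depend on the address, so hoisting it above the loop and returning with an error log on null avoids an NPE taking down the port's fixed rules.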
* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
* and vice versa.
*/
-public class StatelessEgressAclServiceImpl extends EgressAclServiceImpl {
+public class StatelessEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(StatelessEgressAclServiceImpl.class);
List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
}
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ // Not in use here. programAceRule function is overridden.
+ return null;
+ }
+
@Override
protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
List<AllowedAddressPairs> syncAllowedAddresses) {
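Review bot: The new `syncSpecificAclFlow` stub returns `null` on the assumption that `programAceRule` remains overridden in this class; if a later change drops that override, or the abstract base starts invoking `syncSpecificAclFlow` from another path, the base receives a null flow name and the failure shows up later as an NPE or a silently unprogrammed ACE rather than at the call site. Throwing makes the contract explicit and fails closed: `throw new UnsupportedOperationException("syncSpecificAclFlow is not used by " + getClass().getSimpleName() + "; programAceRule is overridden");`. The same stub appears in the stateless-ingress and transparent implementations in this change and would benefit from the same treatment.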
* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
* and vice versa.
*/
-public class StatelessIngressAclServiceImpl extends IngressAclServiceImpl {
+public class StatelessIngressAclServiceImpl extends AbstractIngressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(StatelessIngressAclServiceImpl.class);
List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
}
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ // Not in use here. programAceRule function is overridden.
+ return null;
+ }
+
@Override
protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
List<AllowedAddressPairs> syncAllowedAddresses) {
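Review bot: Returning `null` from the `syncSpecificAclFlow` stub relies on `programAceRule` staying overridden below; the base class (outside this diff) has no way to distinguish "not applicable" from "no flow programmed", so a future refactor that routes through the abstract `programAceRule` would quietly skip ACE programming for this service mode. Replacing the `return null;` with `throw new UnsupportedOperationException("programAceRule is overridden; syncSpecificAclFlow must not be called");` turns that into an immediate, visible failure. If `null` is the intended protocol for "handled elsewhere", the abstract base's documentation for `syncSpecificAclFlow` should say so.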
String oper = getOperAsString(addOrRemove);
LOG.debug("{} allow syn packet flow {}", oper, flowName);
}
+
}
import java.math.BigInteger;
import java.util.List;
+import java.util.Map;
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.genius.mdsalutil.MatchInfoBase;
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
* Provides the transparent implementation for egress (w.r.t VM) ACL service.
*
*/
-public class TransparentEgressAclServiceImpl extends EgressAclServiceImpl {
+public class TransparentEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(TransparentEgressAclServiceImpl.class);
LOG.debug("transparent egress acl service - do nothing");
}
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ // Not in use here. programAceRule function is overridden.
+ return null;
+ }
+
}
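Review bot: The `syncSpecificAclFlow` override here returns `null` with a comment that `programAceRule` is overridden, but the transparent service is exactly the mode where an accidental fall-through into the base-class ACE path would be hardest to notice, since the expected behaviour is "do nothing". A `throw new UnsupportedOperationException("TransparentEgressAclServiceImpl does not program per-ACE flows");` in place of `return null;` guarantees that any such fall-through is reported at the call site rather than surfacing as a null flow name downstream. The enclosing class continues outside this hunk.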
import java.math.BigInteger;
import java.util.List;
+import java.util.Map;
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.genius.mdsalutil.MatchInfoBase;
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
* and vice versa.
*/
-public class TransparentIngressAclServiceImpl extends IngressAclServiceImpl {
+public class TransparentIngressAclServiceImpl extends AbstractIngressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(TransparentIngressAclServiceImpl.class);
super(dataBroker, mdsalManager);
}
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map<String, List<MatchInfoBase>> flowMap, String flowName) {
+ // Not in use here. programAceRule function is overridden.
+ return null;
+ }
+
@Override
protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
List<AllowedAddressPairs> allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {