return;
}
}
- ingressAclProvider.programFixedSecurityAcl(dpid, segmentationId, dhcpPort.getMacAddress(), localPort,
+ ingressAclProvider.programFixedSecurityGroup(dpid, segmentationId, dhcpPort.getMacAddress(), localPort,
isLastPortinSubnet, isComputePort, write);
- egressAclProvider.programFixedSecurityAcl(dpid, segmentationId, attachedMac, localPort,
+ egressAclProvider.programFixedSecurityGroup(dpid, segmentationId, attachedMac, localPort,
srcAddressList, isLastPortinBridge, isComputePort,write);
/* If the network type is tunnel based (VXLAN/GRRE/etc) with Neutron Port Security ACLs */
/* TODO SB_MIGRATION */
//Associate the security group flows.
List<NeutronSecurityGroup> securityGroupListInPort = securityServicesManager
.getSecurityGroupInPortList(intf);
+ String neutronPortId = southbound.getInterfaceExternalIdsValue(intf,
+ Constants.EXTERNAL_ID_INTERFACE_ID);
for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) {
- ingressAclProvider.programPortSecurityAcl(dpid, segmentationId, attachedMac, localPort,
- securityGroupInPort,srcAddressList, write);
- egressAclProvider.programPortSecurityAcl(dpid, segmentationId, attachedMac, localPort,
- securityGroupInPort,srcAddressList, write);
+ ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+ securityGroupInPort, neutronPortId, write);
+ egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+ securityGroupInPort, neutronPortId, write);
}
}
} else {
package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
-import java.math.BigInteger;
-import java.util.List;
+import com.google.common.collect.Lists;
-import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
-import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
-import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
import org.opendaylight.ovsdb.openstack.netvirt.api.EgressAclProvider;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.ovsdb.openstack.netvirt.providers.ConfigInterface;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
import org.opendaylight.ovsdb.utils.servicehelper.ServiceHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.collect.Lists;
+import java.math.BigInteger;
+import java.util.List;
public class EgressAclService extends AbstractServiceInstance implements EgressAclProvider, ConfigInterface {
private static final Logger LOG = LoggerFactory.getLogger(EgressAclService.class);
private volatile SecurityServicesManager securityServicesManager;
+ private volatile SecurityGroupCacheManger securityGroupCacheManger;
private static final int DHCP_SOURCE_PORT = 67;
private static final int DHCP_DESTINATION_PORT = 68;
private static final String HOST_MASK = "/32";
}
@Override
- public void programPortSecurityAcl(Long dpid, String segmentationId, String attachedMac, long localPort,
- NeutronSecurityGroup securityGroup,
- List<Neutron_IPs> srcAddressList, boolean write) {
+ public void programPortSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort,
+ NeutronSecurityGroup securityGroup, String portUuid, boolean write) {
- LOG.trace("programPortSecurityAcl: neutronSecurityGroup: {} ", securityGroup);
+ LOG.trace("programPortSecurityGroup: neutronSecurityGroup: {} ", securityGroup);
if (securityGroup == null || securityGroup.getSecurityRules() == null) {
return;
}
List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
/* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
for (NeutronSecurityRule portSecurityRule : portSecurityList) {
+
/**
* Neutron Port Security Acl "egress" and "IPv4"
* Check that the base conditions for flow based Port Security are true:
*/
if ("IPv4".equals(portSecurityRule.getSecurityRuleEthertype())
&& portSecurityRule.getSecurityRuleDirection().equals("egress")) {
- LOG.debug("programPortSecurityAcl: Acl Rule matching IPv4 and ingress is: {} ", portSecurityRule);
- if (null == portSecurityRule.getSecurityRuleProtocol()) {
- /* TODO Rework on the priority values */
- egressAclIPv4(dpid, segmentationId, attachedMac,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- } else if (null != portSecurityRule.getSecurityRemoteGroupID()) {
- //Remote Security group is selected
+ LOG.debug("programPortSecurityGroup: Acl Rule matching IPv4 and ingress is: {} ", portSecurityRule);
+ if (null != portSecurityRule.getSecurityRemoteGroupID()) {
+ //Remote Security group is selected
List<Neutron_IPs> remoteSrcAddressList = securityServicesManager
- .getVmListForSecurityGroup(srcAddressList,portSecurityRule.getSecurityRemoteGroupID());
+ .getVmListForSecurityGroup(portUuid,portSecurityRule.getSecurityRemoteGroupID());
if (null != remoteSrcAddressList) {
for (Neutron_IPs vmIp :remoteSrcAddressList ) {
- switch (portSecurityRule.getSecurityRuleProtocol()) {
- case MatchUtils.TCP:
- egressAclTcp(dpid, segmentationId, attachedMac,
- portSecurityRule,vmIp.getIpAddress(), write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.UDP:
- egressAclUdp(dpid, segmentationId, attachedMac,
- portSecurityRule,vmIp.getIpAddress(), write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.ICMP:
- egressAclIcmp(dpid, segmentationId, attachedMac,
- portSecurityRule, vmIp.getIpAddress(),write,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- default:
- LOG.error("programPortSecurityAcl: Protocol not supported", portSecurityRule);
- break;
- }
+
+ programPortSecurityRule(dpid, segmentationId, attachedMac,
+ localPort, portSecurityRule, vmIp, write);
+ }
+ if (write) {
+ securityGroupCacheManger.addToCache(portSecurityRule.getSecurityRemoteGroupID(), portUuid);
+ } else {
+ securityGroupCacheManger.removeFromCache(portSecurityRule.getSecurityRemoteGroupID(),
+ portUuid);
}
}
} else {
- //CIDR is selected
- switch (portSecurityRule.getSecurityRuleProtocol()) {
- case MatchUtils.TCP:
- egressAclTcp(dpid, segmentationId, attachedMac,
- portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.UDP:
- egressAclUdp(dpid, segmentationId, attachedMac,
- portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.ICMP:
- egressAclIcmp(dpid, segmentationId, attachedMac,
- portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- default:
- LOG.error("programPortSecurityAcl: Protocol not supported", portSecurityRule);
- }
- }
- }
- /*
- * Code is refactored to handle all the protocols. More
- * protocols will be added incrementrally
- * TODO Connection tracking will be used to track active TCP connections This code
- * may be reused then.
- */
- /* if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
- portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("egress")) {
- LOG.debug("Egress IPV4 ACL Port Security Rule: {} ", portSecurityRule);
- // ToDo: Implement Port Range
-
- *//**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug(
- "Rule #1 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
- true);
- egressACLTcpPortWithPrefix(dpid, segmentationId,
- attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix(),
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug(
- "Rule #2 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
- true);
- egressACLTcpPortWithPrefix(dpid, segmentationId,
- attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix(),
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
- LOG.debug(
- "Rule #3 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
- true);
- egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug(
- "Rule #4 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
- egressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
- continue;
+ programPortSecurityRule(dpid, segmentationId, attachedMac, localPort,
+ portSecurityRule, null, write);
}
- *//**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
- LOG.debug(
- "Rule #5 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
- true);
- egressACLTcpSyn(dpid, segmentationId,
- attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
- Constants.PROTO_PORT_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
- LOG.debug(
- "Rule #6 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
- Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
- egressACLTcpSyn(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
- String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug(
- "Rule #7 egress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- // No need to drop until UDP/ICMP are implemented
- // egressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
- egressAllowProto(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
- continue;
+ if (write) {
+ securityGroupCacheManger.portAdded(securityGroup.getSecurityGroupUUID(), portUuid);
+ } else {
+ securityGroupCacheManger.portRemoved(securityGroup.getSecurityGroupUUID(), portUuid);
}
- LOG.debug("ACL Match combination not found for rule: {}", portSecurityRule);
- }*/
+ }
}
}
@Override
- public void programFixedSecurityAcl(Long dpid, String segmentationId, String attachedMac,
+ public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ long localPort, NeutronSecurityRule portSecurityRule,
+ Neutron_IPs vmIp, boolean write) {
+ if (null == portSecurityRule.getSecurityRuleProtocol()) {
+ /* TODO Rework on the priority values */
+ egressAclIPv4(dpid, segmentationId, attachedMac,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ } else {
+ String ipaddress = null;
+ if (null != vmIp) {
+ ipaddress = vmIp.getIpAddress();
+ }
+ switch (portSecurityRule.getSecurityRuleProtocol()) {
+ case MatchUtils.TCP:
+ LOG.debug("programPortSecurityRule: Rule matching TCP", portSecurityRule);
+ egressAclTcp(dpid, segmentationId, attachedMac,
+ portSecurityRule,ipaddress, write,
+ Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.UDP:
+ LOG.debug("programPortSecurityRule: Rule matching UDP", portSecurityRule);
+ egressAclUdp(dpid, segmentationId, attachedMac,
+ portSecurityRule, ipaddress, write,
+ Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.ICMP:
+ LOG.debug("programPortSecurityRule: Rule matching ICMP", portSecurityRule);
+ egressAclIcmp(dpid, segmentationId, attachedMac,
+ portSecurityRule, ipaddress,write,
+ Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ default:
+ LOG.error("programPortSecurityRule: Protocol not supported", portSecurityRule);
+ break;
+ }
+ }
+
+ }
+
+ @Override
+ public void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac,
long localPort, List<Neutron_IPs> srcAddressList,
boolean isLastPortinBridge, boolean isComputePort ,boolean write) {
// If it is the only port in the bridge add the rule to allow any DHCP client traffic
portSecurityRule.getSecurityRulePortMin());
} else {
/* All TCP Match */
- if(portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
+ if (portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
&& portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) {
- flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" +
- portSecurityRule.getSecurityRulePortMax()+ "_";
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_"
+ + portSecurityRule.getSecurityRulePortMax() + "_";
matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0, 0);
}
/*TODO TCP PortRange Match*/
portSecurityRule.getSecurityRulePortMin());
} else {
/* All UDP Match */
- if(portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
+ if (portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
&& portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) {
- flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" +
- portSecurityRule.getSecurityRulePortMax()+ "_";
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_"
+ + portSecurityRule.getSecurityRulePortMax() + "_";
matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0, 0);
}
/*TODO UDP PortRange Match*/
super.setDependencies(bundleContext.getServiceReference(EgressAclProvider.class.getName()), this);
securityServicesManager =
(SecurityServicesManager) ServiceHelper.getGlobalInstance(SecurityServicesManager.class, this);
+ securityGroupCacheManger =
+ (SecurityGroupCacheManger) ServiceHelper.getGlobalInstance(SecurityGroupCacheManger.class, this);
}
@Override
package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
-import java.math.BigInteger;
-import java.util.List;
-import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
-import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
-import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
+import com.google.common.collect.Lists;
+
import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.ovsdb.openstack.netvirt.providers.ConfigInterface;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
import org.opendaylight.ovsdb.utils.servicehelper.ServiceHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import com.google.common.collect.Lists;
+import java.math.BigInteger;
+import java.util.List;
+
+
public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider, ConfigInterface {
private static final Logger LOG = LoggerFactory.getLogger(IngressAclService.class);
private volatile SecurityServicesManager securityServicesManager;
+ private volatile SecurityGroupCacheManger securityGroupCacheManger;
private static final int PORT_RANGE_MIN = 1;
private static final int PORT_RANGE_MAX = 65535;
}
@Override
- public void programPortSecurityAcl(Long dpid, String segmentationId, String attachedMac,
+ public void programPortSecurityGroup(Long dpid, String segmentationId, String attachedMac,
long localPort, NeutronSecurityGroup securityGroup,
- List<Neutron_IPs> srcAddressList, boolean write) {
+ String portUuid, boolean write) {
- LOG.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
+ LOG.trace("programPortSecurityGroup neutronSecurityGroup: {} ", securityGroup);
if (securityGroup == null || securityGroup.getSecurityRules() == null) {
return;
}
List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
/* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
for (NeutronSecurityRule portSecurityRule : portSecurityList) {
+
/**
* Neutron Port Security Acl "ingress" and "IPv4"
* Check that the base conditions for flow based Port Security are true:
if ("IPv4".equals(portSecurityRule.getSecurityRuleEthertype())
&& "ingress".equals(portSecurityRule.getSecurityRuleDirection())) {
- LOG.debug("Acl Rule matching IPv4 and ingress is: {} ", portSecurityRule);
- if (null == portSecurityRule.getSecurityRuleProtocol()) {
- ingressAclIPv4(dpid, segmentationId, attachedMac,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- } else if (null != portSecurityRule.getSecurityRemoteGroupID()) {
+ LOG.debug("programPortSecurityGroup: Rule matching IPv4 and ingress is: {} ", portSecurityRule);
+ if (null != portSecurityRule.getSecurityRemoteGroupID()) {
//Remote Security group is selected
List<Neutron_IPs> remoteSrcAddressList = securityServicesManager
- .getVmListForSecurityGroup(srcAddressList,portSecurityRule.getSecurityRemoteGroupID());
+ .getVmListForSecurityGroup(portUuid,portSecurityRule.getSecurityRemoteGroupID());
if (null != remoteSrcAddressList) {
for (Neutron_IPs vmIp :remoteSrcAddressList ) {
- switch (portSecurityRule.getSecurityRuleProtocol()) {
- case MatchUtils.TCP:
- ingressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule,
- vmIp.getIpAddress(),write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.UDP:
- ingressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule,
- vmIp.getIpAddress(), write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.ICMP:
- ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule,
- vmIp.getIpAddress(), write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- default:
- LOG.error("programPortSecurityAcl: Protocol not supported", portSecurityRule);
- break;
- }
+ programPortSecurityRule(dpid, segmentationId, attachedMac, localPort,
+ portSecurityRule, vmIp, write);
+ }
+ if (write) {
+ securityGroupCacheManger.addToCache(portSecurityRule.getSecurityRemoteGroupID(), portUuid);
+ } else {
+ securityGroupCacheManger.removeFromCache(portSecurityRule.getSecurityRemoteGroupID(),
+ portUuid);
}
}
} else {
- //CIDR is selected
- switch (portSecurityRule.getSecurityRuleProtocol()) {
- case MatchUtils.TCP:
- ingressAclTcp(dpid, segmentationId, attachedMac,
- portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.UDP:
- ingressAclUdp(dpid, segmentationId, attachedMac,
- portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- case MatchUtils.ICMP:
- ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, null,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- break;
- default:
- LOG.error("programPortSecurityAcl: Protocol not supported", portSecurityRule);
- }
- }
-
- /**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
- * TODO Some part of the code will be used when conntrack is supported
-
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
- true);
- ingressACLTcpPortWithPrefix(dpid, segmentationId,
- attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- continue;
- }
- /**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
- */
- /*if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
- Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
- true);
- ingressACLTcpPortWithPrefix(dpid, segmentationId,
- attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
- LOG.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
- true);
- ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
- continue;
+ programPortSecurityRule(dpid, segmentationId, attachedMac, localPort,
+ portSecurityRule, null, write);
}
- *//**
- * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
- ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
- LOG.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
- true);
- ingressACLTcpSyn(dpid, segmentationId,
- attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
- Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
- continue;
- }
- *//**
- * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
- LOG.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
- Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
- ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
- continue;
+ if (write) {
+ securityGroupCacheManger.portAdded(securityGroup.getSecurityGroupUUID(), portUuid);
+ } else {
+ securityGroupCacheManger.portRemoved(securityGroup.getSecurityGroupUUID(), portUuid);
}
- *//**
- * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
- *//*
- if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
- String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
- ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
- String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
- .equalsIgnoreCase("0.0.0.0/0"))) {
- LOG.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
- portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
- portSecurityRule.getSecurityRulePortMax(),
- portSecurityRule.getSecurityRuleRemoteIpPrefix());
- // No need to drop until UDP/ICMP are implemented
- // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
- handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
- portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
- continue;
- }*/
- LOG.debug("Ingress Acl Match combination not found for rule: {}", portSecurityRule);
+ }
+
+
+
+ }
+ }
+
+ @Override
+ public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ long localPort, NeutronSecurityRule portSecurityRule,
+ Neutron_IPs vmIp, boolean write) {
+ if (null == portSecurityRule.getSecurityRuleProtocol()) {
+ ingressAclIPv4(dpid, segmentationId, attachedMac,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ } else {
+ String ipaddress = null;
+ if (null != vmIp) {
+ ipaddress = vmIp.getIpAddress();
+ }
+ switch (portSecurityRule.getSecurityRuleProtocol()) {
+ case MatchUtils.TCP:
+ LOG.debug("programPortSecurityRule: Rule matching TCP", portSecurityRule);
+ ingressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.UDP:
+ LOG.debug("programPortSecurityRule: Rule matching UDP", portSecurityRule);
+ ingressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ case MatchUtils.ICMP:
+ LOG.debug("programPortSecurityRule: Rule matching ICMP", portSecurityRule);
+ ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
+ write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ break;
+ default:
+ LOG.error("programPortSecurityRule: Protocol not supported", portSecurityRule);
+ break;
}
}
}
@Override
- public void programFixedSecurityAcl(Long dpid, String segmentationId, String dhcpMacAddress,
+ public void programFixedSecurityGroup(Long dpid, String segmentationId, String dhcpMacAddress,
long localPort, boolean isLastPortinSubnet,
boolean isComputePort, boolean write) {
//If this port is the only port in the compute node add the DHCP server rule.
* @param protoPortMatchPriority the protocol match priority.
*/
private void ingressAclIPv4(Long dpidLong, String segmentationId, String dstMac,
- boolean write, Integer protoPortMatchPriority ) {
+ boolean write, Integer protoPortMatchPriority ) {
String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
MatchBuilder matchBuilder = new MatchBuilder();
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
* @param protoPortMatchPriority the protocol match priroty
*/
private void ingressAclTcp(Long dpidLong, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress, boolean write,
- Integer protoPortMatchPriority ) {
+ NeutronSecurityRule portSecurityRule, String srcAddress, boolean write,
+ Integer protoPortMatchPriority ) {
MatchBuilder matchBuilder = new MatchBuilder();
FlowBuilder flowBuilder = new FlowBuilder();
if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_";
matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0,
- portSecurityRule.getSecurityRulePortMin());
+ portSecurityRule.getSecurityRulePortMin());
} else {
/* All TCP Match */
- if(portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
+ if (portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
&& portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) {
- flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" +
- portSecurityRule.getSecurityRulePortMax()+ "_";
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_"
+ + portSecurityRule.getSecurityRulePortMax() + "_";
matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0, 0);
}
/*TODO TCP PortRange Match*/
* @param protoPortMatchPriority the protocol match priroty
*/
private void ingressAclUdp(Long dpidLong, String segmentationId, String dstMac,
- NeutronSecurityRule portSecurityRule, String srcAddress,
- boolean write, Integer protoPortMatchPriority ) {
+ NeutronSecurityRule portSecurityRule, String srcAddress,
+ boolean write, Integer protoPortMatchPriority ) {
MatchBuilder matchBuilder = new MatchBuilder();
String flowId = "Ingress_UDP_" + segmentationId + "_" + dstMac + "_";
matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) {
flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_";
matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0,
- portSecurityRule.getSecurityRulePortMin());
+ portSecurityRule.getSecurityRulePortMin());
} else {
/* All UDP Match */
- if(portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
+ if (portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN)
&& portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) {
- flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" +
- portSecurityRule.getSecurityRulePortMax()+ "_";
+ flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_"
+ + portSecurityRule.getSecurityRulePortMax() + "_";
matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0, 0);
}
/*TODO TCP PortRange Match*/
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
}
String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
MatchBuilder matchBuilder = new MatchBuilder();
FlowBuilder flowBuilder = new FlowBuilder();
String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_"
- + portSecurityRule.getSecurityRulePortMin().shortValue() + "_"
- + portSecurityRule.getSecurityRulePortMax().shortValue() + "_";;
+ + portSecurityRule.getSecurityRulePortMin().shortValue() + "_"
+ + portSecurityRule.getSecurityRulePortMax().shortValue() + "_";;
matchBuilder = MatchUtils.createEtherMatchWithType(matchBuilder,null,dstMac);
matchBuilder = MatchUtils.createICMPv4Match(matchBuilder,
- portSecurityRule.getSecurityRulePortMin().shortValue(),
- portSecurityRule.getSecurityRulePortMax().shortValue());
+ portSecurityRule.getSecurityRulePortMin().shortValue(),
+ portSecurityRule.getSecurityRulePortMax().shortValue());
if (null != srcAddress) {
flowId = flowId + srcAddress;
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
-
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
} else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
- new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
+ new Ipv4Prefix(portSecurityRule
+ .getSecurityRuleRemoteIpPrefix()),null);
}
String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false);
}
+
public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
Integer securityRulePortMin, Integer protoPortMatchPriority) {
super.setDependencies(bundleContext.getServiceReference(IngressAclProvider.class.getName()), this);
securityServicesManager =
(SecurityServicesManager) ServiceHelper.getGlobalInstance(SecurityServicesManager.class, this);
+ securityGroupCacheManger =
+ (SecurityGroupCacheManger) ServiceHelper.getGlobalInstance(SecurityGroupCacheManger.class, this);
}
@Override
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.PipelineOrchestrator;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
@Mock private NeutronSecurityRule portSecurityRule;
@Mock private SecurityServicesManager securityServices;
+ @Mock private SecurityGroupCacheManger securityGroupCacheManger;
private Neutron_IPs neutron_ip_src;
private Neutron_IPs neutron_ip_dest_1;
private static final String DEST_IP_1_WITH_MASK = "192.169.0.1/32";
private static final String DEST_IP_2_WITH_MASK = "192.169.0.2/32";
private static final String SECURITY_GROUP_UUID = "85cc3048-abc3-43cc-89b3-377341426ac5";
+ private static final String PORT_UUID = "95cc3048-abc3-43cc-89b3-377341426ac5";
private static final String SEGMENT_ID = "2";
private static final Long DP_ID_LONG = (long) 1554;
private static final Long LOCAL_PORT = (long) 124;
neutronDestIpList.add(neutron_ip_dest_2);
when(securityGroup.getSecurityRules()).thenReturn(portSecurityList);
- when(securityServices.getVmListForSecurityGroup(neutronSrcIpList, SECURITY_GROUP_UUID)).thenReturn(neutronDestIpList);
+ when(securityServices.getVmListForSecurityGroup(PORT_UUID, SECURITY_GROUP_UUID)).thenReturn(neutronDestIpList);
}
/**
when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
- egressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,true);
+ egressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,true);
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
- egressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,false);
+ egressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,false);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(1)).submit();
verify(commitFuture, times(1)).get();
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn("0.0.0.0/24");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn("0.0.0.0/24");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
Assert.assertTrue(match.getLayer4Match() instanceof TcpMatch);
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn("0.0.0.0/24");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn("0.0.0.0/24");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn("0.0.0.0/24");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn("0.0.0.0/24");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
PowerMockito.doAnswer(answer()).when(egressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- egressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ egressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
public void testProgramPortSecurityACLRuleInvalidEther() throws Exception {
when(portSecurityRule.getSecurityRuleEthertype()).thenReturn("IPV6");
- egressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,false);
+ egressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
public void testProgramPortSecurityACLRuleInvalidDirection() throws Exception {
when(portSecurityRule.getSecurityRuleDirection()).thenReturn("ingress");
- egressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,false);
+ egressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
*/
@Test
public void testProgramFixedSecurityACLAdd1() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(0)).submit();
@Test
public void testProgramFixedSecurityACLRemove1() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
@Test
public void testProgramFixedSecurityACLAdd2() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
verify(writeTransaction, times(6)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(3)).submit();
@Test
public void testProgramFixedSecurityACLRemove2() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
verify(writeTransaction, times(3)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(3)).submit();
@Test
public void testProgramFixedSecurityACLAdd3() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, true);
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
@Test
public void testProgramFixedSecurityACLRemove3() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, false);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, false, false);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(1)).submit();
@Test
public void testProgramFixedSecurityACLAdd4() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, true);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, true);
verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class),
any(InstanceIdentifier.class), any(Node.class), eq(true));
@Test
public void testProgramFixedSecurityACLRemove4() throws Exception {
- egressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, false);
+ egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true, true, false);
verify(writeTransaction, times(4)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(4)).submit();
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.PipelineOrchestrator;
import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
@Mock private NeutronSecurityGroup securityGroup;
@Mock private NeutronSecurityRule portSecurityRule;
@Mock private SecurityServicesManager securityServices;
+ @Mock private SecurityGroupCacheManger securityGroupCacheManger;
private List<Neutron_IPs> neutronSrcIpList = new ArrayList<Neutron_IPs>();
private List<Neutron_IPs> neutronDestIpList = new ArrayList<Neutron_IPs>();
private static final String DEST_IP_1 = "192.169.0.1";
private static final String DEST_IP_2 = "192.169.0.2";
private static final String SECURITY_GROUP_UUID = "85cc3048-abc3-43cc-89b3-377341426ac5";
+ private static final String PORT_UUID = "95cc3048-abc3-43cc-89b3-377341426ac5";
private static final String SEGMENT_ID = "2";
private static final Long DP_ID_LONG = (long) 1554;
private static final Long LOCAL_PORT = (long) 124;
when(securityGroup.getSecurityRules()).thenReturn(portSecurityList);
when(securityServices.getVmListForSecurityGroup
- (neutronSrcIpList, SECURITY_GROUP_UUID)).thenReturn(neutronDestIpList);
+ (PORT_UUID, SECURITY_GROUP_UUID)).thenReturn(neutronDestIpList);
}
/* *//**
when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
- ingressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,true);
+ ingressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,true);
verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(1)).submit();
when(portSecurityRule.getSecurityRulePortMin()).thenReturn(null);
when(portSecurityRule.getSecurityRuleRemoteIpPrefix()).thenReturn(null);
- ingressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,false);
+ ingressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,false);
verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(1)).submit();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, true);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
when(portSecurityRule.getSecurityRemoteGroupID()).thenReturn("85cc3048-abc3-43cc-89b3-377341426ac5");
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
- neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID, MAC_ADDRESS, LOCAL_PORT, securityGroup,
+ PORT_UUID, false);
Match match = flowBuilder.getMatch();
EthernetMatch ethMatch = match.getEthernetMatch();
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID,
- MAC_ADDRESS, LOCAL_PORT, securityGroup, neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID,
+ MAC_ADDRESS, LOCAL_PORT, securityGroup, PORT_UUID, true);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
Assert.assertEquals(10, icmpv4Match.getIcmpv4Type().shortValue());
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID,
- MAC_ADDRESS, LOCAL_PORT, securityGroup, neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID,
+ MAC_ADDRESS, LOCAL_PORT, securityGroup, PORT_UUID, false);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
Assert.assertEquals(20, icmpv4Match.getIcmpv4Type().shortValue());
PowerMockito.doAnswer(answer()).when(ingressAclServiceSpy, "writeFlow", any(FlowBuilder.class),
any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID,
- MAC_ADDRESS, LOCAL_PORT, securityGroup, neutronSrcIpList, true);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID,
+ MAC_ADDRESS, LOCAL_PORT, securityGroup, PORT_UUID, true);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match =match.getIcmpv4Match();
Assert.assertEquals(30, icmpv4Match.getIcmpv4Type().shortValue());
PowerMockito.doAnswer(answer())
.when(ingressAclServiceSpy, "removeFlow", any(FlowBuilder.class), any(NodeBuilder.class));
- ingressAclServiceSpy.programPortSecurityAcl(DP_ID_LONG, SEGMENT_ID,
- MAC_ADDRESS, LOCAL_PORT, securityGroup, neutronSrcIpList, false);
+ ingressAclServiceSpy.programPortSecurityGroup(DP_ID_LONG, SEGMENT_ID,
+ MAC_ADDRESS, LOCAL_PORT, securityGroup, PORT_UUID, false);
Match match = flowBuilder.getMatch();
Icmpv4Match icmpv4Match = match.getIcmpv4Match();
Assert.assertEquals(40, icmpv4Match.getIcmpv4Type().shortValue());
public void testProgramPortSecurityACLRuleInvalidEther() throws Exception {
when(portSecurityRule.getSecurityRuleEthertype()).thenReturn("IPV6");
- ingressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,false);
+ ingressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
public void testProgramPortSecurityACLRuleInvalidDirection() throws Exception {
when(portSecurityRule.getSecurityRuleDirection()).thenReturn("edgress");
- ingressAclServiceSpy.programPortSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,neutronSrcIpList,false);
+ ingressAclServiceSpy.programPortSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 124, securityGroup,PORT_UUID,false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
*/
@Test
public void testProgramFixedSecurityACLAdd1() throws Exception {
- ingressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, true);
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, true);
verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
verify(writeTransaction, times(0)).submit();
@Test
public void testProgramFixedSecurityACLRemove1() throws Exception {
- ingressAclServiceSpy.programFixedSecurityAcl(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, false);
+ ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, false, false, false);
verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
verify(writeTransaction, times(0)).submit();
registerService(context,
new String[]{SecurityServicesManager.class.getName()}, null, securityServices);
+ final SecurityGroupCacheManger securityGroupCacheManger = new SecurityGroupCacheManagerImpl();
+ registerService(context,
+ new String[]{SecurityGroupCacheManger.class.getName()}, null, securityGroupCacheManger);
+
+ registerService(context,
+ new String[]{SecurityServicesManager.class.getName()}, null, securityServices);
+
FWaasHandler fWaasHandler = new FWaasHandler();
registerAbstractHandlerService(context,
new Class[] {INeutronFirewallAware.class, INeutronFirewallRuleAware.class, INeutronFirewallPolicyAware.class},
package org.opendaylight.ovsdb.openstack.netvirt.api;
-import java.util.List;
-
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
+import java.util.List;
+
/**
* This interface allows egress Port Security flows to be written to devices.
*/
public interface EgressAclProvider {
/**
- * Program port security ACL.
+ * Program port security Group.
*
* @param dpid the dpid
* @param segmentationId the segmentation id
* @param attachedMac the attached mac
* @param localPort the local port
* @param securityGroup the security group
- * @param srcAddressList the src address associated with the vm port
+ * @param portUuid the uuid of the port.
* @param write is this flow write or delete
*/
- void programPortSecurityAcl(Long dpid, String segmentationId, String attachedMac,
+ void programPortSecurityGroup(Long dpid, String segmentationId, String attachedMac,
long localPort, NeutronSecurityGroup securityGroup,
- List<Neutron_IPs> srcAddressList, boolean write);
+ String portUuid, boolean write);
+ /**
+ * Program port security rule.
+ *
+ * @param dpid the dpid
+ * @param segmentationId the segmentation id
+ * @param attachedMac the attached mac
+ * @param localPort the local port
+ * @param portSecurityRule the security rule
+ * @param vmIp the ip of the remote vm if it has a remote security group.
+ * @param write is this flow write or delete
+ */
+ public void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ long localPort, NeutronSecurityRule portSecurityRule,
+ Neutron_IPs vmIp, boolean write) ;
/**
- * Program fixed egress ACL rules that will be associated with the VM port when a vm is spawned.
+ * Program fixed egress security group rules that will be associated with the VM port when a vm is spawned.
*
* @param dpid the dpid
* @param segmentationId the segmentation id
* @param isComputePort indicates whether this port is a compute port or not
* @param write is this flow writing or deleting
*/
- void programFixedSecurityAcl(Long dpid, String segmentationId,String attachedMac, long localPort,
+ void programFixedSecurityGroup(Long dpid, String segmentationId,String attachedMac, long localPort,
List<Neutron_IPs> srcAddressList, boolean isLastPortinBridge,
boolean isComputePort, boolean write);
}
\ No newline at end of file
package org.opendaylight.ovsdb.openstack.netvirt.api;
-import java.util.List;
-
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
/**
public interface IngressAclProvider {
/**
- * Program port security ACL.
+ * Program port security Group.
*
* @param dpid the dpid
* @param segmentationId the segmentation id
* @param attachedMac the attached mac
* @param localPort the local port
* @param securityGroup the security group
- * @param srcAddressList the src address associated with the vm port
+ * @param portUuid the uuid of the port.
* @param write is this flow write or delete
*/
- void programPortSecurityAcl(Long dpid, String segmentationId, String attachedMac,
+ void programPortSecurityGroup(Long dpid, String segmentationId, String attachedMac,
long localPort, NeutronSecurityGroup securityGroup,
- List<Neutron_IPs> srcAddressList, boolean write);
+ String portUuid, boolean write);
+ /**
+ * Program port security rule.
+ *
+ * @param dpid the dpid
+ * @param segmentationId the segmentation id
+ * @param attachedMac the attached mac
+ * @param localPort the local port
+ * @param portSecurityRule the security rule
+ * @param vmIp the ip of the remote vm if it has a remote security group.
+ * @param write is this flow write or delete
+ */
+ void programPortSecurityRule(Long dpid, String segmentationId, String attachedMac,
+ long localPort, NeutronSecurityRule portSecurityRule,
+ Neutron_IPs vmIp, boolean write);
/**
* Program fixed ingress ACL rules that will be associated with the VM port when a vm is spawned.
* *
* @param isComputePort indicates whether this port is a compute port or not
* @param write is this flow writing or deleting
*/
- void programFixedSecurityAcl(Long dpid, String segmentationId, String attachedMac, long localPort,
+ void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort,
boolean isLastPortinSubnet, boolean isComputePort, boolean write);
}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (c) 2014, 2015 HP, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.ovsdb.openstack.netvirt.api;
+
+/**
+ * This interface maintain a mapping between the security group and the ports
+ * have this security group as a remote security group. Whenever a new port is
+ * added with a security group associated with it, a rule will be added to allow
+ * traffic from/to the vm from the vms which has the former as a remote sg in its rule.
+ *
+ * @author Aswin Suryanarayanan.
+ */
+
+public interface SecurityGroupCacheManger {
+
+ /**
+ * Notifies that a new port in the security group with securityGroupUuid.
+ * @param securityGroupUuid the uuid of the security group associated with the port.
+ * @param portUuid the uuid of the port.
+ */
+ void portAdded(String securityGroupUuid, String portUuid);
+ /**
+ * Notifies that a port is removed with the securityGroupUuid.
+ * @param securityGroupUuid the uuid of the security group associated with the port.
+ * @param portUuid the uuid of the port.
+ */
+ void portRemoved(String securityGroupUuid, String portUuid);
+ /**
+ * A port with portUuid has a reference remote security group remoteSgUuid will be added
+ * to the cache maintained.
+ * @param remoteSgUuid the remote security group uuid.
+ * @param portUuid the uuid of the port.
+ */
+ void addToCache(String remoteSgUuid, String portUuid);
+ /**A port with portUUID has a reference remote security group remoteSgUuid will be removed
+ * from the cache maintained.
+ * @param remoteSgUuid the remote security group uuid.
+ * @param portUuid portUUID the uuid of the port.
+ */
+ void removeFromCache(String remoteSgUuid, String portUuid);
+}
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronPort;
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.ovsdb.rev150105.OvsdbTerminationPointAugmentation;
import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.network.topology.topology.Node;
List<Neutron_IPs> getIpAddressList(Node node, OvsdbTerminationPointAugmentation intf);
/**
* Get the list of vm belonging to a security group.
- * @param srcAddressList the address list of the connected vm.
+ * @param portUuid the uuid of the port.
* @param securityGroupUuid the UUID of the remote security group.
* @return the list of all vm belonging to the security group UUID passed.
*/
- List<Neutron_IPs> getVmListForSecurityGroup(List<Neutron_IPs> srcAddressList,
+ List<Neutron_IPs> getVmListForSecurityGroup(String portUuid,
String securityGroupUuid);
/**
- * Add or remove the security groups rules from the port.
+ * Add or remove the security groups from the port.
* @param port the neutron port.
* @param securityGroup the security group associated with the port.
* @param write whether to add/delete flow.
*/
void syncSecurityGroup(NeutronPort port, List<NeutronSecurityGroup> securityGroup, boolean write);
-}
+ /**
+ * Add or remove individual security rules from the port.
+ * @param port the neutron port.
+ * @param securityRule the security group associated with the port.
+ * @param vmIp The list of remote vm ips.
+ * @param write whether to add/delete flow.
+ */
+ void syncSecurityRule(NeutronPort port, NeutronSecurityRule securityRule,Neutron_IPs vmIp, boolean write);
+}
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (c) 2014, 2015 HP, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.ovsdb.openstack.netvirt.impl;
+
+import org.opendaylight.ovsdb.openstack.netvirt.ConfigInterface;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityGroupCacheManger;
+import org.opendaylight.ovsdb.openstack.netvirt.api.SecurityServicesManager;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronPort;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.crud.INeutronPortCRUD;
+import org.opendaylight.ovsdb.utils.servicehelper.ServiceHelper;
+import org.osgi.framework.ServiceReference;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+
+/**
+ * @author Aswin Suryanarayanan.
+ */
+
+public class SecurityGroupCacheManagerImpl implements ConfigInterface, SecurityGroupCacheManger{
+
+ private final Map<String, HashSet<String>> securityGroupCache =
+ new ConcurrentHashMap<String, HashSet<String>>();
+ private static final Logger LOG = LoggerFactory.getLogger(NodeCacheManagerImpl.class);
+ private volatile SecurityServicesManager securityServicesManager;
+ private volatile INeutronPortCRUD neutronPortCache;
+
+ @Override
+ public void portAdded(String securityGroupUuid, String portUuid) {
+ LOG.debug("In portAdded securityGroupUuid:" + securityGroupUuid + " portUuid:" + portUuid);
+ NeutronPort port = neutronPortCache.getPort(portUuid);
+ processPortAdded(securityGroupUuid,port);
+ }
+
+ @Override
+ public void portRemoved(String securityGroupUuid, String portUuid) {
+ LOG.debug("In portRemoved securityGroupUuid:" + securityGroupUuid + " portUuid:" + portUuid);
+ NeutronPort port = neutronPortCache.getPort(portUuid);
+ processPortRemoved(securityGroupUuid,port);
+ }
+
+ @Override
+ public void addToCache(String remoteSgUuid, String portUuid) {
+ LOG.debug("In addToCache remoteSgUuid:" + remoteSgUuid + "portUuid:" + portUuid);
+ HashSet<String> portList = securityGroupCache.get(remoteSgUuid);
+ if (null == portList) {
+ portList = new HashSet<String>();
+ securityGroupCache.put(remoteSgUuid, portList);
+ }
+ portList.add(portUuid);
+ }
+
+ @Override
+ public void removeFromCache(String remoteSgUuid, String portUuid) {
+ LOG.debug("In removeFromCache remoteSgUuid:" + remoteSgUuid + " portUuid:" + portUuid);
+ HashSet<String> portList = securityGroupCache.get(remoteSgUuid);
+ if (null == portList) {
+ return;
+ }
+ for (Iterator<String> iterator = portList.iterator(); iterator.hasNext();) {
+ String cachedPort = iterator.next();
+ if (cachedPort.equals(portUuid)) {
+ iterator.remove();
+ break;
+ }
+ }
+ if (portList.isEmpty()) {
+ securityGroupCache.remove(remoteSgUuid);
+ }
+ }
+
+ private void processPortAdded(String securityGroupUuid, NeutronPort port) {
+ /*
+ * Itreate through the cache maintained for the security group added. For each port in the cache
+ * add the rule to allow traffic to/from the new port added.
+ */
+ LOG.debug("In processPortAdded securityGroupUuid:" + securityGroupUuid + " NeutronPort:" + port);
+ HashSet<String> portList = this.securityGroupCache.get(securityGroupUuid);
+ if (null == portList) {
+ return;
+ }
+ for (String cachedportUuid : portList) {
+ if (cachedportUuid.equals(port.getID())) {
+ continue;
+ }
+ NeutronPort cachedport = neutronPortCache.getPort(cachedportUuid);
+ if (null == cachedport) {
+ return;
+ }
+ List<NeutronSecurityRule> remoteSecurityRules = retrieveSecurityRules(securityGroupUuid, cachedportUuid);
+ for (NeutronSecurityRule securityRule:remoteSecurityRules) {
+ for (Neutron_IPs vmIp : port.getFixedIPs()) {
+ securityServicesManager.syncSecurityRule(cachedport, securityRule, vmIp, true);
+ }
+ }
+ }
+ }
+
+ private void processPortRemoved(String securityGroupUuid, NeutronPort port) {
+ /*
+ * Itreate through the cache maintained for the security group added. For each port in the cache remove
+ * the rule to allow traffic to/from the port that got deleted.
+ */
+ LOG.debug("In processPortRemoved securityGroupUuid:" + securityGroupUuid + " port:" + port);
+ HashSet<String> portList = this.securityGroupCache.get(securityGroupUuid);
+ if (null == portList) {
+ return;
+ }
+ for (String cachedportUuid : portList) {
+ if (cachedportUuid.equals(port.getID())) {
+ continue;
+ }
+ NeutronPort cachedport = neutronPortCache.getPort(cachedportUuid);
+ if (null == cachedport) {
+ return;
+ }
+ List<NeutronSecurityRule> remoteSecurityRules = retrieveSecurityRules(securityGroupUuid, cachedportUuid);
+ for (NeutronSecurityRule securityRule:remoteSecurityRules) {
+ for (Neutron_IPs vmIp : port.getFixedIPs()) {
+ securityServicesManager.syncSecurityRule(cachedport, securityRule, vmIp, false);
+ }
+ }
+ }
+ }
+
+ private List<NeutronSecurityRule> retrieveSecurityRules(String securityGroupUuid, String portUuid) {
+ /*
+ * Get the list of security rules in the port with portUuid that has securityGroupUuid as a remote
+ * security group.
+ */
+ LOG.debug("In retrieveSecurityRules securityGroupUuid:" + securityGroupUuid + " portUuid:" + portUuid);
+ NeutronPort port = neutronPortCache.getPort(portUuid);
+ if (null == port) {
+ return null;
+ }
+ List<NeutronSecurityRule> remoteSecurityRules = new ArrayList<NeutronSecurityRule>();
+ List<NeutronSecurityGroup> securityGroups = port.getSecurityGroups();
+ for (NeutronSecurityGroup securtiyGroup : securityGroups) {
+ List<NeutronSecurityRule> securityRules = securtiyGroup.getSecurityRules();
+ for (NeutronSecurityRule securityRule : securityRules) {
+ if (securityGroupUuid.equals(securityRule.getSecurityRemoteGroupID())) {
+ remoteSecurityRules.add(securityRule);
+ }
+ }
+ }
+ return remoteSecurityRules;
+ }
+
+ private void init() {
+ /*
+ * Rebuild the cache in case of a restart.
+ */
+ List<NeutronPort> portList = neutronPortCache.getAllPorts();
+ for (NeutronPort port:portList) {
+ List<NeutronSecurityGroup> securityGroupList = port.getSecurityGroups();
+ if ( null != securityGroupList) {
+ for (NeutronSecurityGroup securityGroup : securityGroupList) {
+ List<NeutronSecurityRule> securityRuleList = securityGroup.getSecurityRules();
+ if ( null != securityRuleList) {
+ for (NeutronSecurityRule securityRule : securityRuleList) {
+ if (null != securityRule.getSecurityRemoteGroupID()) {
+ this.addToCache(securityRule.getSecurityRemoteGroupID(), port.getID());
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ @Override
+ public void setDependencies(ServiceReference serviceReference) {
+ securityServicesManager =
+ (SecurityServicesManager) ServiceHelper.getGlobalInstance(SecurityServicesManager.class, this);
+ neutronPortCache = (INeutronPortCRUD) ServiceHelper.getGlobalInstance(INeutronPortCRUD.class, this);
+ init();
+ }
+
+ @Override
+ public void setDependencies(Object impl) {
+ }
+}
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronNetwork;
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronPort;
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityGroup;
+import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSecurityRule;
import org.opendaylight.ovsdb.openstack.netvirt.translator.NeutronSubnet;
import org.opendaylight.ovsdb.openstack.netvirt.translator.Neutron_IPs;
import org.opendaylight.ovsdb.openstack.netvirt.translator.crud.INeutronNetworkCRUD;
private volatile ConfigurationService configurationService;
private volatile IngressAclProvider ingressAclProvider;
private volatile EgressAclProvider egressAclProvider;
- private volatile SecurityServicesManager securityServicesManager;
@Override
public boolean isPortSecurityReady(OvsdbTerminationPointAugmentation terminationPointAugmentation) {
}
@Override
- public List<Neutron_IPs> getVmListForSecurityGroup(List<Neutron_IPs> srcAddressList, String securityGroupUuid) {
+ public List<Neutron_IPs> getVmListForSecurityGroup(String portUuid, String securityGroupUuid) {
List<Neutron_IPs> vmListForSecurityGroup = new ArrayList<Neutron_IPs>();
/*For every port check whether security grouplist contains the current
* security group.*/
+ "compute port belongs to {}", neutronPort.getID(), neutronPort.getDeviceOwner());
continue;
}
+ if (portUuid.equals(neutronPort.getID())) {
+ continue;
+ }
List<NeutronSecurityGroup> securityGroups = neutronPort.getSecurityGroups();
if (null != securityGroups) {
for (NeutronSecurityGroup securityGroup:securityGroups) {
- if (securityGroup.getSecurityGroupUUID().equals(securityGroupUuid)
- && !neutronPort.getFixedIPs().containsAll(srcAddressList)) {
+ if (securityGroup.getSecurityGroupUUID().equals(securityGroupUuid)) {
LOG.debug("getVMListForSecurityGroup : adding ports with ips {} "
+ "compute port", neutronPort.getFixedIPs());
vmListForSecurityGroup.addAll(neutronPort.getFixedIPs());
return;
}
long dpid = getDpidOfIntegrationBridge(node);
- List<Neutron_IPs> srcAddressList = securityServicesManager.getIpAddressList(node, intf);
+ String neutronPortId = southbound.getInterfaceExternalIdsValue(intf,
+ Constants.EXTERNAL_ID_INTERFACE_ID);
for (NeutronSecurityGroup securityGroupInPort:securityGroupList) {
- ingressAclProvider.programPortSecurityAcl(dpid, segmentationId, attachedMac, localPort,
- securityGroupInPort, srcAddressList, write);
- egressAclProvider.programPortSecurityAcl(dpid, segmentationId, attachedMac, localPort,
- securityGroupInPort, srcAddressList, write);
+ ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+ securityGroupInPort, neutronPortId, write);
+ egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+ securityGroupInPort, neutronPortId, write);
+ }
+ }
+ }
+
+ @Override
+ public void syncSecurityRule(NeutronPort port, NeutronSecurityRule securityRule,Neutron_IPs vmIp, boolean write) {
+ LOG.trace("syncSecurityGroup:" + securityRule + " Write:" + Boolean.valueOf(write));
+ if (null != port && null != port.getSecurityGroups()) {
+ Node node = getNode(port);
+ NeutronNetwork neutronNetwork = neutronNetworkCache.getNetwork(port.getNetworkUUID());
+ String segmentationId = neutronNetwork.getProviderSegmentationID();
+ OvsdbTerminationPointAugmentation intf = getInterface(node, port);
+ long localPort = southbound.getOFPort(intf);
+ String attachedMac = southbound.getInterfaceExternalIdsValue(intf, Constants.EXTERNAL_ID_VM_MAC);
+ if (attachedMac == null) {
+ LOG.debug("programVlanRules: No AttachedMac seen in {}", intf);
+ return;
+ }
+ long dpid = getDpidOfIntegrationBridge(node);
+ if ("IPv4".equals(securityRule.getSecurityRuleEthertype())
+ && "ingress".equals(securityRule.getSecurityRuleDirection())) {
+
+ ingressAclProvider.programPortSecurityRule(dpid, segmentationId, attachedMac, localPort,
+ securityRule, vmIp, write);
+ } else if (securityRule.getSecurityRuleEthertype().equals("IPv4")
+ && securityRule.getSecurityRuleDirection().equals("egress")) {
+ egressAclProvider.programPortSecurityRule(dpid, segmentationId, attachedMac, localPort,
+ securityRule, vmIp, write);
}
}
}
(INeutronNetworkCRUD) ServiceHelper.getGlobalInstance(INeutronNetworkCRUD.class, this);
configurationService =
(ConfigurationService) ServiceHelper.getGlobalInstance(ConfigurationService.class, this);
- securityServicesManager =
- (SecurityServicesManager) ServiceHelper.getGlobalInstance(SecurityServicesManager.class, this);
}
@Override
egressAclProvider = (EgressAclProvider) impl;
}
}
-}
+}
\ No newline at end of file