return false;
}
BigInteger dpId = port.getDpId();
+ String portId = port.getInterfaceId();
if (dpId == null || port.getLPortTag() == null) {
- LOG.error("Unable to find DpId from ACL interface with id {}", port.getInterfaceId());
+ LOG.error("Unable to find DpId from ACL interface with id {}", portId);
return false;
}
programDhcpService(flowEntries, port, Action.ADD, NwConstants.ADD_FLOW);
} else {
if (port.getSecurityGroups() == null) {
- LOG.info("Port {} without SGs", port.getInterfaceId());
+ LOG.info("Port {} without SGs", portId);
return false;
}
- programAcl(flowEntries, port, Action.ADD, NwConstants.ADD_FLOW);
+ programAclWithAllowedAddress(flowEntries, port, port.getAllowedAddressPairs(),
+ Action.ADD, NwConstants.ADD_FLOW);
updateRemoteAclFilterTable(flowEntries, port, NwConstants.ADD_FLOW);
}
- programFlows(AclConstants.ACL_JOB_KEY_PREFIX + port.getInterfaceId(), flowEntries, NwConstants.ADD_FLOW);
+ programFlows(AclConstants.ACL_JOB_KEY_PREFIX + portId, flowEntries, NwConstants.ADD_FLOW);
return true;
}
matches, instructions, addOrRemove);
}
- private void programAcl(List<FlowEntity> flowEntries, AclInterface port, Action action, int addOrRemove) {
- programAclWithAllowedAddress(flowEntries, port, port.getAllowedAddressPairs(), action, addOrRemove);
- }
-
private void programAclWithAllowedAddress(List<FlowEntity> flowEntries, AclInterface port,
List<AllowedAddressPairs> allowedAddresses, Action action, int addOrRemove) {
Uint64 dpId = Uint64.valueOf(port.getDpId());
if (port.getInterfaceType() == InterfaceType.DhcpService) {
programDhcpService(flowEntries, port, Action.REMOVE, NwConstants.DEL_FLOW);
} else {
- programAcl(flowEntries, port, Action.REMOVE, NwConstants.DEL_FLOW);
+ programAclWithAllowedAddress(flowEntries, port, port.getAllowedAddressPairs(),
+ Action.REMOVE, NwConstants.DEL_FLOW);
updateRemoteAclFilterTable(flowEntries, port, NwConstants.DEL_FLOW);
}
programFlows(AclConstants.ACL_JOB_KEY_PREFIX + port.getInterfaceId(), flowEntries, NwConstants.DEL_FLOW);
}
String flowName =
- this.directionString + "_Fixed_Conntrk_" + dpId.toString() + "_"
+ this.directionString + "_Fixed_Conntrk_" + dpId + "_"
+ lportTag + "_" + matchEtherType + "_Recirc";
addFlowEntryToList(flowEntries, dpId, getAclConntrackSenderTable(), flowName,
AclConstants.ACL_DEFAULT_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches, instructions,
| MetaDataUtil.METADATA_MASK_ACL_DROP.longValue());
matches.add(new MatchMetadata(metaData, metaDataMask));
- String flowName = "Egress_" + dpId.toString() + "_" + lportTag + "_Drop";
+ String flowName = "Egress_" + dpId + "_" + lportTag + "_Drop";
addFlowEntryToList(flowEntries, dpId, getAclCommitterTable(), flowName,
AclConstants.CT_STATE_TRACKED_INVALID_PRIORITY, 0, 0, AclServiceUtils.getDropFlowCookie(lportTag),
matches, instructions, addOrRemove);
List<InstructionInfo> gotoInstructions = new ArrayList<>();
gotoInstructions.add(new InstructionGotoTable(getAclConntrackClassifierTable()));
- String flowName = "Egress_Fixed_Goto_Classifier_" + dpId.toString() + "_" + lportTag + "_"
+ String flowName = "Egress_Fixed_Goto_Classifier_" + dpId + "_" + lportTag + "_"
+ mac.getValue() + "_" + attachIp.stringValue();
addFlowEntryToList(flowEntries, dpId, getAclAntiSpoofingTable(), flowName,
AclConstants.PROTO_MATCH_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches, gotoInstructions,
for (Integer icmpv6Type: AclConstants.allowedIcmpv6NdList()) {
List<MatchInfoBase> matches = AclServiceUtils.buildIcmpV6Matches(icmpv6Type, 0, lportTag, serviceMode);
- String flowName = "Egress_ICMPv6" + "_" + dpId.toString() + "_" + lportTag + "_" + icmpv6Type + "_Permit_";
+ String flowName = "Egress_ICMPv6" + "_" + dpId + "_" + lportTag + "_" + icmpv6Type + "_Permit_";
addFlowEntryToList(flowEntries, dpId, getAclAntiSpoofingTable(), flowName,
AclConstants.PROTO_IPV6_ALLOWED_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches,
instructions, addOrRemove);
AclServiceUtils.getBoundServices(String.format("%s.%s.%s", "acl", "egressacl", interfaceName),
serviceIndex, flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
- ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME, NwConstants.EGRESS_ACL_SERVICE_INDEX),
- serviceMode);
+ serviceIndex, serviceMode);
return Collections.singletonList(
txRunner.callWithNewWriteOnlyTransactionAndSubmit(CONFIGURATION, tx -> tx.put(
MetaDataUtil.getLportTagMaskForReg6()));
matches.add(new MatchMetadata(metaData, metaDataMask));
- String flowName = "Ingress_" + dpId.toString() + "_" + lportTag + "_Drop";
+ String flowName = "Ingress_" + dpId + "_" + lportTag + "_Drop";
addFlowEntryToList(flowEntries, dpId, getAclCommitterTable(), flowName,
AclConstants.CT_STATE_TRACKED_INVALID_PRIORITY, 0, 0, AclServiceUtils.getDropFlowCookie(lportTag),
matches, instructions, addOrRemove);
List<InstructionInfo> gotoInstructions = new ArrayList<>();
gotoInstructions.add(new InstructionGotoTable(getAclConntrackClassifierTable()));
- String flowName = "Ingress_Fixed_Goto_Classifier_" + dpId.toString() + "_" + lportTag + "_"
+ String flowName = "Ingress_Fixed_Goto_Classifier_" + dpId + "_" + lportTag + "_"
+ mac.getValue() + "_" + attachIp.stringValue();
addFlowEntryToList(flowEntries, dpId, getAclAntiSpoofingTable(), flowName,
AclConstants.PROTO_MATCH_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches, gotoInstructions,
AclConstants.DHCP_CLIENT_PORT_IPV6, lportTag, serviceMode);
List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions();
- String flowName = "Ingress_DHCP_Server_v6" + "_" + dpId.toString() + "_" + lportTag + "_Permit_";
+ String flowName = "Ingress_DHCP_Server_v6" + "_" + dpId + "_" + lportTag + "_Permit_";
addFlowEntryToList(flowEntries, dpId, getAclAntiSpoofingTable(), flowName,
AclConstants.PROTO_DHCP_SERVER_MATCH_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches,
instructions, addOrRemove);
@Override
protected void programIcmpv6RARule(List<FlowEntity> flowEntries, AclInterface port, List<SubnetInfo> subnets,
int addOrRemove) {
- if (AclServiceUtils.isIpv6Subnet(subnets)) {
- /* Allow ICMPv6 Router Advertisement packets from external routers as well as internal routers
- * if subnet is configured with IPv6 version
- * Allow ICMPv6 Router Advertisement packets if originating from any LinkLocal Address.
- */
- List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions();
- List<MatchInfoBase> matches =
- AclServiceUtils.buildIcmpV6Matches(AclConstants.ICMPV6_TYPE_RA, 0,
- port.getLPortTag(), serviceMode);
- matches.addAll(AclServiceUtils.buildIpMatches(
- new IpPrefixOrAddress(IpPrefixBuilder.getDefaultInstance(AclConstants.IPV6_LINK_LOCAL_PREFIX)),
- AclServiceManager.MatchCriteria.MATCH_SOURCE));
- String flowName = "Ingress_ICMPv6" + "_" + port.getDpId() + "_" + port.getLPortTag() + "_"
- + AclConstants.ICMPV6_TYPE_RA + "_LinkLocal_Permit_";
- addFlowEntryToList(flowEntries, Uint64.valueOf(port.getDpId()), getAclAntiSpoofingTable(), flowName,
- AclConstants.PROTO_IPV6_ALLOWED_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches,
- instructions, addOrRemove);
+ if (!AclServiceUtils.isIpv6Subnet(subnets)) {
+ return;
}
+
+ Uint64 dpid = Uint64.valueOf(port.getDpId());
+ /* Allow ICMPv6 Router Advertisement packets from external routers as well as internal routers
+ * if subnet is configured with IPv6 version
+ * Allow ICMPv6 Router Advertisement packets if originating from any LinkLocal Address.
+ */
+ List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions();
+ List<MatchInfoBase> matches =
+ AclServiceUtils.buildIcmpV6Matches(AclConstants.ICMPV6_TYPE_RA, 0,
+ port.getLPortTag(), serviceMode);
+ matches.addAll(AclServiceUtils.buildIpMatches(
+ new IpPrefixOrAddress(IpPrefixBuilder.getDefaultInstance(AclConstants.IPV6_LINK_LOCAL_PREFIX)),
+ AclServiceManager.MatchCriteria.MATCH_SOURCE));
+ String flowName = "Ingress_ICMPv6" + "_" + dpid + "_" + port.getLPortTag() + "_"
+ + AclConstants.ICMPV6_TYPE_RA + "_LinkLocal_Permit_";
+ addFlowEntryToList(flowEntries, dpid, getAclAntiSpoofingTable(), flowName,
+ AclConstants.PROTO_IPV6_ALLOWED_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches,
+ instructions, addOrRemove);
}
/**
matches.add(lportMatchInfo);
List<InstructionInfo> instructions = new ArrayList<>();
instructions.add(new InstructionGotoTable(getAclConntrackClassifierTable()));
- String flowName = "Ingress_v4_Broadcast_" + dpId.longValue() + "_"
+ String flowName = "Ingress_v4_Broadcast_" + dpId + "_"
+ lportTag + "_" + broadcastAddress + "_Permit";
addFlowEntryToList(flowEntries, dpId, getAclAntiSpoofingTable(), flowName,
AclConstants.PROTO_MATCH_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches, instructions,
matches.add(icmpTypeMatchInfo);
List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions();
- String flowName = "Ingress_DHCP_Service_ICMP_" + dpId.toString() + "_" + lportTag + "_" + icmpType + "_Permit_";
+ String flowName = "Ingress_DHCP_Service_ICMP_" + dpId + "_" + lportTag + "_" + icmpType + "_Permit_";
addFlowEntryToList(flowEntries, dpId, getAclAntiSpoofingTable(), flowName,
AclConstants.PROTO_DHCP_SERVER_MATCH_PRIORITY, 0, 0, AclConstants.COOKIE_ACL_BASE, matches,
instructions, addOrRemove);