Merge "Remove ovsdb related in resources"
authorSam Hague <shague@redhat.com>
Wed, 4 May 2016 01:26:38 +0000 (01:26 +0000)
committerGerrit Code Review <gerrit@opendaylight.org>
Wed, 4 May 2016 01:26:38 +0000 (01:26 +0000)
18 files changed:
features/pom.xml
features/src/main/features/features.xml
openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/OF13Provider.java
openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java
openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclServiceTest.java
openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclServiceTest.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/ConfigActivator.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/PortSecurityHandler.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/EgressAclProvider.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/IngressAclProvider.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/HostConfigService.java [new file with mode: 0644]
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/NeutronPort.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/crud/impl/NeutronPortInterface.java
resources/commons/NetvirtSfc.v2.json.postman_collection

index 68f37ab3ee8bd392fbceeef183cec1c60f06cf01..519060f095e2d78c93a32b167197a4c4cea19431 100644 (file)
@@ -166,20 +166,6 @@ and is available at http://www.eclipse.org/legal/epl-v10.html
       <classifier>features</classifier>
       <type>xml</type>
     </dependency>
-    <dependency>
-      <groupId>org.opendaylight.openflowplugin</groupId>
-      <artifactId>features-openflowplugin-li</artifactId>
-      <version>${openflowplugin.version}</version>
-      <classifier>features</classifier>
-      <type>xml</type>
-    </dependency>
-    <dependency>
-      <groupId>org.opendaylight.openflowplugin</groupId>
-      <artifactId>features-openflowplugin-extension-li</artifactId>
-      <version>${openflowplugin.version}</version>
-      <classifier>features</classifier>
-      <type>xml</type>
-    </dependency>
     <dependency>
       <groupId>${project.groupId}</groupId>
       <artifactId>openstack.net-virt</artifactId>
index f80997a4a58eb4a6e4ca03362d05f1782d24dfc7..752f8e6ded03962fb650a011584c59f29a86066a 100644 (file)
@@ -8,8 +8,6 @@
   <repository>mvn:org.opendaylight.netconf/features-restconf/{{VERSION}}/xml/features</repository>
   <repository>mvn:org.opendaylight.openflowplugin/features-openflowplugin-extension/{{VERSION}}/xml/features</repository>
   <repository>mvn:org.opendaylight.openflowplugin/features-openflowplugin/{{VERSION}}/xml/features</repository>
-  <repository>mvn:org.opendaylight.openflowplugin/features-openflowplugin-extension-li/{{VERSION}}/xml/features</repository>
-  <repository>mvn:org.opendaylight.openflowplugin/features-openflowplugin-li/{{VERSION}}/xml/features</repository>
   <repository>mvn:org.opendaylight.neutron/features-neutron/{{VERSION}}/xml/features</repository>
   <repository>mvn:org.opendaylight.ovsdb/hwvtepsouthbound-features/{{VERSION}}/xml/features</repository>
   <repository>mvn:org.opendaylight.ovsdb/southbound-features/{{VERSION}}/xml/features</repository>
     <bundle>mvn:org.opendaylight.netvirt/utils.neutron-utils/{{VERSION}}</bundle>
   </feature>
 
-  <feature name="odl-ovsdb-openstack-clusteraware" description="OpenDaylight :: OVSDB :: OpenStack Network Virtualization - Cluster Aware"
-           version='${project.version}'>
-    <feature version='${controller.mdsal.version}'>odl-mdsal-broker</feature>
-    <feature version="${openflowplugin.version}">odl-openflowplugin-nsf-model-li</feature>
-    <feature version="${neutron.version}">odl-neutron-service</feature>
-    <feature version="${ovsdb.version}">odl-ovsdb-southbound-impl</feature>
-    <feature version="${openflowplugin.version}">odl-openflowplugin-flow-services-li</feature>
-    <feature version="${openflowplugin.version}">odl-openflowplugin-nxm-extensions-li</feature>
-    <bundle>mvn:org.opendaylight.netvirt/utils.servicehelper/{{VERSION}}</bundle>
-    <bundle>mvn:org.opendaylight.netvirt/utils.neutron-utils/{{VERSION}}</bundle>
-    <bundle>mvn:org.opendaylight.netvirt/utils.mdsal-utils/{{VERSION}}</bundle>
-    <bundle>mvn:org.opendaylight.ovsdb/utils.mdsal-utils/{{VERSION}}</bundle>
-    <bundle>mvn:org.opendaylight.ovsdb/utils.southbound-utils/{{VERSION}}</bundle>
-    <bundle>mvn:org.opendaylight.netvirt/openstack.net-virt/{{VERSION}}</bundle>
-    <bundle>mvn:org.opendaylight.netvirt/openstack.net-virt-providers/{{VERSION}}</bundle>
-    <bundle>mvn:commons-net/commons-net/{{VERSION}}</bundle>
-    <configfile finalname="etc/opendaylight/karaf/netvirt-impl-default-config.xml">mvn:org.opendaylight.netvirt/openstack.net-virt/{{VERSION}}/xml/config</configfile>
-    <configfile finalname="etc/opendaylight/karaf/netvirt-providers-impl-default-config.xml">mvn:org.opendaylight.netvirt/openstack.net-virt-providers/{{VERSION}}/xml/config</configfile>
-  </feature>
-
   <feature name="odl-ovsdb-ui" description="OpenDaylight :: OVSDB :: DLUX Integration Plugin" version='${project.version}'>
     <feature version="${dlux.version}">odl-dlux-core</feature>
     <bundle>mvn:org.opendaylight.netvirt/ovsdb-ui-bundle/{{VERSION}}</bundle>
index 85be27b31af2762b3284f9c651e29d33f055b335..356be18770cd1bd0f53506b459b23d2fd67ff1ca 100644 (file)
@@ -1000,49 +1000,43 @@ public class OF13Provider implements ConfigInterface, NetworkingProvider {
     }
 
     private void programLocalSecurityGroupRules(String attachedMac, Node node, OvsdbTerminationPointAugmentation intf,
-                                 Long dpid,long localPort, String segmentationId,
-                                 boolean write) {
+                                                Long dpid,long localPort, String segmentationId,
+                                                boolean write) {
 
         LOG.debug("programLocalRules: Program fixed security group rules for interface {}", intf.getName());
+        boolean isPortSecurityEnabled = securityServicesManager.isPortSecurityEnabled(intf);
+        if (!isPortSecurityEnabled) {
+            LOG.info("Port security is not enabled" + intf);
+            return;
+        }
         NeutronPort dhcpPort = securityServicesManager.getDhcpServerPort(intf);
-        boolean isComputePort = false;
-        boolean isLastPortinBridge = false;
-        boolean isLastPortinSubnet = false;
         List<Neutron_IPs> srcAddressList = null;
         if (null != dhcpPort) {
-            isComputePort = securityServicesManager.isComputePort(intf);
-            isLastPortinBridge = securityServicesManager.isLastPortinBridge(node, intf);
-            isLastPortinSubnet = false;
-            if (isComputePort) {
-                isLastPortinSubnet = securityServicesManager.isLastPortinSubnet(node, intf);
-                srcAddressList = securityServicesManager.getIpAddressList(intf);
-                if (null == srcAddressList) {
-                    LOG.warn("programLocalRules: No Ip address assigned {}", intf);
-                    return;
-                }
+            srcAddressList = securityServicesManager.getIpAddressList(intf);
+            if (null == srcAddressList) {
+                LOG.warn("programLocalRules: No Ip address assigned {}", intf);
+                return;
             }
             ingressAclProvider.programFixedSecurityGroup(dpid, segmentationId, dhcpPort.getMacAddress(), localPort,
-                                                       isLastPortinSubnet, isComputePort, attachedMac, write);
+                                                         attachedMac, write);
             egressAclProvider.programFixedSecurityGroup(dpid, segmentationId, attachedMac, localPort,
-                                                      srcAddressList, isLastPortinBridge, isComputePort,write);
+                                                        srcAddressList, write);
             /* If the network type is tunnel based (VXLAN/GRRE/etc) with Neutron Port Security ACLs */
             /* TODO SB_MIGRATION */
 
             LOG.debug("Neutron port has a Port Security Group");
             // Retrieve the security group from the Neutron Port and apply the rules
-            if (securityServicesManager.isPortSecurityReady(intf)) {
-                //Associate the security group flows.
-                List<NeutronSecurityGroup> securityGroupListInPort = securityServicesManager
-                        .getSecurityGroupInPortList(intf);
-                String neutronPortId = southbound.getInterfaceExternalIdsValue(intf,
-                                                                               Constants.EXTERNAL_ID_INTERFACE_ID);
-                for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) {
-                    ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
-                                                              securityGroupInPort, neutronPortId, write);
-                    egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
-                                                             securityGroupInPort, neutronPortId, write);
-                }
+            List<NeutronSecurityGroup> securityGroupListInPort = securityServicesManager
+                    .getSecurityGroupInPortList(intf);
+            String neutronPortId = southbound.getInterfaceExternalIdsValue(intf,
+                                                                           Constants.EXTERNAL_ID_INTERFACE_ID);
+            for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) {
+                ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+                                                            securityGroupInPort, neutronPortId, write);
+                egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+                                                           securityGroupInPort, neutronPortId, write);
             }
+
         } else {
             LOG.warn("programLocalRules: No DCHP port seen in  network of {}", intf);
         }
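Review bot: The loop over `securityGroupListInPort` near the end of this hunk no longer sits behind the `isPortSecurityReady(intf)` check, so a null return from `getSecurityGroupInPortList(intf)` would throw after the fixed DHCP/ARP rules have already been programmed, leaving the port with a partial ACL set. That method's implementation is not visible here; if it can return null, guard it with `if (securityGroupListInPort == null) { LOG.warn("programLocalRules: No security groups for {}", intf); return; }`. The early return on `!isPortSecurityEnabled` also applies when `write` is false, so it is worth confirming that flows written while port security was still enabled are removed elsewhere. The new `LOG.info("Port security is not enabled" + intf);` should use the parameterized form, `LOG.info("Port security is not enabled {}", intf);`. The method's closing brace lies outside the hunk.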
index 47fdc7029db4e62054078920927d4edae899b6b5..e7ac0c244e0c0ba4b4719d77c0c8f0185a0b7469 100644 (file)
@@ -230,41 +230,39 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
 
     @Override
     public void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac,
-                                        long localPort, List<Neutron_IPs> srcAddressList,
-                                        boolean isLastPortinBridge, boolean isComputePort ,boolean write) {
-        // If it is the only port in the bridge add the rule to allow any DHCP client traffic
-        //if (isLastPortinBridge) {
-        egressAclDhcpAllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
-        egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
-        // }
-        if (isComputePort) {
-            programArpRule(dpid, segmentationId, localPort, attachedMac, write);
-            if (securityServicesManager.isConntrackEnabled()) {
-                programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write);
-            }
-            // add rule to drop the DHCP server traffic originating from the vm.
-            egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
-                                                 Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
-            egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
-                                                   Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
-            //Adds rule to check legitimate ip/mac pair for each packet from the vm
-            for (Neutron_IPs srcAddress : srcAddressList) {
-                try {
-                    InetAddress address = InetAddress.getByName(srcAddress.getIpAddress());
-                    if (address instanceof Inet4Address) {
-                        String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
-                        egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
-                                                             Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
-                    } else if (address instanceof Inet6Address) {
-                        String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK;
-                        egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix,
-                                                               Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
-                    }
-                } catch (UnknownHostException e) {
-                    LOG.warn("Invalid IP address {}", srcAddress.getIpAddress(), e);
+                                          long localPort, List<Neutron_IPs> srcAddressList, boolean write) {
+
+        egressAclDhcpAllowClientTrafficFromVm(dpid, write, localPort,
+                                              Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
+        egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, localPort,
+                                                Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
+        programArpRule(dpid, segmentationId, localPort, attachedMac, write);
+        if (securityServicesManager.isConntrackEnabled()) {
+            programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write);
+        }
+        // add rule to drop the DHCP server traffic originating from the vm.
+        egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
+                                             Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
+        egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
+                                               Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
+        //Adds rule to check legitimate ip/mac pair for each packet from the vm
+        for (Neutron_IPs srcAddress : srcAddressList) {
+            try {
+                InetAddress address = InetAddress.getByName(srcAddress.getIpAddress());
+                if (address instanceof Inet4Address) {
+                    String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
+                    egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
+                                                         Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
+                } else if (address instanceof Inet6Address) {
+                    String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK;
+                    egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix,
+                                                           Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
                 }
+            } catch (UnknownHostException e) {
+                LOG.warn("Invalid IP address {}", srcAddress.getIpAddress(), e);
             }
         }
+
     }
 
     private void programArpRule(Long dpid, String segmentationId, long localPort, String attachedMac, boolean write) {
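Review bot: `for (Neutron_IPs srcAddress : srcAddressList)` is now reached on every call, where it used to run only under `isComputePort`, so a null list throws after the DHCP, ARP and conntrack flows have been written and before any IP/MAC pair rule is added. The caller changed in OF13Provider returns on a null list, but this is a public `@Override` and other callers are not visible here. Consider stating the contract in the method's Javadoc or failing before the first flow is programmed, e.g. `Objects.requireNonNull(srcAddressList, "srcAddressList");` as the first statement (this needs `java.util.Objects` if the file does not already import it).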
@@ -683,16 +681,18 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
      *
      * @param dpidLong the dpid
      * @param write whether to write or delete the flow
+     * @param localPort the local port.
      * @param priority the priority
      */
     private void egressAclDhcpAllowClientTrafficFromVm(Long dpidLong,
-                                                       boolean write, Integer priority) {
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+                                                       boolean write, long localPort, Integer priority) {
         String flowName = "Egress_DHCP_Client"  + "_Permit_";
         MatchBuilder matchBuilder = new MatchBuilder();
+        MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
         MatchUtils.createDhcpMatch(matchBuilder, DHCP_DESTINATION_PORT, DHCP_SOURCE_PORT);
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
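Review bot: The flow name stays `"Egress_DHCP_Client" + "_Permit_"` while the match now includes `localPort`, so every port on the same dpid appears to share one flow name. If `FlowUtils.createFlowBuilder` uses that name as the flow id (not visible here), programming a second port would replace the first port's DHCP client permit, and deleting one port's flow would remove it for the others. Put the port into the name, for example `String flowName = "Egress_DHCP_Client_" + localPort + "_Permit_";`. The same applies to `Egress_DHCPv6_Client` in the next hunk, and to the `Ingress_DHCP_Server` and `Ingress_DHCPv6_Server` flow ids in IngressAclService, which now match on `attachMac` but are still built only from `segmentationId` and `dhcpMacAddress`.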
@@ -701,16 +701,18 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
      *
      * @param dpidLong the dpid
      * @param write whether to write or delete the flow
+     * @param localPort the local port
      * @param priority the priority
      */
     private void egressAclDhcpv6AllowClientTrafficFromVm(Long dpidLong,
-                                                         boolean write, Integer priority) {
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+                                                         boolean write, long localPort, Integer priority) {
         String flowName = "Egress_DHCPv6_Client"  + "_Permit_";
         MatchBuilder matchBuilder = new MatchBuilder();
+        MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
         MatchUtils.createDhcpv6Match(matchBuilder, DHCPV6_DESTINATION_PORT, DHCPV6_SOURCE_PORT);
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
index d0d3cf03ef6817c4a79e1c649fd28b6056715a94..ce9155ca9c81fd84d924bf80530df187b0115df8 100644 (file)
@@ -215,21 +215,17 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
 
     @Override
     public void programFixedSecurityGroup(Long dpid, String segmentationId, String dhcpMacAddress,
-                                        long localPort, boolean isLastPortinSubnet,
-                                        boolean isComputePort, String attachMac, boolean write) {
-        //If this port is the only port in the compute node add the DHCP server rule.
-        if (isLastPortinSubnet && isComputePort ) {
-            ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress,
-                                             write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
-            ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress,
-                                               write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
-        }
-        if (isComputePort) {
-            if (securityServicesManager.isConntrackEnabled()) {
-                programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write);
-            }
-            programArpRule(dpid, segmentationId, localPort, attachMac, write);
+                                        long localPort, String attachMac, boolean write) {
+
+        ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac,
+                                         write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+        ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac,
+                                           write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+
+        if (securityServicesManager.isConntrackEnabled()) {
+            programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write);
         }
+        programArpRule(dpid, segmentationId, localPort, attachMac, write);
     }
 
     private void programArpRule(Long dpid, String segmentationId, long localPort, String attachMac, boolean write) {
@@ -654,18 +650,21 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
      * @param dpidLong the dpid
      * @param segmentationId the segmentation id
      * @param dhcpMacAddress the DHCP server mac address
+     * @param attachMac the mac address of  the port
      * @param write is write or delete
      * @param protoPortMatchPriority the priority
      */
     private void ingressAclDhcpAllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
-                                                  boolean write, Integer protoPortMatchPriority) {
+                                                  String attachMac, boolean write, Integer protoPortMatchPriority) {
 
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         MatchBuilder matchBuilder = new MatchBuilder();
-        MatchUtils.createDhcpServerMatch(matchBuilder, dhcpMacAddress, 67, 68).build();
+        matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac,
+                                                             MatchUtils.ETHERTYPE_IPV4);
+        MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 67, 68);
         String flowId = "Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
@@ -675,18 +674,21 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
      * @param dpidLong the dpid
      * @param segmentationId the segmentation id
      * @param dhcpMacAddress the DHCP server mac address
+     * @param attachMac the mac address of  the port
      * @param write is write or delete
      * @param protoPortMatchPriority the priority
      */
     private void ingressAclDhcpv6AllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
-                                                    boolean write, Integer protoPortMatchPriority) {
+                                                    String attachMac, boolean write, Integer protoPortMatchPriority) {
 
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         MatchBuilder matchBuilder = new MatchBuilder();
-        MatchUtils.createDhcpv6ServerMatch(matchBuilder, dhcpMacAddress, 547, 546).build();
+        matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac,
+                                                             MatchUtils.ETHERTYPE_IPV6);
+        MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 547, 546);
         String flowId = "Ingress_DHCPv6_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
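Review bot: `MatchUtils.createV4EtherMatchWithType(..., MatchUtils.ETHERTYPE_IPV6)` reads as a contradiction at the call site in `ingressAclDhcpv6AllowServerTraffic`. The helper is not visible here; if it only sets the Ethernet source, destination and EtherType, a comment such as `// helper is Ethernet-only despite its name; the EtherType argument selects IPv6` would save the next reader from checking, and if it adds anything IPv4-specific the DHCPv6 server permit would never match. The literals `547, 546` (and `67, 68` in the DHCPv4 hunk above) could also become named constants, as EgressAclService does with `DHCPV6_DESTINATION_PORT` and `DHCPV6_SOURCE_PORT`.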
index 48f6717168288aeb861b21f21608005c20341cab..3bbd1d84e21079032020b1c0442203a5963b4c92 100644 (file)
@@ -48,6 +48,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv6Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.TcpMatch;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.UdpMatch;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.ovsdb.rev150105.OvsdbTerminationPointAugmentation;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.api.support.membermodification.MemberModifier;
@@ -1504,40 +1505,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
-
-        verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).checkedGet();
-    }
-    /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
-
-        verify(writeTransaction, times(2)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).get();
-    }
-
-    /**
-     *  Test With isConntrackEnabled false isComputeNode true
+      *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLAdd2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true);
 
         verify(writeTransaction, times(9)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
         verify(writeTransaction, times(9)).submit();
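Review bot: The expectations in `testProgramFixedSecurityACLAdd2` only count `put` and `submit` calls, so nothing here checks that the DHCP client permit flows carry the new in-port match or that two ports on the same dpid end up with distinct flows. A case that calls `programFixedSecurityGroup` for two different `localPort` values and inspects the written `Node` arguments with an `ArgumentCaptor` would cover that. The remaining tests in this file have the same shape. The surviving methods also keep the `Add2`/`Remove2`/`Add4`/`Remove4` numbering after the `1` and `3` variants were removed; renaming them after the condition they test (conntrack on or off) would read better.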
@@ -1545,13 +1519,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled false isComputeNode true
+     *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLRemove2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false);
 
         verify(writeTransaction, times(9)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
         verify(writeTransaction, times(9)).submit();
@@ -1559,41 +1533,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
-
-        verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).checkedGet();
-    }
-
-    /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
-
-        verify(writeTransaction, times(2)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).get();
-    }
-
-    /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLAdd4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true);
 
         verify(writeTransaction, times(14)).put(any(LogicalDatastoreType.class),
                                                any(InstanceIdentifier.class), any(Node.class), eq(true));
@@ -1602,13 +1548,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLRemove4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false);
 
         verify(writeTransaction, times(14)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
         verify(writeTransaction, times(14)).submit();
index 5d2e75d7d04b035efb59fbdb90977b7e8add0ee3..e5d3b061d1eda5d49224cd350ffd9a6fa922f62b 100644 (file)
@@ -1536,108 +1536,56 @@ public class IngressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
-
-        verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
-
-        verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled false isComputeNode false
+     *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLAdd2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, true);
 
-        verify(writeTransaction, times(1)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(1)).submit();
-        verify(commitFuture, times(1)).checkedGet();
+        verify(writeTransaction, times(3)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+        verify(writeTransaction, times(3)).submit();
+        verify(commitFuture, times(3)).checkedGet();
     }
     /**
-     *  Test With isConntrackEnabled false isComputeNode false
+     *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLRemove2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, false);
 
-        verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(1)).submit();
-        verify(commitFuture, times(1)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
-
-        verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
-
-        verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
+        verify(writeTransaction, times(3)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+        verify(writeTransaction, times(3)).submit();
+        verify(commitFuture, times(3)).get();
     }
     /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLAdd4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, true);
 
-        verify(writeTransaction, times(6)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(6)).submit();
-        verify(commitFuture, times(6)).checkedGet();
+        verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+        verify(writeTransaction, times(8)).submit();
+        verify(commitFuture, times(8)).checkedGet();
     }
     /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLRemove4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, false);
 
-        verify(writeTransaction, times(6)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(6)).submit();
-        verify(commitFuture, times(6)).get();
+        verify(writeTransaction, times(8)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+        verify(writeTransaction, times(8)).submit();
+        verify(commitFuture, times(8)).get();
     }
 
 }
index 91e77d7430b7c1b911af7f397bfc2922f9c23936..7623e8cb7a8a99184333d543b5f24b8fa9219fd6 100644 (file)
@@ -49,6 +49,7 @@ import org.opendaylight.netvirt.openstack.netvirt.impl.ProviderNetworkManagerImp
 import org.opendaylight.netvirt.openstack.netvirt.impl.SecurityGroupCacheManagerImpl;
 import org.opendaylight.netvirt.openstack.netvirt.impl.SecurityServicesImpl;
 import org.opendaylight.netvirt.openstack.netvirt.impl.SouthboundImpl;
+import org.opendaylight.netvirt.openstack.netvirt.impl.HostConfigService;
 import org.opendaylight.netvirt.openstack.netvirt.impl.VlanConfigurationCacheImpl;
 import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronLoadBalancerCRUD;
 import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronLoadBalancerPoolCRUD;
@@ -218,6 +219,10 @@ public class ConfigActivator implements BundleActivator {
         registerService(context,
                 new String[]{Southbound.class.getName()}, null, southbound);
 
+        HostConfigService hostConfigService = new HostConfigService(providerContext.getSALService(DataBroker.class));
+        registerService(context,
+                new String[]{HostConfigService.class.getName()}, null, hostConfigService);
+
         NodeCacheManagerImpl nodeCacheManager = new NodeCacheManagerImpl();
         registerAbstractHandlerService(context, new Class[] {NodeCacheManager.class},
                 AbstractEvent.HandlerType.NODE, nodeCacheManager);
index 0d3d8b370a8ecf78b68c34e474c184c0443cc5d8..78e1c4276b1e78c34a5e9e17ff500fcbc54a2852 100644 (file)
@@ -154,7 +154,10 @@ public class PortSecurityHandler extends AbstractHandler
 
     private void syncSecurityGroup(NeutronSecurityRule  securityRule,NeutronPort port,
                                    boolean write) {
-
+        if (!port.getPortSecurityEnabled()) {
+            LOG.info("Port security not enabled port", port);
+            return;
+        }
         if (null != securityRule.getSecurityRemoteGroupID()) {
             List<Neutron_IPs> vmIpList  = securityServicesManager
                     .getVmListForSecurityGroup(port.getID(), securityRule.getSecurityRemoteGroupID());
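Review bot: The added `LOG.info("Port security not enabled port", port);` has no `{}` placeholder, so SLF4J never formats the port into the message and the log line cannot tell an operator which port was skipped. Use `LOG.info("Port security not enabled for port {}", port.getID());`. The early return applies to `write == false` as well, so rule removal is also skipped for such a port; a one-line comment stating that this is intended would help the next reader. syncSecurityGroup continues past the end of the hunk.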
@@ -169,17 +172,17 @@ public class PortSecurityHandler extends AbstractHandler
     private List<NeutronPort> getPortWithSecurityGroup(String securityGroupUuid) {
 
         List<NeutronPort> neutronPortList = neutronPortCache.getAllPorts();
-        List<NeutronPort> neutronPortInSG = new ArrayList<NeutronPort>();
+        List<NeutronPort> neutronPortInSg = new ArrayList<NeutronPort>();
         for (NeutronPort neutronPort:neutronPortList) {
             List<NeutronSecurityGroup> securityGroupList = neutronPort.getSecurityGroups();
             for (NeutronSecurityGroup neutronSecurityGroup:securityGroupList) {
                 if (neutronSecurityGroup.getID().equals(securityGroupUuid)) {
-                    neutronPortInSG.add(neutronPort);
+                    neutronPortInSg.add(neutronPort);
                     break;
                 }
             }
         }
-        return neutronPortInSG;
+        return neutronPortInSg;
     }
 
     @Override
index d82f30aa90316eec29abf13f770368737c64a3c9..1f049b0838f4a526f79fae201576ebf9a7fe87a4 100644 (file)
@@ -55,11 +55,8 @@ public interface EgressAclProvider {
      * @param attachedMac the attached mac
      * @param localPort the local port
      * @param srcAddressList the list of source ip address assigned to vm
-     * @param isLastPortinBridge is this the last port in the bridge
-     * @param isComputePort indicates whether this port is a compute port or not
      * @param write is this flow writing or deleting
      */
     void programFixedSecurityGroup(Long dpid, String segmentationId,String attachedMac, long localPort,
-                                  List<Neutron_IPs> srcAddressList, boolean isLastPortinBridge,
-                                  boolean isComputePort, boolean write);
+                                  List<Neutron_IPs> srcAddressList, boolean write);
 }
\ No newline at end of file
index a4005e0c028fcad308ed0694b631e9742b8018ca..b587a245d13634f377673537ad3fe4fd84c47f9d 100644 (file)
@@ -52,11 +52,9 @@ public interface IngressAclProvider {
      * @param segmentationId the segmentation id
      * @param attachedMac the dhcp mac
      * @param localPort the local port
-     * @param isLastPortinSubnet is this the last port in the subnet
-     * @param isComputePort indicates whether this port is a compute port or not
      * @param attachedMac2 the src mac
      * @param write is this flow writing or deleting
      */
     void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort,
-                                  boolean isLastPortinSubnet, boolean isComputePort, String attachedMac2, boolean write);
+                                  String attachedMac2, boolean write);
 }
\ No newline at end of file
index 09d452ccc6f0a22ef18d5661bf6da0614b2838b1..2418792b289e82cfad7d0c0b40f5ff69ba2039f5 100644 (file)
@@ -70,7 +70,7 @@ public interface SecurityServicesManager {
     /**
      * Is this the last port in the subnet to which interface belongs to.
      * @param node The node to which the intf is connected.
-     * @param intf the intf
+     * @param intf the interface
      * @return whether last port in the subnet
      */
     boolean isLastPortinSubnet(Node node, OvsdbTerminationPointAugmentation intf);
@@ -116,4 +116,11 @@ public interface SecurityServicesManager {
      * @return whether connection tracking enabled.
      */
     boolean isConntrackEnabled();
+    /**
+     * Is the port a PortSecurity Enabled.
+     *
+     * @param intf the port
+     * @return  whether it is a compute port or not
+     */
+    boolean isPortSecurityEnabled(OvsdbTerminationPointAugmentation intf);
 }
\ No newline at end of file
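Review bot: The Javadoc added for `isPortSecurityEnabled` describes a different method: `@return  whether it is a compute port or not` looks copied from a compute-port check, and the summary "Is the port a PortSecurity Enabled." does not parse. Suggested wording is `Checks whether port security is enabled on the Neutron port behind the interface.` with `@return true if port security is enabled for the port`. The contract should also say what is returned when no Neutron port is found for the interface, since the implementation added in SecurityServicesImpl returns false in that case.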
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/HostConfigService.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/HostConfigService.java
new file mode 100644 (file)
index 0000000..171abd0
--- /dev/null
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 2016 Intel Corporation.  All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+package org.opendaylight.netvirt.openstack.netvirt.impl;
+
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
+import org.opendaylight.netvirt.openstack.netvirt.ClusterAwareMdsalUtils;
+import org.opendaylight.netvirt.openstack.netvirt.ConfigInterface;
+import org.opendaylight.netvirt.openstack.netvirt.api.Action;
+import org.opendaylight.netvirt.openstack.netvirt.api.OvsdbInventoryListener;
+import org.opendaylight.netvirt.openstack.netvirt.api.OvsdbInventoryService;
+import org.opendaylight.netvirt.openstack.netvirt.api.Southbound;
+import org.opendaylight.netvirt.openstack.netvirt.api.OvsdbTables;
+import org.opendaylight.netvirt.utils.servicehelper.ServiceHelper;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.hostconfig.rev150712.hostconfig.attributes.Hostconfigs;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.hostconfig.rev150712.hostconfig.attributes.hostconfigs.Hostconfig;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.ovsdb.rev150105.OvsdbNodeAugmentation;
+import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.network.topology.topology.Node;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.hostconfig.rev150712.hostconfig.attributes.hostconfigs.HostconfigBuilder;
+import org.opendaylight.yangtools.yang.binding.DataObject;
+import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
+import org.osgi.framework.ServiceReference;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+
+
+public class HostConfigService implements OvsdbInventoryListener, ConfigInterface {
+    private static final Logger LOG = LoggerFactory.getLogger(HostConfigService.class);
+
+    private static final String OS_HOST_CONFIG_HOST_ID_KEY = "odl_os_hostconfig_hostid";
+    private static final String OS_HOST_CONFIG_HOST_TYPE_KEY = "odl_os_hostconfig_hosttype";
+    private static final String OS_HOST_CONFIG_CONFIG_KEY = "odl_os_hostconfig_config";
+
+    private final DataBroker databroker;
+    private final ClusterAwareMdsalUtils mdsalUtils;
+    private volatile OvsdbInventoryService ovsdbInventoryService;
+    private volatile Southbound southbound;
+
+    public HostConfigService(DataBroker dataBroker) {
+        this.databroker = dataBroker;
+        mdsalUtils = new ClusterAwareMdsalUtils(dataBroker);
+    }
+
+    @Override
+    public void ovsdbUpdate(Node node, DataObject resourceAugmentationData, OvsdbType ovsdbType, Action action) {
+        boolean result;
+        Hostconfig hostConfig;
+        InstanceIdentifier<Hostconfig> hostConfigId;
+
+        if (ovsdbType != OvsdbType.NODE) {
+            return;
+        }
+        hostConfig = buildHostConfigInfo(node);
+        if (hostConfig == null) {
+              return;
+        }
+        LOG.trace("ovsdbUpdate: {} - {} - <<{}>> <<{}>>", ovsdbType, action, node, resourceAugmentationData);
+        switch (action) {
+            case ADD:
+            case UPDATE:
+                    hostConfigId = createInstanceIdentifier(hostConfig);
+                    result = mdsalUtils.put(LogicalDatastoreType.OPERATIONAL, hostConfigId, hostConfig);
+                    LOG.trace("Add Node: result: {}", result);
+                break;
+            case DELETE:
+                    hostConfigId = createInstanceIdentifier(hostConfig);
+                    result = mdsalUtils.delete(LogicalDatastoreType.OPERATIONAL, hostConfigId);
+                    LOG.trace("Delete Node: result: {}", result);
+                break;
+        }
+    }
+
+    @Override
+    public void triggerUpdates() {
+        List<Node> ovsdbNodes = southbound.readOvsdbTopologyNodes();
+        for (Node node : ovsdbNodes) {
+            ovsdbUpdate(node, node.getAugmentation(OvsdbNodeAugmentation.class),
+                    OvsdbInventoryListener.OvsdbType.NODE, Action.ADD);
+        }
+    }
+
+    private Hostconfig buildHostConfigInfo(Node node) {
+        HostconfigBuilder hostconfigBuilder = new HostconfigBuilder();
+        String value;
+
+        value = southbound.getExternalId(node, OvsdbTables.OPENVSWITCH, OS_HOST_CONFIG_HOST_ID_KEY);
+        if (value == null){
+            return null;
+        }
+        hostconfigBuilder.setHostId(value);
+        value = southbound.getExternalId(node, OvsdbTables.OPENVSWITCH, OS_HOST_CONFIG_HOST_TYPE_KEY);
+        if (value == null) {
+            return null;
+        }
+        hostconfigBuilder.setHostType(value);
+        value = southbound.getExternalId(node, OvsdbTables.OPENVSWITCH, OS_HOST_CONFIG_CONFIG_KEY);
+        if (value == null) {
+            return null;
+        }
+        hostconfigBuilder.setConfig(value);
+        return hostconfigBuilder.build();
+    }
+
+    private InstanceIdentifier<Hostconfig> createInstanceIdentifier() {
+        return InstanceIdentifier.create(Neutron.class)
+                .child(Hostconfigs.class)
+                .child(Hostconfig.class);
+    }
+
+    private InstanceIdentifier<Hostconfig> createInstanceIdentifier(Hostconfig hostconfig) {
+        return InstanceIdentifier.create(Neutron.class)
+                .child(Hostconfigs.class)
+                .child(Hostconfig.class, hostconfig.getKey());
+    }
+
+    @Override
+    public void setDependencies(ServiceReference serviceReference) {
+        southbound =
+                (Southbound) ServiceHelper.getGlobalInstance(Southbound.class, this);
+        ovsdbInventoryService =
+                (OvsdbInventoryService) ServiceHelper.getGlobalInstance(OvsdbInventoryService.class, this);
+        ovsdbInventoryService.listenerAdded(this);
+    }
+
+    @Override
+    public void setDependencies(Object impl) {
+    }
+}
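Review bot: `buildHostConfigInfo` copies the three `odl_os_hostconfig_*` external ids read via `OvsdbTables.OPENVSWITCH` straight into a `Hostconfig`, and `ovsdbUpdate` then puts or deletes the OPERATIONAL entry keyed by `hostconfig.getKey()`, with nothing tying that key to the node that reported it. If the key is derived from the reported host id, which the visible code does not show, two nodes reporting the same id would overwrite each other's entry, and a DELETE for one of them would remove the entry the other still relies on. I would record the trust assumption above `buildHostConfigInfo`, e.g. `// external ids are set on the OVS host; values are stored as reported, without validation`, and log the node id next to the host id on each put and delete so changes can be traced. The class has no Javadoc, and the `databroker` field and the no-argument `createInstanceIdentifier()` are never used in this file.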
index d9a601338b3e9b7236873d53b27cf6b3b37b3dfc..13b535448aa30f0d9a865d560ef1eb2a5cee68e3 100644 (file)
@@ -428,7 +428,9 @@ public class NeutronL3Adapter extends AbstractHandler implements GatewayMacResol
         if (action == UPDATE) {
             // FIXME: Bug 4971 Move cleanup cache to SG Impl
             this.updatePortInCleanupCache(neutronPort, neutronPort.getOriginalPort());
-            this.processSecurityGroupUpdate(neutronPort);
+            if (neutronPort.getPortSecurityEnabled()) {
+                this.processSecurityGroupUpdate(neutronPort);
+            }
         }
 
         if (!this.enabled) {
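Review bot: The new guard `if (neutronPort.getPortSecurityEnabled())` looks only at the updated port, so an UPDATE that switches port security off skips `processSecurityGroupUpdate` and nothing in this hunk removes the rules that were programmed while it was on. Whether that cleanup happens elsewhere is not visible here; if it does not, the port keeps stale ACL flows after the switch. Reading the previous state as well, e.g. `boolean wasEnabled = neutronPort.getOriginalPort().getPortSecurityEnabled();` after a null check on the original port, would let the handler treat the enabled-to-disabled and disabled-to-enabled transitions explicitly. The enclosing method starts and ends outside the hunk.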
index e853b4843ad38bc84589acee4dedc99076c4d978..fc2486aa91e4431923d5a15419f1c6df61fb6358 100644 (file)
@@ -575,6 +575,21 @@ public class SecurityServicesImpl implements ConfigInterface, SecurityServicesMa
         return null;
     }
 
+    @Override
+    public boolean isPortSecurityEnabled(OvsdbTerminationPointAugmentation intf) {
+        NeutronPort neutronPort = getNeutronPortFromCache(intf);
+        if (null == neutronPort) {
+            LOG.error("Neutron Port is null: " + intf);
+            return false;
+        }
+        if (neutronPort.getPortSecurityEnabled()) {
+            LOG.info("Port Security is enabled for Port: " + neutronPort);
+            return true;
+        }
+        LOG.info("Port Security is  not enabled for Port: " + neutronPort);
+        return false;
+    }
+
     @Override
     public void setDependencies(ServiceReference serviceReference) {
         neutronL3Adapter =
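Review bot: `isPortSecurityEnabled` returns false when `getNeutronPortFromCache(intf)` finds no port, which is the opposite of the default in `NeutronPort.getPortSecurityEnabled()` (true when the field is unset). If callers skip ACL programming on false, which this hunk does not show, a cache miss would leave the port without its fixed rules, so the choice should be deliberate and documented, e.g. `// no Neutron port known for this interface: reported as port security disabled`. The two `LOG.info` calls concatenate the whole port into the message on every call; `LOG.debug("Port security enabled={} for port {}", enabled, neutronPort.getID());` followed by a single `return enabled;` would be quieter and shorter.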
index 903c388d27419ebeb9ae1e07b912b5e1ba562ced..a7b4a6196fff1c84e751d809cab3db4c580d34fb 100644 (file)
@@ -83,6 +83,11 @@ public class NeutronPort implements Serializable, INeutronObject {
     @XmlElement (name = "extra_dhcp_opts")
     List<NeutronPort_ExtraDHCPOption> extraDHCPOptions;
 
+    //Port security is enabled by default for backward compatibility.
+    @XmlElement (defaultValue = "true", name = "port_security_enabled")
+    Boolean portSecurityEnabled;
+
+
     NeutronPort originalPort;
 
     public NeutronPort() {
@@ -233,6 +238,18 @@ public class NeutronPort implements Serializable, INeutronObject {
         this.bindingvifType = bindingvifType;
     }
 
+    public Boolean getPortSecurityEnabled() {
+        if (portSecurityEnabled == null) {
+            return true;
+        }
+        return portSecurityEnabled;
+    }
+
+    public void setPortSecurityEnabled(Boolean newValue) {
+        portSecurityEnabled = newValue;
+    }
+
+
     public NeutronPort getOriginalPort() {
         return originalPort;
     }
@@ -288,12 +305,16 @@ public class NeutronPort implements Serializable, INeutronObject {
             if ("security_groups".equals(field)) {
                 ans.setSecurityGroups(new ArrayList<>(this.getSecurityGroups()));
             }
+            if ("port_security_enabled".equals(field)) {
+                ans.setPortSecurityEnabled(this.getPortSecurityEnabled());
+            }
         }
         return ans;
     }
 
     public void initDefaults() {
         adminStateUp = true;
+        portSecurityEnabled = true;
         if (status == null) {
             status = "ACTIVE";
         }
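Review bot: `initDefaults()` now assigns `portSecurityEnabled = true;` unconditionally, unlike the `status` default right below it, which is guarded by a null check. If `initDefaults()` runs on an object unmarshalled from a request that set `port_security_enabled` to false (the call sites are not visible here), the caller's value is silently replaced. `if (portSecurityEnabled == null) { portSecurityEnabled = true; }` keeps the default without overwriting an explicit setting. initDefaults continues past the end of the hunk.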
@@ -309,6 +330,6 @@ public class NeutronPort implements Serializable, INeutronObject {
                 + ", fixedIPs=" + fixedIPs + ", deviceID=" + deviceID + ", deviceOwner=" + deviceOwner + ", tenantID="
                 + tenantID + ", securityGroups=" + securityGroups
                 + ", bindinghostID=" + bindinghostID + ", bindingvnicType=" + bindingvnicType
-                + ", bindingvnicType=" + bindingvnicType + "]";
+                + ", bindingvnicType=" + bindingvnicType + ", portSecurityEnabled=" + portSecurityEnabled +"]";
     }
 }
index 8814fb39736d5b8a47bef747dcc91b7e08425823..e2dbab6d227f76e075592a0d58c1156e3f46981c 100644 (file)
@@ -38,6 +38,8 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.por
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.Ports;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.Port;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.PortBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtension;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtensionBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.osgi.framework.BundleContext;
@@ -151,6 +153,13 @@ public class NeutronPortInterface extends AbstractNeutronInterface<Port, Neutron
         result.setBindingvnicType(binding.getVnicType());
     }
 
+    private void portSecurityExtension(Port port, NeutronPort result) {
+        PortSecurityExtension portSecurity = port.getAugmentation(PortSecurityExtension.class);
+        if(portSecurity != null && portSecurity.isPortSecurityEnabled() != null) {
+            result.setPortSecurityEnabled(portSecurity.isPortSecurityEnabled());
+        }
+    }
+
     protected NeutronPort fromMd(Port port) {
         NeutronPort result = new NeutronPort();
         result.setAdminStateUp(port.isAdminStateUp());
@@ -209,6 +218,7 @@ public class NeutronPortInterface extends AbstractNeutronInterface<Port, Neutron
         }
         result.setPortUUID(String.valueOf(port.getUuid().getValue()));
         addExtensions(port, result);
+        portSecurityExtension(port, result);
         return result;
     }
 
@@ -239,9 +249,14 @@ public class NeutronPortInterface extends AbstractNeutronInterface<Port, Neutron
             bindingBuilder.setVnicType(neutronPort.getBindingvnicType());
         }
 
+        PortSecurityExtensionBuilder portSecurityBuilder = new PortSecurityExtensionBuilder();
+        if (neutronPort.getPortSecurityEnabled() != null) {
+            portSecurityBuilder.setPortSecurityEnabled(neutronPort.getPortSecurityEnabled());
+        }
         PortBuilder portBuilder = new PortBuilder();
         portBuilder.addAugmentation(PortBindingExtension.class,
                                     bindingBuilder.build());
+        portBuilder.addAugmentation(PortSecurityExtension.class, portSecurityBuilder.build());
         portBuilder.setAdminStateUp(neutronPort.isAdminStateUp());
         if(neutronPort.getAllowedAddressPairs() != null) {
             List<AllowedAddressPairs> listAllowedAddressPairs = new ArrayList<>();
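Review bot: The check `if (neutronPort.getPortSecurityEnabled() != null)` can never be false, because the getter added to NeutronPort in this commit returns true when the field is unset. The `PortSecurityExtension` augmentation is therefore always written with an explicit value, and a port whose setting was never given is stored as enabled. If that is intended, drop the check and say so with `// getter defaults to true, so the augmentation always carries a value`; if an unset value should stay unset in the datastore, the check needs to read the field through an accessor that can return null. The enclosing method starts and ends outside the hunk.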
index 924754a30d60edc16b46ad20a413193803f98bbe..25b967ab7e16e2768e172d95eaa2fc704ba873ec 100644 (file)
             "version": 2,
             "preRequestScript": "",
             "tests": "",
-            "rawModeData": "{\n    \"netvirt-providers-config\": {\n        \"table-offset\": 10\n    }\n}"
+            "rawModeData": "{\n    \"netvirt-providers-config\": {\n        \"table-offset\": 1\n    }\n}"
         },
         {
             "id": "a1bd4157-09e1-d6a8-2ee7-8c503747511c",
             "rawModeData": "{\n    \"service-function-paths\": {\n        \"service-function-path\": [\n            {\n                \"name\": \"SFC-Path\",\n                \"symmetric\": false,\n                \"service-chain-name\": \"SFC\",\n                \"starting-index\": 255\n            }\n        ]\n    }\n}"
         }
     ]
-}
\ No newline at end of file
+}