boolean bindAcl(AclInterface port);
- void bindService(String interfaceName, Long vpnId);
-
boolean unbindAcl(AclInterface port);
boolean applyAce(AclInterface port, String aclName, Ace ace);
boolean removeAce(AclInterface port, String aclName, Ace ace);
-
- void updateRemoteAclFilterTable(AclInterface port, int addOrRemove, Long vpnId);
-
}
void notify(AclInterface port, AclInterface oldPort, Action action);
void notifyAce(AclInterface port, Action action, String aclName, Ace ace);
-
- void updateRemoteAclFilterTable(AclInterface port, int addOrRemove, Long vpnId);
-
- void bindAclTableForVpn(AclInterface port, Long vpnId);
-
}
/** The dp id. */
BigInteger dpId;
+ /** Elan tag of the interface. */
+ Long elanId;
+
+ /** VPN Id of the interface. */
+ Long vpnId;
+
/** The security groups. */
List<Uuid> securityGroups;
this.dpId = dpId;
}
+ /**
+ * Gets elan id.
+ *
+ * @return elan id of the interface
+ */
+ public Long getElanId() {
+ return elanId;
+ }
+
+ /**
+ * Sets elan id of the interface.
+ *
+ * @param elanId elan id of the interface
+ */
+ public void setElanId(Long elanId) {
+ this.elanId = elanId;
+ }
+
+ /**
+ * Gets vpn id.
+ *
+ * @return VPN Id of the interface
+ */
+ public Long getVpnId() {
+ return vpnId;
+ }
+
+ /**
+ * Sets VPN Id of the interface.
+ *
+ * @param vpnId VPN Id of the interface
+ */
+ public void setVpnId(Long vpnId) {
+ this.vpnId = vpnId;
+ }
+
/**
* Gets the security groups.
*
package org.opendaylight.netvirt.aclservice.api.utils;
-import java.math.BigInteger;
import java.util.List;
import java.util.Map;
Map<String, List<MatchInfoBase>> programIpFlow(Matches matches);
- void updateBoundServicesFlow(String interfaceName, Long vpnId);
-
- void updateRemoteAclFilterTable(String interfaceName, Long vpnId, BigInteger dpnId, int addOrDelete);
-
}
import org.opendaylight.netvirt.aclservice.api.utils.AclInterfaceCacheUtil;
import org.opendaylight.netvirt.aclservice.utils.AclDataUtil;
import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
-import org.opendaylight.netvirt.vpnmanager.api.VpnHelper;
-import org.opendaylight.yang.gen.v1.urn.huawei.params.xml.ns.yang.l3vpn.rev140815.vpn.interfaces.VpnInterface;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntries;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
LOG.error("Unable to find DP Id from ACL interface with id {}", port.getInterfaceId());
return false;
}
- programAclWithAllowedAddress(dpId, port.getAllowedAddressPairs(), port.getLPortTag(), port.getSecurityGroups(),
- Action.ADD, NwConstants.ADD_FLOW, port.getInterfaceId());
- updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW, null /*vpnId*/);
+ programAclWithAllowedAddress(port, port.getAllowedAddressPairs(), Action.ADD, NwConstants.ADD_FLOW);
+ updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW);
return true;
}
LOG.error("port and port security groups cannot be null");
return false;
}
- bindService(port.getInterfaceId(), null/*vpnName*/);
- updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW, null /*vpnId*/);
+ bindService(port);
+ updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW);
return true;
}
LOG.error("Unable to find DP Id from ACL interface with id {}", port.getInterfaceId());
return false;
}
- unbindService(port.getInterfaceId());
- updateRemoteAclFilterTable(port, NwConstants.DEL_FLOW, null /*vpnId*/);
+ unbindService(port);
+ updateRemoteAclFilterTable(port, NwConstants.DEL_FLOW);
return true;
}
if (isPortSecurityEnable) {
result = applyAcl(portAfter) && bindAcl(portAfter);
} else {
- result = removeAcl(portAfter) && unbindAcl(portAfter);
+ result = removeAcl(portBefore) && unbindAcl(portBefore);
}
} else if (isPortSecurityEnable) {
// Acls has been updated, find added/removed Acls and act accordingly.
AclServiceUtils.getUpdatedAllowedAddressPairs(portBefore.getAllowedAddressPairs(),
portAfter.getAllowedAddressPairs());
if (deletedAllowedAddressPairs != null && !deletedAllowedAddressPairs.isEmpty()) {
- programAclWithAllowedAddress(dpId, deletedAllowedAddressPairs, portAfter.getLPortTag(),
- portAfter.getSecurityGroups(), Action.UPDATE, NwConstants.DEL_FLOW, portAfter.getInterfaceId());
+ programAclWithAllowedAddress(portAfter, deletedAllowedAddressPairs, Action.UPDATE, NwConstants.DEL_FLOW);
}
if (addedAllowedAddressPairs != null && !addedAllowedAddressPairs.isEmpty()) {
- programAclWithAllowedAddress(dpId, addedAllowedAddressPairs, portAfter.getLPortTag(),
- portAfter.getSecurityGroups(), Action.UPDATE, NwConstants.ADD_FLOW, portAfter.getInterfaceId());
+ programAclWithAllowedAddress(portAfter, addedAllowedAddressPairs, Action.UPDATE, NwConstants.ADD_FLOW);
}
updateArpForAllowedAddressPairs(dpId, portAfter.getLPortTag(), deletedAllowedAddressPairs,
portAfter.getAllowedAddressPairs());
// with SG2 (which has ACE with remote SG1). Now When we add SG3 to Interface1, the rule for Interface2 which
// match the IP of Interface1 will not be installed (but it have to be because Interface1 has more than one SG).
// So we need to remove all rules and install them from 0, and we cannot handle only the delta.
- updateCustomRules(dpId, portAfter.getLPortTag(), portBefore.getSecurityGroups(), NwConstants.DEL_FLOW,
- portAfter.getInterfaceId(), portAfter.getAllowedAddressPairs());
- updateRemoteAclFilterTable(portBefore, NwConstants.DEL_FLOW, null /*vpnId*/);
+ updateCustomRules(portBefore, portBefore.getSecurityGroups(), NwConstants.DEL_FLOW,
+ portAfter.getAllowedAddressPairs());
+ updateRemoteAclFilterTable(portBefore, NwConstants.DEL_FLOW);
updateAclInterfaceInCache(portAfter);
- updateCustomRules(dpId, portAfter.getLPortTag(), portAfter.getSecurityGroups(), NwConstants.ADD_FLOW,
- portAfter.getInterfaceId(), portAfter.getAllowedAddressPairs());
- updateRemoteAclFilterTable(portAfter, NwConstants.ADD_FLOW, null /*vpnId*/);
+ updateCustomRules(portAfter, portAfter.getSecurityGroups(), NwConstants.ADD_FLOW,
+ portAfter.getAllowedAddressPairs());
+ updateRemoteAclFilterTable(portAfter, NwConstants.ADD_FLOW);
}
private void updateAclInterfaceInCache(AclInterface aclInterfaceNew) {
aclDataUtil.addOrUpdateAclInterfaceMap(aclInterfaceNew.getSecurityGroups(), aclInterfaceNew);
}
- private void updateCustomRules(BigInteger dpId, int lportTag, List<Uuid> aclUuidList, int action, String portId,
+ private void updateCustomRules(AclInterface port, List<Uuid> aclUuidList, int action,
List<AllowedAddressPairs> syncAllowedAddresses) {
- programAclRules(aclUuidList, dpId, lportTag, action, portId);
- syncRemoteAclRules(aclUuidList, action, portId, syncAllowedAddresses);
+ programAclRules(port, aclUuidList, action);
+ syncRemoteAclRules(aclUuidList, action, port.getInterfaceId(), syncAllowedAddresses);
}
private void syncRemoteAclRules(List<Uuid> aclUuidList, int action, String currentPortId,
- List<AllowedAddressPairs> syncAllowedAddresses) {
+ List<AllowedAddressPairs> syncAllowedAddresses) {
if (aclUuidList == null) {
LOG.warn("security groups are null");
return;
}
+
for (Uuid remoteAclId : aclUuidList) {
Map<String, Set<AclInterface>> mapAclWithPortSet = aclDataUtil.getRemoteAclInterfaces(remoteAclId);
if (mapAclWithPortSet == null) {
for (Entry<String, Set<AclInterface>> entry : mapAclWithPortSet.entrySet()) {
String aclName = entry.getKey();
for (AclInterface port : entry.getValue()) {
- if (currentPortId.equals(port.getInterfaceId())) {
+ if (currentPortId.equals(port.getInterfaceId())
+ || (port.getSecurityGroups() != null && port.getSecurityGroups().size() == 1)) {
continue;
}
List<Ace> remoteAceList = AclServiceUtils.getAceWithRemoteAclId(dataBroker, port, remoteAclId);
for (Ace ace : remoteAceList) {
- programAceRule(port.getDpId(), port.getLPortTag(), action, aclName, ace, port.getInterfaceId(),
- syncAllowedAddresses);
+ programAceRule(port, action, aclName, ace, syncAllowedAddresses);
}
}
}
}
}
- private void programAclWithAllowedAddress(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses,
- int lportTag, List<Uuid> aclUuidList, Action action, int addOrRemove,
- String portId) {
+ private void programAclWithAllowedAddress(AclInterface port, List<AllowedAddressPairs> allowedAddresses,
+ Action action, int addOrRemove) {
+ BigInteger dpId = port.getDpId();
+ int lportTag = port.getLPortTag();
+ List<Uuid> aclUuidList = port.getSecurityGroups();
+ String portId = port.getInterfaceId();
programGeneralFixedRules(dpId, "", allowedAddresses, lportTag, action, addOrRemove);
programSpecificFixedRules(dpId, "", allowedAddresses, lportTag, portId, action, addOrRemove);
if (action == Action.ADD || action == Action.REMOVE) {
- programAclRules(aclUuidList, dpId, lportTag, addOrRemove, portId);
+ programAclRules(port, aclUuidList, addOrRemove);
}
syncRemoteAclRules(aclUuidList, addOrRemove, portId, allowedAddresses);
}
LOG.error("Unable to find DP Id from ACL interface with id {}", port.getInterfaceId());
return false;
}
- programAclWithAllowedAddress(dpId, port.getAllowedAddressPairs(), port.getLPortTag(), port.getSecurityGroups(),
- Action.REMOVE, NwConstants.DEL_FLOW, port.getInterfaceId());
- updateRemoteAclFilterTable(port, NwConstants.DEL_FLOW, null /*vpnId*/);
+ programAclWithAllowedAddress(port, port.getAllowedAddressPairs(), Action.REMOVE, NwConstants.DEL_FLOW);
+ updateRemoteAclFilterTable(port, NwConstants.DEL_FLOW, true);
return true;
}
if (!port.isPortSecurityEnabled()) {
return false;
}
- programAceRule(port.getDpId(), port.getLPortTag(), NwConstants.ADD_FLOW, aclName, ace, port.getInterfaceId(),
- null);
- updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW, null /*vpnId*/);
- updateRemoteAclFilterTableForVpn(port, NwConstants.ADD_FLOW);
+ programAceRule(port, NwConstants.ADD_FLOW, aclName, ace, null);
+ updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW);
return true;
}
- private void updateRemoteAclFilterTableForVpn(AclInterface port, int addOrRemove) {
- VpnInterface vpnInterface = VpnHelper.getVpnInterface(dataBroker, port.getInterfaceId());
- if (vpnInterface != null) {
- Long vpnId = VpnHelper.getVpnId(dataBroker, vpnInterface.getVpnInstanceName());
- updateRemoteAclFilterTable(port, addOrRemove, vpnId);
- }
- }
-
@Override
public boolean removeAce(AclInterface port, String aclName, Ace ace) {
if (!port.isPortSecurityEnabled()) {
return false;
}
- programAceRule(port.getDpId(), port.getLPortTag(), NwConstants.DEL_FLOW, aclName, ace, port.getInterfaceId(),
- null);
- updateRemoteAclFilterTable(port, NwConstants.DEL_FLOW, null /*vpnId*/);
- updateRemoteAclFilterTableForVpn(port, NwConstants.DEL_FLOW);
+ programAceRule(port, NwConstants.DEL_FLOW, aclName, ace, null);
+ updateRemoteAclFilterTable(port, NwConstants.DEL_FLOW);
return true;
}
/**
* Bind service.
*
- * @param interfaceName
- * the interface name
+ * @param aclInterface the acl interface
*/
- public abstract void bindService(String interfaceName, Long vpnId);
+ public abstract void bindService(AclInterface aclInterface);
/**
* Unbind service.
*
- * @param interfaceName
- * the interface name
+ * @param aclInterface the acl interface
*/
- protected abstract void unbindService(String interfaceName);
+ protected abstract void unbindService(AclInterface aclInterface);
/**
* Program the default anti-spoofing rules.
/**
* Programs the acl custom rules.
*
+ * @param port acl interface
* @param aclUuidList the list of acl uuid to be applied
- * @param dpId the dpId
- * @param lportTag the lport tag
* @param addOrRemove whether to delete or add flow
- * @param portId the port id
* @return program succeeded
*/
- protected abstract boolean programAclRules(List<Uuid> aclUuidList, BigInteger dpId, int lportTag, int addOrRemove,
- String portId);
+ protected abstract boolean programAclRules(AclInterface port, List<Uuid> aclUuidList, int addOrRemove);
/**
* Programs the ace custom rule.
*
- * @param dpId the dpId
- * @param lportTag the lport tag
+ * @param port acl interface
* @param addOrRemove whether to delete or add flow
* @param aclName the acl name
* @param ace rule to be program
- * @param portId the port id
* @param syncAllowedAddresses the allowed addresses
*/
- protected abstract void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses);
+ protected abstract void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses);
/**
* Writes/remove the flow to/from the datastore.
return instructions;
}
- @Override
- public void updateRemoteAclFilterTable(AclInterface port, int addOrRemove, Long vpnId) {
+ private void updateRemoteAclFilterTable(AclInterface port, int addOrRemove) {
+ updateRemoteAclFilterTable(port, addOrRemove, false);
+ }
+
+ private void updateRemoteAclFilterTable(AclInterface port, int addOrRemove, boolean isAclDeleted) {
if (port.getSecurityGroups() == null) {
LOG.debug("Port {} without SGs", port.getInterfaceId());
return;
}
- for (Uuid sg : port.getSecurityGroups()) {
- updateRemoteAclFilterTableForSg(port, sg, addOrRemove, vpnId);
+ if (AclServiceUtils.exactlyOneAcl(port)) {
+ Uuid acl = port.getSecurityGroups().get(0);
+ BigInteger aclId = aclServiceUtils.buildAclId(acl);
+ if (aclDataUtil.getRemoteAcl(acl) != null) {
+ Map<String, Set<AclInterface>> mapAclWithPortSet = aclDataUtil.getRemoteAclInterfaces(acl);
+ Set<BigInteger> dpns = collectDpns(mapAclWithPortSet);
+
+ for (AllowedAddressPairs ip : port.getAllowedAddressPairs()) {
+ if (!AclServiceUtils.isNotIpv4AllNetwork(ip)) {
+ continue;
+ }
+ for (BigInteger dpId : dpns) {
+ updateRemoteAclTableForPort(port, acl, addOrRemove, ip, aclId, dpId);
+ }
+ }
+ syncRemoteAclTableFromOtherDpns(port, acl, aclId, addOrRemove);
+ } else {
+ LOG.debug("Port {} with more than one SG ({}). Don't change ACL filter table", port.getInterfaceId(),
+ port.getSecurityGroups().size());
+ }
+ } else if (port.getSecurityGroups() != null && port.getSecurityGroups().size() > 1) {
+ updateRemoteAclTableForMultipleAcls(port, addOrRemove, port.getInterfaceId());
}
+ syncRemoteAclTable(port, addOrRemove, port.getInterfaceId(), isAclDeleted);
}
- protected void updateRemoteAclFilterTableForSg(AclInterface port, Uuid acl, int addOrRemove, Long vpnId) {
- BigInteger aclId = aclServiceUtils.buildAclId(acl);
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(port.getInterfaceId(), dataBroker);
- if (elanTag == null) {
- LOG.debug("Can't find elan id for port {} ", port.getInterfaceId());
- return;
+ private void syncRemoteAclTableFromOtherDpns(AclInterface port, Uuid acl, BigInteger aclId, int addOrRemove) {
+ List<AclInterface> aclInterfaces = aclDataUtil.getInterfaceList(acl);
+ BigInteger dpId = port.getDpId();
+ boolean isFirstPortInDpn = true;
+ for (AclInterface aclInterface : aclInterfaces) {
+ if (port.getInterfaceId().equals(aclInterface.getInterfaceId())) {
+ continue;
+ }
+ if (dpId.equals(aclInterface.getDpId())) {
+ isFirstPortInDpn = false;
+ break;
+ }
}
+ if (isFirstPortInDpn) {
+ for (AclInterface aclInterface : aclInterfaces) {
+ if (port.getInterfaceId().equals(aclInterface.getInterfaceId())) {
+ continue;
+ }
+ for (AllowedAddressPairs ip : aclInterface.getAllowedAddressPairs()) {
+ updateRemoteAclTableForPort(aclInterface, acl, addOrRemove, ip, aclId, port.getDpId());
+ }
+ }
+ }
+ }
- if (AclServiceUtils.exactlyOneAcl(port)) {
- for (AllowedAddressPairs ip : port.getAllowedAddressPairs()) {
- if (!AclServiceUtils.isNotIpv4AllNetwork(ip)) {
+ private void syncRemoteAclTable(AclInterface port, int addOrRemove, String ignorePort, boolean isAclDeleted) {
+ for (Uuid aclUuid : port.getSecurityGroups()) {
+ if (aclDataUtil.getRemoteAcl(aclUuid) == null) {
+ continue;
+ }
+ List<AclInterface> aclInterfaces = aclDataUtil.getInterfaceList(aclUuid);
+ for (AclInterface aclInterface : aclInterfaces) {
+ if (aclInterface.getInterfaceId().equals(port.getInterfaceId())
+ || AclServiceUtils.exactlyOneAcl(aclInterface)) {
continue;
}
- writeCurrentAclForRemoteAcls(acl, addOrRemove, elanTag, ip, aclId, vpnId);
+ boolean allMultipleAcls = true;
+ List<Uuid> remoteInterfaceRemoteAcls = aclInterface.getSecurityGroups();
+ if (remoteInterfaceRemoteAcls != null) {
+ for (Uuid remoteInterfaceRemoteAcl : remoteInterfaceRemoteAcls) {
+ if (aclDataUtil.getRemoteAcl(remoteInterfaceRemoteAcl) == null) {
+ continue;
+ }
+ List<AclInterface> aclInterfaces2 = aclDataUtil.getInterfaceList(remoteInterfaceRemoteAcl);
+ for (AclInterface aclInterface2 : aclInterfaces2) {
+ if (aclInterface2.getInterfaceId().equals(aclInterface.getInterfaceId())) {
+ continue;
+ }
+ if (aclInterface2.getSecurityGroups().size() == 1) {
+ allMultipleAcls = false;
+ break;
+ }
+ }
+ }
+ }
+ int addRremove = (allMultipleAcls) ? NwConstants.DEL_FLOW : NwConstants.ADD_FLOW;
+ addRremove = (isAclDeleted) ? NwConstants.DEL_FLOW : addRremove;
+ for (AllowedAddressPairs ip : aclInterface.getAllowedAddressPairs()) {
+ if (!AclServiceUtils.isNotIpv4AllNetwork(ip)) {
+ continue;
+ }
+ updateRemoteAclTableForPort(aclInterface, aclUuid, addRremove, ip,
+ aclServiceUtils.buildAclId(aclUuid), aclInterface.getDpId());
+ }
}
- } else {
- LOG.debug("Port {} with more than one SG ({}). Don't change ACL filter table", port.getInterfaceId(),
- port.getSecurityGroups().size());
}
- writeRemoteAclsForCurrentAcl(acl, port.getDpId(), addOrRemove, port.getInterfaceId(), vpnId);
}
- private void writeRemoteAclsForCurrentAcl(Uuid sgUuid, BigInteger dpId, int addOrRemove, String ignorePort,
- Long vpnId) {
+ private void updateRemoteAclTableForMultipleAcls(AclInterface port, int addOrRemove, String ignorePort) {
+ BigInteger dpId = port.getDpId();
if (dpId == null) {
LOG.warn("trying to write to null dpnId");
return;
}
- Acl acl = AclServiceUtils.getAcl(dataBroker, sgUuid.getValue());
- if (null == acl) {
- LOG.debug("The ACL {} is empty", sgUuid);
- return;
- }
-
- AccessListEntries accessListEntries = acl.getAccessListEntries();
- List<Ace> aceList = accessListEntries.getAce();
- for (Ace ace : aceList) {
- SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
- if (aceAttr.getRemoteGroupId() == null) {
+ for (Uuid aclUuid : port.getSecurityGroups()) {
+ if (aclDataUtil.getRemoteAcl(aclUuid) == null) {
continue;
}
- List<AclInterface> interfaceList = aclDataUtil.getInterfaceList(aceAttr.getRemoteGroupId());
- if (interfaceList == null) {
- continue;
+ Acl acl = AclServiceUtils.getAcl(dataBroker, aclUuid.getValue());
+ if (null == acl) {
+ LOG.debug("The ACL {} is empty", aclUuid);
+ return;
}
- for (AclInterface inter : interfaceList) {
- if (ignorePort.equals(inter.getInterfaceId())) {
+
+ Map<String, Set<AclInterface>> mapAclWithPortSet = aclDataUtil.getRemoteAclInterfaces(aclUuid);
+ Set<BigInteger> dpns = collectDpns(mapAclWithPortSet);
+
+ AccessListEntries accessListEntries = acl.getAccessListEntries();
+ List<Ace> aceList = accessListEntries.getAce();
+ for (Ace ace : aceList) {
+ SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
+ if (aceAttr.getRemoteGroupId() == null) {
+ continue;
+ }
+ List<AclInterface> interfaceList = aclDataUtil.getInterfaceList(aceAttr.getRemoteGroupId());
+ if (interfaceList == null) {
continue;
}
- if (AclServiceUtils.exactlyOneAcl(inter)) {
- BigInteger aclId = aclServiceUtils.buildAclId(aceAttr.getRemoteGroupId());
- Long elanTag = AclServiceUtils.getElanIdFromInterface(inter.getInterfaceId(), dataBroker);
- if (elanTag == null) {
- LOG.warn("Can't find elan id for port {} ", inter.getInterfaceId());
+ for (AclInterface inter : interfaceList) {
+ if (ignorePort.equals(inter.getInterfaceId())) {
continue;
}
- writeRemoteAclForCurrentAclForInterface(dpId, addOrRemove, inter, aclId, elanTag,
- vpnId);
- } else {
- LOG.debug("Port {} with more than one SG ({}). Don't change ACL filter table",
- inter.getInterfaceId(), inter.getSecurityGroups().size());
+ if (inter.getSecurityGroups() != null && inter.getSecurityGroups().size() == 1) {
+ BigInteger aclId = aclServiceUtils.buildAclId(aceAttr.getRemoteGroupId());
+ for (AllowedAddressPairs ip : port.getAllowedAddressPairs()) {
+ if (!AclServiceUtils.isNotIpv4AllNetwork(ip)) {
+ continue;
+ }
+ for (BigInteger dpnId : dpns) {
+ updateRemoteAclTableForPort(port, aceAttr.getRemoteGroupId(), addOrRemove, ip, aclId,
+ dpnId);
+ }
+ }
+ syncRemoteAclTableFromOtherDpns(port, aclUuid, aclId, addOrRemove);
+ }
}
}
}
}
- protected abstract void writeCurrentAclForRemoteAcls(Uuid acl, int addOrRemove, Long elanTag,
- AllowedAddressPairs ip, BigInteger aclId, Long vpnId);
-
- protected abstract void writeRemoteAclForCurrentAclForInterface(BigInteger dpId, int addOrRemove,
- AclInterface inter, BigInteger aclId, Long elanTag, Long vpnId);
+ protected abstract void updateRemoteAclTableForPort(AclInterface port, Uuid acl, int addOrRemove,
+ AllowedAddressPairs ip, BigInteger aclId, BigInteger dpId);
protected String getOperAsString(int flowOper) {
String oper;
}
return null;
}
-
}
/**
* Bind service.
*
- * @param interfaceName the interface name
+ * @param aclInterface the acl interface
*/
@Override
- public void bindService(String interfaceName, Long vpnId) {
- int instructionKey = 0;
- List<Instruction> instructions = new ArrayList<>();
- if (vpnId != null) {
- instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
- MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
- } else {
- Long elanTag = AclServiceUtils.getElanIdFromInterface(interfaceName, dataBroker);
- instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
- MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
- }
- instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.INGRESS_ACL_TABLE, ++instructionKey));
- short serviceIndex = ServiceIndex.getIndex(NwConstants.ACL_SERVICE_NAME, NwConstants.ACL_SERVICE_INDEX);
- int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
- BoundServices serviceInfo =
- AclServiceUtils.getBoundServices(String.format("%s.%s.%s", "acl", "egressacl", interfaceName),
- serviceIndex, flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
- InstanceIdentifier<BoundServices> path =
- AclServiceUtils.buildServiceId(interfaceName, serviceIndex, ServiceModeIngress.class);
-
+ public void bindService(AclInterface aclInterface) {
+ String interfaceName = aclInterface.getInterfaceId();
DataStoreJobCoordinator dataStoreCoordinator = DataStoreJobCoordinator.getInstance();
dataStoreCoordinator.enqueueJob(interfaceName,
() -> {
+ int instructionKey = 0;
+ List<Instruction> instructions = new ArrayList<>();
+ Long vpnId = aclInterface.getVpnId();
+ if (vpnId != null) {
+ instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
+ MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
+ } else {
+ Long elanTag = aclInterface.getElanId();
+ instructions.add(
+ MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
+ MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
+ }
+ instructions.add(
+ MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.INGRESS_ACL_TABLE, ++instructionKey));
+ short serviceIndex = ServiceIndex.getIndex(NwConstants.ACL_SERVICE_NAME,
+ NwConstants.ACL_SERVICE_INDEX);
+ int flowPriority = AclConstants.EGRESS_ACL_DEFAULT_FLOW_PRIORITY;
+ BoundServices serviceInfo = AclServiceUtils.getBoundServices(
+ String.format("%s.%s.%s", "acl", "egressacl", interfaceName), serviceIndex, flowPriority,
+ AclConstants.COOKIE_ACL_BASE, instructions);
+ InstanceIdentifier<BoundServices> path =
+ AclServiceUtils.buildServiceId(interfaceName, serviceIndex, ServiceModeIngress.class);
+
WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
writeTxn.put(LogicalDatastoreType.CONFIGURATION, path, serviceInfo, true);
/**
* Unbind service.
*
- * @param interfaceName the interface name
+ * @param aclInterface the acl interface
*/
@Override
- protected void unbindService(String interfaceName) {
+ protected void unbindService(AclInterface aclInterface) {
+ String interfaceName = aclInterface.getInterfaceId();
InstanceIdentifier<BoundServices> path =
AclServiceUtils.buildServiceId(interfaceName,
ServiceIndex.getIndex(NwConstants.ACL_SERVICE_NAME, NwConstants.ACL_SERVICE_INDEX),
}
@Override
- protected boolean programAclRules(List<Uuid> aclUuidList, BigInteger dpId, int lportTag, int addOrRemove, String
- portId) {
- LOG.trace("Applying custom rules DpId {}, lportTag {}", dpId, lportTag);
+ protected boolean programAclRules(AclInterface port, List<Uuid> aclUuidList, int addOrRemove) {
+ BigInteger dpId = port.getDpId();
+ LOG.trace("Applying custom rules DpId {}, lportTag {}", dpId, port.getLPortTag());
if (aclUuidList == null || dpId == null) {
LOG.warn("one of the egress acl parameters can not be null. sg {}, dpId {}",
aclUuidList, dpId);
AccessListEntries accessListEntries = acl.getAccessListEntries();
List<Ace> aceList = accessListEntries.getAce();
for (Ace ace: aceList) {
- programAceRule(dpId, lportTag, addOrRemove, acl.getAclName(), ace, portId, null);
+ programAceRule(port, addOrRemove, acl.getAclName(), ace, null);
}
}
return true;
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses) {
+ protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses) {
SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
return;
Map<String,List<MatchInfoBase>> flowMap = null;
if (aceType instanceof AceIp) {
flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
- if (aceAttr.getRemoteGroupId() != null) {
- flowMap = aclServiceUtils.getFlowForRemoteAcl(aceAttr.getRemoteGroupId(), portId, flowMap, false);
- } else if (syncAllowedAddresses != null) {
+ if (syncAllowedAddresses != null) {
flowMap = AclServiceUtils.getFlowForAllowedAddresses(syncAllowedAddresses, flowMap, false);
+ } else if (aceAttr.getRemoteGroupId() != null) {
+ flowMap = aclServiceUtils.getFlowForRemoteAcl(port, aceAttr.getRemoteGroupId(), port.getInterfaceId(),
+ flowMap, false);
}
}
+ int lportTag = port.getLPortTag();
if (null == flowMap) {
LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag);
return;
}
for (String flowName : flowMap.keySet()) {
- syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);
+ syncSpecificAclFlow(port.getDpId(), lportTag, addOrRemove, ace, port.getInterfaceId(), flowMap, flowName);
}
}
@Override
- protected void writeCurrentAclForRemoteAcls(Uuid acl, int addOrRemove, Long elanTag, AllowedAddressPairs ip,
- BigInteger aclId, Long vpnId) {
+ protected void updateRemoteAclTableForPort(AclInterface port, Uuid acl, int addOrRemove,
+ AllowedAddressPairs ip, BigInteger aclId, BigInteger dpId) {
+ Long elanTag = port.getElanId();
+ Long vpnId = port.getVpnId();
List<MatchInfoBase> flowMatches = new ArrayList<>();
flowMatches.addAll(AclServiceUtils.buildIpAndDstServiceMatch(elanTag, ip, dataBroker, vpnId));
Long serviceTag = vpnId != null ? vpnId : elanTag;
String flowNameAdded = "Acl_Filter_Egress_" + new String(ip.getIpAddress().getValue()) + "_" + serviceTag;
- Map<String, Set<AclInterface>> mapAclWithPortSet = aclDataUtil.getAllRemoteAclInterfaces();
- Set<BigInteger> dpns = collectDpns(mapAclWithPortSet);
- for (BigInteger dpId : dpns) {
- LOG.debug("writing rule for ip {} and rlanId {} in egress acl remote table {}", getIpPrefixOrAddress(ip),
- elanTag, getEgressAclRemoteAclTable());
- syncFlow(dpId, getEgressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
+ syncFlow(dpId, getEgressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
}
protected short getEgressAclFilterTable() {
return NwConstants.INGRESS_ACL_REMOTE_ACL_TABLE;
}
- @Override
- protected void writeRemoteAclForCurrentAclForInterface(BigInteger dpId, int addOrRemove, AclInterface inter,
- BigInteger aclId, Long elanTag, Long vpnId) {
- for (AllowedAddressPairs ip : inter.getAllowedAddressPairs()) {
- if (!AclServiceUtils.isNotIpv4AllNetwork(ip)) {
- continue;
- }
- List<MatchInfoBase> flowMatches = new ArrayList<>();
- flowMatches.addAll(AclServiceUtils.buildIpAndDstServiceMatch(elanTag, ip, dataBroker, vpnId));
-
- List<InstructionInfo> instructions = new ArrayList<>();
-
- InstructionWriteMetadata writeMetatdata =
- new InstructionWriteMetadata(AclServiceUtils.getAclIdMetadata(aclId),
- MetaDataUtil.METADATA_MASK_REMOTE_ACL_ID);
- instructions.add(writeMetatdata);
- instructions.add(new InstructionGotoTable(getEgressAclFilterTable()));
-
- Long serviceTag = vpnId != null ? vpnId : elanTag;
- String flowNameAdded =
- "Acl_Filter_Egress_" + new String(ip.getIpAddress().getValue()) + "_" + serviceTag;
-
- LOG.debug("writing rule for ip {} and elanId {} in egress acl remote table {}",
- getIpPrefixOrAddress(ip), elanTag, getEgressAclRemoteAclTable());
- syncFlow(dpId, getEgressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0,
- 0, AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
- }
-
protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
String portId, Map<String, List<MatchInfoBase>> flowMap, String flowName);
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
-import java.util.Set;
import org.opendaylight.controller.md.sal.binding.api.DataBroker;
import org.opendaylight.controller.md.sal.binding.api.WriteTransaction;
/**
* Bind service.
*
- * @param interfaceName the interface name
+ * @param aclInterface the acl interface
*/
@Override
- public void bindService(String interfaceName, Long vpnId) {
- int instructionKey = 0;
- List<Instruction> instructions = new ArrayList<>();
- if (vpnId != null) {
- instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
- MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
- } else {
- Long elanTag = AclServiceUtils.getElanIdFromInterface(interfaceName, dataBroker);
- instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
- MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
- }
- instructions.add(MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.EGRESS_ACL_TABLE, ++instructionKey));
- int flowPriority = AclConstants.INGRESS_ACL_DEFAULT_FLOW_PRIORITY;
- BoundServices serviceInfo = AclServiceUtils.getBoundServices(
- String.format("%s.%s.%s", "acl", "ingressacl", interfaceName),
- ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME, NwConstants.EGRESS_ACL_SERVICE_INDEX),
- flowPriority, AclConstants.COOKIE_ACL_BASE, instructions);
- InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
- ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME,
- NwConstants.EGRESS_ACL_SERVICE_INDEX), ServiceModeEgress.class);
-
+ public void bindService(AclInterface aclInterface) {
+ String interfaceName = aclInterface.getInterfaceId();
DataStoreJobCoordinator dataStoreCoordinator = DataStoreJobCoordinator.getInstance();
dataStoreCoordinator.enqueueJob(interfaceName,
() -> {
+ int instructionKey = 0;
+ List<Instruction> instructions = new ArrayList<>();
+ Long vpnId = aclInterface.getVpnId();
+ if (vpnId != null) {
+ instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
+ MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
+ } else {
+ Long elanTag = aclInterface.getElanId();
+ instructions.add(
+ MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
+ MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
+ }
+ instructions.add(
+ MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.EGRESS_ACL_TABLE, ++instructionKey));
+ int flowPriority = AclConstants.INGRESS_ACL_DEFAULT_FLOW_PRIORITY;
+ short serviceIndex = ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME,
+ NwConstants.EGRESS_ACL_SERVICE_INDEX);
+ BoundServices serviceInfo = AclServiceUtils.getBoundServices(
+ String.format("%s.%s.%s", "acl", "ingressacl", interfaceName), serviceIndex, flowPriority,
+ AclConstants.COOKIE_ACL_BASE, instructions);
+ InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
+ ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME,
+ NwConstants.EGRESS_ACL_SERVICE_INDEX), ServiceModeEgress.class);
+
WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
writeTxn.put(LogicalDatastoreType.CONFIGURATION, path, serviceInfo, true);
/**
* Unbind service.
*
- * @param interfaceName the interface name
+ * @param aclInterface the acl interface
*/
@Override
- protected void unbindService(String interfaceName) {
+ protected void unbindService(AclInterface aclInterface) {
+ String interfaceName = aclInterface.getInterfaceId();
InstanceIdentifier<BoundServices> path = AclServiceUtils.buildServiceId(interfaceName,
ServiceIndex.getIndex(NwConstants.EGRESS_ACL_SERVICE_NAME, NwConstants.EGRESS_ACL_SERVICE_INDEX),
ServiceModeEgress.class);
}
@Override
- protected boolean programAclRules(List<Uuid> aclUuidList, BigInteger dpId, int lportTag, int addOrRemove, String
- portId) {
+ protected boolean programAclRules(AclInterface port, List<Uuid> aclUuidList,int addOrRemove) {
+ BigInteger dpId = port.getDpId();
if (aclUuidList == null || dpId == null) {
LOG.warn("one of the ingress acl parameters can not be null. sg {}, dpId {}",
aclUuidList, dpId);
AccessListEntries accessListEntries = acl.getAccessListEntries();
List<Ace> aceList = accessListEntries.getAce();
for (Ace ace : aceList) {
- programAceRule(dpId, lportTag, addOrRemove, acl.getAclName(), ace, portId, null);
+ programAceRule(port, addOrRemove, acl.getAclName(), ace, null);
}
}
return true;
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses) {
+ protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses) {
SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
if (!aceAttr.getDirection().equals(DirectionIngress.class)) {
return;
Map<String, List<MatchInfoBase>> flowMap = null;
if (aceType instanceof AceIp) {
flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
- if (aceAttr.getRemoteGroupId() != null) {
- flowMap = aclServiceUtils.getFlowForRemoteAcl(aceAttr.getRemoteGroupId(), portId, flowMap, true);
- } else if (syncAllowedAddresses != null) {
+ if (syncAllowedAddresses != null) {
flowMap = AclServiceUtils.getFlowForAllowedAddresses(syncAllowedAddresses, flowMap, true);
+ } else if (aceAttr.getRemoteGroupId() != null) {
+ flowMap = aclServiceUtils.getFlowForRemoteAcl(port, aceAttr.getRemoteGroupId(), port.getInterfaceId(),
+ flowMap, true);
}
}
+ int lportTag = port.getLPortTag();
if (null == flowMap) {
LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag);
return;
}
for (String flowName : flowMap.keySet()) {
- syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);
+ syncSpecificAclFlow(port.getDpId(), lportTag, addOrRemove, ace, port.getInterfaceId(), flowMap, flowName);
}
}
@Override
- protected void writeCurrentAclForRemoteAcls(Uuid acl, int addOrRemove, Long elanTag, AllowedAddressPairs ip,
- BigInteger aclId, Long vpnId) {
+ protected void updateRemoteAclTableForPort(AclInterface port, Uuid acl, int addOrRemove,
+ AllowedAddressPairs ip, BigInteger aclId, BigInteger dpId) {
+ Long elanTag = port.getElanId();
+ Long vpnId = port.getVpnId();
List<MatchInfoBase> flowMatches = new ArrayList<>();
flowMatches.addAll(AclServiceUtils.buildIpAndSrcServiceMatch(elanTag, ip, dataBroker, vpnId));
Long serviceTag = vpnId != null ? vpnId : elanTag;
String flowNameAdded = "Acl_Filter_Ingress_" + new String(ip.getIpAddress().getValue()) + "_" + serviceTag;
- LOG.warn((addOrRemove == 0 ? "ADD" : "REMOVE") + flowNameAdded);
-
- Map<String, Set<AclInterface>> mapAclWithPortSet = aclDataUtil.getAllRemoteAclInterfaces();
- Set<BigInteger> dpns = collectDpns(mapAclWithPortSet);
- for (BigInteger dpId : dpns) {
- LOG.debug("writing rule for ip {} and rlanId {} in ingress acl remote table {}", getIpPrefixOrAddress(ip),
- elanTag, getIngressAclRemoteAclTable());
- syncFlow(dpId, getIngressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
+
+ syncFlow(dpId, getIngressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
}
protected short getIngressAclFilterTable() {
return NwConstants.EGRESS_ACL_REMOTE_ACL_TABLE;
}
- @Override
- protected void writeRemoteAclForCurrentAclForInterface(BigInteger dpId, int addOrRemove, AclInterface inter,
- BigInteger aclId, Long elanTag, Long vpnId) {
- for (AllowedAddressPairs ip : inter.getAllowedAddressPairs()) {
- if (!AclServiceUtils.isNotIpv4AllNetwork(ip)) {
- continue;
- }
- List<MatchInfoBase> flowMatches = new ArrayList<>();
- flowMatches.addAll(AclServiceUtils.buildIpAndSrcServiceMatch(elanTag, ip, dataBroker, vpnId));
-
- List<InstructionInfo> instructions = new ArrayList<>();
-
- InstructionWriteMetadata writeMetatdata =
- new InstructionWriteMetadata(AclServiceUtils.getAclIdMetadata(aclId),
- MetaDataUtil.METADATA_MASK_REMOTE_ACL_ID);
- instructions.add(writeMetatdata);
- instructions.add(new InstructionGotoTable(getIngressAclFilterTable()));
-
- Long serviceTag = vpnId != null ? vpnId : elanTag;
- String flowNameAdded =
- "Acl_Filter_Ingress_" + new String(ip.getIpAddress().getValue()) + "_" + serviceTag;
-
- LOG.debug("writing rule for ip {} and elanId {} in ingress acl remote table {}",
- getIpPrefixOrAddress(ip), elanTag, getIngressAclRemoteAclTable());
- syncFlow(dpId, getIngressAclRemoteAclTable(), flowNameAdded, AclConstants.NO_PRIORITY, "ACL", 0,
- 0, AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
- }
-
protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
String portId, Map<String, List<MatchInfoBase>> flowMap, String flowName);
}
}
}
-
- @Override
- public void updateRemoteAclFilterTable(AclInterface port, int addOrRemove, Long vpnId) {
- for (AclServiceListener aclServiceListener : aclServiceListeners) {
- aclServiceListener.updateRemoteAclFilterTable(port, addOrRemove, vpnId);
- }
- }
-
- @Override
- public void bindAclTableForVpn(AclInterface port, Long vpnId) {
- for (AclServiceListener aclServiceListener : aclServiceListeners) {
- aclServiceListener.bindService(port.getInterfaceId(), vpnId);
- }
- }
}
import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchTcpDestinationPort;
import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchTcpSourcePort;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
import org.opendaylight.netvirt.aclservice.utils.AclConstants;
import org.opendaylight.netvirt.aclservice.utils.AclDataUtil;
import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses) {
+ protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses) {
SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
return;
NxMatchTcpDestinationPort.class) || AclServiceUtils.containsMatchFieldType(flowMatches,
NxMatchTcpSourcePort.class);
if (hasTcpMatch || protocol == null) {
+ int lportTag = port.getLPortTag();
flowName += "Egress" + lportTag + ace.getKey().getRuleName();
flowMatches.add(buildLPortTagMatch(lportTag));
- programSynRules(dpId, flowName, flowMatches, addOrRemove, protocol, ace.getActions());
+ programSynRules(port.getDpId(), flowName, flowMatches, addOrRemove, protocol, ace.getActions());
}
}
}
import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchTcpDestinationPort;
import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchTcpSourcePort;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
import org.opendaylight.netvirt.aclservice.utils.AclConstants;
import org.opendaylight.netvirt.aclservice.utils.AclDataUtil;
import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses) {
+ protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses) {
SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
if (!aceAttr.getDirection().equals(DirectionIngress.class)) {
return;
protocol = ((AceIp)aceType).getProtocol();
flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
}
+ int lportTag = port.getLPortTag();
if (null == flowMap) {
LOG.error("Failed to apply ACL {} lPortTag {}", ace.getKey(), lportTag);
return;
if (hasTcpMatch || protocol == null) {
String flowName = flow.getKey() + "Ingress" + lportTag + ace.getKey().getRuleName();
flowMatches.add(buildLPortTagMatch(lportTag));
- programSynRules(dpId, flowName, flowMatches, addOrRemove, protocol, ace.getActions());
+ programSynRules(port.getDpId(), flowName, flowMatches, addOrRemove, protocol, ace.getActions());
}
}
}
import org.opendaylight.genius.mdsalutil.MatchInfoBase;
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
import org.opendaylight.netvirt.aclservice.utils.AclDataUtil;
import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
}
@Override
- public void bindService(String interfaceName, Long vpnId) {
+ public void bindService(AclInterface aclInterface) {
LOG.debug("transparent egress acl service - do nothing");
}
@Override
- protected void unbindService(String interfaceName) {
+ protected void unbindService(AclInterface aclInterface) {
LOG.debug("transparent egress acl service - do nothing");
}
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses) {
+ protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses) {
LOG.debug("transparent egress acl service - do nothing");
}
import org.opendaylight.genius.mdsalutil.MatchInfoBase;
import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
import org.opendaylight.netvirt.aclservice.utils.AclDataUtil;
import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
}
@Override
- public void bindService(String interfaceName, Long vpnId) {
+ public void bindService(AclInterface aclInterface) {
LOG.debug("transparent ingress acl service - do nothing");
}
@Override
- protected void unbindService(String interfaceName) {
+ protected void unbindService(AclInterface aclInterface) {
LOG.debug("transparent ingress acl service - do nothing");
}
}
@Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, String aclName, Ace ace,
- String portId, List<AllowedAddressPairs> syncAllowedAddresses) {
+ protected void programAceRule(AclInterface port, int addOrRemove, String aclName, Ace ace,
+ List<AllowedAddressPairs> syncAllowedAddresses) {
LOG.debug("Transparent ingress acl service - do nothing");
}
}
oldAclInterface.setInterfaceId(aclInterface.getInterfaceId());
oldAclInterface.setDpId(aclInterface.getDpId());
oldAclInterface.setLPortTag(aclInterface.getLPortTag());
+ oldAclInterface.setElanId(aclInterface.getElanId());
+ oldAclInterface.setVpnId(aclInterface.getVpnId());
oldAclInterface.setPortSecurityEnabled(aclInPortBefore.isPortSecurityEnabled());
oldAclInterface.setAllowedAddressPairs(aclInPortBefore.getAllowedAddressPairs());
aclInterface.setPortSecurityEnabled(aclInPort.isPortSecurityEnabled());
aclInterface.setSecurityGroups(aclInPort.getSecurityGroups());
aclInterface.setAllowedAddressPairs(aclInPort.getAllowedAddressPairs());
+ aclInterface.setElanId(AclServiceUtils.getElanIdFromInterface(interfaceId, dataBroker));
+ aclInterface.setVpnId(AclServiceUtils.getVpnIdFromInterface(dataBroker, interfaceId));
return aclInterface;
}
*/
package org.opendaylight.netvirt.aclservice.listeners;
-import java.math.BigInteger;
-
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.inject.Inject;
import javax.inject.Singleton;
-import org.opendaylight.controller.md.sal.binding.api.DataBroker;
-import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
-import org.opendaylight.netvirt.aclservice.api.utils.IAclServiceUtil;
+import org.opendaylight.netvirt.aclservice.api.AclServiceManager;
+import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
+import org.opendaylight.netvirt.aclservice.api.utils.AclInterfaceCacheUtil;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.l3vpn.rev130911.AddDpnEvent;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.l3vpn.rev130911.AddInterfaceToDpnOnVpnEvent;
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.l3vpn.rev130911.OdlL3vpnListener;
@Singleton
public class AclVpnChangeListener implements OdlL3vpnListener {
private static final Logger LOG = LoggerFactory.getLogger(AclVpnChangeListener.class);
- private final DataBroker dataBroker;
- private final IMdsalApiManager mdsalManager;
- private final IAclServiceUtil aclServiceUtil;
+ private final AclServiceManager aclServiceManager;
@Inject
- public AclVpnChangeListener(DataBroker dataBroker, IMdsalApiManager mdsalManager,
- IAclServiceUtil aclServiceUtil) {
- this.dataBroker = dataBroker;
- this.mdsalManager = mdsalManager;
- this.aclServiceUtil = aclServiceUtil;
+ public AclVpnChangeListener(AclServiceManager aclServiceManager) {
+ this.aclServiceManager = aclServiceManager;
}
@PostConstruct
@Override
public void onAddInterfaceToDpnOnVpnEvent(AddInterfaceToDpnOnVpnEvent notification) {
AddInterfaceEventData data = notification.getAddInterfaceEventData();
- String interfaceName = data.getInterfaceName();
+ LOG.trace("Processing vpn interface {} addition", data.getInterfaceName());
Long vpnId = data.getVpnId();
- BigInteger dpnId = data.getDpnId();
- LOG.trace("Processing vpn interface {} addition", interfaceName);
- aclServiceUtil.updateBoundServicesFlow(interfaceName, vpnId);
- aclServiceUtil.updateRemoteAclFilterTable(interfaceName, vpnId, dpnId, 0/*ADD*/);
-
+ AclInterface aclInterface = AclInterfaceCacheUtil.getAclInterfaceFromCache(data.getInterfaceName());
+ if (!vpnId.equals(aclInterface.getVpnId())) {
+ aclServiceManager.notify(aclInterface, null, Action.UNBIND);
+ aclInterface.setVpnId(vpnId);
+ aclServiceManager.notify(aclInterface, null, Action.BIND);
+ }
}
@Override
public void onRemoveInterfaceFromDpnOnVpnEvent(RemoveInterfaceFromDpnOnVpnEvent notification) {
RemoveInterfaceEventData data = notification.getRemoveInterfaceEventData();
- String interfaceName = data.getInterfaceName();
+ LOG.trace("Processing vpn interface {} deletion", data.getInterfaceName());
Long vpnId = data.getVpnId();
- BigInteger dpnId = data.getDpnId();
- LOG.trace("Processing vpn interface {} deletion", interfaceName);
- aclServiceUtil.updateBoundServicesFlow(interfaceName, null/*vpnName*/);
- aclServiceUtil.updateRemoteAclFilterTable(interfaceName, vpnId, dpnId, 1/*DELETE*/);
+ AclInterface aclInterface = AclInterfaceCacheUtil.getAclInterfaceFromCache(data.getInterfaceName());
+ if (vpnId.equals(aclInterface.getVpnId())) {
+ aclServiceManager.notify(aclInterface, null, Action.UNBIND);
+ aclInterface.setVpnId(null);
+ aclServiceManager.notify(aclInterface, null, Action.BIND);
+ }
}
}
package org.opendaylight.netvirt.aclservice.utils;
-import com.google.common.base.Optional;
-import java.math.BigInteger;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.inject.Singleton;
-import org.opendaylight.controller.md.sal.binding.api.DataBroker;
import org.opendaylight.genius.mdsalutil.MatchInfoBase;
-import org.opendaylight.netvirt.aclservice.api.AclServiceManager;
-import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
import org.opendaylight.netvirt.aclservice.api.utils.IAclServiceUtil;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl;
@Singleton
public class AclServiceUtilFacade implements IAclServiceUtil {
- private final AclServiceManager aclServiceManager;
- private final DataBroker broker;
@Inject
- public AclServiceUtilFacade(DataBroker broker, AclServiceManager aclServiceManager) {
- this.broker = broker;
- this.aclServiceManager = aclServiceManager;
+ public AclServiceUtilFacade() {
}
@Override
return AclServiceOFFlowBuilder.programIpFlow(matches);
}
- @Override
- public void updateBoundServicesFlow(String interfaceName, Long vpnId) {
- Optional<Interface> intfc = AclServiceUtils.getInterface(broker, interfaceName);
- InterfaceAcl aclInPort = intfc.get().getAugmentation(InterfaceAcl.class);
- if (aclInPort != null && aclInPort.isPortSecurityEnabled()) {
- aclServiceManager.bindAclTableForVpn(AclServiceUtils.buildAclInterfaceState(interfaceName, aclInPort),
- vpnId);
- }
- }
-
- @Override
- public void updateRemoteAclFilterTable(String interfaceName, Long vpnId, BigInteger dpnId, int addOrDelete) {
- Optional<Interface> intfc = AclServiceUtils.getInterface(broker, interfaceName);
- InterfaceAcl aclInPort = intfc.get().getAugmentation(InterfaceAcl.class);
- if (aclInPort != null && aclInPort.isPortSecurityEnabled()) {
- AclInterface aclInterface = AclServiceUtils.buildAclInterfaceState(interfaceName, aclInPort);
- aclInterface.setDpId(dpnId);
- aclServiceManager.updateRemoteAclFilterTable(aclInterface, addOrDelete, vpnId);
- }
- }
-
}
import org.opendaylight.genius.mdsalutil.nxmatches.NxMatchRegister;
import org.opendaylight.netvirt.aclservice.api.AclServiceManager.MatchCriteria;
import org.opendaylight.netvirt.aclservice.api.utils.AclInterface;
+import org.opendaylight.netvirt.vpnmanager.api.VpnHelper;
+import org.opendaylight.yang.gen.v1.urn.huawei.params.xml.ns.yang.l3vpn.rev140815.vpn.interfaces.VpnInterface;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.AccessLists;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.Ipv4Acl;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl;
return remoteAclRuleList;
}
- public Map<String, List<MatchInfoBase>> getFlowForRemoteAcl(Uuid remoteAclId, String ignoreInterfaceId,
- Map<String, List<MatchInfoBase>> flowMatchesMap, boolean isSourceIpMacMatch) {
- List<AclInterface> interfaceList = aclDataUtil.getInterfaceList(remoteAclId);
- if (flowMatchesMap == null || interfaceList == null || interfaceList.isEmpty()) {
- return null;
+ public Map<String, List<MatchInfoBase>> getFlowForRemoteAcl(AclInterface aclInterface, Uuid remoteAclId,
+ String ignoreInterfaceId, Map<String, List<MatchInfoBase>> flowMatchesMap, boolean isSourceIpMacMatch) {
+ boolean singleAcl = false;
+ List<AclInterface> interfaceList = null;
+ if (aclInterface.getSecurityGroups() != null && aclInterface.getSecurityGroups().size() == 1) {
+ singleAcl = true;
+ } else {
+ interfaceList = aclDataUtil.getInterfaceList(remoteAclId);
+ if (flowMatchesMap == null || interfaceList == null || interfaceList.isEmpty()) {
+ return null;
+ }
}
Map<String, List<MatchInfoBase>> updatedFlowMatchesMap = new HashMap<>();
MatchInfoBase ipv4Match = MatchEthernetType.IPV4;
MatchInfoBase ipv6Match = MatchEthernetType.IPV6;
for (String flowName : flowMatchesMap.keySet()) {
List<MatchInfoBase> flows = flowMatchesMap.get(flowName);
+ if (singleAcl) {
+ LOG.debug("port {} is in only one SG. "
+ + "Doesn't adding it's IPs {} to matches (handled in acl id match)",
+ aclInterface.getLPortTag(), aclInterface.getAllowedAddressPairs());
+ List<MatchInfoBase> matchInfoBaseList = addFlowMatchForAclId(remoteAclId, flows);
+ String flowId = flowName + "_remoteACL_id_" + remoteAclId.getValue();
+ updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
+ continue;
+ }
for (AclInterface port : interfaceList) {
if (port.getInterfaceId().equals(ignoreInterfaceId)) {
continue;
}
- if (port.getSecurityGroups() != null && port.getSecurityGroups().size() == 1) {
- LOG.debug(
- "port {} is in only one SG. "
- + "Doesn't adding it's IPs {} to matches (handled in acl id match)",
- port.getLPortTag(), port.getAllowedAddressPairs());
- List<MatchInfoBase> matchInfoBaseList = addFlowMatchForAclId(remoteAclId, flows);
- String flowId = flowName + "_remoteACL_id_" + remoteAclId.getValue();
- updatedFlowMatchesMap.put(flowId, matchInfoBaseList);
- continue;
- }
// get allow address pair
List<AllowedAddressPairs> allowedAddressPair = port.getAllowedAddressPairs();
// iterate over allow address pair and update match type
.child(ElanInstance.class, new ElanInstanceKey(elanInstanceName)).build();
}
+ public static Long getVpnIdFromInterface(DataBroker broker, String vpnInterfaceName) {
+ VpnInterface vpnInterface = VpnHelper.getVpnInterface(broker, vpnInterfaceName);
+ if (vpnInterface != null) {
+ return VpnHelper.getVpnId(broker, vpnInterface.getVpnInstanceName());
+ }
+ return null;
+ }
+
private static List<MatchInfoBase> updateAAPMatches(boolean isSourceIpMacMatch, List<MatchInfoBase> flows,
AllowedAddressPairs aap) {
List<MatchInfoBase> matchInfoBaseList;
protected def remoteFlows() {
remoteIngressFlowsPort1
- + remoteIngressFlowsPort1
- + remoteEgressFlowsPort1
+ remoteEgressFlowsPort1
+ remoteIngressFlowsPort2
+ remoteEgressFlowsPort2
+ fixedConntrackIngressFlowsPort2
+ etherIngressFlowsPort2
+ etherIngressFlowsPort2
- + etherIngressFlowsPort2
+ fixedEgressFlowsPort2
+ fixedConntrackEgressFlowsPort2
+ etheregressFlowPort2
+ remoteFlows
- + remoteIngressFlowsPort2
- + remoteEgressFlowsPort2
+ + remoteIngressFlowsPort1
+ + remoteIngressFlowsPort1
+ + remoteEgressFlowsPort1
+ + remoteEgressFlowsPort1
+ fixedEgressArpFlowsPort1()
+ fixedEgressArpFlowsPort2()
+ tcpEgressFlowPort2WithRemoteIpSg
]
priority = 61005
tableId = 241 as short
- ],
- new FlowEntityBuilder >> [
- dpnId = 123bi
- cookie = 110100480bi
- flowId = "SYN_ETHERnullIngress98785cc3048-abc3-43cc-89b3-377341426ac7"
- flowName = "ACL_SYN_"
- instructionInfoList = #[
- new InstructionApplyActions(#[
- new ActionNxResubmit(220 as short)
- ])
- ]
- matchInfoList = #[
- new MatchEthernetType(2048L),
- new MatchEthernetType(2048L),
- new NxMatchRegister(NxmNxReg6, 252672L, 268435200L)
- ]
- priority = 61005
- tableId = 241 as short
]
]
}
protected def tcpEgressFlowPort2() {
#[
- new FlowEntityBuilder >> [
- dpnId = 123bi
- cookie = 110100480bi
- flowId = "SYN_TCP_DESTINATION_80_65535Egress98785cc3048-abc3-43cc-89b3-377341426ac6"
- flowName = "ACL_SYN_"
- instructionInfoList = #[
- new InstructionApplyActions(#[
- new ActionNxResubmit(17 as short)
- ])
- ]
- matchInfoList = #[
- new MatchEthernetType(2048L),
- new MatchEthernetType(2048L),
- new NxMatchTcpDestinationPort(80, 65535),
- new MatchIpProtocol(6 as short),
- new MatchMetadata(1085217976614912bi, MetaDataUtil.METADATA_MASK_LPORT_TAG),
- new MatchTcpFlags(2)
- ]
- priority = 61005
- tableId = 211 as short
- ],
new FlowEntityBuilder >> [
dpnId = 123bi
cookie = 110100480bi