}
BigInteger dpId = port.getDpId();
if (dpId == null || port.getLPortTag() == null) {
- LOG.error("Unable to find DP Id from ACL interface with id {}", port.getInterfaceId());
+ LOG.error("Unable to find DpId from ACL interface with id {}", port.getInterfaceId());
return false;
}
+ LOG.debug("Applying ACL on port {} with DpId {}", port, dpId);
programAclWithAllowedAddress(port, port.getAllowedAddressPairs(), Action.ADD, NwConstants.ADD_FLOW);
updateRemoteAclFilterTable(port, NwConstants.ADD_FLOW);
return true;
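Review bot: The new debug line before `programAclWithAllowedAddress` logs the whole `port` object, while every other message in this method and in `updateAcl` identifies the port by `port.getInterfaceId()`. An `AclInterface` carries at least the security-group list and allowed address pairs (`getSecurityGroups()` and `getAllowedAddressPairs()` are called in this same file), so if its `toString()` includes them every bind dumps the port's full policy into the log and the line becomes hard to grep. Prefer `LOG.debug("Applying ACL on port {} with DpId {}", port.getInterfaceId(), dpId);` for consistency with the error path two lines above. The signature of `bindAcl` lies outside the hunk.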
public boolean unbindAcl(AclInterface port) {
BigInteger dpId = port.getDpId();
if (dpId == null) {
- LOG.error("Unable to find DP Id from ACL interface with id {}", port.getInterfaceId());
+ LOG.error("Unable to find DpId from ACL interface with id {}", port.getInterfaceId());
return false;
}
unbindService(port);
boolean isPortSecurityEnableBefore = portBefore.getPortSecurityEnabled();
// if port security is changed, apply/remove Acls
if (isPortSecurityEnableBefore != isPortSecurityEnable) {
+ LOG.debug("On ACL update, Port security is {} for {}", isPortSecurityEnable ? "Enabled" :
+ "Disabled", portAfter.getInterfaceId());
if (isPortSecurityEnable) {
result = applyAcl(portAfter) && bindAcl(portAfter);
} else {
} else if (isPortSecurityEnable) {
// Acls has been updated, find added/removed Acls and act accordingly.
processInterfaceUpdate(portBefore, portAfter);
+ LOG.debug("On ACL update, ACL has been updated for {}", portAfter.getInterfaceId());
}
return result;
Action action, int addOrRemove) {
BigInteger dpId = port.getDpId();
int lportTag = port.getLPortTag();
+ LOG.debug("Applying ACL Allowed Address on DpId {}, lportTag {}, Action {}", dpId, lportTag, action);
List<Uuid> aclUuidList = port.getSecurityGroups();
String portId = port.getInterfaceId();
programGeneralFixedRules(dpId, "", allowedAddresses, lportTag, action, addOrRemove);
if (vpnId != null) {
instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
+ LOG.debug("Binding ACL service for interface {} with vpnId {}", interfaceName, vpnId);
} else {
Long elanTag = aclInterface.getElanId();
instructions.add(
MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
+ LOG.debug("Binding ACL service for interface {} with ElanTag {}", interfaceName, elanTag);
}
instructions.add(
MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.INGRESS_ACL_TABLE, ++instructionKey));
InstanceIdentifier<BoundServices> path =
AclServiceUtils.buildServiceId(interfaceName, serviceIndex, ServiceModeIngress.class);
+
WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
writeTxn.put(LogicalDatastoreType.CONFIGURATION, path, serviceInfo,
WriteTransaction.CREATE_MISSING_PARENTS);
ServiceModeIngress.class);
DataStoreJobCoordinator dataStoreCoordinator = DataStoreJobCoordinator.getInstance();
+ LOG.debug("UnBinding ACL service for interface {}", interfaceName);
dataStoreCoordinator.enqueueJob(interfaceName,
() -> {
WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
@Override
protected void programGeneralFixedRules(BigInteger dpid, String dhcpMacAddress,
List<AllowedAddressPairs> allowedAddresses, int lportTag, Action action, int addOrRemove) {
- LOG.info("programFixedRules : adding default rules.");
+ LOG.info("programFixedRules : {} default rules.", action == Action.ADD ? "adding" : "removing");
if (action == Action.ADD || action == Action.REMOVE) {
+
egressAclDhcpAllowClientTraffic(dpid, dhcpMacAddress, lportTag, addOrRemove);
egressAclDhcpv6AllowClientTraffic(dpid, dhcpMacAddress, lportTag, addOrRemove);
egressAclDhcpDropServerTraffic(dpid, dhcpMacAddress, lportTag, addOrRemove);
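Review bot: The `"adding" : "removing"` ternary in the rewritten info line assumes `action` is either ADD or REMOVE, but the guard right after it (`action == Action.ADD || action == Action.REMOVE`) suggests the enum has other values; for any such value the log would claim default rules are being removed while the whole block is skipped. Logging the enum itself cannot misstate what happens: `LOG.info("programFixedRules : {} default rules.", action);` — or keep the wording and move the statement inside the `if`. The blank line added at the top of the `if` body looks accidental. The method body continues past the hunk.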
// Remove common macs to avoid delete and add of ARP flows having same MAC.
deletedAAPmacs.removeAll(addedAAPmacs);
-
programArpRule(dpId, deletedAAPmacs, lportTag, NwConstants.DEL_FLOW);
programArpRule(dpId, addedAAPmacs, lportTag, NwConstants.ADD_FLOW);
}
@Override
protected boolean programAclRules(AclInterface port, List<Uuid> aclUuidList, int addOrRemove) {
BigInteger dpId = port.getDpId();
- LOG.trace("Applying custom rules DpId {}, lportTag {}", dpId, port.getLPortTag());
+ LOG.debug("Applying custom rules on DpId {}, lportTag {}", dpId, port.getLPortTag());
if (aclUuidList == null || dpId == null) {
LOG.warn("one of the egress acl parameters can not be null. sg {}, dpId {}",
aclUuidList, dpId);
List<AllowedAddressPairs> syncAllowedAddresses) {
SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
+ LOG.debug("Ignoring Ingress direction ACE Rule {}", ace.getRuleName());
return;
}
Matches matches = ace.getMatches();
matches.add(buildLPortTagMatch(lportTag));
List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(new ArrayList<>());
-
+ LOG.debug(addOrRemove == NwConstants.DEL_FLOW ? "Deleting " : "Adding " + "ARP Rule on DPID {}, "
+ + "lportTag {}", dpId, lportTag);
String flowName = "Egress_ARP_" + dpId + "_" + lportTag + "_" + mac.getValue();
syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName,
AclConstants.PROTO_ARP_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
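Review bot: The debug statement added before the `flowName` assignment has an operator-precedence bug: `+` binds tighter than `?:`, so when `addOrRemove == NwConstants.DEL_FLOW` the format string is just `"Deleting "` and SLF4J silently drops `dpId` and `lportTag` because there are no placeholders — the removal of an egress ARP flow, the event most worth identifying, is the one logged without its switch and port. Make the verb a placeholder instead of concatenating: `LOG.debug("{} ARP Rule on DPID {}, lportTag {}", addOrRemove == NwConstants.DEL_FLOW ? "Deleting" : "Adding", dpId, lportTag);`. The signature of `programArpRule` and the remainder of the `syncFlow` call lie outside the hunk.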
if (vpnId != null) {
instructions.add(MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getVpnIdMetadata(vpnId),
MetaDataUtil.METADATA_MASK_VRFID, ++instructionKey));
+ LOG.debug("Binding ACL service for interface {} with vpnId {}", interfaceName, vpnId);
} else {
Long elanTag = aclInterface.getElanId();
instructions.add(
MDSALUtil.buildAndGetWriteMetadaInstruction(MetaDataUtil.getElanTagMetadata(elanTag),
MetaDataUtil.METADATA_MASK_SERVICE, ++instructionKey));
+ LOG.debug("Binding ACL service for interface {} with ElanTag {}", interfaceName, elanTag);
}
instructions.add(
MDSALUtil.buildAndGetGotoTableInstruction(NwConstants.EGRESS_ACL_TABLE, ++instructionKey));
ServiceModeEgress.class);
DataStoreJobCoordinator dataStoreCoordinator = DataStoreJobCoordinator.getInstance();
+ LOG.debug("UnBinding ACL service for interface {}", interfaceName);
dataStoreCoordinator.enqueueJob(interfaceName,
() -> {
WriteTransaction writeTxn = dataBroker.newWriteOnlyTransaction();
@Override
protected boolean programAclRules(AclInterface port, List<Uuid> aclUuidList,int addOrRemove) {
BigInteger dpId = port.getDpId();
+ LOG.debug("Applying custom rules on DpId {}, lportTag {}", dpId, port.getLPortTag());
if (aclUuidList == null || dpId == null) {
LOG.warn("one of the ingress acl parameters can not be null. sg {}, dpId {}",
aclUuidList, dpId);
List<MatchInfoBase> matches = new ArrayList<>();
matches.add(MatchEthernetType.ARP);
matches.add(buildLPortTagMatch(lportTag));
-
List<InstructionInfo> instructions = getDispatcherTableResubmitInstructions(new ArrayList<>());
+ LOG.debug(addOrRemove == NwConstants.DEL_FLOW ? "Deleting " : "Adding " + "ARP Rule on DPID {}, "
+ + "lportTag {}", dpId, lportTag);
String flowName = "Ingress_ARP_" + dpId + "_" + lportTag;
syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName,
AclConstants.PROTO_ARP_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
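Review bot: The debug statement added after `getDispatcherTableResubmitInstructions` has the same precedence problem as its egress twin: the string concatenation is evaluated before the ternary, so in the DEL_FLOW case the message collapses to `"Deleting "` and the `dpId`/`lportTag` arguments are discarded for lack of placeholders. Use `LOG.debug("{} ARP Rule on DPID {}, lportTag {}", addOrRemove == NwConstants.DEL_FLOW ? "Deleting" : "Adding", dpId, lportTag);`. Note also that this line says `DPID` while every other new message in the change writes `DpId`. The enclosing method starts and ends outside the hunk.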
import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
/**
* Provides the stateful implementation for egress (w.r.t VM) ACL service.
*
* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
* and vice versa.
*/
+
public class StatefulEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
private static final Logger LOG = LoggerFactory.getLogger(StatefulEgressAclServiceImpl.class);
// For flows related remote ACL, unique flow priority is used for
// each flow to avoid overlapping flows
int priority = getEgressSpecificAclFlowPriority(dpId, addOrRemove, flowName, packetHandling);
-
syncFlow(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE, flowName, priority, "ACL", 0, 0,
AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
return flowName;
programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
"Recirc", portId, write);
programEgressConntrackDropRules(dpid, lportTag, write);
- LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");
+ LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are {} on DpId {}"
+ + "lportTag {}.", write == NwConstants.ADD_FLOW ? "added" : "removed", dpid, lportTag);
}
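Review bot: The concatenated format string in the rewritten info line has no separator between `DpId {}` and `lportTag {}`, so the rendered message reads `... on DpId 1234lportTag 7.` and the two identifiers merge into one token; anyone grepping or parsing the log for a DpId will pick up the wrong number. Change the tail to `"... default connection tracking rule are {} on DpId {}, lportTag {}."`. The method starts outside the hunk.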
/**
* @param addOrRemove whether to add or remove the flow
*/
private void programEgressConntrackDropRules(BigInteger dpId, int lportTag, int addOrRemove) {
+ LOG.debug("Applying Egress ConnTrack Drop Rules on DpId {}, lportTag {}", dpId, lportTag);
programConntrackDropRule(dpId, lportTag, AclConstants.CT_STATE_TRACKED_NEW_DROP_PRIORITY, "Tracked_New",
AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, addOrRemove);
programConntrackDropRule(dpId, lportTag, AclConstants.CT_STATE_TRACKED_INVALID_PRIORITY, "Tracked_Invalid",
programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
"Recirc",portId, write);
programIngressConntrackDropRules(dpid, lportTag, write);
- LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are added.");
+ LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are {} on DpId {}"
+ + "lportTag {}.", write == NwConstants.ADD_FLOW ? "added" : "removed", dpid, lportTag);
}
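Review bot: The rewritten info line names `programEgressAclFixedConntrackRule`, but this is the ingress method — the removed line correctly said `programIngressAclFixedConntrackRule` — so the two methods now emit identical text and a log reader cannot tell which direction's conntrack rules were added or removed on a port. It also repeats the missing separator before `lportTag {}`. Proposed: `LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are {} on DpId {}, lportTag {}.", write == NwConstants.ADD_FLOW ? "added" : "removed", dpid, lportTag);`. The method starts outside the hunk.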
/**
* @param addOrRemove whether to add or remove the flow
*/
private void programIngressConntrackDropRules(BigInteger dpId, int lportTag, int addOrRemove) {
+ LOG.debug("Applying Egress ConnTrack Drop Rules on DpId {}, lportTag {}", dpId, lportTag);
programConntrackDropRule(dpId, lportTag, AclConstants.CT_STATE_TRACKED_NEW_DROP_PRIORITY, "Tracked_New",
AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK, addOrRemove);
programConntrackDropRule(dpId, lportTag, AclConstants.CT_STATE_TRACKED_INVALID_PRIORITY, "Tracked_Invalid",
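Review bot: The new debug line at the top of `programIngressConntrackDropRules` says `Applying Egress ConnTrack Drop Rules`, a copy of the egress method's message; with both methods printing the same text the log no longer records which direction's drop rules were programmed for a given DpId/lportTag. Change it to `LOG.debug("Applying Ingress ConnTrack Drop Rules on DpId {}, lportTag {}", dpId, lportTag);`. The method body runs past the end of the hunk.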