Added isPortSecurityEnabled check to enable/disable SG. 49/38049/1
authorAswin Suryanarayanan <aswinsuryan@gmail.com>
Mon, 25 Apr 2016 16:37:11 +0000 (22:07 +0530)
committerAswin Suryanarayanan <aswinsuryan@gmail.com>
Mon, 25 Apr 2016 16:44:39 +0000 (22:14 +0530)
The fixed and custom security group rules are added only if port security is
enabled on the port (isPortSecurityEnabled). This applies to add/remove/update of
security groups / security rules.

Cherry picked from ovsdb repo

Signed-off-by: Aswin Suryanarayanan <aswinsuryan@gmail.com>
13 files changed:
openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/OF13Provider.java
openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java
openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclServiceTest.java
openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclServiceTest.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/PortSecurityHandler.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/EgressAclProvider.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/IngressAclProvider.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/NeutronPort.java
openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/crud/impl/NeutronPortInterface.java

index 85be27b31af2762b3284f9c651e29d33f055b335..356be18770cd1bd0f53506b459b23d2fd67ff1ca 100644 (file)
@@ -1000,49 +1000,43 @@ public class OF13Provider implements ConfigInterface, NetworkingProvider {
     }
 
     private void programLocalSecurityGroupRules(String attachedMac, Node node, OvsdbTerminationPointAugmentation intf,
-                                 Long dpid,long localPort, String segmentationId,
-                                 boolean write) {
+                                                Long dpid,long localPort, String segmentationId,
+                                                boolean write) {
 
         LOG.debug("programLocalRules: Program fixed security group rules for interface {}", intf.getName());
+        boolean isPortSecurityEnabled = securityServicesManager.isPortSecurityEnabled(intf);
+        if (!isPortSecurityEnabled) {
+            LOG.info("Port security is not enabled" + intf);
+            return;
+        }
         NeutronPort dhcpPort = securityServicesManager.getDhcpServerPort(intf);
-        boolean isComputePort = false;
-        boolean isLastPortinBridge = false;
-        boolean isLastPortinSubnet = false;
         List<Neutron_IPs> srcAddressList = null;
         if (null != dhcpPort) {
-            isComputePort = securityServicesManager.isComputePort(intf);
-            isLastPortinBridge = securityServicesManager.isLastPortinBridge(node, intf);
-            isLastPortinSubnet = false;
-            if (isComputePort) {
-                isLastPortinSubnet = securityServicesManager.isLastPortinSubnet(node, intf);
-                srcAddressList = securityServicesManager.getIpAddressList(intf);
-                if (null == srcAddressList) {
-                    LOG.warn("programLocalRules: No Ip address assigned {}", intf);
-                    return;
-                }
+            srcAddressList = securityServicesManager.getIpAddressList(intf);
+            if (null == srcAddressList) {
+                LOG.warn("programLocalRules: No Ip address assigned {}", intf);
+                return;
             }
             ingressAclProvider.programFixedSecurityGroup(dpid, segmentationId, dhcpPort.getMacAddress(), localPort,
-                                                       isLastPortinSubnet, isComputePort, attachedMac, write);
+                                                         attachedMac, write);
             egressAclProvider.programFixedSecurityGroup(dpid, segmentationId, attachedMac, localPort,
-                                                      srcAddressList, isLastPortinBridge, isComputePort,write);
+                                                        srcAddressList, write);
             /* If the network type is tunnel based (VXLAN/GRRE/etc) with Neutron Port Security ACLs */
             /* TODO SB_MIGRATION */
 
             LOG.debug("Neutron port has a Port Security Group");
             // Retrieve the security group from the Neutron Port and apply the rules
-            if (securityServicesManager.isPortSecurityReady(intf)) {
-                //Associate the security group flows.
-                List<NeutronSecurityGroup> securityGroupListInPort = securityServicesManager
-                        .getSecurityGroupInPortList(intf);
-                String neutronPortId = southbound.getInterfaceExternalIdsValue(intf,
-                                                                               Constants.EXTERNAL_ID_INTERFACE_ID);
-                for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) {
-                    ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
-                                                              securityGroupInPort, neutronPortId, write);
-                    egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
-                                                             securityGroupInPort, neutronPortId, write);
-                }
+            List<NeutronSecurityGroup> securityGroupListInPort = securityServicesManager
+                    .getSecurityGroupInPortList(intf);
+            String neutronPortId = southbound.getInterfaceExternalIdsValue(intf,
+                                                                           Constants.EXTERNAL_ID_INTERFACE_ID);
+            for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) {
+                ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+                                                            securityGroupInPort, neutronPortId, write);
+                egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort,
+                                                           securityGroupInPort, neutronPortId, write);
             }
+
         } else {
             LOG.warn("programLocalRules: No DCHP port seen in  network of {}", intf);
         }
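Review bot: The early return behind the new `isPortSecurityEnabled` check (L40-L43) fires for write=true and write=false alike, so if a port's fixed and security-group flows were programmed while port security was enabled and the flag is later cleared, a subsequent removal call returns before deleting them and the flows stay on the switch; the port-update path that might handle that toggle is not in this hunk, so this may be covered elsewhere, but it deserves either a comment or an explicit check here. The same check also replaces the `isComputePort` gating that used to keep the ARP/DHCP-drop/IP-MAC rules off non-compute ports; if this method is still reached for DHCP or router ports, those now receive the drop rules too (the EgressAclService and IngressAclService `programFixedSecurityGroup` hunks dropped the gate on their side as well). The new log line concatenates the object into the message; `LOG.info("Port security is not enabled for {}", intf);` keeps it parameterized. With the `isPortSecurityReady` guard gone, a null from `getSecurityGroupInPortList(intf)` would make the loop at L92 throw NPE, if null is a possible return. programLocalSecurityGroupRules ends outside the hunk.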
index 47fdc7029db4e62054078920927d4edae899b6b5..e7ac0c244e0c0ba4b4719d77c0c8f0185a0b7469 100644 (file)
@@ -230,41 +230,39 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
 
     @Override
     public void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac,
-                                        long localPort, List<Neutron_IPs> srcAddressList,
-                                        boolean isLastPortinBridge, boolean isComputePort ,boolean write) {
-        // If it is the only port in the bridge add the rule to allow any DHCP client traffic
-        //if (isLastPortinBridge) {
-        egressAclDhcpAllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
-        egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
-        // }
-        if (isComputePort) {
-            programArpRule(dpid, segmentationId, localPort, attachedMac, write);
-            if (securityServicesManager.isConntrackEnabled()) {
-                programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write);
-            }
-            // add rule to drop the DHCP server traffic originating from the vm.
-            egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
-                                                 Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
-            egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
-                                                   Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
-            //Adds rule to check legitimate ip/mac pair for each packet from the vm
-            for (Neutron_IPs srcAddress : srcAddressList) {
-                try {
-                    InetAddress address = InetAddress.getByName(srcAddress.getIpAddress());
-                    if (address instanceof Inet4Address) {
-                        String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
-                        egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
-                                                             Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
-                    } else if (address instanceof Inet6Address) {
-                        String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK;
-                        egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix,
-                                                               Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
-                    }
-                } catch (UnknownHostException e) {
-                    LOG.warn("Invalid IP address {}", srcAddress.getIpAddress(), e);
+                                          long localPort, List<Neutron_IPs> srcAddressList, boolean write) {
+
+        egressAclDhcpAllowClientTrafficFromVm(dpid, write, localPort,
+                                              Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
+        egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, localPort,
+                                                Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY);
+        programArpRule(dpid, segmentationId, localPort, attachedMac, write);
+        if (securityServicesManager.isConntrackEnabled()) {
+            programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write);
+        }
+        // add rule to drop the DHCP server traffic originating from the vm.
+        egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write,
+                                             Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
+        egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write,
+                                               Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP);
+        //Adds rule to check legitimate ip/mac pair for each packet from the vm
+        for (Neutron_IPs srcAddress : srcAddressList) {
+            try {
+                InetAddress address = InetAddress.getByName(srcAddress.getIpAddress());
+                if (address instanceof Inet4Address) {
+                    String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK;
+                    egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix,
+                                                         Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
+                } else if (address instanceof Inet6Address) {
+                    String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK;
+                    egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix,
+                                                           Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write);
                 }
+            } catch (UnknownHostException e) {
+                LOG.warn("Invalid IP address {}", srcAddress.getIpAddress(), e);
             }
         }
+
     }
 
     private void programArpRule(Long dpid, String segmentationId, long localPort, String attachedMac, boolean write) {
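Review bot: programFixedSecurityGroup now iterates `srcAddressList` at L155 with no guard of its own; the only null check is in the OF13Provider caller, so an `Objects.requireNonNull(srcAddressList, "srcAddressList");` at the top of the method (or treating null as an empty list) would state the contract instead of leaving an NPE for any other caller. The `UnknownHostException` branch logs and continues, which means no IP/MAC allow rule is installed for an unparseable address; that looks like the safe direction, but a comment such as `// no allow rule for an unparseable address; confirm the table default drops that traffic` would make the intent explicit. Minor style: the empty lines at L140 and L171 separate nothing, and `,write)` at L161 and L165 is missing a space.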
@@ -683,16 +681,18 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
      *
      * @param dpidLong the dpid
      * @param write whether to write or delete the flow
+     * @param localPort the local port.
      * @param priority the priority
      */
     private void egressAclDhcpAllowClientTrafficFromVm(Long dpidLong,
-                                                       boolean write, Integer priority) {
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+                                                       boolean write, long localPort, Integer priority) {
         String flowName = "Egress_DHCP_Client"  + "_Permit_";
         MatchBuilder matchBuilder = new MatchBuilder();
+        MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
         MatchUtils.createDhcpMatch(matchBuilder, DHCP_DESTINATION_PORT, DHCP_SOURCE_PORT);
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
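Review bot: The match now includes the in-port (L188), but `flowName` at L186 is still the constant `"Egress_DHCP_Client" + "_Permit_"`, so every port on the same node produces a flow with the same id; if syncFlow keys on that id, the second port's flow replaces the first's in the datastore and a write=false for one port removes the DHCP client permit for every port on that switch. Qualify the id with the port, e.g. `String flowName = "Egress_DHCP_Client" + "_Permit_" + localPort;`. egressAclDhcpv6AllowClientTrafficFromVm in the next hunk has the same constant-id problem.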
@@ -701,16 +701,18 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
      *
      * @param dpidLong the dpid
      * @param write whether to write or delete the flow
+     * @param localPort the local port
      * @param priority the priority
      */
     private void egressAclDhcpv6AllowClientTrafficFromVm(Long dpidLong,
-                                                         boolean write, Integer priority) {
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
+                                                         boolean write, long localPort, Integer priority) {
         String flowName = "Egress_DHCPv6_Client"  + "_Permit_";
         MatchBuilder matchBuilder = new MatchBuilder();
+        MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort);
         MatchUtils.createDhcpv6Match(matchBuilder, DHCPV6_DESTINATION_PORT, DHCPV6_SOURCE_PORT);
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
index d0d3cf03ef6817c4a79e1c649fd28b6056715a94..ce9155ca9c81fd84d924bf80530df187b0115df8 100644 (file)
@@ -215,21 +215,17 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
 
     @Override
     public void programFixedSecurityGroup(Long dpid, String segmentationId, String dhcpMacAddress,
-                                        long localPort, boolean isLastPortinSubnet,
-                                        boolean isComputePort, String attachMac, boolean write) {
-        //If this port is the only port in the compute node add the DHCP server rule.
-        if (isLastPortinSubnet && isComputePort ) {
-            ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress,
-                                             write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
-            ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress,
-                                               write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
-        }
-        if (isComputePort) {
-            if (securityServicesManager.isConntrackEnabled()) {
-                programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write);
-            }
-            programArpRule(dpid, segmentationId, localPort, attachMac, write);
+                                        long localPort, String attachMac, boolean write) {
+
+        ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac,
+                                         write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+        ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac,
+                                           write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);
+
+        if (securityServicesManager.isConntrackEnabled()) {
+            programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write);
         }
+        programArpRule(dpid, segmentationId, localPort, attachMac, write);
     }
 
     private void programArpRule(Long dpid, String segmentationId, long localPort, String attachMac, boolean write) {
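Review bot: Argument spacing in the new calls at L238-L241 is uneven (`segmentationId,dhcpMacAddress, attachMac,` and `write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY`), and the empty lines at L237 and L242 separate nothing; `ingressAclDhcpAllowServerTraffic(dpid, segmentationId, dhcpMacAddress, attachMac, write, Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY);` reads more consistently with the rest of the file. A one-line comment above L238 saying why the DHCP server permit is now installed per port rather than once per subnet (the old `isLastPortinSubnet` gate) would also help the next reader.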
@@ -654,18 +650,21 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
      * @param dpidLong the dpid
      * @param segmentationId the segmentation id
      * @param dhcpMacAddress the DHCP server mac address
+     * @param attachMac the mac address of  the port
      * @param write is write or delete
      * @param protoPortMatchPriority the priority
      */
     private void ingressAclDhcpAllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
-                                                  boolean write, Integer protoPortMatchPriority) {
+                                                  String attachMac, boolean write, Integer protoPortMatchPriority) {
 
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         MatchBuilder matchBuilder = new MatchBuilder();
-        MatchUtils.createDhcpServerMatch(matchBuilder, dhcpMacAddress, 67, 68).build();
+        matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac,
+                                                             MatchUtils.ETHERTYPE_IPV4);
+        MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 67, 68);
         String flowId = "Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
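Review bot: The match at L265-L267 is now per-port (it includes `attachMac`), but `flowId` at L268 is still `"Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_"`, which is identical for every port in the same segment on the node; if syncFlow keys on that id, each new port's flow replaces the previous one and removing one port (write=false) deletes the DHCP server permit for all remaining VMs in that subnet on the switch, breaking their DHCP renewals. Append the port mac, e.g. `String flowId = "Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_" + attachMac + "_Permit_";`. ingressAclDhcpv6AllowServerTraffic in the next hunk has the same flow-id collision. The argument order of `createV4EtherMatchWithType(matchBuilder, dhcpMacAddress, attachMac, ...)` presumably is (src, dst); worth confirming since the helper is not part of this change.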
@@ -675,18 +674,21 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
      * @param dpidLong the dpid
      * @param segmentationId the segmentation id
      * @param dhcpMacAddress the DHCP server mac address
+     * @param attachMac the mac address of  the port
      * @param write is write or delete
      * @param protoPortMatchPriority the priority
      */
     private void ingressAclDhcpv6AllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress,
-                                                    boolean write, Integer protoPortMatchPriority) {
+                                                    String attachMac, boolean write, Integer protoPortMatchPriority) {
 
-        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         MatchBuilder matchBuilder = new MatchBuilder();
-        MatchUtils.createDhcpv6ServerMatch(matchBuilder, dhcpMacAddress, 547, 546).build();
+        matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac,
+                                                             MatchUtils.ETHERTYPE_IPV6);
+        MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 547, 546);
         String flowId = "Ingress_DHCPv6_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_";
         FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable());
         addPipelineInstruction(flowBuilder, null, false);
+        NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
         syncFlow(flowBuilder ,nodeBuilder, write);
     }
 
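Review bot: L290 calls `MatchUtils.createV4EtherMatchWithType` with `MatchUtils.ETHERTYPE_IPV6` on the DHCPv6 server flow; the helper is not in this change, so the "V4" in its name may simply be historical, but as written a reader will assume an IPv4 match is being set here. Either rename the helper in MatchUtils or add a comment above L290 explaining why a "V4"-named helper is the right call for the IPv6 ethertype.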
index 48f6717168288aeb861b21f21608005c20341cab..3bbd1d84e21079032020b1c0442203a5963b4c92 100644 (file)
@@ -48,6 +48,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv6Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.TcpMatch;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.UdpMatch;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.ovsdb.rev150105.OvsdbTerminationPointAugmentation;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.api.support.membermodification.MemberModifier;
@@ -1504,40 +1505,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
-
-        verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).checkedGet();
-    }
-    /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
-
-        verify(writeTransaction, times(2)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).get();
-    }
-
-    /**
-     *  Test With isConntrackEnabled false isComputeNode true
+      *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLAdd2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true);
 
         verify(writeTransaction, times(9)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
         verify(writeTransaction, times(9)).submit();
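Review bot: The surviving tests keep the `Add2`/`Remove2`/`Add4`/`Remove4` suffixes that only distinguished them from the deleted `1`/`3` variants, so the numbering no longer means anything; renaming them after what they vary (e.g. `testProgramFixedSecurityACLAddConntrackDisabled`) would make the intent clear. The javadoc at L341 has one extra leading space (`      *  Test With`) that misaligns the comment block. Nothing in this change exercises the new `isPortSecurityEnabled` early returns in OF13Provider.programLocalSecurityGroupRules and PortSecurityHandler.syncSecurityGroup, which are the behavioural change the commit describes; a test with `isPortSecurityEnabled` stubbed to false verifying that no flow is put would pin that. The same naming point applies to the remaining EgressAclServiceTest hunks and to the IngressAclServiceTest hunk.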
@@ -1545,13 +1519,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled false isComputeNode true
+     *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLRemove2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false);
 
         verify(writeTransaction, times(9)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
         verify(writeTransaction, times(9)).submit();
@@ -1559,41 +1533,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true);
-
-        verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).checkedGet();
-    }
-
-    /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false);
-
-        verify(writeTransaction, times(2)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(2)).submit();
-        verify(commitFuture, times(2)).get();
-    }
-
-    /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLAdd4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true);
 
         verify(writeTransaction, times(14)).put(any(LogicalDatastoreType.class),
                                                any(InstanceIdentifier.class), any(Node.class), eq(true));
@@ -1602,13 +1548,13 @@ public class EgressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLRemove4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false);
+        egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false);
 
         verify(writeTransaction, times(14)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
         verify(writeTransaction, times(14)).submit();
index 5d2e75d7d04b035efb59fbdb90977b7e8add0ee3..e5d3b061d1eda5d49224cd350ffd9a6fa922f62b 100644 (file)
@@ -1536,108 +1536,56 @@ public class IngressAclServiceTest {
     }
 
     /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
-
-        verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled false isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove1() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(false);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
-
-        verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled false isComputeNode false
+     *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLAdd2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, true);
 
-        verify(writeTransaction, times(1)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(1)).submit();
-        verify(commitFuture, times(1)).checkedGet();
+        verify(writeTransaction, times(3)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+        verify(writeTransaction, times(3)).submit();
+        verify(commitFuture, times(3)).checkedGet();
     }
     /**
-     *  Test With isConntrackEnabled false isComputeNode false
+     *  Test With isConntrackEnabled false
      */
     @Test
     public void testProgramFixedSecurityACLRemove2() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(false);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, false);
 
-        verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(1)).submit();
-        verify(commitFuture, times(1)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLAdd3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true);
-
-        verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
-    }
-    /**
-     *  Test With isConntrackEnabled true isComputeNode false
-     */
-    @Test
-    public void testProgramFixedSecurityACLRemove3() throws Exception {
-        when(securityServices.isConntrackEnabled()).thenReturn(true);
-
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false);
-
-        verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(0)).submit();
-        verify(commitFuture, times(0)).get();
+        verify(writeTransaction, times(3)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+        verify(writeTransaction, times(3)).submit();
+        verify(commitFuture, times(3)).get();
     }
     /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLAdd4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, true);
 
-        verify(writeTransaction, times(6)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
-        verify(writeTransaction, times(6)).submit();
-        verify(commitFuture, times(6)).checkedGet();
+        verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true));
+        verify(writeTransaction, times(8)).submit();
+        verify(commitFuture, times(8)).checkedGet();
     }
     /**
-     *  Test With isConntrackEnabled true isComputeNode true
+     *  Test With isConntrackEnabled true
      */
     @Test
     public void testProgramFixedSecurityACLRemove4() throws Exception {
         when(securityServices.isConntrackEnabled()).thenReturn(true);
 
-        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false);
+        ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, false);
 
-        verify(writeTransaction, times(6)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
-        verify(writeTransaction, times(6)).submit();
-        verify(commitFuture, times(6)).get();
+        verify(writeTransaction, times(8)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class));
+        verify(writeTransaction, times(8)).submit();
+        verify(commitFuture, times(8)).get();
     }
 
 }
index 0d3d8b370a8ecf78b68c34e474c184c0443cc5d8..78e1c4276b1e78c34a5e9e17ff500fcbc54a2852 100644 (file)
@@ -154,7 +154,10 @@ public class PortSecurityHandler extends AbstractHandler
 
     private void syncSecurityGroup(NeutronSecurityRule  securityRule,NeutronPort port,
                                    boolean write) {
-
+        if (!port.getPortSecurityEnabled()) {
+            LOG.info("Port security not enabled port", port);
+            return;
+        }
         if (null != securityRule.getSecurityRemoteGroupID()) {
             List<Neutron_IPs> vmIpList  = securityServicesManager
                     .getVmListForSecurityGroup(port.getID(), securityRule.getSecurityRemoteGroupID());
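Review bot: The new guard in syncSecurityGroup returns before the rule is synced regardless of `write`, so a rule removal for a port whose port_security_enabled has just been switched off is skipped as well, and any flows installed while it was enabled would presumably stay in place. The NeutronL3Adapter hunk has the same shape: it skips processSecurityGroupUpdate when the updated port has port security disabled without consulting getOriginalPort(), so the enabled-to-disabled transition never drives cleanup. Consider letting the delete path (write == false) through, or keying the check on the original port's flag for removals. Separately, `LOG.info("Port security not enabled port", port);` has no `{}` placeholder, so if LOG is a parameterized (SLF4J-style) logger the port argument is silently dropped; `LOG.info("Port security not enabled for port {}", port);` fixes that. syncSecurityGroup's body continues past the hunk.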
@@ -169,17 +172,17 @@ public class PortSecurityHandler extends AbstractHandler
     private List<NeutronPort> getPortWithSecurityGroup(String securityGroupUuid) {
 
         List<NeutronPort> neutronPortList = neutronPortCache.getAllPorts();
-        List<NeutronPort> neutronPortInSG = new ArrayList<NeutronPort>();
+        List<NeutronPort> neutronPortInSg = new ArrayList<NeutronPort>();
         for (NeutronPort neutronPort:neutronPortList) {
             List<NeutronSecurityGroup> securityGroupList = neutronPort.getSecurityGroups();
             for (NeutronSecurityGroup neutronSecurityGroup:securityGroupList) {
                 if (neutronSecurityGroup.getID().equals(securityGroupUuid)) {
-                    neutronPortInSG.add(neutronPort);
+                    neutronPortInSg.add(neutronPort);
                     break;
                 }
             }
         }
-        return neutronPortInSG;
+        return neutronPortInSg;
     }
 
     @Override
index d82f30aa90316eec29abf13f770368737c64a3c9..1f049b0838f4a526f79fae201576ebf9a7fe87a4 100644 (file)
@@ -55,11 +55,8 @@ public interface EgressAclProvider {
      * @param attachedMac the attached mac
      * @param localPort the local port
      * @param srcAddressList the list of source ip address assigned to vm
-     * @param isLastPortinBridge is this the last port in the bridge
-     * @param isComputePort indicates whether this port is a compute port or not
      * @param write is this flow writing or deleting
      */
     void programFixedSecurityGroup(Long dpid, String segmentationId,String attachedMac, long localPort,
-                                  List<Neutron_IPs> srcAddressList, boolean isLastPortinBridge,
-                                  boolean isComputePort, boolean write);
+                                  List<Neutron_IPs> srcAddressList, boolean write);
 }
\ No newline at end of file
index a4005e0c028fcad308ed0694b631e9742b8018ca..b587a245d13634f377673537ad3fe4fd84c47f9d 100644 (file)
@@ -52,11 +52,9 @@ public interface IngressAclProvider {
      * @param segmentationId the segmentation id
      * @param attachedMac the dhcp mac
      * @param localPort the local port
-     * @param isLastPortinSubnet is this the last port in the subnet
-     * @param isComputePort indicates whether this port is a compute port or not
      * @param attachedMac2 the src mac
      * @param write is this flow writing or deleting
      */
     void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort,
-                                  boolean isLastPortinSubnet, boolean isComputePort, String attachedMac2, boolean write);
+                                  String attachedMac2, boolean write);
 }
\ No newline at end of file
index 09d452ccc6f0a22ef18d5661bf6da0614b2838b1..2418792b289e82cfad7d0c0b40f5ff69ba2039f5 100644 (file)
@@ -70,7 +70,7 @@ public interface SecurityServicesManager {
     /**
      * Is this the last port in the subnet to which interface belongs to.
      * @param node The node to which the intf is connected.
-     * @param intf the intf
+     * @param intf the interface
      * @return whether last port in the subnet
      */
     boolean isLastPortinSubnet(Node node, OvsdbTerminationPointAugmentation intf);
@@ -116,4 +116,11 @@ public interface SecurityServicesManager {
      * @return whether connection tracking enabled.
      */
     boolean isConntrackEnabled();
+    /**
+     * Is the port a PortSecurity Enabled.
+     *
+     * @param intf the port
+     * @return  whether it is a compute port or not
+     */
+    boolean isPortSecurityEnabled(OvsdbTerminationPointAugmentation intf);
 }
\ No newline at end of file
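Review bot: The Javadoc on the new isPortSecurityEnabled declaration has a copy-pasted `@return whether it is a compute port or not`, which describes a different method. Replace it with `@return whether port security is enabled for the port` and tighten the summary to `Checks whether port security is enabled for the port.`. It would also help callers to state here how a port that cannot be resolved from the interface is reported, since the SecurityServicesImpl implementation returns false in that case.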
index d9a601338b3e9b7236873d53b27cf6b3b37b3dfc..13b535448aa30f0d9a865d560ef1eb2a5cee68e3 100644 (file)
@@ -428,7 +428,9 @@ public class NeutronL3Adapter extends AbstractHandler implements GatewayMacResol
         if (action == UPDATE) {
             // FIXME: Bug 4971 Move cleanup cache to SG Impl
             this.updatePortInCleanupCache(neutronPort, neutronPort.getOriginalPort());
-            this.processSecurityGroupUpdate(neutronPort);
+            if (neutronPort.getPortSecurityEnabled()) {
+                this.processSecurityGroupUpdate(neutronPort);
+            }
         }
 
         if (!this.enabled) {
index e853b4843ad38bc84589acee4dedc99076c4d978..fc2486aa91e4431923d5a15419f1c6df61fb6358 100644 (file)
@@ -575,6 +575,21 @@ public class SecurityServicesImpl implements ConfigInterface, SecurityServicesMa
         return null;
     }
 
+    @Override
+    public boolean isPortSecurityEnabled(OvsdbTerminationPointAugmentation intf) {
+        NeutronPort neutronPort = getNeutronPortFromCache(intf);
+        if (null == neutronPort) {
+            LOG.error("Neutron Port is null: " + intf);
+            return false;
+        }
+        if (neutronPort.getPortSecurityEnabled()) {
+            LOG.info("Port Security is enabled for Port: " + neutronPort);
+            return true;
+        }
+        LOG.info("Port Security is  not enabled for Port: " + neutronPort);
+        return false;
+    }
+
     @Override
     public void setDependencies(ServiceReference serviceReference) {
         neutronL3Adapter =
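Review bot: The cache-miss branch of isPortSecurityEnabled returns false, which treats an unresolved port as port-security-disabled and sits oddly next to the "enabled by default for backward compatibility" comment the NeutronPort hunk adds; whether that is the intended fail-safe depends on what callers do with false, so it deserves an explicit comment either way. The enabled/not-enabled branches can collapse to `return neutronPort.getPortSecurityEnabled();`, since that getter never returns null. The INFO-level messages fire on every lookup and build their strings by concatenation (`"Neutron Port is null: " + intf`); if LOG is parameterized, `LOG.debug("Port security enabled={} for port {}", enabled, neutronPort)` is quieter and avoids the toString cost when the level is off.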
index 903c388d27419ebeb9ae1e07b912b5e1ba562ced..a7b4a6196fff1c84e751d809cab3db4c580d34fb 100644 (file)
@@ -83,6 +83,11 @@ public class NeutronPort implements Serializable, INeutronObject {
     @XmlElement (name = "extra_dhcp_opts")
     List<NeutronPort_ExtraDHCPOption> extraDHCPOptions;
 
+    //Port security is enabled by default for backward compatibility.
+    @XmlElement (defaultValue = "true", name = "port_security_enabled")
+    Boolean portSecurityEnabled;
+
+
     NeutronPort originalPort;
 
     public NeutronPort() {
@@ -233,6 +238,18 @@ public class NeutronPort implements Serializable, INeutronObject {
         this.bindingvifType = bindingvifType;
     }
 
+    public Boolean getPortSecurityEnabled() {
+        if (portSecurityEnabled == null) {
+            return true;
+        }
+        return portSecurityEnabled;
+    }
+
+    public void setPortSecurityEnabled(Boolean newValue) {
+        portSecurityEnabled = newValue;
+    }
+
+
     public NeutronPort getOriginalPort() {
         return originalPort;
     }
@@ -288,12 +305,16 @@ public class NeutronPort implements Serializable, INeutronObject {
             if ("security_groups".equals(field)) {
                 ans.setSecurityGroups(new ArrayList<>(this.getSecurityGroups()));
             }
+            if ("port_security_enabled".equals(field)) {
+                ans.setPortSecurityEnabled(this.getPortSecurityEnabled());
+            }
         }
         return ans;
     }
 
     public void initDefaults() {
         adminStateUp = true;
+        portSecurityEnabled = true;
         if (status == null) {
             status = "ACTIVE";
         }
@@ -309,6 +330,6 @@ public class NeutronPort implements Serializable, INeutronObject {
                 + ", fixedIPs=" + fixedIPs + ", deviceID=" + deviceID + ", deviceOwner=" + deviceOwner + ", tenantID="
                 + tenantID + ", securityGroups=" + securityGroups
                 + ", bindinghostID=" + bindinghostID + ", bindingvnicType=" + bindingvnicType
-                + ", bindingvnicType=" + bindingvnicType + "]";
+                + ", bindingvnicType=" + bindingvnicType + ", portSecurityEnabled=" + portSecurityEnabled +"]";
     }
 }
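Review bot: The rewritten toString line still prints `bindingvnicType` twice (it already appears on the preceding line), so the new field could replace the duplicate instead of extending it: `+ ", portSecurityEnabled=" + portSecurityEnabled + "]";`. Note that this prints the raw field, which is null when the attribute was never set, whereas the getter reports true; printing `getPortSecurityEnabled()` would match what the rest of the code acts on.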
index 8814fb39736d5b8a47bef747dcc91b7e08425823..e2dbab6d227f76e075592a0d58c1156e3f46981c 100644 (file)
@@ -38,6 +38,8 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.por
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.Ports;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.Port;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.PortBuilder;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtension;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtensionBuilder;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.osgi.framework.BundleContext;
@@ -151,6 +153,13 @@ public class NeutronPortInterface extends AbstractNeutronInterface<Port, Neutron
         result.setBindingvnicType(binding.getVnicType());
     }
 
+    private void portSecurityExtension(Port port, NeutronPort result) {
+        PortSecurityExtension portSecurity = port.getAugmentation(PortSecurityExtension.class);
+        if(portSecurity != null && portSecurity.isPortSecurityEnabled() != null) {
+            result.setPortSecurityEnabled(portSecurity.isPortSecurityEnabled());
+        }
+    }
+
     protected NeutronPort fromMd(Port port) {
         NeutronPort result = new NeutronPort();
         result.setAdminStateUp(port.isAdminStateUp());
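Review bot: portSecurityExtension silently leaves result untouched when the augmentation is absent or its flag is unset, which is the point where the "enabled by default" behaviour is decided for ports read from MD-SAL, but nothing in the helper says so. A one-line comment on the null check, `// no port-security extension or unset flag: keep NeutronPort's default (enabled)`, would make the intent explicit. A short Javadoc stating that the method copies the port_security_enabled flag from the Port's PortSecurityExtension augmentation into the NeutronPort when present would also help the next reader.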
@@ -209,6 +218,7 @@ public class NeutronPortInterface extends AbstractNeutronInterface<Port, Neutron
         }
         result.setPortUUID(String.valueOf(port.getUuid().getValue()));
         addExtensions(port, result);
+        portSecurityExtension(port, result);
         return result;
     }
 
@@ -239,9 +249,14 @@ public class NeutronPortInterface extends AbstractNeutronInterface<Port, Neutron
             bindingBuilder.setVnicType(neutronPort.getBindingvnicType());
         }
 
+        PortSecurityExtensionBuilder portSecurityBuilder = new PortSecurityExtensionBuilder();
+        if (neutronPort.getPortSecurityEnabled() != null) {
+            portSecurityBuilder.setPortSecurityEnabled(neutronPort.getPortSecurityEnabled());
+        }
         PortBuilder portBuilder = new PortBuilder();
         portBuilder.addAugmentation(PortBindingExtension.class,
                                     bindingBuilder.build());
+        portBuilder.addAugmentation(PortSecurityExtension.class, portSecurityBuilder.build());
         portBuilder.setAdminStateUp(neutronPort.isAdminStateUp());
         if(neutronPort.getAllowedAddressPairs() != null) {
             List<AllowedAddressPairs> listAllowedAddressPairs = new ArrayList<>();