From: Slava
Date: Mon, 22 Aug 2016 11:58:30 +0000 (+0300)
Subject: Refactor aclservice to for all the acl types to inherit the same abstract class
X-Git-Tag: release/boron~48^2
X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=commitdiff_plain;h=570613c5dee7b4dfba8a334869c595205007a993;p=netvirt.git
Refactor aclservice to for all the acl types to inherit the same abstract class
Depends on: https://git.opendaylight.org/gerrit/#/c/44453
Change-Id: I7bb81dc1249a4fcf2684bad879198be00aff0be4
Signed-off-by: Slava
---
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/EgressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractEgressAclServiceImpl.java
similarity index 74%
rename from vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/EgressAclServiceImpl.java
rename to vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractEgressAclServiceImpl.java
index 574ef22ac5..fade9b3e04 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/EgressAclServiceImpl.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractEgressAclServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
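Review bot: The copyright hunk replaces the Red Hat holder line with HPE on a file that git records as a 74% rename of EgressAclServiceImpl.java, so the retained code silently loses its prior attribution; the usual practice when another organisation contributes to an existing file is to add a holder line, not swap one. Keep `* Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.` and add `* Copyright (c) 2016 HPE, Inc. and others. All rights reserved.` directly below it. The same replacement is made in this commit on the ingress abstract class (a 65% rename) and on both Learn*AclServiceImpl files, which are modified in place rather than renamed, so the point applies there too.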
@@ -11,19 +11,17 @@ import java.math.BigInteger;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+
 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
 import org.opendaylight.genius.mdsalutil.ActionInfo;
 import org.opendaylight.genius.mdsalutil.ActionType;
 import org.opendaylight.genius.mdsalutil.InstructionInfo;
-import org.opendaylight.genius.mdsalutil.InstructionType;
 import org.opendaylight.genius.mdsalutil.MDSALUtil;
 import org.opendaylight.genius.mdsalutil.MatchFieldType;
 import org.opendaylight.genius.mdsalutil.MatchInfo;
 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
 import org.opendaylight.genius.mdsalutil.NwConstants;
-import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
-import org.opendaylight.genius.mdsalutil.NxMatchInfo;
 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
 import org.opendaylight.genius.utils.ServiceIndex;
 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
@@ -41,7 +39,6 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instru
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
@@ -49,15 +46,15 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
- * Provides the stateful implementation for egress (w.r.t VM) ACL service.
+ * Provides abstract implementation for egress (w.r.t VM) ACL service.
 *
 *

* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
 * and vice versa.
 */
-public class EgressAclServiceImpl extends AbstractAclServiceImpl {
+public abstract class AbstractEgressAclServiceImpl extends AbstractAclServiceImpl {
- private static final Logger LOG = LoggerFactory.getLogger(EgressAclServiceImpl.class);
+ private static final Logger LOG = LoggerFactory.getLogger(AbstractEgressAclServiceImpl.class);
 /**
 * Initialize the member variables.
@@ -65,7 +62,7 @@ public class EgressAclServiceImpl extends AbstractAclServiceImpl {
 * @param dataBroker the data broker instance.
 * @param mdsalManager the mdsal manager instance.
 */
- public EgressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ public AbstractEgressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
 // Service mode is w.rt. switch
 super(ServiceModeIngress.class, dataBroker, mdsalManager);
 }
@@ -105,21 +102,6 @@ public class EgressAclServiceImpl extends AbstractAclServiceImpl {
 MDSALUtil.syncDelete(dataBroker, LogicalDatastoreType.CONFIGURATION, path);
 }
- /**
- * Program conntrack rules.
- *
- * @param dpid the dpid
- * @param dhcpMacAddress the dhcp mac address.
- * @param allowedAddresses the allowed addresses
- * @param lportTag the lport tag
- * @param addOrRemove addorRemove
- */
- @Override
- protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
- List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
- programEgressAclFixedConntrackRule(dpid, allowedAddresses, lportTag, portId, action, addOrRemove);
- }
 @Override
 protected void programGeneralFixedRules(BigInteger dpid, String dhcpMacAddress,
 List allowedAddresses, int lportTag, Action action, int addOrRemove) {
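Review bot: The new class Javadoc `* Provides abstract implementation for egress (w.r.t VM) ACL service.` does not tell an implementer what is left for a subclass: the `programSpecificFixedRules` override is deleted from this file in the third hunk, so that obligation now comes from AbstractAclServiceImpl with no mention here, and the removed body shows it was where the stateful conntrack rules were installed. Suggest extending the Javadoc with a sentence stating that subclasses supply the mode-specific fixed rules (programSpecificFixedRules) and the per-ACE flow installation, while this class keeps the egress table bindings and the general fixed rules (programGeneralFixedRules). The Javadoc block it would extend starts in this hunk but the class body runs well past it.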
@@ -180,23 +162,13 @@ public class EgressAclServiceImpl extends AbstractAclServiceImpl {
 }
 //The flow map contains list of flows if port range is selected.
 for ( String flowName : flowMap.keySet()) {
- List flows = flowMap.get(flowName);
- flowName += "Egress" + lportTag + ace.getKey().getRuleName();
- flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
- new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
-
- Long elanId = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- List actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"1", "0", elanId.toString(), "255"}, 2));
- List instructions = getDispatcherTableResubmitInstructions(actionsInfos);
-
- syncFlow(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
- "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ flowName = syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);
 }
 }
+ protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
+ String portId, Map> flowMap, String flowName);
+
 /**
 * Anti-spoofing rule to block the Ipv4 DHCP server traffic from the port.
 *
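Review bot: In the new loop body `flowName = syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);` the result is written into the for-each variable and thrown away at the next iteration, and both implementations visible in this commit (the Learn egress and ingress classes) return the `flowName` they were handed, so the String return type carries nothing. Declare the hook as `protected abstract void syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, Map<String, List<MatchInfoBase>> flowMap, String flowName);` and call it as a plain statement; iterating `flowMap.entrySet()` and passing the match list directly would also spare each implementation the `flowMap.get(flowName)` lookup. The abstract method also has no Javadoc: it should say that `flowName` is a key of `flowMap`, that the implementation appends its port-specific matches and actions to that list, and that it installs or removes the resulting flow according to `addOrRemove`. The generic type arguments look stripped by the page rendering (`Map> flowMap`), so the declaration above assumes the file's `Map<String, List<MatchInfoBase>>`; the enclosing `programAceRule` starts outside the hunk.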
@@ -321,47 +293,6 @@ public class EgressAclServiceImpl extends AbstractAclServiceImpl {
 "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 }
- /**
- * Adds the rule to send the packet to the netfilter to check whether it is
- * a known packet.
- *
- * @param dpId the dpId
- * @param allowedAddresses the allowed addresses
- * @param priority the priority of the flow
- * @param flowId the flowId
- * @param conntrackState the conntrack state of the packets thats should be
- * send
- * @param conntrackMask the conntrack mask
- * @param portId the portId
- * @param addOrRemove whether to add or remove the flow
- */
- private void programConntrackRecircRules(BigInteger dpId, List allowedAddresses,
- Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
- for (AllowedAddressPairs allowedAddress : allowedAddresses) {
- IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
- String attachMac = allowedAddress.getMacAddress().getValue();
-
- List matches = new ArrayList<>();
- matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
- matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
- matches.add(new MatchInfo(MatchFieldType.eth_src, new String[] {attachMac}));
- matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_source));
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- List instructions = new ArrayList<>();
- List actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"0", "0", elanTag.toString(), Short.toString(
- NwConstants.INGRESS_ACL_FILTER_TABLE)}, 2));
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
-
- String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
- + String.valueOf(attachIp.getValue()) + "_" + flowId;
- syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
- }
- }
 /**
 * Adds the rule to allow arp packets.
 *
@@ -387,21 +318,4 @@ public class EgressAclServiceImpl extends AbstractAclServiceImpl {
 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 }
 }
-
- /**
- * Programs the default connection tracking rules.
- *
- * @param dpid the dp id
- * @param allowedAddresses the allowed addresses
- * @param lportTag the lport tag
- * @param portId the portId
- * @param action the action
- * @param write whether to add or remove the flow.
- */
- private void programEgressAclFixedConntrackRule(BigInteger dpid, List allowedAddresses,
- int lportTag, String portId, Action action, int write) {
- programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
- "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, portId, write );
- LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");
- }
 }
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/IngressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractIngressAclServiceImpl.java
similarity index 65%
rename from vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/IngressAclServiceImpl.java
rename to vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractIngressAclServiceImpl.java
index 7c2ff2d973..4b5744c2cf 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/IngressAclServiceImpl.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AbstractIngressAclServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
@@ -15,16 +15,12 @@ import java.util.Map;
 import org.opendaylight.controller.md.sal.binding.api.DataBroker;
 import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType;
 import org.opendaylight.genius.mdsalutil.ActionInfo;
-import org.opendaylight.genius.mdsalutil.ActionType;
 import org.opendaylight.genius.mdsalutil.InstructionInfo;
-import org.opendaylight.genius.mdsalutil.InstructionType;
 import org.opendaylight.genius.mdsalutil.MDSALUtil;
 import org.opendaylight.genius.mdsalutil.MatchFieldType;
 import org.opendaylight.genius.mdsalutil.MatchInfo;
 import org.opendaylight.genius.mdsalutil.MatchInfoBase;
 import org.opendaylight.genius.mdsalutil.NwConstants;
-import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
-import org.opendaylight.genius.mdsalutil.NxMatchInfo;
 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
@@ -41,7 +37,6 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instru
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeEgress;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionIngress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
@@ -49,15 +44,15 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
- * Provides the stateful implementation for ingress (w.r.t VM) ACL service.
+ * Provides abstract implementation for ingress (w.r.t VM) ACL service.
 *
 *

* Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
 * and vice versa.
 */
-public class IngressAclServiceImpl extends AbstractAclServiceImpl {
+public abstract class AbstractIngressAclServiceImpl extends AbstractAclServiceImpl {
- private static final Logger LOG = LoggerFactory.getLogger(IngressAclServiceImpl.class);
+ private static final Logger LOG = LoggerFactory.getLogger(AbstractIngressAclServiceImpl.class);
 /**
 * Initialize the member variables.
@@ -65,7 +60,7 @@ public class IngressAclServiceImpl extends AbstractAclServiceImpl {
 * @param dataBroker the data broker instance.
 * @param mdsalManager the mdsal manager.
 */
- public IngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ public AbstractIngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
 // Service mode is w.rt. switch
 super(ServiceModeEgress.class, dataBroker, mdsalManager);
 }
@@ -112,10 +107,8 @@ public class IngressAclServiceImpl extends AbstractAclServiceImpl {
 * @param addOrRemove add or remove the flow
 */
 @Override
- protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
- List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
- programIngressAclFixedConntrackRule(dpid, allowedAddresses, portId, action, addOrRemove);
- }
+ protected abstract void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
+ List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove);
 @Override
 protected void programGeneralFixedRules(BigInteger dpid, String dhcpMacAddress,
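Review bot: The ingress and egress abstract classes now diverge on `programSpecificFixedRules`: here it is re-declared as `protected abstract void programSpecificFixedRules(...)` under the kept `@Override`, while the egress class in this same commit simply deletes its override and inherits whatever AbstractAclServiceImpl declares. If the parent method is already abstract this re-declaration is redundant; if it is concrete, it is the egress side that should get the same abstract re-declaration so both hierarchies force each mode to provide its fixed rules. Either way the Javadoc left above it (ending `* @param addOrRemove add or remove the flow`) still describes the deleted body; reword it to say this is the hook a concrete mode implements for its mode-specific fixed rules (the removed body installed the conntrack rules for the stateful case). The Javadoc block starts before the hunk.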
@@ -180,23 +173,13 @@ public class IngressAclServiceImpl extends AbstractAclServiceImpl {
 return;
 }
 for ( String flowName : flowMap.keySet()) {
- List flows = flowMap.get(flowName);
- flowName += "Ingress" + lportTag + ace.getKey().getRuleName();
- flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
- new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- List actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"1", "0", elanTag.toString(), "255"}, 2));
- List instructions = getDispatcherTableResubmitInstructions(actionsInfos);
-
- syncFlow(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
- "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ flowName = syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);
 }
 }
+ protected abstract String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace,
+ String portId, Map> flowMap, String flowName);
+
 /**
 * Add rule to ensure only DHCP server traffic from the specified mac is
 * allowed.
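Review bot: The assignment `flowName = syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);` writes to the for-each variable, whose value is discarded when the loop advances, and the Learn ingress implementation in this commit returns exactly the `flowName` it received, so nothing observable depends on the return. Make the hook `protected abstract void syncSpecificAclFlow(...)` with the same parameters and call it as a statement, `syncSpecificAclFlow(dpId, lportTag, addOrRemove, ace, portId, flowMap, flowName);`. The new abstract declaration also lacks a Javadoc; it should state that `flowName` is one key of `flowMap`, that the implementation adds its own matches and actions to that entry's list, and that it performs the add or remove of the flow itself according to `addOrRemove`. The enclosing `programAceRule` begins outside the hunk, so whether the ACE direction is still checked before this loop cannot be seen here.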
@@ -281,84 +264,6 @@ public class IngressAclServiceImpl extends AbstractAclServiceImpl {
 0, AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 }
- /**
- * Adds the rule to send the packet to the netfilter to check whether it is
- * a known packet.
- *
- * @param dpId the dpId
- * @param allowedAddresses the allowed addresses
- * @param priority the priority of the flow
- * @param flowId the flowId
- * @param conntrackState the conntrack state of the packets thats should be
- * send
- * @param conntrackMask the conntrack mask
- * @param portId the portId
- * @param addOrRemove whether to add or remove the flow
- */
- private void programConntrackRecircRules(BigInteger dpId, List allowedAddresses,
- Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
- for (AllowedAddressPairs allowedAddress : allowedAddresses) {
- IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
- String attachMac = allowedAddress.getMacAddress().getValue();
-
- List matches = new ArrayList<>();
- matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] { NwConstants.ETHTYPE_IPV4 }));
- matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
- matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] { attachMac }));
- matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
-
- List instructions = new ArrayList<>();
- List actionsInfos = new ArrayList<>();
-
- Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
- actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
- new String[] {"0", "0", elanTag.toString(), Short.toString(
- NwConstants.EGRESS_ACL_FILTER_TABLE)}, 2));
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
- String flowName = "Ingress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
- + String.valueOf(attachIp.getValue()) + "_" + flowId;
- syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
- }
- }
-
- /**
- * Program conntrack tracked rule.
- *
- * @param dpId the dp id
- * @param allowedAddresses the allowed addresses
- * @param priority the priority
- * @param flowId the flow id
- * @param conntrackState the conntrack state
- * @param conntrackMask the conntrack mask
- * @param addOrRemove the add or remove
- */
- private void programConntrackTrackedRule(BigInteger dpId, List allowedAddresses,
- Integer priority, String flowId, int conntrackState, int conntrackMask, int addOrRemove) {
- for (AllowedAddressPairs allowedAddress : allowedAddresses) {
- IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
- String attachMac = allowedAddress.getMacAddress().getValue();
-
- List matches = new ArrayList<>();
- matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
- matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
- matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] {attachMac}));
- matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
-
- List actionsInfos = new ArrayList<>();
- actionsInfos.add(new ActionInfo(ActionType.goto_table, new String[] {}));
-
- List instructions = new ArrayList<>();
- instructions.add(new InstructionInfo(InstructionType.goto_table,
- new long[] {NwConstants.EGRESS_ACL_FILTER_TABLE}));
-
- String flowName = "Ingress_Fixed_Conntrk_Trk_" + dpId + "_" + attachMac + "_"
- + String.valueOf(attachIp.getValue()) + "_" + flowId;
- syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, priority, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
- }
- }
-
 /**
 * Adds the rule to allow arp packets.
 *
@@ -377,21 +282,4 @@ public class IngressAclServiceImpl extends AbstractAclServiceImpl {
 AclConstants.PROTO_ARP_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
 AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
 }
-
- /**
- * Programs the default connection tracking rules.
- *
- * @param dpid the dp id
- * @param allowedAddresses the allowed addresses
- * @param portId the portId
- * @param write whether to add or remove the flow.
- */
- private void programIngressAclFixedConntrackRule(BigInteger dpid, List allowedAddresses,
- String portId, Action action, int write) {
- programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
- "Untracked", AclConstants.UNTRACKED_CT_STATE, AclConstants.UNTRACKED_CT_STATE_MASK, portId, write);
- programConntrackTrackedRule(dpid, allowedAddresses, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY, "Tracked",
- AclConstants.TRACKED_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write);
- LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are added.");
- }
 }
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceImplFactory.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceImplFactory.java
index 254098f8d7..98a037e4ea 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceImplFactory.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceImplFactory.java
@@ -48,10 +48,10 @@ public class AclServiceImplFactory implements AutoCloseable {
 LOG.info("{} close", getClass().getSimpleName());
 }
- public IngressAclServiceImpl createIngressAclServiceImpl() {
+ public AbstractIngressAclServiceImpl createIngressAclServiceImpl() {
 LOG.info("creating ingress acl service using mode {}", securityGroupMode);
 if (securityGroupMode == null || securityGroupMode == SecurityGroupMode.Stateful) {
- return new IngressAclServiceImpl(dataBroker, mdsalManager);
+ return new StatefulIngressAclServiceImpl(dataBroker, mdsalManager);
 } else if (securityGroupMode == SecurityGroupMode.Stateless) {
 return new StatelessIngressAclServiceImpl(dataBroker, mdsalManager);
 } else if (securityGroupMode == SecurityGroupMode.Transparent) {
@@ -61,10 +61,10 @@ public class AclServiceImplFactory implements AutoCloseable {
 }
 }
- public EgressAclServiceImpl createEgressAclServiceImpl() {
+ public AbstractEgressAclServiceImpl createEgressAclServiceImpl() {
 LOG.info("creating egress acl service using mode {}", securityGroupMode);
 if (securityGroupMode == null || securityGroupMode == SecurityGroupMode.Stateful) {
- return new EgressAclServiceImpl(dataBroker, mdsalManager);
+ return new StatefulEgressAclServiceImpl(dataBroker, mdsalManager);
 } else if (securityGroupMode == SecurityGroupMode.Stateless) {
 return new StatelessEgressAclServiceImpl(dataBroker, mdsalManager);
 } else if (securityGroupMode == SecurityGroupMode.Transparent) {
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceManagerImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceManagerImpl.java
index 5c010bf7a8..8d9066c057 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceManagerImpl.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/AclServiceManagerImpl.java
@@ -28,8 +28,8 @@ public class AclServiceManagerImpl implements AclServiceManager {
 * @param ingressAclService ingress acl service
 * @param egressAclService egress acl service
 */
- public AclServiceManagerImpl(final IngressAclServiceImpl ingressAclService,
- final EgressAclServiceImpl egressAclService) {
+ public AclServiceManagerImpl(final AbstractIngressAclServiceImpl ingressAclService,
+ final AbstractEgressAclServiceImpl egressAclService) {
 addAclServiceListner(ingressAclService);
 addAclServiceListner(egressAclService);
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnEgressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnEgressAclServiceImpl.java
index 495c2051ae..e784e08071 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnEgressAclServiceImpl.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnEgressAclServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
@@ -23,19 +23,13 @@ import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
-import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-public class LearnEgressAclServiceImpl extends EgressAclServiceImpl {
+public class LearnEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
 private static final Logger LOG = LoggerFactory.getLogger(LearnEgressAclServiceImpl.class);
@@ -55,44 +49,26 @@ public class LearnEgressAclServiceImpl extends EgressAclServiceImpl {
 @Override
 protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
 List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
-
 }
 @Override
- protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
- List syncAllowedAddresses) {
- SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace);
- if (!aceAttr.getDirection().equals(DirectionEgress.class)) {
- return;
- }
- Matches matches = ace.getMatches();
- AceType aceType = matches.getAceType();
- Map> flowMap = null;
- if (aceType instanceof AceIp) {
- flowMap = AclServiceOFFlowBuilder.programIpFlow(matches);
- }
- if (null == flowMap) {
- LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag);
- return;
- }
-
- // The flow map contains list of flows if port range is selected.
- for (Map.Entry> flow : flowMap.entrySet()) {
- List flowMatches = flow.getValue();
- flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
- List actionsInfos = new ArrayList<>();
- addLearnActions(flowMatches, actionsInfos);
-
- actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
- new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
-
- List instructions = new ArrayList<>();
- instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
-
- String flowName = flow.getKey() + "Egress" + lportTag + ace.getKey().getRuleName();
- syncFlow(dpId, NwConstants.INGRESS_LEARN2_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
- AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
- }
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map> flowMap, String flowName) {
+ List flowMatches = flowMap.get(flowName);
+ flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ List actionsInfos = new ArrayList<>();
+ addLearnActions(flowMatches, actionsInfos);
+
+ actionsInfos.add(new ActionInfo(ActionType.nx_resubmit,
+ new String[] {Short.toString(NwConstants.LPORT_DISPATCHER_TABLE)}));
+
+ List instructions = new ArrayList<>();
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+
+ String flowNameAdded = flowName + "Egress" + lportTag + ace.getKey().getRuleName();
+ syncFlow(dpId, NwConstants.INGRESS_LEARN2_TABLE, flowNameAdded, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove);
+ return flowName;
 }
 /*
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnIngressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnIngressAclServiceImpl.java
index 6afcd12737..67f5a75a13 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnIngressAclServiceImpl.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/LearnIngressAclServiceImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ * Copyright (c) 2016 HPE, Inc. and others. All rights reserved.
 *
 * This program and the accompanying materials are made available under the
 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
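Review bot: The direction guard that used to precede flow installation in this class, `if (!aceAttr.getDirection().equals(DirectionEgress.class)) return;`, is removed along with `programAceRule`, and the new `syncSpecificAclFlow` installs into `INGRESS_LEARN2_TABLE` for whatever key it is handed; the abstract `programAceRule` that now calls it is only partially visible in this commit, so it is worth confirming that the direction and the null-flowMap checks still run in the base class before this hook, since an ingress-direction rule landing in the egress learn table would silently widen what the port is allowed to send. Two smaller points in the same hunk: `programSpecificFixedRules` has become a one-line `{ }` override of the hook that the stateful classes use for their fixed conntrack rules, and an empty override of a security hook should say it is deliberate, e.g. `// Intentionally empty: learn mode installs no mode-specific fixed rules here` (or a TODO if that is the real state); and `return flowName;` hands back its own argument, which only exists to satisfy the abstract signature. With the only `LOG.error` call in this class removed, `LOG` may now be unused unless it is referenced outside the hunk.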
@@ -23,19 +23,13 @@ import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
 import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
 import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
 import org.opendaylight.netvirt.aclservice.utils.AclConstants;
-import org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder;
 import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.AceType;
-import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionIngress;
-import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.SecurityRuleAttr;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-public class LearnIngressAclServiceImpl extends IngressAclServiceImpl {
+public class LearnIngressAclServiceImpl extends AbstractIngressAclServiceImpl {
 private static final Logger LOG = LoggerFactory.getLogger(LearnIngressAclServiceImpl.class);
@@ -50,40 +44,23 @@ public class LearnIngressAclServiceImpl extends IngressAclServiceImpl { } @Override - protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, - List syncAllowedAddresses) { - SecurityRuleAttr aceAttr = AclServiceUtils.getAccesssListAttributes(ace); - if (!aceAttr.getDirection().equals(DirectionIngress.class)) { - return; - } - Matches matches = ace.getMatches(); - AceType aceType = matches.getAceType(); - Map> flowMap = null; - if (aceType instanceof AceIp) { - flowMap = AclServiceOFFlowBuilder.programIpFlow(matches); - } - if (null == flowMap) { - LOG.error("Failed to apply ACL {} lportTag {}", ace.getKey(), lportTag); - return; - } - - // The flow map contains list of flows if port range is selected. - for (Map.Entry> flow : flowMap.entrySet()) { - List flowMatches = flow.getValue(); - flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag)); - List actionsInfos = new ArrayList<>(); - addLearnActions(flowMatches, actionsInfos); - - actionsInfos.add(new ActionInfo(ActionType.nx_resubmit, - new String[] {Short.toString(NwConstants.EGRESS_LPORT_DISPATCHER_TABLE)})); - - List instructions = new ArrayList<>(); - instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos)); - - String flowName = flow.getKey() + "Ingress" + lportTag + ace.getKey().getRuleName(); - syncFlow(dpId, NwConstants.EGRESS_LEARN2_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0, - AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove); - } + protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, + Map> flowMap, String flowName) { + List flowMatches = flowMap.get(flowName); + flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag)); + List actionsInfos = new ArrayList<>(); + addLearnActions(flowMatches, actionsInfos); + + actionsInfos.add(new ActionInfo(ActionType.nx_resubmit, + new String[] 
{Short.toString(NwConstants.EGRESS_LPORT_DISPATCHER_TABLE)})); + + List instructions = new ArrayList<>(); + instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos)); + + String flowNameAdded = flowName + "Ingress" + lportTag + ace.getKey().getRuleName(); + syncFlow(dpId, NwConstants.EGRESS_LEARN2_TABLE, flowNameAdded, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0, + AclConstants.COOKIE_ACL_BASE, flowMatches, instructions, addOrRemove); + return flowName; } /* diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatefulEgressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatefulEgressAclServiceImpl.java new file mode 100644 index 0000000000..1ef56ea6ad --- /dev/null +++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatefulEgressAclServiceImpl.java 
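Review bot: `List flowMatches = flowMap.get(flowName);` in the new syncSpecificAclFlow is dereferenced without a null check and the lport-tag match is appended to the list owned by the map, so a flowName absent from flowMap throws a NullPointerException and a repeated call for the same key appends a second lport match; the removed programAceRule at least guarded the map itself with `if (null == flowMap)`. Guard the lookup and mutate a copy, e.g. `List flowMatches = new ArrayList<>(flowMap.get(flowName));` after an explicit null/`LOG.error` check. The `DirectionIngress` filter that the old override performed is gone from this class, which is only correct if AbstractIngressAclServiceImpl.programAceRule (not in this diff) applies it before calling this hook; worth confirming, since otherwise egress-direction rules would be programmed into the ingress learn table. `portId` is unused in this override, and the same copy-on-lookup concern applies to syncSpecificAclFlow in StatefulEgressAclServiceImpl and StatefulIngressAclServiceImpl.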
@@ -0,0 +1,144 @@
+/*
+ * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.netvirt.aclservice;
+
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.genius.mdsalutil.ActionInfo;
+import org.opendaylight.genius.mdsalutil.ActionType;
+import org.opendaylight.genius.mdsalutil.InstructionInfo;
+import org.opendaylight.genius.mdsalutil.InstructionType;
+import org.opendaylight.genius.mdsalutil.MatchFieldType;
+import org.opendaylight.genius.mdsalutil.MatchInfo;
+import org.opendaylight.genius.mdsalutil.MatchInfoBase;
+import org.opendaylight.genius.mdsalutil.NwConstants;
+import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
+import org.opendaylight.genius.mdsalutil.NxMatchInfo;
+import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
+import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.utils.AclConstants;
+import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Provides the stateful implementation for egress (w.r.t VM) ACL service.
+ *
+ *

+ * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
+ * and vice versa.
+ */
+public class StatefulEgressAclServiceImpl extends AbstractEgressAclServiceImpl {
+
+ public StatefulEgressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ super(dataBroker, mdsalManager);
+ }
+
+ private static final Logger LOG = LoggerFactory.getLogger(StatefulEgressAclServiceImpl.class);
+
+
+ /**
+ * Program conntrack rules.
+ *
+ * @param dpid the dpid
+ * @param dhcpMacAddress the dhcp mac address.
+ * @param allowedAddresses the allowed addresses
+ * @param lportTag the lport tag
+ * @param addOrRemove addorRemove
+ */
+ @Override
+ protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
+ List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
+ programEgressAclFixedConntrackRule(dpid, allowedAddresses, lportTag, portId, action, addOrRemove);
+ }
+
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map> flowMap, String flowName) {
+ List flows = flowMap.get(flowName);
+ flowName += "Egress" + lportTag + ace.getKey().getRuleName();
+ flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
+ new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
+
+ Long elanId = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ List actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"1", "0", elanId.toString(), "255"}, 2));
+ List instructions = getDispatcherTableResubmitInstructions(actionsInfos);
+
+ syncFlow(dpId, NwConstants.INGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
+ "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ return flowName;
+ }
+
+ /**
+ * Adds the rule to send the packet to the netfilter to check whether it is
+ * a known packet.
+ *
+ * @param dpId the dpId
+ * @param allowedAddresses the allowed addresses
+ * @param priority the priority of the flow
+ * @param flowId the flowId
+ * @param conntrackState the conntrack state of the packets thats should be
+ * send
+ * @param conntrackMask the conntrack mask
+ * @param portId the portId
+ * @param addOrRemove whether to add or remove the flow
+ */
+ private void programConntrackRecircRules(BigInteger dpId, List allowedAddresses,
+ Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
+ for (AllowedAddressPairs allowedAddress : allowedAddresses) {
+ IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
+ String attachMac = allowedAddress.getMacAddress().getValue();
+
+ List matches = new ArrayList<>();
+ matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
+ matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
+ matches.add(new MatchInfo(MatchFieldType.eth_src, new String[] {attachMac}));
+ matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_source));
+
+ Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ List instructions = new ArrayList<>();
+ List actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"0", "0", elanTag.toString(), Short.toString(
+ NwConstants.INGRESS_ACL_FILTER_TABLE)}, 2));
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+
+ String flowName = "Egress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
+ + String.valueOf(attachIp.getValue()) + "_" + flowId;
+ syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+ }
+ }
+
+ /**
+ * Programs the default connection tracking rules.
+ *
+ * @param dpid the dp id
+ * @param allowedAddresses the allowed addresses
+ * @param lportTag the lport tag
+ * @param portId the portId
+ * @param action the action
+ * @param write whether to add or remove the flow.
+ */
+ private void programEgressAclFixedConntrackRule(BigInteger dpid, List allowedAddresses,
+ int lportTag, String portId, Action action, int write) {
+ programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
+ "Untracked",AclConstants.UNTRACKED_CT_STATE,AclConstants.UNTRACKED_CT_STATE_MASK, portId, write );
+ LOG.info("programEgressAclFixedConntrackRule : default connection tracking rule are added.");
+ }
+}
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatefulIngressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatefulIngressAclServiceImpl.java
new file mode 100644
index 0000000000..149b56a2ce
--- /dev/null
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatefulIngressAclServiceImpl.java
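Review bot: programConntrackRecircRules declares an `Integer priority` parameter but its syncFlow call hard-codes `AclConstants.PROTO_MATCH_PRIORITY`, so the `CT_STATE_UNTRACKED_PRIORITY` that programEgressAclFixedConntrackRule passes never reaches the switch; the call should read `syncFlow(dpId, NwConstants.INGRESS_ACL_TABLE, flowName, priority, "ACL", 0, 0,`. If those two constants differ, the relative ordering of the untracked-recirculation rule against other rules in the ACL table is not what the caller asked for, which matters because that ordering decides which packets are handed to conntrack before the ACL filter is evaluated. The same dropped parameter exists in StatefulIngressAclServiceImpl.programConntrackRecircRules (its programConntrackTrackedRule does use `priority`). Separately, `elanId.toString()` and `elanTag.toString()` dereference the boxed result of getElanIdFromInterface without a null check, and the datastore lookup is repeated per allowed address inside the loop although `portId` is loop-invariant; hoist it above the `for` and fail with a log message when it is null. The `LOG.info(... "rule are added.")` line logs "added" regardless of `write`, and the `action` parameter of programEgressAclFixedConntrackRule is unused.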
@@ -0,0 +1,187 @@
+/*
+ * Copyright (c) 2016 Red Hat, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.opendaylight.netvirt.aclservice;
+
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import org.opendaylight.controller.md.sal.binding.api.DataBroker;
+import org.opendaylight.genius.mdsalutil.ActionInfo;
+import org.opendaylight.genius.mdsalutil.ActionType;
+import org.opendaylight.genius.mdsalutil.InstructionInfo;
+import org.opendaylight.genius.mdsalutil.InstructionType;
+import org.opendaylight.genius.mdsalutil.MatchFieldType;
+import org.opendaylight.genius.mdsalutil.MatchInfo;
+import org.opendaylight.genius.mdsalutil.MatchInfoBase;
+import org.opendaylight.genius.mdsalutil.NwConstants;
+import org.opendaylight.genius.mdsalutil.NxMatchFieldType;
+import org.opendaylight.genius.mdsalutil.NxMatchInfo;
+import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager;
+import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action;
+import org.opendaylight.netvirt.aclservice.utils.AclConstants;
+import org.opendaylight.netvirt.aclservice.utils.AclServiceUtils;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Provides the stateful implementation for ingress (w.r.t VM) ACL service.
+ *
+ *

+ * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress
+ * and vice versa.
+ */
+public class StatefulIngressAclServiceImpl extends AbstractIngressAclServiceImpl {
+
+ private static final Logger LOG = LoggerFactory.getLogger(StatefulIngressAclServiceImpl.class);
+
+ /**
+ * Initialize the member variables.
+ *
+ * @param dataBroker the data broker instance.
+ * @param mdsalManager the mdsal manager.
+ */
+ public StatefulIngressAclServiceImpl(DataBroker dataBroker, IMdsalApiManager mdsalManager) {
+ // Service mode is w.rt. switch
+ super(dataBroker, mdsalManager);
+ }
+
+ /**
+ * Program conntrack rules.
+ *
+ * @param dpid the dpid
+ * @param dhcpMacAddress the dhcp mac address.
+ * @param allowedAddresses the allowed addresses
+ * @param lportTag the lport tag
+ * @param addOrRemove add or remove the flow
+ */
+ @Override
+ protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress,
+ List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {
+ programIngressAclFixedConntrackRule(dpid, allowedAddresses, portId, action, addOrRemove);
+ }
+
+ @Override
+ protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId,
+ Map> flowMap, String flowName) {
+ List flows = flowMap.get(flowName);
+ flowName += "Ingress" + lportTag + ace.getKey().getRuleName();
+ flows.add(AclServiceUtils.buildLPortTagMatch(lportTag));
+ flows.add(new NxMatchInfo(NxMatchFieldType.ct_state,
+ new long[] {AclConstants.TRACKED_NEW_CT_STATE, AclConstants.TRACKED_NEW_CT_STATE_MASK}));
+
+ Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ List actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"1", "0", elanTag.toString(), "255"}, 2));
+ List instructions = getDispatcherTableResubmitInstructions(actionsInfos);
+
+ syncFlow(dpId, NwConstants.EGRESS_ACL_FILTER_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY,
+ "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flows, instructions, addOrRemove);
+ return flowName;
+ }
+
+ /**
+ * Adds the rule to send the packet to the netfilter to check whether it is
+ * a known packet.
+ *
+ * @param dpId the dpId
+ * @param allowedAddresses the allowed addresses
+ * @param priority the priority of the flow
+ * @param flowId the flowId
+ * @param conntrackState the conntrack state of the packets thats should be
+ * send
+ * @param conntrackMask the conntrack mask
+ * @param portId the portId
+ * @param addOrRemove whether to add or remove the flow
+ */
+ private void programConntrackRecircRules(BigInteger dpId, List allowedAddresses,
+ Integer priority, String flowId, int conntrackState, int conntrackMask, String portId, int addOrRemove) {
+ for (AllowedAddressPairs allowedAddress : allowedAddresses) {
+ IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
+ String attachMac = allowedAddress.getMacAddress().getValue();
+
+ List matches = new ArrayList<>();
+ matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] { NwConstants.ETHTYPE_IPV4 }));
+ matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
+ matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] { attachMac }));
+ matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
+
+ List instructions = new ArrayList<>();
+ List actionsInfos = new ArrayList<>();
+
+ Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);
+ actionsInfos.add(new ActionInfo(ActionType.nx_conntrack,
+ new String[] {"0", "0", elanTag.toString(), Short.toString(
+ NwConstants.EGRESS_ACL_FILTER_TABLE)}, 2));
+ instructions.add(new InstructionInfo(InstructionType.apply_actions, actionsInfos));
+ String flowName = "Ingress_Fixed_Conntrk_Untrk_" + dpId + "_" + attachMac + "_"
+ + String.valueOf(attachIp.getValue()) + "_" + flowId;
+ syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, AclConstants.PROTO_MATCH_PRIORITY, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+ }
+ }
+
+ /**
+ * Program conntrack tracked rule.
+ *
+ * @param dpId the dp id
+ * @param allowedAddresses the allowed addresses
+ * @param priority the priority
+ * @param flowId the flow id
+ * @param conntrackState the conntrack state
+ * @param conntrackMask the conntrack mask
+ * @param addOrRemove the add or remove
+ */
+ private void programConntrackTrackedRule(BigInteger dpId, List allowedAddresses,
+ Integer priority, String flowId, int conntrackState, int conntrackMask, int addOrRemove) {
+ for (AllowedAddressPairs allowedAddress : allowedAddresses) {
+ IpPrefixOrAddress attachIp = allowedAddress.getIpAddress();
+ String attachMac = allowedAddress.getMacAddress().getValue();
+
+ List matches = new ArrayList<>();
+ matches.add(new MatchInfo(MatchFieldType.eth_type, new long[] {NwConstants.ETHTYPE_IPV4}));
+ matches.add(new NxMatchInfo(NxMatchFieldType.ct_state, new long[] {conntrackState, conntrackMask}));
+ matches.add(new MatchInfo(MatchFieldType.eth_dst, new String[] {attachMac}));
+ matches.addAll(AclServiceUtils.buildIpMatches(attachIp, MatchFieldType.ipv4_destination));
+
+ List actionsInfos = new ArrayList<>();
+ actionsInfos.add(new ActionInfo(ActionType.goto_table, new String[] {}));
+
+ List instructions = new ArrayList<>();
+ instructions.add(new InstructionInfo(InstructionType.goto_table,
+ new long[] {NwConstants.EGRESS_ACL_FILTER_TABLE}));
+
+ String flowName = "Ingress_Fixed_Conntrk_Trk_" + dpId + "_" + attachMac + "_"
+ + String.valueOf(attachIp.getValue()) + "_" + flowId;
+ syncFlow(dpId, NwConstants.EGRESS_ACL_TABLE, flowName, priority, "ACL", 0, 0,
+ AclConstants.COOKIE_ACL_BASE, matches, instructions, addOrRemove);
+ }
+ }
+
+ /**
+ * Programs the default connection tracking rules.
+ *
+ * @param dpid the dp id
+ * @param allowedAddresses the allowed addresses
+ * @param portId the portId
+ * @param write whether to add or remove the flow.
+ */
+ private void programIngressAclFixedConntrackRule(BigInteger dpid, List allowedAddresses,
+ String portId, Action action, int write) {
+ programConntrackRecircRules(dpid, allowedAddresses, AclConstants.CT_STATE_UNTRACKED_PRIORITY,
+ "Untracked", AclConstants.UNTRACKED_CT_STATE, AclConstants.UNTRACKED_CT_STATE_MASK, portId, write);
+ programConntrackTrackedRule(dpid, allowedAddresses, AclConstants.CT_STATE_TRACKED_EXIST_PRIORITY, "Tracked",
+ AclConstants.TRACKED_CT_STATE, AclConstants.TRACKED_CT_STATE_MASK, write);
+ LOG.info("programIngressAclFixedConntrackRule : default connection tracking rule are added.");
+ }
+}
diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessEgressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessEgressAclServiceImpl.java
index 08b0c5c1f7..5fb36a9fc7 100644
--- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessEgressAclServiceImpl.java
+++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessEgressAclServiceImpl.java
@@ -42,7 +42,7 @@ import org.slf4j.LoggerFactory; * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress * and vice versa. */ -public class StatelessEgressAclServiceImpl extends EgressAclServiceImpl { +public class StatelessEgressAclServiceImpl extends AbstractEgressAclServiceImpl { private static final Logger LOG = LoggerFactory.getLogger(StatelessEgressAclServiceImpl.class);
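Review bot: In programConntrackTrackedRule the two lines `List actionsInfos = new ArrayList<>();` and `actionsInfos.add(new ActionInfo(ActionType.goto_table, new String[] {}));` build an action list that is never referenced afterwards; the flow is programmed solely from the `goto_table` InstructionInfo, so both lines are dead and should be removed before someone assumes the action is installed. In programConntrackRecircRules the `Long elanTag = AclServiceUtils.getElanIdFromInterface(portId, dataBroker);` lookup sits inside the per-address loop and is dereferenced with `elanTag.toString()` without a null check; hoist it above the `for` and return early with a `LOG.error` when the ELAN id cannot be resolved, rather than letting a NullPointerException abort the fixed-rule programming for the port half-way through. The Javadoc of programSpecificFixedRules omits `@param portId` and `@param action`, and the `LOG.info(... "rule are added.")` message is emitted for removals as well; `LOG.info("programIngressAclFixedConntrackRule : {} default connection tracking rules", getOperAsString(write));` would be accurate if that helper is available from the base class as it is in the stateless siblings.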
@@ -56,6 +56,13 @@ public class StatelessEgressAclServiceImpl extends EgressAclServiceImpl { List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) { } + @Override + protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, + Map> flowMap, String flowName) { + // Not in use here. programAceRule function is overridden. + return null; + } + @Override protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, List syncAllowedAddresses) { diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessIngressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessIngressAclServiceImpl.java index 6369ca09d7..8fed362ce9 100644 --- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessIngressAclServiceImpl.java +++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/StatelessIngressAclServiceImpl.java @@ -42,7 +42,7 @@ import org.slf4j.LoggerFactory; * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress * and vice versa. */ -public class StatelessIngressAclServiceImpl extends IngressAclServiceImpl { +public class StatelessIngressAclServiceImpl extends AbstractIngressAclServiceImpl { private static final Logger LOG = LoggerFactory.getLogger(StatelessIngressAclServiceImpl.class); 
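Review bot: The new `syncSpecificAclFlow` override returns null on the strength of a comment that programAceRule is overridden, which ties correctness to a sibling override that can be removed or refactored independently; if the base class, which is not in this diff, ever reaches this hook, a null flow name is handed to the flow-programming path with no diagnostic. Prefer failing loudly: `throw new UnsupportedOperationException("syncSpecificAclFlow is not used: programAceRule is overridden");`, or, if the base class really tolerates null, state that contract in the abstract method's Javadoc. The identical stub is added in this commit to StatelessIngressAclServiceImpl, TransparentEgressAclServiceImpl and TransparentIngressAclServiceImpl, so four classes now carry the same misleading "not in use" comment; a base-class default (non-abstract) implementation that throws would remove the duplication.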
@@ -55,6 +55,13 @@ public class StatelessIngressAclServiceImpl extends IngressAclServiceImpl { List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) { } + @Override + protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, + Map> flowMap, String flowName) { + // Not in use here. programAceRule function is overridden. + return null; + } + @Override protected void programAceRule(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, List syncAllowedAddresses) { @@ -101,4 +108,5 @@ public class StatelessIngressAclServiceImpl extends IngressAclServiceImpl { String oper = getOperAsString(addOrRemove); LOG.debug("{} allow syn packet flow {}", oper, flowName); } + } diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentEgressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentEgressAclServiceImpl.java index 9715bc0da3..5a1544748b 100644 --- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentEgressAclServiceImpl.java +++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentEgressAclServiceImpl.java @@ -9,8 +9,10 @@ package org.opendaylight.netvirt.aclservice; import java.math.BigInteger; import java.util.List; +import java.util.Map; import org.opendaylight.controller.md.sal.binding.api.DataBroker; +import org.opendaylight.genius.mdsalutil.MatchInfoBase; import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager; import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace; 
@@ -22,7 +24,7 @@ import org.slf4j.LoggerFactory; * Provides the transparent implementation for egress (w.r.t VM) ACL service. * */ -public class TransparentEgressAclServiceImpl extends EgressAclServiceImpl { +public class TransparentEgressAclServiceImpl extends AbstractEgressAclServiceImpl { private static final Logger LOG = LoggerFactory.getLogger(TransparentEgressAclServiceImpl.class); @@ -42,4 +44,11 @@ public class TransparentEgressAclServiceImpl extends EgressAclServiceImpl { LOG.debug("transparent egress acl service - do nothing"); } + @Override + protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, + Map> flowMap, String flowName) { + // Not in use here. programAceRule function is overridden. + return null; + } + } diff --git a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentIngressAclServiceImpl.java b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentIngressAclServiceImpl.java index dddd6aac4c..2573aa9533 100644 --- a/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentIngressAclServiceImpl.java +++ b/vpnservice/aclservice/impl/src/main/java/org/opendaylight/netvirt/aclservice/TransparentIngressAclServiceImpl.java @@ -9,8 +9,10 @@ package org.opendaylight.netvirt.aclservice; import java.math.BigInteger; import java.util.List; +import java.util.Map; import org.opendaylight.controller.md.sal.binding.api.DataBroker; +import org.opendaylight.genius.mdsalutil.MatchInfoBase; import org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager; import org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace; 
@@ -25,7 +27,7 @@ import org.slf4j.LoggerFactory; * Note: Table names used are w.r.t switch. Hence, switch ingress is VM egress * and vice versa. */ -public class TransparentIngressAclServiceImpl extends IngressAclServiceImpl { +public class TransparentIngressAclServiceImpl extends AbstractIngressAclServiceImpl { private static final Logger LOG = LoggerFactory.getLogger(TransparentIngressAclServiceImpl.class); @@ -33,6 +35,13 @@ public class TransparentIngressAclServiceImpl extends IngressAclServiceImpl { super(dataBroker, mdsalManager); } + @Override + protected String syncSpecificAclFlow(BigInteger dpId, int lportTag, int addOrRemove, Ace ace, String portId, + Map> flowMap, String flowName) { + // Not in use here. programAceRule function is overridden. + return null; + } + @Override protected void programSpecificFixedRules(BigInteger dpid, String dhcpMacAddress, List allowedAddresses, int lportTag, String portId, Action action, int addOrRemove) {