From: Sam Hague Date: Wed, 4 May 2016 01:26:38 +0000 (+0000) Subject: Merge "Remove ovsdb related in resources" X-Git-Tag: release/boron~376 X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=commitdiff_plain;h=753a12cf591f68bc01972ba7442669ff19f7c30f;hp=e099da1a55674297ef002a28c5e9ca6b474f070d;p=netvirt.git Merge "Remove ovsdb related in resources" --- diff --git a/features/pom.xml b/features/pom.xml index 68f37ab3ee..519060f095 100644 --- a/features/pom.xml +++ b/features/pom.xml @@ -166,20 +166,6 @@ and is available at http://www.eclipse.org/legal/epl-v10.html features xml - - org.opendaylight.openflowplugin - features-openflowplugin-li - ${openflowplugin.version} - features - xml - - - org.opendaylight.openflowplugin - features-openflowplugin-extension-li - ${openflowplugin.version} - features - xml - ${project.groupId} openstack.net-virt diff --git a/features/src/main/features/features.xml b/features/src/main/features/features.xml index f80997a4a5..752f8e6ded 100644 --- a/features/src/main/features/features.xml +++ b/features/src/main/features/features.xml @@ -8,8 +8,6 @@ mvn:org.opendaylight.netconf/features-restconf/{{VERSION}}/xml/features mvn:org.opendaylight.openflowplugin/features-openflowplugin-extension/{{VERSION}}/xml/features mvn:org.opendaylight.openflowplugin/features-openflowplugin/{{VERSION}}/xml/features - mvn:org.opendaylight.openflowplugin/features-openflowplugin-extension-li/{{VERSION}}/xml/features - mvn:org.opendaylight.openflowplugin/features-openflowplugin-li/{{VERSION}}/xml/features mvn:org.opendaylight.neutron/features-neutron/{{VERSION}}/xml/features mvn:org.opendaylight.ovsdb/hwvtepsouthbound-features/{{VERSION}}/xml/features mvn:org.opendaylight.ovsdb/southbound-features/{{VERSION}}/xml/features 
@@ -44,26 +42,6 @@ mvn:org.opendaylight.netvirt/utils.neutron-utils/{{VERSION}} - - odl-mdsal-broker - odl-openflowplugin-nsf-model-li - odl-neutron-service - odl-ovsdb-southbound-impl - odl-openflowplugin-flow-services-li - odl-openflowplugin-nxm-extensions-li - mvn:org.opendaylight.netvirt/utils.servicehelper/{{VERSION}} - mvn:org.opendaylight.netvirt/utils.neutron-utils/{{VERSION}} - mvn:org.opendaylight.netvirt/utils.mdsal-utils/{{VERSION}} - mvn:org.opendaylight.ovsdb/utils.mdsal-utils/{{VERSION}} - mvn:org.opendaylight.ovsdb/utils.southbound-utils/{{VERSION}} - mvn:org.opendaylight.netvirt/openstack.net-virt/{{VERSION}} - mvn:org.opendaylight.netvirt/openstack.net-virt-providers/{{VERSION}} - mvn:commons-net/commons-net/{{VERSION}} - mvn:org.opendaylight.netvirt/openstack.net-virt/{{VERSION}}/xml/config - mvn:org.opendaylight.netvirt/openstack.net-virt-providers/{{VERSION}}/xml/config - - odl-dlux-core mvn:org.opendaylight.netvirt/ovsdb-ui-bundle/{{VERSION}} diff --git a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/OF13Provider.java b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/OF13Provider.java index 85be27b31a..356be18770 100644 --- a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/OF13Provider.java +++ b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/OF13Provider.java 
@@ -1000,49 +1000,43 @@ public class OF13Provider implements ConfigInterface, NetworkingProvider { } private void programLocalSecurityGroupRules(String attachedMac, Node node, OvsdbTerminationPointAugmentation intf, - Long dpid,long localPort, String segmentationId, - boolean write) { + Long dpid,long localPort, String segmentationId, + boolean write) { LOG.debug("programLocalRules: Program fixed security group rules for interface {}", intf.getName()); + boolean isPortSecurityEnabled = securityServicesManager.isPortSecurityEnabled(intf); + if (!isPortSecurityEnabled) { + LOG.info("Port security is not enabled" + intf); + return; + } NeutronPort dhcpPort = securityServicesManager.getDhcpServerPort(intf); - boolean isComputePort = false; - boolean isLastPortinBridge = false; - boolean isLastPortinSubnet = false; List srcAddressList = null; if (null != dhcpPort) { - isComputePort = securityServicesManager.isComputePort(intf); - isLastPortinBridge = securityServicesManager.isLastPortinBridge(node, intf); - isLastPortinSubnet = false; - if (isComputePort) { - isLastPortinSubnet = securityServicesManager.isLastPortinSubnet(node, intf); - srcAddressList = securityServicesManager.getIpAddressList(intf); - if (null == srcAddressList) { - LOG.warn("programLocalRules: No Ip address assigned {}", intf); - return; - } + srcAddressList = securityServicesManager.getIpAddressList(intf); + if (null == srcAddressList) { + LOG.warn("programLocalRules: No Ip address assigned {}", intf); + return; } ingressAclProvider.programFixedSecurityGroup(dpid, segmentationId, dhcpPort.getMacAddress(), localPort, - isLastPortinSubnet, isComputePort, attachedMac, write); + attachedMac, write); egressAclProvider.programFixedSecurityGroup(dpid, segmentationId, attachedMac, localPort, - srcAddressList, isLastPortinBridge, isComputePort,write); + srcAddressList, write); /* If the network type is tunnel based (VXLAN/GRRE/etc) with Neutron Port Security ACLs */ /* TODO SB_MIGRATION */ LOG.debug("Neutron 
port has a Port Security Group"); // Retrieve the security group from the Neutron Port and apply the rules - if (securityServicesManager.isPortSecurityReady(intf)) { - //Associate the security group flows. - List securityGroupListInPort = securityServicesManager - .getSecurityGroupInPortList(intf); - String neutronPortId = southbound.getInterfaceExternalIdsValue(intf, - Constants.EXTERNAL_ID_INTERFACE_ID); - for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) { - ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort, - securityGroupInPort, neutronPortId, write); - egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort, - securityGroupInPort, neutronPortId, write); - } + List securityGroupListInPort = securityServicesManager + .getSecurityGroupInPortList(intf); + String neutronPortId = southbound.getInterfaceExternalIdsValue(intf, + Constants.EXTERNAL_ID_INTERFACE_ID); + for (NeutronSecurityGroup securityGroupInPort:securityGroupListInPort) { + ingressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort, + securityGroupInPort, neutronPortId, write); + egressAclProvider.programPortSecurityGroup(dpid, segmentationId, attachedMac, localPort, + securityGroupInPort, neutronPortId, write); } + } else { LOG.warn("programLocalRules: No DCHP port seen in network of {}", intf); } diff --git a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java index 47fdc7029d..e7ac0c244e 100644 --- a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java 
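Review bot: The new early return in `programLocalSecurityGroupRules` is taken before `write` is looked at, so a call with `write == false` for a port whose port security has been switched off skips removal of the fixed and security-group flows that were installed while it was on. Unless another path cleans up on that toggle, gate only the add path, e.g. `if (write && !isPortSecurityEnabled) {`. The hunk also drops the `isPortSecurityReady(intf)` guard, so the result of `getSecurityGroupInPortList(intf)` is iterated unconditionally; if that call can return null (its body is not in this diff) the loop throws, and a null check would keep the old behaviour. The added log line concatenates instead of using a placeholder and runs the words together; `LOG.info("programLocalRules: Port security is not enabled for {}", intf);` matches the other messages in this method.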
+++ b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java 
@@ -230,41 +230,39 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA @Override public void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac, - long localPort, List srcAddressList, - boolean isLastPortinBridge, boolean isComputePort ,boolean write) { - // If it is the only port in the bridge add the rule to allow any DHCP client traffic - //if (isLastPortinBridge) { - egressAclDhcpAllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY); - egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY); - // } - if (isComputePort) { - programArpRule(dpid, segmentationId, localPort, attachedMac, write); - if (securityServicesManager.isConntrackEnabled()) { - programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write); - } - // add rule to drop the DHCP server traffic originating from the vm. - egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write, - Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP); - egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write, - Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP); - //Adds rule to check legitimate ip/mac pair for each packet from the vm - for (Neutron_IPs srcAddress : srcAddressList) { - try { - InetAddress address = InetAddress.getByName(srcAddress.getIpAddress()); - if (address instanceof Inet4Address) { - String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK; - egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix, - Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write); - } else if (address instanceof Inet6Address) { - String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK; - egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix, - Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write); - } - } catch (UnknownHostException e) { - LOG.warn("Invalid IP address 
{}", srcAddress.getIpAddress(), e); + long localPort, List srcAddressList, boolean write) { + + egressAclDhcpAllowClientTrafficFromVm(dpid, write, localPort, + Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY); + egressAclDhcpv6AllowClientTrafficFromVm(dpid, write, localPort, + Constants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY); + programArpRule(dpid, segmentationId, localPort, attachedMac, write); + if (securityServicesManager.isConntrackEnabled()) { + programEgressAclFixedConntrackRule(dpid, segmentationId, localPort, attachedMac, write); + } + // add rule to drop the DHCP server traffic originating from the vm. + egressAclDhcpDropServerTrafficfromVm(dpid, localPort, write, + Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP); + egressAclDhcpv6DropServerTrafficfromVm(dpid, localPort, write, + Constants.PROTO_DHCP_CLIENT_SPOOF_MATCH_PRIORITY_DROP); + //Adds rule to check legitimate ip/mac pair for each packet from the vm + for (Neutron_IPs srcAddress : srcAddressList) { + try { + InetAddress address = InetAddress.getByName(srcAddress.getIpAddress()); + if (address instanceof Inet4Address) { + String addressWithPrefix = srcAddress.getIpAddress() + HOST_MASK; + egressAclAllowTrafficFromVmIpMacPair(dpid, localPort, attachedMac, addressWithPrefix, + Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write); + } else if (address instanceof Inet6Address) { + String addressWithPrefix = srcAddress.getIpAddress() + V6_HOST_MASK; + egressAclAllowTrafficFromVmIpV6MacPair(dpid, localPort, attachedMac, addressWithPrefix, + Constants.PROTO_VM_IP_MAC_MATCH_PRIORITY,write); } + } catch (UnknownHostException e) { + LOG.warn("Invalid IP address {}", srcAddress.getIpAddress(), e); } } + } private void programArpRule(Long dpid, String segmentationId, long localPort, String attachedMac, boolean write) { 
@@ -683,16 +681,18 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA * * @param dpidLong the dpid * @param write whether to write or delete the flow + * @param localPort the local port. * @param priority the priority */ private void egressAclDhcpAllowClientTrafficFromVm(Long dpidLong, - boolean write, Integer priority) { - NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); + boolean write, long localPort, Integer priority) { String flowName = "Egress_DHCP_Client" + "_Permit_"; MatchBuilder matchBuilder = new MatchBuilder(); + MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort); MatchUtils.createDhcpMatch(matchBuilder, DHCP_DESTINATION_PORT, DHCP_SOURCE_PORT); FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable()); addPipelineInstruction(flowBuilder, null, false); + NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); syncFlow(flowBuilder ,nodeBuilder, write); } @@ -701,16 +701,18 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA * * @param dpidLong the dpid * @param write whether to write or delete the flow + * @param localPort the local port * @param priority the priority */ private void egressAclDhcpv6AllowClientTrafficFromVm(Long dpidLong, - boolean write, Integer priority) { - NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); + boolean write, long localPort, Integer priority) { String flowName = "Egress_DHCPv6_Client" + "_Permit_"; MatchBuilder matchBuilder = new MatchBuilder(); + MatchUtils.createInPortMatch(matchBuilder, dpidLong, localPort); MatchUtils.createDhcpv6Match(matchBuilder, DHCPV6_DESTINATION_PORT, DHCPV6_SOURCE_PORT); FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowName, priority, matchBuilder, getTable()); addPipelineInstruction(flowBuilder, null, false); + NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); syncFlow(flowBuilder ,nodeBuilder, write); } 
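Review bot: The flow name stays `"Egress_DHCP_Client" + "_Permit_"` although the match is now narrowed to a single `localPort` by `createInPortMatch`, so every port on the same bridge builds a flow with the same name but a different match. If `FlowUtils.createFlowBuilder` derives the flow id from that name (not visible in this hunk), each newly programmed port replaces the previous port's DHCP client permit, and a delete for one port removes the flow the others rely on. Putting the port in the name keeps one flow per port: `String flowName = "Egress_DHCP_Client" + "_" + localPort + "_Permit_";`. The DHCPv6 hunk at -701 has the same issue with `"Egress_DHCPv6_Client"`.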
diff --git a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
index d0d3cf03ef..ce9155ca9c 100644
--- a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
+++ b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
@@ -215,21 +215,17 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres @Override public void programFixedSecurityGroup(Long dpid, String segmentationId, String dhcpMacAddress, - long localPort, boolean isLastPortinSubnet, - boolean isComputePort, String attachMac, boolean write) { - //If this port is the only port in the compute node add the DHCP server rule. - if (isLastPortinSubnet && isComputePort ) { - ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, - write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY); - ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress, - write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY); - } - if (isComputePort) { - if (securityServicesManager.isConntrackEnabled()) { - programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write); - } - programArpRule(dpid, segmentationId, localPort, attachMac, write); + long localPort, String attachMac, boolean write) { + + ingressAclDhcpAllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac, + write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY); + ingressAclDhcpv6AllowServerTraffic(dpid, segmentationId,dhcpMacAddress, attachMac, + write,Constants.PROTO_DHCP_SERVER_MATCH_PRIORITY); + + if (securityServicesManager.isConntrackEnabled()) { + programIngressAclFixedConntrackRule(dpid, segmentationId, attachMac, localPort, write); } + programArpRule(dpid, segmentationId, localPort, attachMac, write); } private void programArpRule(Long dpid, String segmentationId, long localPort, String attachMac, boolean write) { 
@@ -654,18 +650,21 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres * @param dpidLong the dpid * @param segmentationId the segmentation id * @param dhcpMacAddress the DHCP server mac address + * @param attachMac the mac address of the port * @param write is write or delete * @param protoPortMatchPriority the priority */ private void ingressAclDhcpAllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress, - boolean write, Integer protoPortMatchPriority) { + String attachMac, boolean write, Integer protoPortMatchPriority) { - NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); MatchBuilder matchBuilder = new MatchBuilder(); - MatchUtils.createDhcpServerMatch(matchBuilder, dhcpMacAddress, 67, 68).build(); + matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac, + MatchUtils.ETHERTYPE_IPV4); + MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 67, 68); String flowId = "Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_"; FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable()); addPipelineInstruction(flowBuilder, null, false); + NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); syncFlow(flowBuilder ,nodeBuilder, write); } 
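Review bot: `flowId` is still `"Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_"` while the match now also pins the Ethernet destination to `attachMac`, and `programFixedSecurityGroup` no longer limits this rule to the last port in the subnet. Ports that share a segment and DHCP server therefore produce the same id with different matches; assuming the flow id is taken from this string, which the hunk does not show, the most recent port overwrites the rule and removing one port deletes it for the rest. Adding the port MAC to the id avoids that, e.g. `"Ingress_DHCP_Server" + segmentationId + "_" + dhcpMacAddress + "_" + attachMac + "_Permit_"`, and the DHCPv6 hunk at -675 needs the same change. The literals `67, 68` would also read better as named constants, as EgressAclService does with `DHCP_SOURCE_PORT` and `DHCP_DESTINATION_PORT`.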
@@ -675,18 +674,21 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres * @param dpidLong the dpid * @param segmentationId the segmentation id * @param dhcpMacAddress the DHCP server mac address + * @param attachMac the mac address of the port * @param write is write or delete * @param protoPortMatchPriority the priority */ private void ingressAclDhcpv6AllowServerTraffic(Long dpidLong, String segmentationId, String dhcpMacAddress, - boolean write, Integer protoPortMatchPriority) { + String attachMac, boolean write, Integer protoPortMatchPriority) { - NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); MatchBuilder matchBuilder = new MatchBuilder(); - MatchUtils.createDhcpv6ServerMatch(matchBuilder, dhcpMacAddress, 547, 546).build(); + matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,dhcpMacAddress,attachMac, + MatchUtils.ETHERTYPE_IPV6); + MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 547, 546); String flowId = "Ingress_DHCPv6_Server" + segmentationId + "_" + dhcpMacAddress + "_Permit_"; FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, protoPortMatchPriority, matchBuilder, getTable()); addPipelineInstruction(flowBuilder, null, false); + NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); syncFlow(flowBuilder ,nodeBuilder, write); } diff --git a/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclServiceTest.java b/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclServiceTest.java index 48f6717168..3bbd1d84e2 100644 --- a/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclServiceTest.java +++ b/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclServiceTest.java 
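Review bot: The DHCPv6 rule calls `MatchUtils.createV4EtherMatchWithType(...)` with `MatchUtils.ETHERTYPE_IPV6`, and the helper's name says IPv4. Its body is not part of this diff, so it is worth confirming that it sets only the Ethernet source, destination and type and nothing IPv4-specific; otherwise this permit would likely never match and ports with port security enabled would stop receiving DHCPv6 replies. If the helper is in fact ethertype-agnostic, a one-line comment above the call such as `// helper only sets eth src/dst/type; safe for IPv6 despite its name` keeps the next reader from treating it as a copy-paste slip.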
@@ -48,6 +48,7 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.Icmpv6Match;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.TcpMatch;
 import org.opendaylight.yang.gen.v1.urn.opendaylight.model.match.types.rev131026.match.layer._4.match.UdpMatch;
+import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.ovsdb.rev150105.OvsdbTerminationPointAugmentation;
 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
 import org.powermock.api.mockito.PowerMockito;
 import org.powermock.api.support.membermodification.MemberModifier;
@@ -1504,40 +1505,13 @@ public class EgressAclServiceTest { } /** - * Test With isConntrackEnabled false isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLAdd1() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(false); - - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true); - - verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); - verify(writeTransaction, times(2)).submit(); - verify(commitFuture, times(2)).checkedGet(); - } - /** - * Test With isConntrackEnabled false isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLRemove1() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(false); - - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false); - - verify(writeTransaction, times(2)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); - verify(writeTransaction, times(2)).submit(); - verify(commitFuture, times(2)).get(); - } - - /** - * Test With isConntrackEnabled false isComputeNode true + * Test With isConntrackEnabled false */ @Test public void testProgramFixedSecurityACLAdd2() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(false); - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true); + egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true); verify(writeTransaction, times(9)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); verify(writeTransaction, times(9)).submit(); 
@@ -1545,13 +1519,13 @@ public class EgressAclServiceTest { } /** - * Test With isConntrackEnabled false isComputeNode true + * Test With isConntrackEnabled false */ @Test public void testProgramFixedSecurityACLRemove2() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(false); - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false); + egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false); verify(writeTransaction, times(9)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); verify(writeTransaction, times(9)).submit(); 
@@ -1559,41 +1533,13 @@ public class EgressAclServiceTest { } /** - * Test With isConntrackEnabled true isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLAdd3() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(true); - - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, true); - - verify(writeTransaction, times(2)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); - verify(writeTransaction, times(2)).submit(); - verify(commitFuture, times(2)).checkedGet(); - } - - /** - * Test With isConntrackEnabled true isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLRemove3() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(true); - - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, false, false); - - verify(writeTransaction, times(2)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); - verify(writeTransaction, times(2)).submit(); - verify(commitFuture, times(2)).get(); - } - - /** - * Test With isConntrackEnabled true isComputeNode true + * Test With isConntrackEnabled true */ @Test public void testProgramFixedSecurityACLAdd4() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(true); - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, true); + egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, true); verify(writeTransaction, times(14)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); 
@@ -1602,13 +1548,13 @@ public class EgressAclServiceTest { } /** - * Test With isConntrackEnabled true isComputeNode true + * Test With isConntrackEnabled true */ @Test public void testProgramFixedSecurityACLRemove4() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(true); - egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false, true, false); + egressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", MAC_ADDRESS, 1, neutronDestIpList, false); verify(writeTransaction, times(14)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); verify(writeTransaction, times(14)).submit(); diff --git a/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclServiceTest.java b/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclServiceTest.java index 5d2e75d7d0..e5d3b061d1 100644 --- a/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclServiceTest.java +++ b/openstack/net-virt-providers/src/test/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclServiceTest.java 
@@ -1536,108 +1536,56 @@ public class IngressAclServiceTest { } /** - * Test With isConntrackEnabled false isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLAdd1() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(false); - - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true); - - verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); - verify(writeTransaction, times(0)).submit(); - verify(commitFuture, times(0)).get(); - } - /** - * Test With isConntrackEnabled false isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLRemove1() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(false); - - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false); - - verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); - verify(writeTransaction, times(0)).submit(); - verify(commitFuture, times(0)).get(); - } - /** - * Test With isConntrackEnabled false isComputeNode false + * Test With isConntrackEnabled false */ @Test public void testProgramFixedSecurityACLAdd2() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(false); - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true); + ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, true); - verify(writeTransaction, times(1)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); - verify(writeTransaction, times(1)).submit(); - verify(commitFuture, times(1)).checkedGet(); + verify(writeTransaction, times(3)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), 
any(Node.class), eq(true)); + verify(writeTransaction, times(3)).submit(); + verify(commitFuture, times(3)).checkedGet(); } /** - * Test With isConntrackEnabled false isComputeNode false + * Test With isConntrackEnabled false */ @Test public void testProgramFixedSecurityACLRemove2() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(false); - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false); + ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, false); - verify(writeTransaction, times(1)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); - verify(writeTransaction, times(1)).submit(); - verify(commitFuture, times(1)).get(); - } - /** - * Test With isConntrackEnabled true isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLAdd3() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(true); - - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, true); - - verify(writeTransaction, times(0)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); - verify(writeTransaction, times(0)).submit(); - verify(commitFuture, times(0)).get(); - } - /** - * Test With isConntrackEnabled true isComputeNode false - */ - @Test - public void testProgramFixedSecurityACLRemove3() throws Exception { - when(securityServices.isConntrackEnabled()).thenReturn(true); - - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, false, MAC_ADDRESS, false); - - verify(writeTransaction, times(0)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); - verify(writeTransaction, times(0)).submit(); - verify(commitFuture, times(0)).get(); + verify(writeTransaction, times(3)).delete(any(LogicalDatastoreType.class), 
any(InstanceIdentifier.class)); + verify(writeTransaction, times(3)).submit(); + verify(commitFuture, times(3)).get(); } /** - * Test With isConntrackEnabled true isComputeNode true + * Test With isConntrackEnabled true */ @Test public void testProgramFixedSecurityACLAdd4() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(true); - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, true); + ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, true); - verify(writeTransaction, times(6)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); - verify(writeTransaction, times(6)).submit(); - verify(commitFuture, times(6)).checkedGet(); + verify(writeTransaction, times(8)).put(any(LogicalDatastoreType.class), any(InstanceIdentifier.class), any(Node.class), eq(true)); + verify(writeTransaction, times(8)).submit(); + verify(commitFuture, times(8)).checkedGet(); } /** - * Test With isConntrackEnabled true isComputeNode true + * Test With isConntrackEnabled true */ @Test public void testProgramFixedSecurityACLRemove4() throws Exception { when(securityServices.isConntrackEnabled()).thenReturn(true); - ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, false, true, MAC_ADDRESS, false); + ingressAclServiceSpy.programFixedSecurityGroup(Long.valueOf(1554), "2", DHCP_MAC_ADDRESS, 1, MAC_ADDRESS, false); - verify(writeTransaction, times(6)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); - verify(writeTransaction, times(6)).submit(); - verify(commitFuture, times(6)).get(); + verify(writeTransaction, times(8)).delete(any(LogicalDatastoreType.class), any(InstanceIdentifier.class)); + verify(writeTransaction, times(8)).submit(); + verify(commitFuture, times(8)).get(); } } 
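Review bot: The updated tests only re-count datastore writes (`times(3)`, `times(8)`) and never inspect the flow that was written, so nothing checks that the DHCP server permit is actually restricted to `MAC_ADDRESS` as destination. A test that captures the `Node` passed to `put` and asserts the Ethernet destination match, and one that programs two ports and expects two distinct flows, would pin the behaviour this commit introduces. The EgressAclServiceTest hunks have the same gap for the new in-port match on the DHCP client rules.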
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/ConfigActivator.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/ConfigActivator.java index 91e77d7430..7623e8cb7a 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/ConfigActivator.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/ConfigActivator.java @@ -49,6 +49,7 @@ import org.opendaylight.netvirt.openstack.netvirt.impl.ProviderNetworkManagerImp import org.opendaylight.netvirt.openstack.netvirt.impl.SecurityGroupCacheManagerImpl; import org.opendaylight.netvirt.openstack.netvirt.impl.SecurityServicesImpl; import org.opendaylight.netvirt.openstack.netvirt.impl.SouthboundImpl; +import org.opendaylight.netvirt.openstack.netvirt.impl.HostConfigService; import org.opendaylight.netvirt.openstack.netvirt.impl.VlanConfigurationCacheImpl; import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronLoadBalancerCRUD; import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronLoadBalancerPoolCRUD; @@ -218,6 +219,10 @@ public class ConfigActivator implements BundleActivator { registerService(context, new String[]{Southbound.class.getName()}, null, southbound); + HostConfigService hostConfigService = new HostConfigService(providerContext.getSALService(DataBroker.class)); + registerService(context, + new String[]{HostConfigService.class.getName()}, null, hostConfigService); + NodeCacheManagerImpl nodeCacheManager = new NodeCacheManagerImpl(); registerAbstractHandlerService(context, new Class[] {NodeCacheManager.class}, AbstractEvent.HandlerType.NODE, nodeCacheManager); diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/PortSecurityHandler.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/PortSecurityHandler.java index 0d3d8b370a..78e1c4276b 100644 
--- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/PortSecurityHandler.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/PortSecurityHandler.java @@ -154,7 +154,10 @@ public class PortSecurityHandler extends AbstractHandler private void syncSecurityGroup(NeutronSecurityRule securityRule,NeutronPort port, boolean write) { - + if (!port.getPortSecurityEnabled()) { + LOG.info("Port security not enabled port", port); + return; + } if (null != securityRule.getSecurityRemoteGroupID()) { List vmIpList = securityServicesManager .getVmListForSecurityGroup(port.getID(), securityRule.getSecurityRemoteGroupID()); @@ -169,17 +172,17 @@ public class PortSecurityHandler extends AbstractHandler private List getPortWithSecurityGroup(String securityGroupUuid) { List neutronPortList = neutronPortCache.getAllPorts(); - List neutronPortInSG = new ArrayList(); + List neutronPortInSg = new ArrayList(); for (NeutronPort neutronPort:neutronPortList) { List securityGroupList = neutronPort.getSecurityGroups(); for (NeutronSecurityGroup neutronSecurityGroup:securityGroupList) { if (neutronSecurityGroup.getID().equals(securityGroupUuid)) { - neutronPortInSG.add(neutronPort); + neutronPortInSg.add(neutronPort); break; } } } - return neutronPortInSG; + return neutronPortInSg; } @Override diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/EgressAclProvider.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/EgressAclProvider.java index d82f30aa90..1f049b0838 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/EgressAclProvider.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/EgressAclProvider.java 
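Review bot: The message in `LOG.info("Port security not enabled port", port);` (hunk at -154) has no `{}` placeholder, so the port is never written to the log; `LOG.info("Port security not enabled for port {}", port.getID());` would record it. `port.getPortSecurityEnabled()` is negated directly, so if it returns a boxed `Boolean` that may be unset (the type is not visible here) this line throws, and the code should state explicitly whether an unset value means enabled or disabled. As in OF13Provider, the return is taken for `write == false` as well, so rule removal is skipped for a port whose port security was turned off after its rules were installed. `syncSecurityGroup` continues beyond the hunk.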
@@ -55,11 +55,8 @@ public interface EgressAclProvider { * @param attachedMac the attached mac * @param localPort the local port * @param srcAddressList the list of source ip address assigned to vm - * @param isLastPortinBridge is this the last port in the bridge - * @param isComputePort indicates whether this port is a compute port or not * @param write is this flow writing or deleting */ void programFixedSecurityGroup(Long dpid, String segmentationId,String attachedMac, long localPort, - List srcAddressList, boolean isLastPortinBridge, - boolean isComputePort, boolean write); + List srcAddressList, boolean write); } \ No newline at end of file diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/IngressAclProvider.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/IngressAclProvider.java index a4005e0c02..b587a245d1 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/IngressAclProvider.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/IngressAclProvider.java @@ -52,11 +52,9 @@ public interface IngressAclProvider { * @param segmentationId the segmentation id * @param attachedMac the dhcp mac * @param localPort the local port - * @param isLastPortinSubnet is this the last port in the subnet - * @param isComputePort indicates whether this port is a compute port or not * @param attachedMac2 the src mac * @param write is this flow writing or deleting */ void programFixedSecurityGroup(Long dpid, String segmentationId, String attachedMac, long localPort, - boolean isLastPortinSubnet, boolean isComputePort, String attachedMac2, boolean write); + String attachedMac2, boolean write); } \ No newline at end of file 
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java index 09d452ccc6..2418792b28 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/SecurityServicesManager.java @@ -70,7 +70,7 @@ public interface SecurityServicesManager { /** * Is this the last port in the subnet to which interface belongs to. * @param node The node to which the intf is connected. - * @param intf the intf + * @param intf the interface * @return whether last port in the subnet */ boolean isLastPortinSubnet(Node node, OvsdbTerminationPointAugmentation intf); @@ -116,4 +116,11 @@ public interface SecurityServicesManager { * @return whether connection tracking enabled. */ boolean isConntrackEnabled(); + /** + * Is the port a PortSecurity Enabled. + * + * @param intf the port + * @return whether it is a compute port or not + */ + boolean isPortSecurityEnabled(OvsdbTerminationPointAugmentation intf); } \ No newline at end of file diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/HostConfigService.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/HostConfigService.java new file mode 100644 index 0000000000..171abd0a10 --- /dev/null +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/HostConfigService.java 
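Review bot: The Javadoc added for `isPortSecurityEnabled` looks copied from the compute-port method: its `@return` reads "whether it is a compute port or not", and the summary "Is the port a PortSecurity Enabled." is ungrammatical. Suggested wording is `Is port security enabled on the port.` for the summary and `@return whether port security is enabled for the port` for the return tag. The contract should also say what is returned when no Neutron port can be found for `intf`, since callers presumably use the answer to decide whether ACL flows are installed.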
@@ -0,0 +1,137 @@ +/* + * Copyright (c) 2016 Intel Corporation. All rights reserved. + * + * This program and the accompanying materials are made available under the + * terms of the Eclipse Public License v1.0 which accompanies this distribution, + * and is available at http://www.eclipse.org/legal/epl-v10.html + */ + +package org.opendaylight.netvirt.openstack.netvirt.impl; + +import org.opendaylight.controller.md.sal.binding.api.DataBroker; +import org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType; +import org.opendaylight.netvirt.openstack.netvirt.ClusterAwareMdsalUtils; +import org.opendaylight.netvirt.openstack.netvirt.ConfigInterface; +import org.opendaylight.netvirt.openstack.netvirt.api.Action; +import org.opendaylight.netvirt.openstack.netvirt.api.OvsdbInventoryListener; +import org.opendaylight.netvirt.openstack.netvirt.api.OvsdbInventoryService; +import org.opendaylight.netvirt.openstack.netvirt.api.Southbound; +import org.opendaylight.netvirt.openstack.netvirt.api.OvsdbTables; +import org.opendaylight.netvirt.utils.servicehelper.ServiceHelper; +import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.hostconfig.rev150712.hostconfig.attributes.Hostconfigs; +import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.hostconfig.rev150712.hostconfig.attributes.hostconfigs.Hostconfig; +import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron; +import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.ovsdb.rev150105.OvsdbNodeAugmentation; +import org.opendaylight.yang.gen.v1.urn.tbd.params.xml.ns.yang.network.topology.rev131021.network.topology.topology.Node; +import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.hostconfig.rev150712.hostconfig.attributes.hostconfigs.HostconfigBuilder; +import org.opendaylight.yangtools.yang.binding.DataObject; +import org.opendaylight.yangtools.yang.binding.InstanceIdentifier; +import org.osgi.framework.ServiceReference; +import org.slf4j.Logger; 
+import org.slf4j.LoggerFactory; + +import java.util.List; + + +public class HostConfigService implements OvsdbInventoryListener, ConfigInterface { + private static final Logger LOG = LoggerFactory.getLogger(HostConfigService.class); + + private static final String OS_HOST_CONFIG_HOST_ID_KEY = "odl_os_hostconfig_hostid"; + private static final String OS_HOST_CONFIG_HOST_TYPE_KEY = "odl_os_hostconfig_hosttype"; + private static final String OS_HOST_CONFIG_CONFIG_KEY = "odl_os_hostconfig_config"; + + private final DataBroker databroker; + private final ClusterAwareMdsalUtils mdsalUtils; + private volatile OvsdbInventoryService ovsdbInventoryService; + private volatile Southbound southbound; + + public HostConfigService(DataBroker dataBroker) { + this.databroker = dataBroker; + mdsalUtils = new ClusterAwareMdsalUtils(dataBroker); + } + + @Override + public void ovsdbUpdate(Node node, DataObject resourceAugmentationData, OvsdbType ovsdbType, Action action) { + boolean result; + Hostconfig hostConfig; + InstanceIdentifier hostConfigId; + + if (ovsdbType != OvsdbType.NODE) { + return; + } + hostConfig = buildHostConfigInfo(node); + if (hostConfig == null) { + return; + } + LOG.trace("ovsdbUpdate: {} - {} - <<{}>> <<{}>>", ovsdbType, action, node, resourceAugmentationData); + switch (action) { + case ADD: + case UPDATE: + hostConfigId = createInstanceIdentifier(hostConfig); + result = mdsalUtils.put(LogicalDatastoreType.OPERATIONAL, hostConfigId, hostConfig); + LOG.trace("Add Node: result: {}", result); + break; + case DELETE: + hostConfigId = createInstanceIdentifier(hostConfig); + result = mdsalUtils.delete(LogicalDatastoreType.OPERATIONAL, hostConfigId); + LOG.trace("Delete Node: result: {}", result); + break; + } + } + + @Override + public void triggerUpdates() { + List ovsdbNodes = southbound.readOvsdbTopologyNodes(); + for (Node node : ovsdbNodes) { + ovsdbUpdate(node, node.getAugmentation(OvsdbNodeAugmentation.class), + OvsdbInventoryListener.OvsdbType.NODE, 
Action.ADD); + } + } + + private Hostconfig buildHostConfigInfo(Node node) { + HostconfigBuilder hostconfigBuilder = new HostconfigBuilder(); + String value; + + value = southbound.getExternalId(node, OvsdbTables.OPENVSWITCH, OS_HOST_CONFIG_HOST_ID_KEY); + if (value == null){ + return null; + } + hostconfigBuilder.setHostId(value); + value = southbound.getExternalId(node, OvsdbTables.OPENVSWITCH, OS_HOST_CONFIG_HOST_TYPE_KEY); + if (value == null) { + return null; + } + hostconfigBuilder.setHostType(value); + value = southbound.getExternalId(node, OvsdbTables.OPENVSWITCH, OS_HOST_CONFIG_CONFIG_KEY); + if (value == null) { + return null; + } + hostconfigBuilder.setConfig(value); + return hostconfigBuilder.build(); + } + + private InstanceIdentifier createInstanceIdentifier() { + return InstanceIdentifier.create(Neutron.class) + .child(Hostconfigs.class) + .child(Hostconfig.class); + } + + private InstanceIdentifier createInstanceIdentifier(Hostconfig hostconfig) { + return InstanceIdentifier.create(Neutron.class) + .child(Hostconfigs.class) + .child(Hostconfig.class, hostconfig.getKey()); + } + + @Override + public void setDependencies(ServiceReference serviceReference) { + southbound = + (Southbound) ServiceHelper.getGlobalInstance(Southbound.class, this); + ovsdbInventoryService = + (OvsdbInventoryService) ServiceHelper.getGlobalInstance(OvsdbInventoryService.class, this); + ovsdbInventoryService.listenerAdded(this); + } + + @Override + public void setDependencies(Object impl) { + } +} diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java index d9a601338b..13b535448a 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/NeutronL3Adapter.java 
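Review bot: In `ovsdbUpdate` the `DELETE` case is reached only when `buildHostConfigInfo(node)` returns non-null, that is, when all three `odl_os_hostconfig_*` external ids can still be read from the node being removed. If a deleted node no longer carries them (not visible from this file, to be confirmed), the method returns early and the stale `Hostconfig` entry stays in the operational datastore. Consider deriving the delete key from the host id alone and adding a `default:` branch to `switch (action)`. Separately, the three values are copied verbatim from the node's `OvsdbTables.OPENVSWITCH` external ids into the Neutron hostconfig, so a comment or a format check on them would make that trust boundary explicit. The `databroker` field and the no-argument `createInstanceIdentifier()` are never used in this file.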
@@ -428,7 +428,9 @@ public class NeutronL3Adapter extends AbstractHandler implements GatewayMacResol if (action == UPDATE) { // FIXME: Bug 4971 Move cleanup cache to SG Impl this.updatePortInCleanupCache(neutronPort, neutronPort.getOriginalPort()); - this.processSecurityGroupUpdate(neutronPort); + if (neutronPort.getPortSecurityEnabled()) { + this.processSecurityGroupUpdate(neutronPort); + } } if (!this.enabled) { diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java index e853b4843a..fc2486aa91 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/impl/SecurityServicesImpl.java @@ -575,6 +575,21 @@ public class SecurityServicesImpl implements ConfigInterface, SecurityServicesMa return null; } + @Override + public boolean isPortSecurityEnabled(OvsdbTerminationPointAugmentation intf) { + NeutronPort neutronPort = getNeutronPortFromCache(intf); + if (null == neutronPort) { + LOG.error("Neutron Port is null: " + intf); + return false; + } + if (neutronPort.getPortSecurityEnabled()) { + LOG.info("Port Security is enabled for Port: " + neutronPort); + return true; + } + LOG.info("Port Security is not enabled for Port: " + neutronPort); + return false; + } + @Override public void setDependencies(ServiceReference serviceReference) { neutronL3Adapter = diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/NeutronPort.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/NeutronPort.java index 903c388d27..a7b4a6196f 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/NeutronPort.java 
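Review bot: The new guard `if (neutronPort.getPortSecurityEnabled())` looks only at the updated port, so an UPDATE that flips `port_security_enabled` is not handled as a change in its own right. When the flag goes from true to false, `processSecurityGroupUpdate` is skipped and nothing in this hunk removes rules already programmed for the port; whether another handler does so is not visible here. Comparing against `neutronPort.getOriginalPort()` and handling the transition explicitly, or adding a comment that names the code responsible, would close the gap. The enclosing method starts and ends outside the hunk.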
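Review bot: `isPortSecurityEnabled` returns `false` when `getNeutronPortFromCache(intf)` finds nothing, which reports port security as disabled for an unknown port, while `NeutronPort.getPortSecurityEnabled()` in this same commit treats an unset value as enabled. If callers skip ACL programming on `false` (they are outside this hunk), a cache miss would leave the port unfiltered. Returning `true` in the null branch, or documenting why `false` is safe there, would make the failure mode deliberate. The two `LOG.info` calls also run on every query and build their message by concatenation; `LOG.debug("Port security is enabled for port {}", neutronPort);` would be quieter and cheaper.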
+++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/NeutronPort.java @@ -83,6 +83,11 @@ public class NeutronPort implements Serializable, INeutronObject { @XmlElement (name = "extra_dhcp_opts") List extraDHCPOptions; + //Port security is enabled by default for backward compatibility. + @XmlElement (defaultValue = "true", name = "port_security_enabled") + Boolean portSecurityEnabled; + + NeutronPort originalPort; public NeutronPort() { @@ -233,6 +238,18 @@ public class NeutronPort implements Serializable, INeutronObject { this.bindingvifType = bindingvifType; } + public Boolean getPortSecurityEnabled() { + if (portSecurityEnabled == null) { + return true; + } + return portSecurityEnabled; + } + + public void setPortSecurityEnabled(Boolean newValue) { + portSecurityEnabled = newValue; + } + + public NeutronPort getOriginalPort() { return originalPort; } @@ -288,12 +305,16 @@ public class NeutronPort implements Serializable, INeutronObject { if ("security_groups".equals(field)) { ans.setSecurityGroups(new ArrayList<>(this.getSecurityGroups())); } + if ("port_security_enabled".equals(field)) { + ans.setPortSecurityEnabled(this.getPortSecurityEnabled()); + } } return ans; } public void initDefaults() { adminStateUp = true; + portSecurityEnabled = true; if (status == null) { status = "ACTIVE"; } @@ -309,6 +330,6 @@ public class NeutronPort implements Serializable, INeutronObject { + ", fixedIPs=" + fixedIPs + ", deviceID=" + deviceID + ", deviceOwner=" + deviceOwner + ", tenantID=" + tenantID + ", securityGroups=" + securityGroups + ", bindinghostID=" + bindinghostID + ", bindingvnicType=" + bindingvnicType - + ", bindingvnicType=" + bindingvnicType + "]"; + + ", bindingvnicType=" + bindingvnicType + ", portSecurityEnabled=" + portSecurityEnabled +"]"; } } 
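Review bot: `initDefaults()` now assigns `portSecurityEnabled = true` unconditionally, so calling it on a port that was unmarshalled with `port_security_enabled` set to false turns the flag back on without any trace. The neighbouring `status` default is guarded by a null check and the new getter already maps null to true, so the same guard fits here: `if (portSecurityEnabled == null) { portSecurityEnabled = true; }`. Whether `initDefaults()` runs after the field has been populated is not visible in this hunk. In the last hunk of this file, the `toString()` output prints `bindingvnicType` twice, so `bindingvifType` is probably the value that is missing.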
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/crud/impl/NeutronPortInterface.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/crud/impl/NeutronPortInterface.java index 8814fb3973..e2dbab6d22 100644 --- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/crud/impl/NeutronPortInterface.java +++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/translator/crud/impl/NeutronPortInterface.java @@ -38,6 +38,8 @@ import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.por import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.Ports; import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.Port; import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.ports.rev150712.ports.attributes.ports.PortBuilder; +import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtension; +import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.portsecurity.rev150712.PortSecurityExtensionBuilder; import org.opendaylight.yang.gen.v1.urn.opendaylight.neutron.rev150712.Neutron; import org.opendaylight.yangtools.yang.binding.InstanceIdentifier; import org.osgi.framework.BundleContext; @@ -151,6 +153,13 @@ public class NeutronPortInterface extends AbstractNeutronInterface listAllowedAddressPairs = new ArrayList<>(); diff --git a/resources/commons/NetvirtSfc.v2.json.postman_collection b/resources/commons/NetvirtSfc.v2.json.postman_collection index 924754a30d..25b967ab7e 100644 --- a/resources/commons/NetvirtSfc.v2.json.postman_collection +++ b/resources/commons/NetvirtSfc.v2.json.postman_collection 
@@ -338,7 +338,7 @@ "version": 2, "preRequestScript": "", "tests": "", - "rawModeData": "{\n \"netvirt-providers-config\": {\n \"table-offset\": 10\n }\n}" + "rawModeData": "{\n \"netvirt-providers-config\": {\n \"table-offset\": 1\n }\n}" }, { "id": "a1bd4157-09e1-d6a8-2ee7-8c503747511c", @@ -446,4 +446,4 @@ "rawModeData": "{\n \"service-function-paths\": {\n \"service-function-path\": [\n {\n \"name\": \"SFC-Path\",\n \"symmetric\": false,\n \"service-chain-name\": \"SFC\",\n \"starting-index\": 255\n }\n ]\n }\n}" } ] -} \ No newline at end of file +}