From: Sam Hague Date: Sat, 23 Jan 2016 21:32:02 +0000 (+0000) Subject: Merge "IPv6 support in Security Groups." X-Git-Tag: release/boron~230 X-Git-Url: https://git.opendaylight.org/gerrit/gitweb?a=commitdiff_plain;h=e3936ff044b409a75777dec9c220725b19faff95;p=ovsdb.git Merge "IPv6 support in Security Groups." --- e3936ff044b409a75777dec9c220725b19faff95 diff --cc openstack/net-virt-providers/src/main/java/org/opendaylight/ovsdb/openstack/netvirt/providers/openflow13/services/IngressAclService.java index beb115f92,c437cea87..a185397ca --- a/openstack/net-virt-providers/src/main/java/org/opendaylight/ovsdb/openstack/netvirt/providers/openflow13/services/IngressAclService.java +++ b/openstack/net-virt-providers/src/main/java/org/opendaylight/ovsdb/openstack/netvirt/providers/openflow13/services/IngressAclService.java @@@ -582,6 -606,307 +606,54 @@@ public class IngressAclService extends syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled()); } + /** + * Creates a ingress icmpv6 match to the dst macaddress. If src address is specified + * source specific match will be created. Otherwise a match with a CIDR will + * be created. + * @param dpidLong the dpid + * @param segmentationId the segmentation id + * @param dstMac the destination mac address. 
+ * @param portSecurityRule the security rule in the SG + * @param srcAddress the destination IP address + * @param write add or delete + * @param protoPortMatchPriority the protocol match priority + */ + private void ingressAclIcmpV6(Long dpidLong, String segmentationId, String dstMac, + NeutronSecurityRule portSecurityRule, String srcAddress, + boolean write, Integer protoPortMatchPriority) { + + MatchBuilder matchBuilder = new MatchBuilder(); + String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_"; + matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,null,dstMac); + + /* Custom ICMP Match */ + if (portSecurityRule.getSecurityRulePortMin() != null && + portSecurityRule.getSecurityRulePortMax() != null) { + flowId = flowId + portSecurityRule.getSecurityRulePortMin().shortValue() + "_" + + portSecurityRule.getSecurityRulePortMax().shortValue() + "_"; + matchBuilder = MatchUtils.createICMPv6Match(matchBuilder, + portSecurityRule.getSecurityRulePortMin().shortValue(), + portSecurityRule.getSecurityRulePortMax().shortValue()); + } else { + /* All ICMP Match */ + flowId = flowId + "all" + "_"; + matchBuilder = MatchUtils.createICMPv6Match(matchBuilder,MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP); + } + if (null != srcAddress) { + flowId = flowId + srcAddress; + matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, + MatchUtils.iPv6PrefixFromIPv6Address(srcAddress), null); + } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) { + flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix(); + matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, + new Ipv6Prefix(portSecurityRule + .getSecurityRuleRemoteIpPrefix()),null); + } + NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong); + flowId = flowId + "_Permit"; + syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false); + } + - - public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, 
boolean write, - Integer securityRulePortMin, Integer protoPortMatchPriority) { - - String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong; - PortNumber tcpPort = new PortNumber(securityRulePortMin); - MatchBuilder matchBuilder = new MatchBuilder(); - NodeBuilder nodeBuilder = createNodeBuilder(nodeName); - FlowBuilder flowBuilder = new FlowBuilder(); - - flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort, - Constants.TCP_SYN, segmentationId).build()); - - LOG.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch()); - String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin; - // Add Flow Attributes - flowBuilder.setId(new FlowId(flowId)); - FlowKey key = new FlowKey(new FlowId(flowId)); - flowBuilder.setStrict(false); - flowBuilder.setPriority(protoPortMatchPriority); - flowBuilder.setBarrier(true); - flowBuilder.setTableId(this.getTable()); - flowBuilder.setKey(key); - flowBuilder.setFlowName(flowId); - flowBuilder.setHardTimeout(0); - flowBuilder.setIdleTimeout(0); - - if (write) { - // Instantiate the Builders for the OF Actions and Instructions - InstructionsBuilder isb = new InstructionsBuilder(); - List instructionsList = Lists.newArrayList(); - - InstructionBuilder ib = this.getMutablePipelineInstructionBuilder(); - ib.setOrder(0); - ib.setKey(new InstructionKey(0)); - instructionsList.add(ib.build()); - isb.setInstruction(instructionsList); - - LOG.debug("Instructions are: {}", ib.getInstruction()); - // Add InstructionsBuilder to FlowBuilder - flowBuilder.setInstructions(isb.build()); - writeFlow(flowBuilder, nodeBuilder); - } else { - removeFlow(flowBuilder, nodeBuilder); - } - } - - public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac, - boolean write, Integer securityRulePortMin, String securityRuleIpPrefix, - Integer protoPortPrefixMatchPriority) { - - String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong; 
- PortNumber tcpPort = new PortNumber(securityRulePortMin); - - MatchBuilder matchBuilder = new MatchBuilder(); - NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName); - FlowBuilder flowBuilder = new FlowBuilder(); - Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix); - - flowBuilder.setMatch(MatchUtils - .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac), - tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build()); - - LOG.debug(" MatchBuilder contains: {}", flowBuilder.getMatch()); - String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac + - securityRulePortMin + securityRuleIpPrefix; - // Add Flow Attributes - flowBuilder.setId(new FlowId(flowId)); - FlowKey key = new FlowKey(new FlowId(flowId)); - flowBuilder.setStrict(false); - flowBuilder.setPriority(protoPortPrefixMatchPriority); - flowBuilder.setBarrier(true); - flowBuilder.setTableId(this.getTable()); - flowBuilder.setKey(key); - flowBuilder.setFlowName(flowId); - flowBuilder.setHardTimeout(0); - flowBuilder.setIdleTimeout(0); - - if (write) { - // Instantiate the Builders for the OF Actions and Instructions - InstructionsBuilder isb = new InstructionsBuilder(); - - List instructionsList = Lists.newArrayList(); - InstructionBuilder ib = this.getMutablePipelineInstructionBuilder(); - ib.setOrder(0); - ib.setKey(new InstructionKey(0)); - instructionsList.add(ib.build()); - isb.setInstruction(instructionsList); - - LOG.debug("Instructions contain: {}", ib.getInstruction()); - // Add InstructionsBuilder to FlowBuilder - flowBuilder.setInstructions(isb.build()); - writeFlow(flowBuilder, nodeBuilder); - } else { - removeFlow(flowBuilder, nodeBuilder); - } - } - - public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write, - String securityRuleProtcol, Integer protoMatchPriority) { - - String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong; - - MatchBuilder matchBuilder = new MatchBuilder(); - 
NodeBuilder nodeBuilder = createNodeBuilder(nodeName); - FlowBuilder flowBuilder = new FlowBuilder(); - - flowBuilder.setMatch(MatchUtils - .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build()); - flowBuilder.setMatch(MatchUtils - .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build()); - LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch()); - - String flowId = "UcastOut_" + segmentationId + "_" + - attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol; - // Add Flow Attributes - flowBuilder.setId(new FlowId(flowId)); - FlowKey key = new FlowKey(new FlowId(flowId)); - flowBuilder.setStrict(false); - flowBuilder.setPriority(protoMatchPriority); - flowBuilder.setBarrier(true); - flowBuilder.setTableId(this.getTable()); - flowBuilder.setKey(key); - flowBuilder.setFlowName(flowId); - flowBuilder.setHardTimeout(0); - flowBuilder.setIdleTimeout(0); - - if (write) { - // Instantiate the Builders for the OF Actions and Instructions - InstructionsBuilder isb = new InstructionsBuilder(); - List instructionsList = Lists.newArrayList(); - - InstructionBuilder ib = this.getMutablePipelineInstructionBuilder(); - ib.setOrder(1); - ib.setKey(new InstructionKey(1)); - instructionsList.add(ib.build()); - isb.setInstruction(instructionsList); - LOG.debug("Instructions contain: {}", ib.getInstruction()); - - // Add InstructionsBuilder to FlowBuilder - flowBuilder.setInstructions(isb.build()); - writeFlow(flowBuilder, nodeBuilder); - } else { - removeFlow(flowBuilder, nodeBuilder); - } - } - - - public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac, - int priority, boolean write) { - - String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong; - MatchBuilder matchBuilder = new MatchBuilder(); - NodeBuilder nodeBuilder = createNodeBuilder(nodeName); - FlowBuilder flowBuilder = new FlowBuilder(); - - flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder, - 
attachedMac, Constants.TCP_SYN, segmentationId).build()); - - LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch()); - String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac; - flowBuilder.setId(new FlowId(flowId)); - FlowKey key = new FlowKey(new FlowId(flowId)); - flowBuilder.setStrict(false); - flowBuilder.setPriority(priority); - flowBuilder.setBarrier(true); - flowBuilder.setTableId(this.getTable()); - flowBuilder.setKey(key); - flowBuilder.setFlowName(flowId); - flowBuilder.setHardTimeout(0); - flowBuilder.setIdleTimeout(0); - - if (write) { - // Instantiate the Builders for the OF Actions and Instructions - InstructionBuilder ib = new InstructionBuilder(); - InstructionsBuilder isb = new InstructionsBuilder(); - - // Instructions List Stores Individual Instructions - List instructions = Lists.newArrayList(); - - // Set the Output Port/Iface - InstructionUtils.createDropInstructions(ib); - ib.setOrder(0); - ib.setKey(new InstructionKey(0)); - instructions.add(ib.build()); - - // Add InstructionBuilder to the Instruction(s)Builder List - isb.setInstruction(instructions); - LOG.debug("Instructions contain: {}", ib.getInstruction()); - // Add InstructionsBuilder to FlowBuilder - flowBuilder.setInstructions(isb.build()); - writeFlow(flowBuilder, nodeBuilder); - } else { - removeFlow(flowBuilder, nodeBuilder); - } - } - - public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac, - boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) { - String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong; - Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix); - MatchBuilder matchBuilder = new MatchBuilder(); - NodeBuilder nodeBuilder = createNodeBuilder(nodeName); - FlowBuilder flowBuilder = new FlowBuilder(); - - flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)) - .build()); - if (securityRuleIpPrefix != null) { - 
flowBuilder.setMatch(MatchUtils - .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix) - .build()); - } else { - flowBuilder.setMatch(MatchUtils - .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null) - .build()); - } - - LOG.debug("MatchBuilder contains: {}", flowBuilder.getMatch()); - String flowId = "IngressProto_ACL_" + segmentationId + "_" + - attachedMac + "_Permit_" + securityRuleIpPrefix; - // Add Flow Attributes - flowBuilder.setId(new FlowId(flowId)); - FlowKey key = new FlowKey(new FlowId(flowId)); - flowBuilder.setStrict(false); - flowBuilder.setPriority(protoPortMatchPriority); - flowBuilder.setBarrier(true); - flowBuilder.setTableId(this.getTable()); - flowBuilder.setKey(key); - flowBuilder.setFlowName(flowId); - flowBuilder.setHardTimeout(0); - flowBuilder.setIdleTimeout(0); - - if (write) { - // Instantiate the Builders for the OF Actions and Instructions - InstructionBuilder ib = new InstructionBuilder(); - InstructionsBuilder isb = new InstructionsBuilder(); - List instructionsList = Lists.newArrayList(); - - ib = this.getMutablePipelineInstructionBuilder(); - ib.setOrder(1); - ib.setKey(new InstructionKey(0)); - instructionsList.add(ib.build()); - isb.setInstruction(instructionsList); - - LOG.debug("Instructions contain: {}", ib.getInstruction()); - // Add InstructionsBuilder to FlowBuilder - flowBuilder.setInstructions(isb.build()); - writeFlow(flowBuilder, nodeBuilder); - } else { - removeFlow(flowBuilder, nodeBuilder); - } - } - /** * Add rule to ensure only DHCP server traffic from the specified mac is allowed. *
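Review bot: The new ingressAclIcmpV6 installs its permit with `syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, false)`, while the context line at the top of the hunk passes `securityServicesManager.isConntrackEnabled()` in the same position; if that flag is what makes a permit conntrack-aware, as the sibling call suggests, ICMPv6 permits are installed stateless even when conntrack is enabled, and the call should read `syncFlow(flowId, nodeBuilder, matchBuilder, protoPortMatchPriority, write, false, securityServicesManager.isConntrackEnabled());`. The flow id prefix `"Ingress_ICMP_"` is also presumably shared with the IPv4 ICMP helper (not visible in this hunk); when neither srcAddress nor a remote prefix is set both would yield `Ingress_ICMP_<seg>_<mac>_all__Permit`, so writing or deleting one rule would replace or remove the other, and `"Ingress_ICMPv6_"` keeps the keys distinct. In the Javadoc, `@param srcAddress the destination IP address` should read `@param srcAddress the source (remote) IPv6 address, or null to use the rule's remote prefix`, and "Creates a ingress" should be "Creates an ingress".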