From ea6d27ab8d2b8217e5ef2f0524fc0582ab3ae6c6 Mon Sep 17 00:00:00 2001
From: VinothB
Date: Tue, 8 Nov 2016 01:00:40 +0530
Subject: [PATCH] Bug-7128: Added learn support for other protocols rule (ANY)

This patch supports user option to create a security rule for other protocol and no protocol number (ANY). It treats such a rule as TCP(ALL)+ICMP(ALL)+UDP(ALL)+other.

Change-Id: I542d149ce8375ecad6727732a2eb063a8bc1db57
Signed-off-by: VinothB
---
 .../openflow13/services/EgressAclService.java | 47 ++++++++++++++++---
 .../services/IngressAclService.java | 44 ++++++++++++++---
 .../openstack/netvirt/api/Constants.java | 2 +-
 3 files changed, 80 insertions(+), 13 deletions(-)

diff --git a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java
index fb8b2999d4..c8dc66291e 100644
--- a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java
+++ b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/EgressAclService.java
@@ -28,6 +28,7 @@ import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.Service;
 import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityGroup;
 import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityRule;
 import org.opendaylight.netvirt.openstack.netvirt.translator.Neutron_IPs;
+import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityGroupCRUD;
 import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityRuleCRUD;
 import org.opendaylight.netvirt.utils.mdsal.openflow.ActionUtils;
 import org.opendaylight.netvirt.utils.mdsal.openflow.FlowUtils;
@@ -165,11 +166,33 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
 return;
 }
 }
- if (null == portSecurityRule.getSecurityRuleProtocol()) {
+ INeutronSecurityGroupCRUD groupCRUD =
+ (INeutronSecurityGroupCRUD) ServiceHelper.getGlobalInstance(INeutronSecurityGroupCRUD.class, this);
+ NeutronSecurityGroup securityGrp = groupCRUD.getNeutronSecurityGroup(portSecurityRule.getSecurityRuleGroupID());
+ if (null == portSecurityRule.getSecurityRuleProtocol() && securityGrp.getSecurityGroupName().equals("default")) {
 /* TODO Rework on the priority values */
 egressAclIp(dpid, isIpv6, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ write, Constants.PROTO_PORT_MATCH_PRIORITY - 1);
+ if(!isIpv6) {
+ portSecurityRule.setSecurityRuleProtocol(MatchUtils.TCP);
+ portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
+ portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
+ egressAclTcp(dpid, segmentationId, attachedMac,
+ portSecurityRule,ipaddress, write,
+ Constants.PROTO_PORT_MATCH_PRIORITY);
+ portSecurityRule.setSecurityRuleProtocol(MatchUtils.UDP);
+ egressAclUdp(dpid, segmentationId, attachedMac,
+ portSecurityRule, ipaddress, write,
+ Constants.PROTO_PORT_MATCH_PRIORITY);
+ portSecurityRule.setSecurityRuleProtocol(MatchUtils.ICMP);
+ portSecurityRule.setSecurityRulePortMin(null);
+ portSecurityRule.setSecurityRulePortMax(null);
+ egressAclIcmp(dpid, segmentationId, attachedMac,
+ portSecurityRule, ipaddress,write,
+ Constants.PROTO_PORT_MATCH_PRIORITY);
+ portSecurityRule.setSecurityRuleProtocol(null);
+ }
 } else {
 switch (portSecurityRule.getSecurityRuleProtocol()) {
 case MatchUtils.TCP:
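Review bot: The new condition on the `if` line sends a rule with a null protocol in any group other than `default` into the `else` branch, where `switch (portSecurityRule.getSecurityRuleProtocol())` switches on null and throws NullPointerException, whereas before this change the null-protocol branch caught every such rule; `securityGrp` is likewise dereferenced without a null check, so a miss in `groupCRUD` fails the same way unless code above the hunk already filters these cases. Splitting the test as `if (null == portSecurityRule.getSecurityRuleProtocol()) {` followed by `if (securityGrp != null && "default".equals(securityGrp.getSecurityGroupName())) {` keeps protocol-less rules out of the switch and is null-safe on the group name, and a comment should say why the ANY expansion applies only to the group named default when the commit message describes a user-created rule. The expansion also mutates `portSecurityRule` in place and resets port min/max to null rather than restoring their original values, which any caller or cache sharing this object will observe. The same condition appears in the IngressAclService hunk at @@ -157,10; the enclosing method begins and ends outside this hunk.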
@@ -614,7 +637,7 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
 addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, entry.getValue(), "0");
 syncFlow(flowBuilder ,nodeBuilder, write);
 }
- addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, srcMac, write);
+ addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, srcMac, protoPortMatchPriority - 1, dstAddress, write);
 } else {
 flowId = flowId + "_Permit";
 addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
@@ -629,7 +652,8 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
 }
 }
- private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId, String srcMac, boolean write){
+ private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId, String srcMac,
+ Integer protoPortMatchPriority, String dstAddress, boolean write){
 MatchBuilder matchBuilder = new MatchBuilder();
 InstructionBuilder instructionBuilder = null;
 short learnTableId=getTable(Service.ACL_LEARN_SERVICE);
@@ -638,12 +662,23 @@ public class EgressAclService extends AbstractServiceInstance implements EgressA
 matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4);
 flowId = flowId + "all" + "_" ;
 matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
+ if (null != dstAddress) {
+ flowId = flowId + dstAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null,
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
+ }
+ }
 Icmpv4MatchBuilder icmpv4match = new Icmpv4MatchBuilder();
 matchBuilder.setIcmpv4Match(icmpv4match.build());
 String rangeflowId = flowId;
 addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, Constants.PROTO_PORT_ICMP_MATCH_PRIORITY, matchBuilder, getTable());
- flowBuilder = EgressAclLearnServiceUtil.programEgressAclLearnRuleForIcmpAll(flowBuilder,instructionBuilder, learnTableId, resubmitId);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority, matchBuilder, getTable());
+ addPipelineInstruction(flowBuilder, null, false);
 syncFlow(flowBuilder ,nodeBuilder, write);
 }
diff --git a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
index b4435577d4..3fd3f32b47 100644
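Review bot: `instructionBuilder`, `learnTableId` and `resubmitId` in addIcmpFlow are now dead, because their only consumer, the removed `programEgressAclLearnRuleForIcmpAll` call, is replaced by `addPipelineInstruction(flowBuilder, null, false)`; the three declarations (above this hunk, in the preceding one) should be removed with it. The flow still carries the `TRACKED_NEW_CT_STATE` conntrack match but no longer commits or learns anything, so if the reverse direction depends on an established-state entry, ICMP replies would presumably stop matching — worth confirming, and it sits oddly with the commit title's "learn support". The same dead locals remain in the IngressAclService addIcmpFlow hunk at @@ -706,21. On the remote-prefix test, `endsWith("/0")` would be more precise than `contains("/0")`, since only the prefix length can follow the slash.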
--- a/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
+++ b/openstack/net-virt-providers/src/main/java/org/opendaylight/netvirt/openstack/netvirt/providers/openflow13/services/IngressAclService.java
@@ -27,6 +27,7 @@ import org.opendaylight.netvirt.openstack.netvirt.providers.openflow13.Service;
 import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityGroup;
 import org.opendaylight.netvirt.openstack.netvirt.translator.NeutronSecurityRule;
 import org.opendaylight.netvirt.openstack.netvirt.translator.Neutron_IPs;
+import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityGroupCRUD;
 import org.opendaylight.netvirt.openstack.netvirt.translator.crud.INeutronSecurityRuleCRUD;
 import org.opendaylight.netvirt.utils.mdsal.openflow.ActionUtils;
 import org.opendaylight.netvirt.utils.mdsal.openflow.FlowUtils;
@@ -157,10 +158,29 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
 return;
 }
 }
- if (null == portSecurityRule.getSecurityRuleProtocol()) {
+ INeutronSecurityGroupCRUD groupCRUD =
+ (INeutronSecurityGroupCRUD) ServiceHelper.getGlobalInstance(INeutronSecurityGroupCRUD.class, this);
+ NeutronSecurityGroup securityGrp = groupCRUD.getNeutronSecurityGroup(portSecurityRule.getSecurityRuleGroupID());
+ if (null == portSecurityRule.getSecurityRuleProtocol() && securityGrp.getSecurityGroupName().equals("default")) {
 ingressAclIp(dpid, isIpv6, segmentationId, attachedMac, portSecurityRule, ipaddress,
- write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
+ write, Constants.PROTO_PORT_MATCH_PRIORITY - 1);
+ if(!isIpv6) {
+ portSecurityRule.setSecurityRuleProtocol(MatchUtils.TCP);
+ portSecurityRule.setSecurityRulePortMin(PORT_RANGE_MIN);
+ portSecurityRule.setSecurityRulePortMax(PORT_RANGE_MAX);
+ ingressAclTcp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
+ write, Constants.PROTO_PORT_MATCH_PRIORITY);
+ portSecurityRule.setSecurityRuleProtocol(MatchUtils.UDP);
+ ingressAclUdp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
+ write, Constants.PROTO_PORT_MATCH_PRIORITY);
+ portSecurityRule.setSecurityRuleProtocol(MatchUtils.ICMP);
+ portSecurityRule.setSecurityRulePortMin(null);
+ portSecurityRule.setSecurityRulePortMax(null);
+ ingressAclIcmp(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress,
+ write, Constants.PROTO_PORT_MATCH_PRIORITY);
+ portSecurityRule.setSecurityRuleProtocol(null);
+ }
 } else {
 switch (portSecurityRule.getSecurityRuleProtocol()) {
@@ -691,7 +711,7 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
 addInstructionWithLearnConntrackCommit(portSecurityRule, flowBuilder, entry.getValue(), "0");
 syncFlow(flowBuilder ,nodeBuilder, write);
 }
- addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, dstMac, write);
+ addIcmpFlow(nodeBuilder, portSecurityRule, segmentationId, dstMac, protoPortMatchPriority - 1, srcAddress, write);
 } else {
 flowId = flowId + "_Permit";
 addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
@@ -706,21 +726,33 @@ public class IngressAclService extends AbstractServiceInstance implements Ingres
 }
 }
- private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId, String dstMac, boolean write){
+ private void addIcmpFlow(NodeBuilder nodeBuilder, NeutronSecurityRule portSecurityRule, String segmentationId, String dstMac,
+ Integer protoPortMatchPriority, String srcAddress, boolean write){
 MatchBuilder matchBuilder = new MatchBuilder();
 InstructionBuilder instructionBuilder = null;
 short learnTableId=getTable(Service.ACL_LEARN_SERVICE);
 short resubmitId=getTable(Service.OUTBOUND_NAT);
 String flowId = "Ingress_ICMP_" + segmentationId + "_" + dstMac + "_";
 matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,null,dstMac,MatchUtils.ETHERTYPE_IPV4);
+ if (null != srcAddress) {
+ flowId = flowId + srcAddress;
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null);
+ } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
+ flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
+ if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) {
+ matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,
+ new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
+ }
+ }
 flowId = flowId + "all" + "_";
 matchBuilder = MatchUtils.createICMPv4Match(matchBuilder,MatchUtils.ALL_ICMP, MatchUtils.ALL_ICMP);
 Icmpv4MatchBuilder icmpv4match = new Icmpv4MatchBuilder();
 matchBuilder.setIcmpv4Match(icmpv4match.build());
 String rangeflowId = flowId;
 addConntrackMatch(matchBuilder, MatchUtils.TRACKED_NEW_CT_STATE,MatchUtils.TRACKED_NEW_CT_STATE_MASK);
- FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, Constants.PROTO_PORT_ICMP_MATCH_PRIORITY, matchBuilder, getTable());
- flowBuilder = IngressAclLearnServiceUtil.programIngressAclLearnRuleForIcmpAll(flowBuilder,instructionBuilder, learnTableId, 
resubmitId);
+ FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(rangeflowId, protoPortMatchPriority, matchBuilder, getTable());
+ addPipelineInstruction(flowBuilder, null, false);
 syncFlow(flowBuilder ,nodeBuilder, write);
 }
diff --git a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/Constants.java b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/Constants.java
index 93fd8f2bd0..b29c623c1d 100644
--- a/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/Constants.java
+++ b/openstack/net-virt/src/main/java/org/opendaylight/netvirt/openstack/netvirt/api/Constants.java
@@ -89,7 +89,7 @@ public final class Constants {
 public static final Integer PROTO_PREFIX_MATCH_PRIORITY = 61008;
 public static final Integer PROTO_PORT_MATCH_PRIORITY = 61007;
 public static final Integer PROTO_PORT_PREFIX_MATCH_PRIORITY = 61004;
- public static final Integer PROTO_DHCP_SERVER_MATCH_PRIORITY = 61006;
+ public static final Integer PROTO_DHCP_SERVER_MATCH_PRIORITY = 61008;
 public static final Integer PROTO_PORT_ICMP_MATCH_PRIORITY = 61003;
 public static final Integer PROTO_TCP_SYN_MATCH_PRIORITY_DROP = 61002;
 public static final Integer PROTO_REG6_MATCH_PRIORITY = 61005;
-- 
2.36.6
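Review bot: `PROTO_DHCP_SERVER_MATCH_PRIORITY` is raised to 61008, the same value as `PROTO_PREFIX_MATCH_PRIORITY` three lines above; when two flows in one table match the same packet at equal priority, OpenFlow leaves the choice to the switch, so a DHCP-server flow may or may not win over a prefix flow. The value this constant gives up, 61006, is exactly what the ACL services now compute as `Constants.PROTO_PORT_MATCH_PRIORITY - 1` for the ANY expansion, which suggests the move frees that slot for it; that relationship is invisible here and would be clearer as a named constant for the ANY flow plus a note on this line such as `// 61008 is shared with PROTO_PREFIX_MATCH_PRIORITY; confirm the two matches never overlap in one table`. Neither the commit message nor the existing "TODO Rework on the priority values" comment explains the change.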