2 * Copyright (C) 2014 Red Hat, Inc.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 * Authors : Madhu Venugopal
10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
12 import java.math.BigInteger;
13 import java.util.List;
15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
19 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
21 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
22 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
26 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
35 import org.slf4j.Logger;
36 import org.slf4j.LoggerFactory;
38 import com.google.common.collect.Lists;
40 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider {
42 static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
44 public IngressAclService() {
45 super(Service.INGRESS_ACL);
48 public IngressAclService(Service service) {
53 public void programPortSecurityACL(Long dpid, String segmentationId, String attachedMac,
54 long localPort, NeutronSecurityGroup securityGroup) {
56 logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
57 List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
58 /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
59 for (NeutronSecurityRule portSecurityRule : portSecurityList) {
61 * Neutron Port Security ACL "ingress" and "IPv4"
63 * Check that the base conditions for flow based Port Security are true:
64 * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
65 * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
66 * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
69 if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
70 portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
71 logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
73 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
75 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
76 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
77 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
78 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
79 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
80 .equalsIgnoreCase("0.0.0.0/0"))) {
81 logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
82 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
83 portSecurityRule.getSecurityRulePortMax(),
84 portSecurityRule.getSecurityRuleRemoteIpPrefix());
85 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
86 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
88 ingressACLTcpPortWithPrefix(dpid, segmentationId,
89 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
90 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
94 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
96 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
97 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
98 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
99 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
100 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
101 .equalsIgnoreCase("0.0.0.0/0"))) {
102 logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
103 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
104 portSecurityRule.getSecurityRulePortMax(),
105 portSecurityRule.getSecurityRuleRemoteIpPrefix());
106 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
107 Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
109 ingressACLTcpPortWithPrefix(dpid, segmentationId,
110 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
111 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
115 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
117 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
118 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
119 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
120 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
121 logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
122 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
123 portSecurityRule.getSecurityRulePortMax(),
124 portSecurityRule.getSecurityRuleRemoteIpPrefix());
125 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
127 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
128 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
132 * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
134 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
135 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
136 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
137 (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
138 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
139 .equalsIgnoreCase("0.0.0.0/0"))) {
140 logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
141 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
142 portSecurityRule.getSecurityRulePortMax(),
143 portSecurityRule.getSecurityRuleRemoteIpPrefix());
144 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
145 ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
146 portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
150 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
152 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
153 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
154 !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
155 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
156 logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
157 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
158 portSecurityRule.getSecurityRulePortMax(),
159 portSecurityRule.getSecurityRuleRemoteIpPrefix());
160 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
162 ingressACLTcpSyn(dpid, segmentationId,
163 attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
164 Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
168 * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
170 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
171 !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
172 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
173 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
174 logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
175 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
176 portSecurityRule.getSecurityRulePortMax(),
177 portSecurityRule.getSecurityRuleRemoteIpPrefix());
178 ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
179 Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
180 ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
181 portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
185 * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
187 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
188 String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
189 String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
190 ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
191 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
192 .equalsIgnoreCase("0.0.0.0/0"))) {
193 logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
194 portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
195 portSecurityRule.getSecurityRulePortMax(),
196 portSecurityRule.getSecurityRuleRemoteIpPrefix());
197 // No need to drop until UDP/ICMP are implemented
198 // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
199 handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
200 portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
203 logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
208 public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
209 Integer securityRulePortMin, Integer protoPortMatchPriority) {
211 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
212 PortNumber tcpPort = new PortNumber(securityRulePortMin);
213 MatchBuilder matchBuilder = new MatchBuilder();
214 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
215 FlowBuilder flowBuilder = new FlowBuilder();
217 flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
218 Constants.TCP_SYN, segmentationId).build());
220 logger.debug("ingressACLTcpSyn MatchBuilder contains: {}", flowBuilder.getMatch());
221 String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
222 // Add Flow Attributes
223 flowBuilder.setId(new FlowId(flowId));
224 FlowKey key = new FlowKey(new FlowId(flowId));
225 flowBuilder.setStrict(false);
226 flowBuilder.setPriority(protoPortMatchPriority);
227 flowBuilder.setBarrier(true);
228 flowBuilder.setTableId(this.getTable());
229 flowBuilder.setKey(key);
230 flowBuilder.setFlowName(flowId);
231 flowBuilder.setHardTimeout(0);
232 flowBuilder.setIdleTimeout(0);
235 // Instantiate the Builders for the OF Actions and Instructions
236 InstructionBuilder ib = new InstructionBuilder();
237 InstructionsBuilder isb = new InstructionsBuilder();
238 List<Instruction> instructionsList = Lists.newArrayList();
240 ib = this.getMutablePipelineInstructionBuilder();
242 ib.setKey(new InstructionKey(0));
243 instructionsList.add(ib.build());
244 isb.setInstruction(instructionsList);
246 logger.debug("Instructions are: {}", ib.getInstruction());
247 // Add InstructionsBuilder to FlowBuilder
248 flowBuilder.setInstructions(isb.build());
249 writeFlow(flowBuilder, nodeBuilder);
251 removeFlow(flowBuilder, nodeBuilder);
255 public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
256 boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
257 Integer protoPortPrefixMatchPriority) {
259 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
260 PortNumber tcpPort = new PortNumber(securityRulePortMin);
262 MatchBuilder matchBuilder = new MatchBuilder();
263 NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
264 FlowBuilder flowBuilder = new FlowBuilder();
265 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
267 flowBuilder.setMatch(MatchUtils
268 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
269 tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
271 logger.debug(" MatchBuilder contains: {}", flowBuilder.getMatch());
272 String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
273 securityRulePortMin + securityRuleIpPrefix;
274 // Add Flow Attributes
275 flowBuilder.setId(new FlowId(flowId));
276 FlowKey key = new FlowKey(new FlowId(flowId));
277 flowBuilder.setStrict(false);
278 flowBuilder.setPriority(protoPortPrefixMatchPriority);
279 flowBuilder.setBarrier(true);
280 flowBuilder.setTableId(this.getTable());
281 flowBuilder.setKey(key);
282 flowBuilder.setFlowName(flowId);
283 flowBuilder.setHardTimeout(0);
284 flowBuilder.setIdleTimeout(0);
287 // Instantiate the Builders for the OF Actions and Instructions
288 InstructionBuilder ib = new InstructionBuilder();
289 InstructionsBuilder isb = new InstructionsBuilder();
291 List<Instruction> instructionsList = Lists.newArrayList();
292 ib = this.getMutablePipelineInstructionBuilder();
294 ib.setKey(new InstructionKey(0));
295 instructionsList.add(ib.build());
296 isb.setInstruction(instructionsList);
298 logger.debug("Instructions contain: {}", ib.getInstruction());
299 // Add InstructionsBuilder to FlowBuilder
300 flowBuilder.setInstructions(isb.build());
301 writeFlow(flowBuilder, nodeBuilder);
303 removeFlow(flowBuilder, nodeBuilder);
307 public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
308 String securityRuleProtcol, Integer protoMatchPriority) {
310 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
312 MatchBuilder matchBuilder = new MatchBuilder();
313 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
314 FlowBuilder flowBuilder = new FlowBuilder();
316 flowBuilder.setMatch(MatchUtils
317 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
318 flowBuilder.setMatch(MatchUtils
319 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
320 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
322 String flowId = "UcastOut_" + segmentationId + "_" +
323 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
324 // Add Flow Attributes
325 flowBuilder.setId(new FlowId(flowId));
326 FlowKey key = new FlowKey(new FlowId(flowId));
327 flowBuilder.setStrict(false);
328 flowBuilder.setPriority(protoMatchPriority);
329 flowBuilder.setBarrier(true);
330 flowBuilder.setTableId(this.getTable());
331 flowBuilder.setKey(key);
332 flowBuilder.setFlowName(flowId);
333 flowBuilder.setHardTimeout(0);
334 flowBuilder.setIdleTimeout(0);
337 // Instantiate the Builders for the OF Actions and Instructions
338 InstructionBuilder ib = new InstructionBuilder();
339 InstructionsBuilder isb = new InstructionsBuilder();
340 List<Instruction> instructionsList = Lists.newArrayList();
342 ib = this.getMutablePipelineInstructionBuilder();
344 ib.setKey(new InstructionKey(1));
345 instructionsList.add(ib.build());
346 isb.setInstruction(instructionsList);
347 logger.debug("Instructions contain: {}", ib.getInstruction());
349 // Add InstructionsBuilder to FlowBuilder
350 flowBuilder.setInstructions(isb.build());
351 writeFlow(flowBuilder, nodeBuilder);
353 removeFlow(flowBuilder, nodeBuilder);
358 public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
359 int priority, boolean write) {
361 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
362 MatchBuilder matchBuilder = new MatchBuilder();
363 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
364 FlowBuilder flowBuilder = new FlowBuilder();
366 flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
367 attachedMac, Constants.TCP_SYN, segmentationId).build());
369 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
370 String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
371 flowBuilder.setId(new FlowId(flowId));
372 FlowKey key = new FlowKey(new FlowId(flowId));
373 flowBuilder.setStrict(false);
374 flowBuilder.setPriority(priority);
375 flowBuilder.setBarrier(true);
376 flowBuilder.setTableId(this.getTable());
377 flowBuilder.setKey(key);
378 flowBuilder.setFlowName(flowId);
379 flowBuilder.setHardTimeout(0);
380 flowBuilder.setIdleTimeout(0);
383 // Instantiate the Builders for the OF Actions and Instructions
384 InstructionBuilder ib = new InstructionBuilder();
385 InstructionsBuilder isb = new InstructionsBuilder();
387 // Instructions List Stores Individual Instructions
388 List<Instruction> instructions = Lists.newArrayList();
390 // Set the Output Port/Iface
391 InstructionUtils.createDropInstructions(ib);
393 ib.setKey(new InstructionKey(0));
394 instructions.add(ib.build());
396 // Add InstructionBuilder to the Instruction(s)Builder List
397 isb.setInstruction(instructions);
398 logger.debug("Instructions contain: {}", ib.getInstruction());
399 // Add InstructionsBuilder to FlowBuilder
400 flowBuilder.setInstructions(isb.build());
401 writeFlow(flowBuilder, nodeBuilder);
403 removeFlow(flowBuilder, nodeBuilder);
407 public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
408 boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
410 String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
411 Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
412 MatchBuilder matchBuilder = new MatchBuilder();
413 NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
414 FlowBuilder flowBuilder = new FlowBuilder();
416 flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
418 if (securityRuleIpPrefix != null) {
419 flowBuilder.setMatch(MatchUtils
420 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
423 flowBuilder.setMatch(MatchUtils
424 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
428 logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
429 String flowId = "IngressProto_ACL_" + segmentationId + "_" +
430 attachedMac + "_Permit_" + securityRuleIpPrefix;
431 // Add Flow Attributes
432 flowBuilder.setId(new FlowId(flowId));
433 FlowKey key = new FlowKey(new FlowId(flowId));
434 flowBuilder.setStrict(false);
435 flowBuilder.setPriority(protoPortMatchPriority);
436 flowBuilder.setBarrier(true);
437 flowBuilder.setTableId(this.getTable());
438 flowBuilder.setKey(key);
439 flowBuilder.setFlowName(flowId);
440 flowBuilder.setHardTimeout(0);
441 flowBuilder.setIdleTimeout(0);
444 // Instantiate the Builders for the OF Actions and Instructions
445 InstructionBuilder ib = new InstructionBuilder();
446 InstructionsBuilder isb = new InstructionsBuilder();
447 List<Instruction> instructionsList = Lists.newArrayList();
449 ib = this.getMutablePipelineInstructionBuilder();
451 ib.setKey(new InstructionKey(0));
452 instructionsList.add(ib.build());
453 isb.setInstruction(instructionsList);
455 logger.debug("Instructions contain: {}", ib.getInstruction());
456 // Add InstructionsBuilder to FlowBuilder
457 flowBuilder.setInstructions(isb.build());
458 writeFlow(flowBuilder, nodeBuilder);
460 removeFlow(flowBuilder, nodeBuilder);