openstack/net-virt-providers/src/main/java/org/opendaylight/ovsdb/openstack/netvirt/providers/openflow13/services/IngressAclService.java

   1 /*
   2  * Copyright (C) 2014 Red Hat, Inc.
   3  *
   4  * This program and the accompanying materials are made available under the
   5  * terms of the Eclipse Public License v1.0 which accompanies this distribution,
   6  * and is available at http://www.eclipse.org/legal/epl-v10.html
   7  *
   8  * Authors : Madhu Venugopal
   9  */
  10 package org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.services;
  11
  12 import java.math.BigInteger;
  13 import java.util.List;
  14
  15 import org.opendaylight.neutron.spi.NeutronSecurityGroup;
  16 import org.opendaylight.neutron.spi.NeutronSecurityRule;
  17 import org.opendaylight.ovsdb.openstack.netvirt.api.Constants;
  18 import org.opendaylight.ovsdb.openstack.netvirt.api.IngressAclProvider;
  19 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.AbstractServiceInstance;
  20 import org.opendaylight.ovsdb.openstack.netvirt.providers.openflow13.Service;
  21 import org.opendaylight.ovsdb.utils.mdsal.openflow.InstructionUtils;
  22 import org.opendaylight.ovsdb.utils.mdsal.openflow.MatchUtils;
  23 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.Ipv4Prefix;
  24 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev100924.PortNumber;
  25 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev100924.MacAddress;
  26 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.FlowId;
  27 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowBuilder;
  28 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.inventory.rev130819.tables.table.FlowKey;
  29 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.InstructionsBuilder;
  30 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.flow.MatchBuilder;
  31 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction;
  32 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionBuilder;
  33 import org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.InstructionKey;
  34 import org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.nodes.NodeBuilder;
  35 import org.slf4j.Logger;
  36 import org.slf4j.LoggerFactory;
  37
  38 import com.google.common.collect.Lists;
  39
  40 public class IngressAclService extends AbstractServiceInstance implements IngressAclProvider {
  41
  42     static final Logger logger = LoggerFactory.getLogger(IngressAclService.class);
  43
  44     public IngressAclService() {
  45         super(Service.INGRESS_ACL);
  46     }
  47
  48     public IngressAclService(Service service) {
  49         super(service);
  50     }
  51
  52     @Override
  53     public void programPortSecurityACL(Long dpid, String segmentationId, String attachedMac,
  54             long localPort, NeutronSecurityGroup securityGroup) {
  55
  56         logger.trace("programLocalBridgeRulesWithSec neutronSecurityGroup: {} ", securityGroup);
  57         List<NeutronSecurityRule> portSecurityList = securityGroup.getSecurityRules();
  58         /* Iterate over the Port Security Rules in the Port Security Group bound to the port*/
  59         for (NeutronSecurityRule portSecurityRule : portSecurityList) {
  60             /**
  61              * Neutron Port Security ACL "ingress" and "IPv4"
  62              *
  63              * Check that the base conditions for flow based Port Security are true:
  64              * Port Security Rule Direction ("ingress") and Protocol ("IPv4")
  65              * Neutron defines the direction "ingress" as the vSwitch to the VM as defined in:
  66              * http://docs.openstack.org/api/openstack-network/2.0/content/security_groups.html
  67              *
  68              */
  69             if (portSecurityRule.getSecurityRuleEthertype().equalsIgnoreCase("IPv4") &&
  70                     portSecurityRule.getSecurityRuleDirection().equalsIgnoreCase("ingress")) {
  71                 logger.debug("ACL Rule matching IPv4 and ingress is: {} ", portSecurityRule);
  72                 /**
  73                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (True)
  74                  */
  75                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
  76                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
  77                         !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
  78                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
  79                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
  80                                         .equalsIgnoreCase("0.0.0.0/0"))) {
  81                     logger.debug("Rule #1 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
  82                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
  83                             portSecurityRule.getSecurityRulePortMax(),
  84                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
  85                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
  86                             Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
  87                             true);
  88                     ingressACLTcpPortWithPrefix(dpid, segmentationId,
  89                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
  90                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
  91                     continue;
  92                 }
  93                 /**
  94                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (True)
  95                  */
  96                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
  97                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
  98                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
  99                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
 100                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
 101                                         .equalsIgnoreCase("0.0.0.0/0"))) {
 102                     logger.debug("Rule #2 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 103                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 104                             portSecurityRule.getSecurityRulePortMax(),
 105                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 106                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
 107                                              Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY_DROP,
 108                             true);
 109                     ingressACLTcpPortWithPrefix(dpid, segmentationId,
 110                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
 111                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
 112                     continue;
 113                 }
 114                 /**
 115                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
 116                  */
 117                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 118                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 119                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 120                         !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
 121                     logger.debug("Rule #3 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 122                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 123                             portSecurityRule.getSecurityRulePortMax(),
 124                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 125                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PREFIX_MATCH_PRIORITY_DROP,
 126                             true);
 127                     ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
 128                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PROTO_PREFIX_MATCH_PRIORITY);
 129                     continue;
 130                 }
 131                 /**
 132                  * TCP Proto (False), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (True)
 133                  */
 134                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("null") &&
 135                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 136                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 137                         (!String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null") &&
 138                                 !String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
 139                                         .equalsIgnoreCase("0.0.0.0/0"))) {
 140                     logger.debug("Rule #4 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 141                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 142                             portSecurityRule.getSecurityRulePortMax(),
 143                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 144                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PREFIX_MATCH_PRIORITY_DROP, true);
 145                     ingressACLPermitAllProto(dpid, segmentationId, attachedMac, true,
 146                             portSecurityRule.getSecurityRuleRemoteIpPrefix(), Constants.PREFIX_MATCH_PRIORITY);
 147                     continue;
 148                 }
 149                 /**
 150                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (True), IP Prefix (False)
 151                  */
 152                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 153                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 154                         !String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 155                         String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
 156                     logger.debug("Rule #5 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 157                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 158                             portSecurityRule.getSecurityRulePortMax(),
 159                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 160                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, Constants.PROTO_PORT_MATCH_PRIORITY_DROP,
 161                             true);
 162                     ingressACLTcpSyn(dpid, segmentationId,
 163                             attachedMac, true, portSecurityRule.getSecurityRulePortMin(),
 164                             Constants.PREFIX_PORT_MATCH_PRIORITY_DROP);
 165                     continue;
 166                 }
 167                 /**
 168                  * TCP Proto (True), TCP Port Minimum (True), TCP Port Max (False), IP Prefix (False)
 169                  */
 170                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 171                         !String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 172                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 173                         String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) {
 174                     logger.debug("Rule #6 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 175                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 176                             portSecurityRule.getSecurityRulePortMax(),
 177                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 178                     ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac,
 179                                              Constants.PROTO_PORT_MATCH_PRIORITY_DROP, true);
 180                     ingressACLTcpSyn(dpid, segmentationId, attachedMac, true,
 181                             portSecurityRule.getSecurityRulePortMin(), Constants.PROTO_PORT_MATCH_PRIORITY);
 182                     continue;
 183                 }
 184                 /**
 185                  * TCP Proto (True), TCP Port Minimum (False), TCP Port Max (False), IP Prefix (False or 0.0.0.0/0)
 186                  */
 187                 if (String.valueOf(portSecurityRule.getSecurityRuleProtocol()).equalsIgnoreCase("tcp") &&
 188                         String.valueOf(portSecurityRule.getSecurityRulePortMin()).equalsIgnoreCase("null") &&
 189                         String.valueOf(portSecurityRule.getSecurityRulePortMax()).equalsIgnoreCase("null") &&
 190                         ((String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix()).equalsIgnoreCase("null")) ||
 191                                 String.valueOf(portSecurityRule.getSecurityRuleRemoteIpPrefix())
 192                                         .equalsIgnoreCase("0.0.0.0/0"))) {
 193                     logger.debug("Rule #7 ingress PortSec Rule Matches -> TCP Protocol: {}, TCP Port Min: {}, TCP Port Max: {}, IP Prefix: {}",
 194                             portSecurityRule.getSecurityRuleProtocol(), portSecurityRule.getSecurityRulePortMin(),
 195                             portSecurityRule.getSecurityRulePortMax(),
 196                             portSecurityRule.getSecurityRuleRemoteIpPrefix());
 197                     // No need to drop until UDP/ICMP are implemented
 198                     // ingressACLDefaultTcpDrop(dpid, segmentationId, attachedMac, PROTO_MATCH_PRIORITY_DROP, true);
 199                     handleIngressAllowProto(dpid, segmentationId, attachedMac, true,
 200                             portSecurityRule.getSecurityRuleProtocol(), Constants.PROTO_MATCH_PRIORITY);
 201                     continue;
 202                 }
 203                 logger.debug("Ingress ACL Match combination not found for rule: {}", portSecurityRule);
 204             }
 205         }
 206     }
 207
 208     public void ingressACLTcpSyn(Long dpidLong, String segmentationId, String attachedMac, boolean write,
 209             Integer securityRulePortMin, Integer protoPortMatchPriority) {
 210
 211         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 212         PortNumber tcpPort = new PortNumber(securityRulePortMin);
 213         MatchBuilder matchBuilder = new MatchBuilder();
 214         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 215         FlowBuilder flowBuilder = new FlowBuilder();
 216
 217         flowBuilder.setMatch(MatchUtils.createDmacTcpSynMatch(matchBuilder, attachedMac, tcpPort,
 218                                                               Constants.TCP_SYN, segmentationId).build());
 219
 220         logger.debug("ingressACLTcpSyn MatchBuilder contains:  {}", flowBuilder.getMatch());
 221         String flowId = "UcastOut_ACL2_" + segmentationId + "_" + attachedMac + securityRulePortMin;
 222         // Add Flow Attributes
 223         flowBuilder.setId(new FlowId(flowId));
 224         FlowKey key = new FlowKey(new FlowId(flowId));
 225         flowBuilder.setStrict(false);
 226         flowBuilder.setPriority(protoPortMatchPriority);
 227         flowBuilder.setBarrier(true);
 228         flowBuilder.setTableId(this.getTable());
 229         flowBuilder.setKey(key);
 230         flowBuilder.setFlowName(flowId);
 231         flowBuilder.setHardTimeout(0);
 232         flowBuilder.setIdleTimeout(0);
 233
 234         if (write) {
 235             // Instantiate the Builders for the OF Actions and Instructions
 236             InstructionBuilder ib = new InstructionBuilder();
 237             InstructionsBuilder isb = new InstructionsBuilder();
 238             List<Instruction> instructionsList = Lists.newArrayList();
 239
 240             ib = this.getMutablePipelineInstructionBuilder();
 241             ib.setOrder(0);
 242             ib.setKey(new InstructionKey(0));
 243             instructionsList.add(ib.build());
 244             isb.setInstruction(instructionsList);
 245
 246             logger.debug("Instructions are: {}", ib.getInstruction());
 247             // Add InstructionsBuilder to FlowBuilder
 248             flowBuilder.setInstructions(isb.build());
 249             writeFlow(flowBuilder, nodeBuilder);
 250         } else {
 251             removeFlow(flowBuilder, nodeBuilder);
 252         }
 253     }
 254
 255     public void ingressACLTcpPortWithPrefix(Long dpidLong, String segmentationId, String attachedMac,
 256             boolean write, Integer securityRulePortMin, String securityRuleIpPrefix,
 257             Integer protoPortPrefixMatchPriority) {
 258
 259         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 260         PortNumber tcpPort = new PortNumber(securityRulePortMin);
 261
 262         MatchBuilder matchBuilder = new MatchBuilder();
 263         NodeBuilder nodeBuilder = this.createNodeBuilder(nodeName);
 264         FlowBuilder flowBuilder = new FlowBuilder();
 265         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
 266
 267         flowBuilder.setMatch(MatchUtils
 268                 .createDmacTcpSynDstIpPrefixTcpPort(matchBuilder, new MacAddress(attachedMac),
 269                         tcpPort, Constants.TCP_SYN, segmentationId, srcIpPrefix).build());
 270
 271         logger.debug(" MatchBuilder contains:  {}", flowBuilder.getMatch());
 272         String flowId = "UcastOut2_" + segmentationId + "_" + attachedMac +
 273                 securityRulePortMin + securityRuleIpPrefix;
 274         // Add Flow Attributes
 275         flowBuilder.setId(new FlowId(flowId));
 276         FlowKey key = new FlowKey(new FlowId(flowId));
 277         flowBuilder.setStrict(false);
 278         flowBuilder.setPriority(protoPortPrefixMatchPriority);
 279         flowBuilder.setBarrier(true);
 280         flowBuilder.setTableId(this.getTable());
 281         flowBuilder.setKey(key);
 282         flowBuilder.setFlowName(flowId);
 283         flowBuilder.setHardTimeout(0);
 284         flowBuilder.setIdleTimeout(0);
 285
 286         if (write) {
 287             // Instantiate the Builders for the OF Actions and Instructions
 288             InstructionBuilder ib = new InstructionBuilder();
 289             InstructionsBuilder isb = new InstructionsBuilder();
 290
 291             List<Instruction> instructionsList = Lists.newArrayList();
 292             ib = this.getMutablePipelineInstructionBuilder();
 293             ib.setOrder(0);
 294             ib.setKey(new InstructionKey(0));
 295             instructionsList.add(ib.build());
 296             isb.setInstruction(instructionsList);
 297
 298             logger.debug("Instructions contain: {}", ib.getInstruction());
 299             // Add InstructionsBuilder to FlowBuilder
 300             flowBuilder.setInstructions(isb.build());
 301             writeFlow(flowBuilder, nodeBuilder);
 302         } else {
 303             removeFlow(flowBuilder, nodeBuilder);
 304         }
 305     }
 306
 307     public void handleIngressAllowProto(Long dpidLong, String segmentationId, String attachedMac, boolean write,
 308             String securityRuleProtcol, Integer protoMatchPriority) {
 309
 310         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 311
 312         MatchBuilder matchBuilder = new MatchBuilder();
 313         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 314         FlowBuilder flowBuilder = new FlowBuilder();
 315
 316         flowBuilder.setMatch(MatchUtils
 317                 .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null).build());
 318         flowBuilder.setMatch(MatchUtils
 319                 .createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId)).build());
 320         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
 321
 322         String flowId = "UcastOut_" + segmentationId + "_" +
 323                 attachedMac + "_AllowTCPSynPrefix_" + securityRuleProtcol;
 324         // Add Flow Attributes
 325         flowBuilder.setId(new FlowId(flowId));
 326         FlowKey key = new FlowKey(new FlowId(flowId));
 327         flowBuilder.setStrict(false);
 328         flowBuilder.setPriority(protoMatchPriority);
 329         flowBuilder.setBarrier(true);
 330         flowBuilder.setTableId(this.getTable());
 331         flowBuilder.setKey(key);
 332         flowBuilder.setFlowName(flowId);
 333         flowBuilder.setHardTimeout(0);
 334         flowBuilder.setIdleTimeout(0);
 335
 336         if (write) {
 337             // Instantiate the Builders for the OF Actions and Instructions
 338             InstructionBuilder ib = new InstructionBuilder();
 339             InstructionsBuilder isb = new InstructionsBuilder();
 340             List<Instruction> instructionsList = Lists.newArrayList();
 341
 342             ib = this.getMutablePipelineInstructionBuilder();
 343             ib.setOrder(1);
 344             ib.setKey(new InstructionKey(1));
 345             instructionsList.add(ib.build());
 346             isb.setInstruction(instructionsList);
 347             logger.debug("Instructions contain: {}", ib.getInstruction());
 348
 349             // Add InstructionsBuilder to FlowBuilder
 350             flowBuilder.setInstructions(isb.build());
 351             writeFlow(flowBuilder, nodeBuilder);
 352         } else {
 353             removeFlow(flowBuilder, nodeBuilder);
 354         }
 355     }
 356
 357
 358     public void ingressACLDefaultTcpDrop(Long dpidLong, String segmentationId, String attachedMac,
 359             int priority, boolean write) {
 360
 361         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 362         MatchBuilder matchBuilder = new MatchBuilder();
 363         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 364         FlowBuilder flowBuilder = new FlowBuilder();
 365
 366         flowBuilder.setMatch(MatchUtils.createDmacTcpPortWithFlagMatch(matchBuilder,
 367                 attachedMac, Constants.TCP_SYN, segmentationId).build());
 368
 369         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
 370         String flowId = "PortSec_TCP_Syn_Default_Drop_" + segmentationId + "_" + attachedMac;
 371         flowBuilder.setId(new FlowId(flowId));
 372         FlowKey key = new FlowKey(new FlowId(flowId));
 373         flowBuilder.setStrict(false);
 374         flowBuilder.setPriority(priority);
 375         flowBuilder.setBarrier(true);
 376         flowBuilder.setTableId(this.getTable());
 377         flowBuilder.setKey(key);
 378         flowBuilder.setFlowName(flowId);
 379         flowBuilder.setHardTimeout(0);
 380         flowBuilder.setIdleTimeout(0);
 381
 382         if (write) {
 383             // Instantiate the Builders for the OF Actions and Instructions
 384             InstructionBuilder ib = new InstructionBuilder();
 385             InstructionsBuilder isb = new InstructionsBuilder();
 386
 387             // Instructions List Stores Individual Instructions
 388             List<Instruction> instructions = Lists.newArrayList();
 389
 390             // Set the Output Port/Iface
 391             InstructionUtils.createDropInstructions(ib);
 392             ib.setOrder(0);
 393             ib.setKey(new InstructionKey(0));
 394             instructions.add(ib.build());
 395
 396             // Add InstructionBuilder to the Instruction(s)Builder List
 397             isb.setInstruction(instructions);
 398             logger.debug("Instructions contain: {}", ib.getInstruction());
 399             // Add InstructionsBuilder to FlowBuilder
 400             flowBuilder.setInstructions(isb.build());
 401             writeFlow(flowBuilder, nodeBuilder);
 402         } else {
 403             removeFlow(flowBuilder, nodeBuilder);
 404         }
 405     }
 406
 407     public void ingressACLPermitAllProto(Long dpidLong, String segmentationId, String attachedMac,
 408             boolean write, String securityRuleIpPrefix, Integer protoPortMatchPriority) {
 409
 410         String nodeName = Constants.OPENFLOW_NODE_PREFIX + dpidLong;
 411         Ipv4Prefix srcIpPrefix = new Ipv4Prefix(securityRuleIpPrefix);
 412         MatchBuilder matchBuilder = new MatchBuilder();
 413         NodeBuilder nodeBuilder = createNodeBuilder(nodeName);
 414         FlowBuilder flowBuilder = new FlowBuilder();
 415
 416         flowBuilder.setMatch(MatchUtils.createTunnelIDMatch(matchBuilder, new BigInteger(segmentationId))
 417                 .build());
 418         if (securityRuleIpPrefix != null) {
 419             flowBuilder.setMatch(MatchUtils
 420                     .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, srcIpPrefix)
 421                     .build());
 422         } else {
 423             flowBuilder.setMatch(MatchUtils
 424                     .createDmacIpTcpSynMatch(matchBuilder, new MacAddress(attachedMac), null, null)
 425                     .build());
 426         }
 427
 428         logger.debug("MatchBuilder contains: {}", flowBuilder.getMatch());
 429         String flowId = "IngressProto_ACL_" + segmentationId + "_" +
 430                 attachedMac + "_Permit_" + securityRuleIpPrefix;
 431         // Add Flow Attributes
 432         flowBuilder.setId(new FlowId(flowId));
 433         FlowKey key = new FlowKey(new FlowId(flowId));
 434         flowBuilder.setStrict(false);
 435         flowBuilder.setPriority(protoPortMatchPriority);
 436         flowBuilder.setBarrier(true);
 437         flowBuilder.setTableId(this.getTable());
 438         flowBuilder.setKey(key);
 439         flowBuilder.setFlowName(flowId);
 440         flowBuilder.setHardTimeout(0);
 441         flowBuilder.setIdleTimeout(0);
 442
 443         if (write) {
 444             // Instantiate the Builders for the OF Actions and Instructions
 445             InstructionBuilder ib = new InstructionBuilder();
 446             InstructionsBuilder isb = new InstructionsBuilder();
 447             List<Instruction> instructionsList = Lists.newArrayList();
 448
 449             ib = this.getMutablePipelineInstructionBuilder();
 450             ib.setOrder(1);
 451             ib.setKey(new InstructionKey(0));
 452             instructionsList.add(ib.build());
 453             isb.setInstruction(instructionsList);
 454
 455             logger.debug("Instructions contain: {}", ib.getInstruction());
 456             // Add InstructionsBuilder to FlowBuilder
 457             flowBuilder.setInstructions(isb.build());
 458             writeFlow(flowBuilder, nodeBuilder);
 459         } else {
 460             removeFlow(flowBuilder, nodeBuilder);
 461         }
 462     }
 463 }