
Example 6 with Acl

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl in project netvirt by opendaylight.

the class EgressAclServiceImpl method egressAclDhcpAllowClientTraffic.

/**
 * Adds or removes, per IPv4 allowed-address pair, an anti-spoofing-table flow that permits
 * DHCPv4 client traffic sourced from that pair's MAC address.
 *
 * <p>Each flow matches on the DHCP client/server port constants, the lport tag and the Ethernet
 * source address. No IP address from the pair is put into the match list here, so the permit is
 * bound to the MAC and the port only. Pairs that are not IPv4 are skipped.
 *
 * <p>NOTE(review): the argument order passed to {@code buildDhcpMatches} (client port, then
 * server port) suggests source/destination ports - confirm against that helper.
 *
 * @param dpId the datapath id of the switch the flows are programmed on
 * @param allowedAddresses the allowed address pairs of the port; must not be null
 * @param lportTag the lport tag of the port, used both in the match and in the flow name
 * @param addOrRemove whether to add or remove the flow; passed through to {@code syncFlow}
 */
private void egressAclDhcpAllowClientTraffic(BigInteger dpId, List<AllowedAddressPairs> allowedAddresses, int lportTag, int addOrRemove) {
    // Fetched once; the same instruction list is handed to every flow below.
    final List<InstructionInfo> resubmitInstructions = getDispatcherTableResubmitInstructions();
    for (AllowedAddressPairs addressPair : allowedAddresses) {
        if (AclServiceUtils.isIPv4Address(addressPair)) {
            List<MatchInfoBase> dhcpMatches = new ArrayList<>(AclServiceUtils.buildDhcpMatches(
                    AclConstants.DHCP_CLIENT_PORT_IPV4, AclConstants.DHCP_SERVER_PORT_IPV4, lportTag, serviceMode));
            // Restrict the permit to frames whose Ethernet source is the allowed MAC.
            dhcpMatches.add(new MatchEthernetSource(addressPair.getMacAddress()));
            // The name is the flow's identity for add and remove, so it is kept exactly as is
            // (including the missing separator after "v4" and the trailing underscore).
            String flowName = "Egress_DHCP_Client_v4" + dpId + "_" + lportTag + "_"
                    + addressPair.getMacAddress().getValue() + "_Permit_";
            syncFlow(dpId, getAclAntiSpoofingTable(), flowName,
                    AclConstants.PROTO_DHCP_CLIENT_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
                    AclConstants.COOKIE_ACL_BASE, dhcpMatches, resubmitInstructions, addOrRemove);
        }
    }
}
Also used : InstructionInfo(org.opendaylight.genius.mdsalutil.InstructionInfo) MatchEthernetSource(org.opendaylight.genius.mdsalutil.matches.MatchEthernetSource) ArrayList(java.util.ArrayList) AllowedAddressPairs(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs) MatchInfoBase(org.opendaylight.genius.mdsalutil.MatchInfoBase)

Example 7 with Acl

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl in project netvirt by opendaylight.

the class EgressAclServiceImpl method programL2BroadcastAllowRule.

/**
 * Adds or removes one anti-spoofing-table flow per distinct allowed MAC address of the port,
 * used for the non-IP (L2) broadcast allow rule.
 *
 * <p>The match list built here holds only the Ethernet source address and the lport tag.
 *
 * <p>NOTE(review): no destination-address or ethertype match is visible in this method, so how
 * far the permit is limited to non-IP broadcast frames presumably depends on
 * {@code PROTO_L2BROADCAST_TRAFFIC_MATCH_PRIORITY} relative to the other flows in the table -
 * confirm.
 *
 * @param port the Acl Interface port; its allowed address pairs must not be null
 * @param addOrRemove whether to delete or add flow; passed through to {@code syncFlow}
 */
private void programL2BroadcastAllowRule(AclInterface port, int addOrRemove) {
    final BigInteger dpId = port.getDpId();
    final int lportTag = port.getLPortTag();
    // Collapse to a set so a MAC shared by several address pairs yields a single flow.
    Set<MacAddress> sourceMacs = port.getAllowedAddressPairs().stream()
            .map(AllowedAddressPairs::getMacAddress)
            .collect(Collectors.toSet());
    for (MacAddress sourceMac : sourceMacs) {
        List<MatchInfoBase> flowMatches = new ArrayList<>();
        flowMatches.add(new MatchEthernetSource(sourceMac));
        flowMatches.add(AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode));
        List<InstructionInfo> resubmitInstructions = getDispatcherTableResubmitInstructions();
        // The flow name doubles as the key used when the same rule is later removed.
        String flowName = "Egress_L2Broadcast_" + dpId + "_" + lportTag + "_" + sourceMac.getValue();
        syncFlow(dpId, getAclAntiSpoofingTable(), flowName,
                AclConstants.PROTO_L2BROADCAST_TRAFFIC_MATCH_PRIORITY, "ACL", 0, 0,
                AclConstants.COOKIE_ACL_BASE, flowMatches, resubmitInstructions, addOrRemove);
    }
}
Also used : ServiceModeIngress(org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.ServiceModeIngress) LoggerFactory(org.slf4j.LoggerFactory) MatchInfoBase(org.opendaylight.genius.mdsalutil.MatchInfoBase) AclServiceUtils(org.opendaylight.netvirt.aclservice.utils.AclServiceUtils) ArrayList(java.util.ArrayList) ServiceIndex(org.opendaylight.genius.utils.ServiceIndex) AllowedAddressPairs(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs) MatchEthernetSource(org.opendaylight.genius.mdsalutil.matches.MatchEthernetSource) AclInterfaceCache(org.opendaylight.netvirt.aclservice.api.AclInterfaceCache) MatchEthernetType(org.opendaylight.genius.mdsalutil.matches.MatchEthernetType) BigInteger(java.math.BigInteger) NwConstants(org.opendaylight.genius.mdsalutil.NwConstants) MDSALUtil(org.opendaylight.genius.mdsalutil.MDSALUtil) MacAddress(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.MacAddress) MatchArpSha(org.opendaylight.genius.mdsalutil.matches.MatchArpSha) AclServiceOFFlowBuilder(org.opendaylight.netvirt.aclservice.utils.AclServiceOFFlowBuilder) DirectionBase(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionBase) AclInterface(org.opendaylight.netvirt.aclservice.api.utils.AclInterface) MatchCriteria(org.opendaylight.netvirt.aclservice.api.AclServiceManager.MatchCriteria) BoundServices(org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.servicebinding.rev160406.service.bindings.services.info.BoundServices) Logger(org.slf4j.Logger) AclConstants(org.opendaylight.netvirt.aclservice.utils.AclConstants) AclDataUtil(org.opendaylight.netvirt.aclservice.utils.AclDataUtil) LogicalDatastoreType(org.opendaylight.controller.md.sal.common.api.data.LogicalDatastoreType) JobCoordinator(org.opendaylight.infrautils.jobcoordinator.JobCoordinator) Set(java.util.Set) 
Collectors(java.util.stream.Collectors) WriteTransaction(org.opendaylight.controller.md.sal.binding.api.WriteTransaction) DataBroker(org.opendaylight.controller.md.sal.binding.api.DataBroker) List(java.util.List) InstructionInfo(org.opendaylight.genius.mdsalutil.InstructionInfo) InstanceIdentifier(org.opendaylight.yangtools.yang.binding.InstanceIdentifier) IMdsalApiManager(org.opendaylight.genius.mdsalutil.interfaces.IMdsalApiManager) InstructionGotoTable(org.opendaylight.genius.mdsalutil.instructions.InstructionGotoTable) Action(org.opendaylight.netvirt.aclservice.api.AclServiceManager.Action) IpPrefixOrAddress(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress) Collections(java.util.Collections) Instruction(org.opendaylight.yang.gen.v1.urn.opendaylight.flow.types.rev131026.instruction.list.Instruction) DirectionEgress(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.DirectionEgress) MatchEthernetSource(org.opendaylight.genius.mdsalutil.matches.MatchEthernetSource) ArrayList(java.util.ArrayList) MacAddress(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.MacAddress) InstructionInfo(org.opendaylight.genius.mdsalutil.InstructionInfo) BigInteger(java.math.BigInteger) AllowedAddressPairs(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs) MatchInfoBase(org.opendaylight.genius.mdsalutil.MatchInfoBase)

Example 8 with Acl

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl in project netvirt by opendaylight.

the class IngressAclServiceImpl method programIpv4BroadcastRule.

/**
 * Adds or removes one anti-spoofing-table flow per IPv4 broadcast address derived from the
 * port's subnet prefixes; each flow sends matching traffic to the conntrack classifier table.
 *
 * <p>When the port carries no subnet prefixes (null) nothing is programmed and a warning is
 * logged, so no broadcast permit exists for that port until the prefixes are available.
 *
 * @param port the Acl Interface port
 * @param addOrRemove whether to delete or add flow; passed through to {@code syncFlow}
 */
private void programIpv4BroadcastRule(AclInterface port, int addOrRemove) {
    final BigInteger dpId = port.getDpId();
    final int lportTag = port.getLPortTag();
    final MatchInfoBase lportMatch = AclServiceUtils.buildLPortTagMatch(lportTag, serviceMode);
    final List<IpPrefixOrAddress> subnetCidrs = port.getSubnetIpPrefixes();
    if (subnetCidrs == null) {
        LOG.warn("IP Broadcast CIDRs are missing for port {}", port.getInterfaceId());
        return;
    }
    for (String broadcastIp : AclServiceUtils.getIpBroadcastAddresses(subnetCidrs)) {
        List<MatchInfoBase> flowMatches = AclServiceUtils.buildBroadcastIpV4Matches(broadcastIp);
        // Scope the broadcast permit to this port by appending its lport tag match.
        flowMatches.add(lportMatch);
        List<InstructionInfo> gotoClassifier = new ArrayList<>();
        gotoClassifier.add(new InstructionGotoTable(getAclConntrackClassifierTable()));
        String flowName = "Ingress_v4_Broadcast_" + dpId + "_" + lportTag + "_" + broadcastIp + "_Permit";
        syncFlow(dpId, getAclAntiSpoofingTable(), flowName, AclConstants.PROTO_MATCH_PRIORITY,
                "ACL", 0, 0, AclConstants.COOKIE_ACL_BASE, flowMatches, gotoClassifier, addOrRemove);
    }
}
Also used : InstructionGotoTable(org.opendaylight.genius.mdsalutil.instructions.InstructionGotoTable) InstructionInfo(org.opendaylight.genius.mdsalutil.InstructionInfo) IpPrefixOrAddress(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress) ArrayList(java.util.ArrayList) BigInteger(java.math.BigInteger) MatchInfoBase(org.opendaylight.genius.mdsalutil.MatchInfoBase)

Example 9 with Acl

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl in project netvirt by opendaylight.

the class AclEventListener method updateAclCaches.

/**
 * Brings the remote-ACL bookkeeping in line with an ACL update for one direction.
 *
 * <p>The remote ACL ids referenced before and after the update are compared. Ids that
 * disappeared are removed from {@code aclDataUtil}, new ids are added. If the set changed at
 * all, the remote ACL tags of every supplied interface are recomputed in the interface cache
 * and the ACL-to-interface map is refreshed.
 *
 * @param aclBefore the ACL as it was before the update
 * @param aclAfter the ACL after the update; its name is used as the ACL id
 * @param aclInterfaces the interfaces to refresh; may be null, in which case only the
 *        remote ACL id mappings are updated
 * @param direction the direction whose remote ACL references are evaluated
 */
private void updateAclCaches(Acl aclBefore, Acl aclAfter, Collection<AclInterface> aclInterfaces, Class<? extends DirectionBase> direction) {
    final Uuid aclId = new Uuid(aclAfter.getAclName());
    final Set<Uuid> idsBefore = AclServiceUtils.getRemoteAclIdsByDirection(aclBefore, direction);
    final Set<Uuid> idsAfter = AclServiceUtils.getRemoteAclIdsByDirection(aclAfter, direction);

    // before \ after: remote ACLs this ACL no longer references.
    Set<Uuid> droppedIds = new HashSet<>(idsBefore);
    droppedIds.removeAll(idsAfter);
    for (Uuid dropped : droppedIds) {
        aclDataUtil.removeRemoteAclId(dropped, aclId, direction);
    }

    // after \ before: remote ACLs newly referenced by this ACL.
    Set<Uuid> gainedIds = new HashSet<>(idsAfter);
    gainedIds.removeAll(idsBefore);
    for (Uuid gained : gainedIds) {
        aclDataUtil.addRemoteAclId(gained, aclId, direction);
    }

    final boolean referencesUnchanged = droppedIds.isEmpty() && gainedIds.isEmpty();
    if (referencesUnchanged || aclInterfaces == null) {
        return;
    }

    final boolean egress = DirectionEgress.class.equals(direction);
    for (AclInterface aclInterface : aclInterfaces) {
        AclInterface cached = aclInterfaceCache.addOrUpdate(aclInterface.getInterfaceId(), (prevAclInterface, builder) -> {
            SortedSet<Integer> remoteAclTags = aclServiceUtils.getRemoteAclTags(aclInterface.getSecurityGroups(), direction);
            // Only the tag set of the direction being processed is replaced.
            if (egress) {
                builder.egressRemoteAclTags(remoteAclTags);
            } else {
                builder.ingressRemoteAclTags(remoteAclTags);
            }
        });
        aclDataUtil.addOrUpdateAclInterfaceMap(aclInterface.getSecurityGroups(), cached);
    }
}
Also used : AclInterface(org.opendaylight.netvirt.aclservice.api.utils.AclInterface) Uuid(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid) HashSet(java.util.HashSet)

Example 10 with Acl

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl in project netvirt by opendaylight.

the class AclInterfaceStateListener method add.

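/**
 * Handles an interface-state ADD event and, for ACL-enabled L2vlan interfaces, registers the
 * interface in the ACL caches and asks the ACL service manager to bind and add its ACLs.
 *
 * <p>The event is ignored when the interface is not of type L2vlan, when no matching interface
 * exists in the config datastore, or when that interface carries no {@code InterfaceAcl}
 * augmentation. The ACL service manager is notified only when the cached interface is of
 * interest, has an ELAN id, and this node is the entity owner.
 *
 * <p>NOTE(review): when the ELAN id is still null the method returns after updating the
 * ACL-interface map but before any BIND/ADD notification; presumably another listener programs
 * the ACLs once the ELAN id is set - confirm, since no notification is sent from here.
 *
 * @param key the instance identifier of the interface-state entry
 * @param added the interface-state entry that was added
 */
@Override
protected void add(InstanceIdentifier<Interface> key, Interface added) {
    if (!L2vlan.class.equals(added.getType())) {
        return;
    }
    org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.Interface iface;
    iface = interfaceManager.getInterfaceInfoFromConfigDataStore(added.getName());
    if (iface == null) {
        // The message used to be two concatenated literals with no space between them
        // ("...ADDfor ACL failed"); it is now a single, correctly spaced literal.
        LOG.error("No interface with name {} available in interfaceConfig, servicing interfaceState ADD for ACL failed", added.getName());
        return;
    }
    InterfaceAcl aclInPort = iface.getAugmentation(InterfaceAcl.class);
    if (aclInPort == null) {
        LOG.trace("Interface {} is not an ACL Interface, ignoring ADD interfaceState event", added.getName());
        return;
    }
    // Create or refresh the cache entry with the operational data carried by the event.
    AclInterface aclInterface = aclInterfaceCache.addOrUpdate(added.getName(), (prevAclInterface, builder) -> {
        builder.dpId(AclServiceUtils.getDpIdFromIterfaceState(added)).lPortTag(added.getIfIndex()).isMarkedForDelete(false);
        if (AclServiceUtils.isOfInterest(prevAclInterface)) {
            if (prevAclInterface.getSubnetIpPrefixes() == null) {
                // For upgrades: an entry cached without subnet prefixes gets them looked up now.
                List<IpPrefixOrAddress> subnetIpPrefixes = AclServiceUtils.getSubnetIpPrefixes(dataBroker, added.getName());
                builder.subnetIpPrefixes(subnetIpPrefixes);
            }
            SortedSet<Integer> ingressRemoteAclTags = aclServiceUtils.getRemoteAclTags(aclInPort.getSecurityGroups(), DirectionIngress.class);
            SortedSet<Integer> egressRemoteAclTags = aclServiceUtils.getRemoteAclTags(aclInPort.getSecurityGroups(), DirectionEgress.class);
            builder.ingressRemoteAclTags(ingressRemoteAclTags).egressRemoteAclTags(egressRemoteAclTags);
        }
    });
    if (AclServiceUtils.isOfInterest(aclInterface)) {
        List<Uuid> aclList = aclInterface.getSecurityGroups();
        if (aclList != null) {
            aclDataUtil.addAclInterfaceMap(aclList, aclInterface);
        }
        if (aclInterface.getElanId() == null) {
            LOG.debug("On Add event, skip ADD since ElanId is not updated");
            return;
        }
        // Only the entity owner notifies the ACL service manager.
        if (aclClusterUtil.isEntityOwner()) {
            LOG.debug("On add event, notify ACL service manager to add ACL for interface: {}", aclInterface);
            aclServiceManger.notify(aclInterface, null, Action.BIND);
            if (aclList != null) {
                aclServiceUtils.addAclPortsLookup(aclInterface, aclList, aclInterface.getAllowedAddressPairs());
            }
            aclServiceManger.notify(aclInterface, null, Action.ADD);
        }
    }
}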
Also used : AclInterface(org.opendaylight.netvirt.aclservice.api.utils.AclInterface) L2vlan(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.iana._if.type.rev140508.L2vlan) IpPrefixOrAddress(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress) InterfaceAcl(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.InterfaceAcl) Uuid(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid)

Aggregations

ArrayList (java.util.ArrayList)27 MatchInfoBase (org.opendaylight.genius.mdsalutil.MatchInfoBase)19 AclInterface (org.opendaylight.netvirt.aclservice.api.utils.AclInterface)16 BigInteger (java.math.BigInteger)15 Uuid (org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid)15 InstructionInfo (org.opendaylight.genius.mdsalutil.InstructionInfo)13 AllowedAddressPairs (org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.interfaces._interface.AllowedAddressPairs)13 List (java.util.List)12 IpPrefixOrAddress (org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.aclservice.rev160608.IpPrefixOrAddress)10 HashMap (java.util.HashMap)9 HashSet (java.util.HashSet)9 Ace (org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace)9 Set (java.util.Set)8 Acl (org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.Acl)8 Collections (java.util.Collections)7 DataBroker (org.opendaylight.controller.md.sal.binding.api.DataBroker)7 MDSALUtil (org.opendaylight.genius.mdsalutil.MDSALUtil)7 NwConstants (org.opendaylight.genius.mdsalutil.NwConstants)7 InstructionGotoTable (org.opendaylight.genius.mdsalutil.instructions.InstructionGotoTable)7 MatchEthernetType (org.opendaylight.genius.mdsalutil.matches.MatchEthernetType)7