
Example 6 with Ace

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace in project netvirt by opendaylight.

the class ConfigurationClassifierImpl method getEntriesForSfpRedirect.

/**
 * Computes the classifier entries that redirect traffic of one ACE into the rendered
 * service paths (RSPs) of a service function path (SFP).
 *
 * <p>The source port is classified into the forward RSP with the matches as given; the
 * destination port is classified into the reverse RSP with the matches inverted. Any
 * condition that prevents this (no ports, equal ports, RSPs missing or more than two)
 * is logged and yields an empty set, so the ACE steers no traffic in that case.
 *
 * @param ruleName name of the ACE, used for logging and handed to {@code buildEntries}
 * @param srcPort source port to classify on, may be {@code null}
 * @param dstPort destination port to classify on, may be {@code null}
 * @param sfpName name of the service function path to redirect to
 * @param matches match criteria of the ACE
 * @return the entries to render; empty when the ACE is ignored
 */
private Set<ClassifierRenderableEntry> getEntriesForSfpRedirect(String ruleName, String srcPort, String dstPort, String sfpName, Matches matches) {
    final boolean hasSource = srcPort != null;
    final boolean hasDestination = dstPort != null;

    if (!hasSource && !hasDestination) {
        LOG.warn("Ace {} ignored: no source or destination port to match against", ruleName);
        return Collections.emptySet();
    }
    if (Objects.equals(srcPort, dstPort)) {
        LOG.warn("Ace {} ignored: equal source and destination port not supported", ruleName);
        return Collections.emptySet();
    }

    // Resolve every RSP currently known for the SFP, dropping those that cannot be read.
    List<RenderedServicePath> rsps = sfcProvider.readServicePathState(sfpName)
            .orElse(Collections.emptyList())
            .stream()
            .map(sfcProvider::getRenderedServicePath)
            .filter(Optional::isPresent)
            .map(Optional::get)
            .collect(Collectors.toList());

    // No RSP resolved (yet): nothing to render now. It will be handled on a later listener event.
    if (rsps.isEmpty()) {
        LOG.debug("Ace {} ignored: no RSPs for SFP {} yet available", ruleName, sfpName);
        return Collections.emptySet();
    }
    // A symmetric SFP has two RSPs, any other SFP has one.
    if (rsps.size() > 2) {
        LOG.warn("Ace {} ignored: more than two RSPs associated to SFP {} not supported", ruleName, sfpName);
        return Collections.emptySet();
    }

    // Forward path: the first RSP that is not flagged as a reverse path.
    RenderedServicePath forwardRsp = null;
    for (RenderedServicePath candidate : rsps) {
        if (!candidate.isReversePath()) {
            forwardRsp = candidate;
            break;
        }
    }

    // Reverse path: a reverse RSP whose symmetric path id points back at the forward RSP.
    // NOTE(review): getSymmetricPathId() is dereferenced without a null check - confirm the
    // model guarantees it is set on every reverse path.
    RenderedServicePath reverseRsp = null;
    for (RenderedServicePath candidate : rsps) {
        if (candidate.isReversePath()
                && forwardRsp != null
                && candidate.getSymmetricPathId().equals(forwardRsp.getPathId())) {
            reverseRsp = candidate;
            break;
        }
    }

    if (hasSource && forwardRsp == null) {
        LOG.debug("Ace {} ignored: no forward RSP yet available for SFP {} and source port {}", ruleName, sfpName, srcPort);
        return Collections.emptySet();
    }
    if (hasDestination && reverseRsp == null) {
        LOG.debug("Ace {} ignored: no reverse RSP yet available for SFP {} and destination port {}", ruleName, sfpName, dstPort);
        return Collections.emptySet();
    }

    Set<ClassifierRenderableEntry> result = new HashSet<>();
    if (hasSource) {
        result.addAll(buildEntries(ruleName, Collections.singletonList(srcPort), matches, forwardRsp));
    }
    if (hasDestination) {
        // Return traffic is matched with source and destination criteria swapped.
        Matches reversedMatches = AclMatches.invertMatches(matches);
        result.addAll(buildEntries(ruleName, Collections.singletonList(dstPort), reversedMatches, reverseRsp));
    }
    return result;
}
Also used : Optional(java.util.Optional) Matches(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches) AclMatches(org.opendaylight.netvirt.sfc.classifier.utils.AclMatches) ClassifierRenderableEntry(org.opendaylight.netvirt.sfc.classifier.service.domain.api.ClassifierRenderableEntry) RenderedServicePath(org.opendaylight.yang.gen.v1.urn.cisco.params.xml.ns.yang.sfc.rsp.rev140701.rendered.service.paths.RenderedServicePath) HashSet(java.util.HashSet)

Example 7 with Ace

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace in project netvirt by opendaylight.

the class ConfigurationClassifierImpl method buildEntries.

/**
 * Builds the classifier entries that steer traffic entering through the given interfaces
 * into the given rendered service path (RSP).
 *
 * <p>Returns an empty set, after logging a warning, when the RSP lacks a path id, starting
 * index or hop list, or when its first-hop DPN, last-hop interface or last-hop DPN cannot be
 * resolved. Interfaces whose node id cannot be resolved are skipped without a log line.
 *
 * @param ruleName name of the ACE, used in log messages only
 * @param interfaces logical interface names to classify on
 * @param matches match criteria passed to each match entry
 * @param rsp rendered service path to redirect matching traffic into
 * @return the entries to render; possibly empty, never {@code null}
 */
private Set<ClassifierRenderableEntry> buildEntries(String ruleName, @NonNull List<String> interfaces, @NonNull Matches matches, @NonNull RenderedServicePath rsp) {
    String rspName = rsp.getName().getValue();
    // NSP = path id, NSI = starting index, NSL = number of hops in the path.
    Long nsp = rsp.getPathId();
    Short nsi = rsp.getStartingIndex();
    // NOTE(review): the cast narrows the hop count to short; a hop list longer than
    // Short.MAX_VALUE would wrap - presumably impossible in practice, confirm.
    Short nsl = rsp.getRenderedServicePathHop() == null ? null : (short) rsp.getRenderedServicePathHop().size();
    if (nsp == null || nsi == null || nsl == null) {
        LOG.warn("Ace {} RSP {} ignored: no valid NSI or NSP or length", ruleName, rspName);
        return Collections.emptySet();
    }
    // Resolve the DPN hosting the ingress interface of the first hop.
    DpnIdType firstHopDpn = sfcProvider.getFirstHopIngressInterfaceFromRsp(rsp).flatMap(geniusProvider::getDpnIdFromInterfaceName).orElse(null);
    if (firstHopDpn == null) {
        LOG.warn("Ace {} RSP {} ignored: no valid first hop DPN", ruleName, rspName);
        return Collections.emptySet();
    }
    // Resolve the egress interface of the last hop and the DPN hosting it.
    String lastHopInterface = sfcProvider.getLastHopEgressInterfaceFromRsp(rsp).orElse(null);
    if (lastHopInterface == null) {
        LOG.warn("Ace {} RSP {} ignored: has no valid last hop interface", ruleName, rspName);
        return Collections.emptySet();
    }
    DpnIdType lastHopDpn = geniusProvider.getDpnIdFromInterfaceName(lastHopInterface).orElse(null);
    if (lastHopDpn == null) {
        LOG.warn("Ace {} RSP {} ignored: has no valid last hop DPN", ruleName, rspName);
        return Collections.emptySet();
    }
    // Group the requested interfaces by the node they live on. An interface whose node id
    // is not resolved is dropped here silently, so it gets no classifier entry at all.
    Map<NodeId, List<InterfaceKey>> nodeToInterfaces = new HashMap<>();
    for (String iface : interfaces) {
        geniusProvider.getNodeIdFromLogicalInterface(iface).ifPresent(nodeId -> nodeToInterfaces.computeIfAbsent(nodeId, key -> new ArrayList<>()).add(new InterfaceKey(iface)));
    }
    LOG.trace("Ace {} RSP {}: got classifier nodes and interfaces: {}", ruleName, rspName, nodeToInterfaces);
    // May be null; only required for classifier nodes other than the first-hop node.
    String firstHopIp = geniusProvider.getIpFromDpnId(firstHopDpn).orElse(null);
    Set<ClassifierRenderableEntry> entries = new HashSet<>();
    nodeToInterfaces.forEach((nodeId, ifaces) -> {
        // Get node info; the node IP falls back to LOCAL_HOST_IP when it cannot be resolved.
        DpnIdType nodeDpn = new DpnIdType(OpenFlow13Provider.getDpnIdFromNodeId(nodeId));
        String nodeIp = geniusProvider.getIpFromDpnId(nodeDpn).orElse(LOCAL_HOST_IP);
        // A remote classifier node cannot reach the first hop without its IP: skip the node.
        if (firstHopIp == null && !nodeDpn.equals(firstHopDpn)) {
            LOG.warn("Ace {} RSP {} classifier {} ignored: no IP to reach first hop DPN {}", ruleName, rspName, nodeId, firstHopDpn);
            return;
        }
        // Add entries that are not based on ingress or egress interface.
        // The path entry carries no first-hop IP when this node is itself the first hop.
        entries.add(ClassifierEntry.buildNodeEntry(nodeId));
        entries.add(ClassifierEntry.buildPathEntry(nodeId, nsp, nsi, nsl, nodeDpn.equals(firstHopDpn) ? null : firstHopIp));
        // Add entries based on ingress interface
        ifaces.forEach(interfaceKey -> {
            entries.add(ClassifierEntry.buildIngressEntry(interfaceKey));
            // NOTE(review): unchecked Optional.get() - if no node connector id is resolved
            // for the interface this presumably throws and aborts the whole build, leaving
            // the ACE with no entries rendered. Confirm callers tolerate that or guard it.
            entries.add(ClassifierEntry.buildMatchEntry(nodeId, geniusProvider.getNodeConnectorIdFromInterfaceName(interfaceKey.getName()).get(), matches, nsp, nsi));
        });
        // On the last-hop node, also bind ingress on the last hop egress interface so that
        // hand-off can happen through the dispatcher table
        if (nodeDpn.equals(lastHopDpn)) {
            entries.add(ClassifierEntry.buildIngressEntry(new InterfaceKey(lastHopInterface)));
        }
        // Egress services must bind to egress ports. Since we don't know beforehand what
        // the egress ports will be, we bind on all switch ports. If the packet
        // doesn't have NSH, it will be returned to the egress dispatcher table.
        List<Interfaces> interfaceUuidStrList = geniusProvider.getInterfacesFromNode(nodeId);
        interfaceUuidStrList.forEach(interfaceUuidStr -> {
            InterfaceKey interfaceKey = new InterfaceKey(interfaceUuidStr.getInterfaceName());
            // Use the interface's remote IP when it has one, the node IP otherwise.
            Optional<String> remoteIp = geniusProvider.getRemoteIpAddress(interfaceUuidStr.getInterfaceName());
            entries.add(ClassifierEntry.buildEgressEntry(interfaceKey, remoteIp.orElse(nodeIp)));
        });
    });
    return entries;
}
Also used : HashMap(java.util.HashMap) DpnIdType(org.opendaylight.yang.gen.v1.urn.ericsson.params.xml.ns.yang.sfc.sff.logical.rev160620.DpnIdType) Interfaces(org.opendaylight.yang.gen.v1.urn.opendaylight.genius.interfacemanager.rpcs.rev160406.get.dpn._interface.list.output.Interfaces) NodeId(org.opendaylight.yang.gen.v1.urn.opendaylight.inventory.rev130819.NodeId) ClassifierRenderableEntry(org.opendaylight.netvirt.sfc.classifier.service.domain.api.ClassifierRenderableEntry) ArrayList(java.util.ArrayList) List(java.util.List) InterfaceKey(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.interfaces.rev140508.interfaces.InterfaceKey) HashSet(java.util.HashSet)

Example 8 with Ace

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace in project netvirt by opendaylight.

the class FlowClassifierTranslator method buildAcl.

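/**
 * Translates an OpenStack networking-sfc flow classifier into an ACL holding a single ACE.
 *
 * <p>The ACE matches on the IP prefixes, protocol, transport port ranges and neutron ports
 * of the flow classifier. A redirect-to-SFC action is attached only when {@code sfpName}
 * is given.
 *
 * <p>Fields the classifier leaves unset produce no match criterion, so the resulting ACE
 * matches more traffic; every criterion the classifier does set must therefore reach the
 * built ACE, or traffic outside the intended selection is steered into the chain.
 *
 * @param flowClassifier the flow classifier pushed by OpenStack networking-sfc
 * @param sfpName name of the service function path to redirect to, or {@code null} for no action
 * @return the translated ACL
 */
public static Acl buildAcl(SfcFlowClassifier flowClassifier, String sfpName) {
    LOG.info("OpenStack Networking SFC pushed Flow classifier : {}", flowClassifier);
    AclBuilder aclBuilder = new AclBuilder();
    AceBuilder aceBuilder = new AceBuilder();
    ActionsBuilder actionsBuilder = new ActionsBuilder();
    RedirectToSfcBuilder redirectToSfcBuilder = new RedirectToSfcBuilder();
    NeutronPortsBuilder neutronPortsBuilder = new NeutronPortsBuilder();
    AceIpBuilder aceIpBuilder = new AceIpBuilder();
    DestinationPortRangeBuilder destinationPortRange = new DestinationPortRangeBuilder();
    SourcePortRangeBuilder sourcePortRangeBuilder = new SourcePortRangeBuilder();

    // ACL name is "<uuid>_<name>", or just "<uuid>" when the classifier has no name.
    // NOTE(review): with no UUID the ACL name stays unset, and the rule name and keys
    // below are then derived from a null name - confirm a UUID is always present.
    if (flowClassifier.getUuid() != null) {
        if (flowClassifier.getName() != null) {
            aclBuilder.setAclName(flowClassifier.getUuid().getValue() + "_" + flowClassifier.getName());
        } else {
            aclBuilder.setAclName(flowClassifier.getUuid().getValue());
        }
    }

    if (flowClassifier.getEthertype() != null) {
        IpPrefix sourceIp = flowClassifier.getSourceIpPrefix();
        IpPrefix destinationIp = flowClassifier.getDestinationIpPrefix();
        if (flowClassifier.getEthertype() == EthertypeV4.class) {
            AceIpv4Builder aceIpv4Builder = new AceIpv4Builder();
            if (sourceIp != null && sourceIp.getIpv4Prefix() != null) {
                aceIpv4Builder.setSourceIpv4Network(sourceIp.getIpv4Prefix());
            }
            if (destinationIp != null && destinationIp.getIpv4Prefix() != null) {
                aceIpv4Builder.setDestinationIpv4Network(destinationIp.getIpv4Prefix());
            }
            aceIpBuilder.setAceIpVersion(aceIpv4Builder.build());
            aclBuilder.setAclType(Ipv4Acl.class);
        }
        if (flowClassifier.getEthertype() == EthertypeV6.class) {
            AceIpv6Builder aceIpv6Builder = new AceIpv6Builder();
            if (sourceIp != null && sourceIp.getIpv6Prefix() != null) {
                aceIpv6Builder.setSourceIpv6Network(sourceIp.getIpv6Prefix());
            }
            // Guard on destinationIp itself. Guarding on sourceIp here dropped the
            // destination match whenever no source prefix was given (widening the ACE)
            // and dereferenced a null destinationIp when only a source prefix was given.
            if (destinationIp != null && destinationIp.getIpv6Prefix() != null) {
                aceIpv6Builder.setDestinationIpv6Network(destinationIp.getIpv6Prefix());
            }
            aceIpBuilder.setAceIpVersion(aceIpv6Builder.build());
            aclBuilder.setAclType(Ipv6Acl.class);
        }
    }

    // Only TCP and UDP are translated; any other protocol leaves the ACE protocol unset.
    if (flowClassifier.getProtocol() != null) {
        if (flowClassifier.getProtocol() == ProtocolTcp.class) {
            aceIpBuilder.setProtocol(PROTO_TCP);
        }
        if (flowClassifier.getProtocol() == ProtocolUdp.class) {
            aceIpBuilder.setProtocol(PROTO_UDP);
        }
    }

    // A port range is set only if the lower port is specified, as it is a mandatory
    // parameter in the ACL model. The upper port has to be applied before build() is
    // called, otherwise the range stored in the ACE does not carry it.
    if (flowClassifier.getSourcePortRangeMin() != null) {
        sourcePortRangeBuilder.setLowerPort(new PortNumber(flowClassifier.getSourcePortRangeMin()));
        if (flowClassifier.getSourcePortRangeMax() != null) {
            sourcePortRangeBuilder.setUpperPort(new PortNumber(flowClassifier.getSourcePortRangeMax()));
        }
        aceIpBuilder.setSourcePortRange(sourcePortRangeBuilder.build());
    }
    if (flowClassifier.getDestinationPortRangeMin() != null) {
        destinationPortRange.setLowerPort(new PortNumber(flowClassifier.getDestinationPortRangeMin()));
        if (flowClassifier.getDestinationPortRangeMax() != null) {
            destinationPortRange.setUpperPort(new PortNumber(flowClassifier.getDestinationPortRangeMax()));
        }
        aceIpBuilder.setDestinationPortRange(destinationPortRange.build());
    }

    if (flowClassifier.getLogicalSourcePort() != null) {
        neutronPortsBuilder.setSourcePortUuid(flowClassifier.getLogicalSourcePort().getValue());
    }
    if (flowClassifier.getLogicalDestinationPort() != null) {
        neutronPortsBuilder.setDestinationPortUuid(flowClassifier.getLogicalDestinationPort().getValue());
    }
    // L7 parameters of the flow classifier are currently not supported and are ignored.

    MatchesBuilder matchesBuilder = new MatchesBuilder();
    matchesBuilder.setAceType(aceIpBuilder.build());
    matchesBuilder.addAugmentation(NeutronPorts.class, neutronPortsBuilder.build());

    // Set the redirect-to-SFC action only if an SFP name is provided. OpenStack
    // networking-sfc does not pass action information with the flow classifier; it is
    // determined from the port chain data, and the ACE is then updated with the action.
    if (sfpName != null) {
        redirectToSfcBuilder.setSfpName(sfpName);
        actionsBuilder.addAugmentation(RedirectToSfc.class, redirectToSfcBuilder.build());
        aceBuilder.setActions(actionsBuilder.build());
    }
    aceBuilder.setMatches(matchesBuilder.build());
    aceBuilder.setRuleName(aclBuilder.getAclName() + RULE);
    aceBuilder.setKey(new AceKey(aceBuilder.getRuleName()));

    ArrayList<Ace> aceList = new ArrayList<>();
    aceList.add(aceBuilder.build());
    AccessListEntriesBuilder accessListEntriesBuilder = new AccessListEntriesBuilder();
    accessListEntriesBuilder.setAce(aceList);
    aclBuilder.setAccessListEntries(accessListEntriesBuilder.build());
    // NOTE(review): the ACL type is only set for the IPv4/IPv6 ethertypes handled above,
    // so it is null in the key for any other (or missing) ethertype.
    aclBuilder.setKey(new AclKey(aclBuilder.getAclName(), aclBuilder.getAclType()));
    LOG.info("Translated ACL Flow classfier : {}", aclBuilder);
    return aclBuilder.build();
}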
Also used : AceIpv6Builder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.ace.ip.version.AceIpv6Builder) Ace(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace) NeutronPortsBuilder(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.sfc.acl.rev150105.NeutronPortsBuilder) AclKey(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclKey) ArrayList(java.util.ArrayList) AclBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.AclBuilder) MatchesBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.MatchesBuilder) IpPrefix(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpPrefix) AceKey(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.AceKey) AccessListEntriesBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.AccessListEntriesBuilder) ActionsBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.ActionsBuilder) AceBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.AceBuilder) DestinationPortRangeBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160218.acl.transport.header.fields.DestinationPortRangeBuilder) AceIpBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIpBuilder) 
RedirectToSfcBuilder(org.opendaylight.yang.gen.v1.urn.opendaylight.netvirt.sfc.acl.rev150105.RedirectToSfcBuilder) AceIpv4Builder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.ace.ip.version.AceIpv4Builder) PortNumber(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber) SourcePortRangeBuilder(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160218.acl.transport.header.fields.SourcePortRangeBuilder)

Example 9 with Ace

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace in project netvirt by opendaylight.

the class AclServiceUtils method getAceFlowPriority.

/**
 * Computes the flow priority used for the ACEs of an ACL.
 *
 * <p>The priority is {@code AclConstants.ACE_DEFAULT_PRIORITY} plus the tag of the ACL, so
 * that overlapping rules of different ACLs end up on distinct priorities. When the tag is
 * missing or invalid a warning is logged and the default priority is returned unchanged.
 *
 * @param aclName the ACL name, interpreted as a UUID to look up the ACL tag
 * @return the flow priority for the ACL's rules
 */
public Integer getAceFlowPriority(String aclName) {
    final Integer aclTag = getAclTag(new Uuid(aclName));
    // NOTE(review): if INVALID_ACL_TAG is declared as a boxed Integer this comparison is
    // by reference rather than by value - confirm the constant is a primitive int.
    if (aclTag == null || aclTag == AclConstants.INVALID_ACL_TAG) {
        LOG.warn("aclTag={} is null or invalid for aclName={}", aclTag, aclName);
        return AclConstants.ACE_DEFAULT_PRIORITY;
    }
    // To handle overlapping rules, the ACL tag is added to the default priority.
    return AclConstants.ACE_DEFAULT_PRIORITY + aclTag;
}
Also used : BigInteger(java.math.BigInteger) Uuid(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.yang.types.rev130715.Uuid)

Example 10 with Ace

use of org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.Ace in project netvirt by opendaylight.

the class AclServiceUtils method getHardTimoutForApplyStatefulChangeOnExistingTraffic.

/**
 * Returns the hard timeout to apply, depending on the IP protocol of the ACE, when an ACL
 * rule is removed from an instance.
 *
 * <p>TCP and UDP use the idle timeouts read from the configuration returned by
 * {@code aclServiceUtils.getConfig()}. An ACE with no protocol, or with any other protocol,
 * gets {@code AclConstants.SECURITY_GROUP_ICMP_IDLE_TIME_OUT}.
 *
 * @param ace the ACE; its matches must carry an {@link AceIp} ace type, since the ace type
 *     is cast without a prior type check
 * @param aclServiceUtils ACL service utils giving access to the configuration
 * @return the hard timeout
 */
public static Integer getHardTimoutForApplyStatefulChangeOnExistingTraffic(Ace ace, AclServiceUtils aclServiceUtils) {
    final int fallbackTimeout = AclConstants.SECURITY_GROUP_ICMP_IDLE_TIME_OUT;
    final AceIp aceIp = (AceIp) ace.getMatches().getAceType();
    final Short ipProtocol = aceIp.getProtocol();

    if (ipProtocol != null) {
        if (ipProtocol == NwConstants.IP_PROT_TCP) {
            final int tcpTimeout = aclServiceUtils.getConfig().getSecurityGroupTcpIdleTimeout();
            return tcpTimeout;
        }
        if (ipProtocol == NwConstants.IP_PROT_UDP) {
            final int udpTimeout = aclServiceUtils.getConfig().getSecurityGroupUdpIdleTimeout();
            return udpTimeout;
        }
    }
    // No protocol, or a protocol other than TCP/UDP.
    return fallbackTimeout;
}
Also used : Matches(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.Matches) AceIp(org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160218.access.lists.acl.access.list.entries.ace.matches.ace.type.AceIp)
