public NeutronSecurityRule extractFields(List<String> fields) { NeutronSecurityRule ans = new NeutronSecurityRule(); for (String s : fields) { switch (s) { case "id": ans.setID(this.getID()); break; case "direction": ans.setSecurityRuleDirection(this.getSecurityRuleDirection()); break; case "protocol": ans.setSecurityRuleProtocol(this.getSecurityRuleProtocol()); break; case "port_range_min": ans.setSecurityRulePortMin(this.getSecurityRulePortMin()); break; case "port_range_max": ans.setSecurityRulePortMax(this.getSecurityRulePortMax()); break; case "ethertype": ans.setSecurityRuleEthertype(this.getSecurityRuleEthertype()); break; case "remote_ip_prefix": ans.setSecurityRuleRemoteIpPrefix(this.getSecurityRuleRemoteIpPrefix()); break; case "remote_group_id": ans.setSecurityRemoteGroupID(this.getSecurityRemoteGroupID()); break; case "security_group_id": ans.setSecurityRuleGroupID(this.getSecurityRuleGroupID());
/**
 * Builds a {@link NeutronSecurityRule} suitable for passing to createNeutronSecurityGroup.
 *
 * <p>The rule gets a freshly generated random UUID as its ID and explicitly no remote
 * security group; every other attribute is taken verbatim from the arguments, each of
 * which may be null.
 *
 * @param direction rule direction, e.g. "ingress"; may be null
 * @param ethertype ethertype, e.g. "IPv4"; may be null
 * @param protocol protocol, e.g. "TCP"; may be null
 * @param ipPrefix remote IP prefix, e.g. "10.9.8.0/24"; may be null
 * @param portMin lower port bound, or null
 * @param portMax upper port bound, or null
 * @return a new NeutronSecurityRule populated from the arguments
 */
public NeutronSecurityRule buildNeutronSecurityRule(String direction, String ethertype, String protocol,
        String ipPrefix, Integer portMin, Integer portMax) {
    NeutronSecurityRule result = new NeutronSecurityRule();
    // Identity: a random UUID string and no remote security group.
    result.setID(UUID.randomUUID().toString());
    result.setSecurityRemoteGroupID(null);
    // Classification of the rule (layer 2/3 attributes).
    result.setSecurityRuleEthertype(ethertype);
    result.setSecurityRuleDirection(direction);
    result.setSecurityRuleProtocol(protocol);
    // Remote side and port range.
    result.setSecurityRuleRemoteIpPrefix(ipPrefix);
    result.setSecurityRulePortMin(portMin);
    result.setSecurityRulePortMax(portMax);
    return result;
}
if (securityRule.getSecurityRuleTenantID() != null) { securityRuleBuilder.setTenantId(toUuid(securityRule.getSecurityRuleTenantID())); if (securityRule.getSecurityRuleDirection() != null) { ImmutableBiMap<String, Class<? extends DirectionBase>> mapper = DIRECTION_MAP.inverse(); securityRuleBuilder.setDirection(mapper.get(securityRule.getSecurityRuleDirection())); if (securityRule.getSecurityRuleGroupID() != null) { securityRuleBuilder.setSecurityGroupId(toUuid(securityRule.getSecurityRuleGroupID())); if (securityRule.getSecurityRemoteGroupID() != null) { securityRuleBuilder.setRemoteGroupId(toUuid(securityRule.getSecurityRemoteGroupID())); if (securityRule.getSecurityRuleRemoteIpPrefix() != null) { securityRuleBuilder.setRemoteIpPrefix(new IpPrefix(securityRule.getSecurityRuleRemoteIpPrefix().toCharArray())); if (securityRule.getSecurityRuleProtocol() != null) { String protocolString = securityRule.getSecurityRuleProtocol(); SecurityRuleAttributes.Protocol protocol = new SecurityRuleAttributes.Protocol(protocolString.toCharArray()); securityRuleBuilder.setProtocol(protocol); if (securityRule.getSecurityRuleEthertype() != null) { ImmutableBiMap<String, Class<? extends EthertypeBase>> mapper = ETHERTYPE_MAP.inverse(); securityRuleBuilder.setEthertype(mapper.get(securityRule.getSecurityRuleEthertype())); if (securityRule.getSecurityRulePortMin() != null) { securityRuleBuilder.setPortRangeMin(securityRule.getSecurityRulePortMin());
MatchBuilder matchBuilder = new MatchBuilder(); String flowId = "Egress_TCP_" + segmentationId + "_" + srcMac + "_"; boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype()); if (isIpv6) { matchBuilder = MatchUtils.createV6EtherMatchWithType(matchBuilder,srcMac,null); if (portSecurityRule.getSecurityRulePortMin() != null && portSecurityRule.getSecurityRulePortMax() != null) { if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) { flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_"; matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0, portSecurityRule.getSecurityRulePortMin()); } else if (portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN) && portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) { flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" + portSecurityRule.getSecurityRulePortMax() + "_"; matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.TCP_SHORT, 0, 0); } else { } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) { flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix(); if (isIpv6) { matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder,null, new Ipv6Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix())); } else { if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) { matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null, new Ipv4Prefix(portSecurityRule
matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder,srcMac,null,MatchUtils.ETHERTYPE_IPV4); if (portSecurityRule.getSecurityRulePortMin() != null && portSecurityRule.getSecurityRulePortMax() != null) { flowId = flowId + portSecurityRule.getSecurityRulePortMin().shortValue() + "_" + portSecurityRule.getSecurityRulePortMax().shortValue() + "_"; matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, portSecurityRule.getSecurityRulePortMin().shortValue(), portSecurityRule.getSecurityRulePortMax().shortValue()); } else { /* All ICMP Match */ // We are getting from neutron NULL for both min and max matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null, MatchUtils.iPv4PrefixFromIPv4Address(dstAddress)); } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) { flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix(); if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) { matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder,null, new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
|| portSecurityRule.getSecurityRuleEthertype() == null || portSecurityRule.getSecurityRuleDirection() == null) { continue; if (NeutronSecurityRule.DIRECTION_INGRESS.equals(portSecurityRule.getSecurityRuleDirection())) { LOG.debug("programPortSecurityGroup: Rule matching IP and ingress is: {} ", portSecurityRule); if (null != portSecurityRule.getSecurityRemoteGroupID()) { .getVmListForSecurityGroup(portUuid,portSecurityRule.getSecurityRemoteGroupID()); if (null != remoteSrcAddressList) { for (Neutron_IPs vmIp :remoteSrcAddressList ) { securityGroupCacheManger.addToCache(portSecurityRule.getSecurityRemoteGroupID(), portUuid); } else { securityGroupCacheManger.removeFromCache(portSecurityRule.getSecurityRemoteGroupID(), portUuid);
/**
 * Collects every known security rule whose security group ID equals the given group's ID.
 *
 * @param securityGroup the security group whose rules are wanted
 * @return the matching rules, in the order returned by the rule cache; empty if none match
 */
private List<NeutronSecurityRule> getSecurityRulesforGroup(NeutronSecurityGroup securityGroup) {
    List<NeutronSecurityRule> matching = new ArrayList<>();
    for (NeutronSecurityRule candidate : neutronSecurityRule.getAllNeutronSecurityRules()) {
        // Rules are tied to their owning group by ID; compare from the group's side.
        if (!securityGroup.getID().equals(candidate.getSecurityRuleGroupID())) {
            continue;
        }
        matching.add(candidate);
    }
    return matching;
}
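/**
 * Programs (or removes) the egress permit flow for a security rule whose protocol is
 * neither TCP, UDP nor ICMP, i.e. one given as a decimal IP protocol number.
 *
 * <p>The flow matches the source MAC, the IPv4 ethertype and the rule's IP protocol number,
 * narrowed to {@code dstAddress} when given, otherwise to the rule's remote IP prefix when set.
 * A rule whose protocol string is not a number is logged and skipped: no flow is programmed
 * for it, because the previous fallback of protocol 0 would have permitted IP protocol 0
 * (HOPOPT) traffic the rule never asked for.
 *
 * @param dpidLong datapath ID of the switch to program
 * @param segmentationId network segmentation ID, used only to build the flow ID
 * @param srcMac MAC address of the port the rule is attached to
 * @param portSecurityRule the rule; its protocol is expected to be a decimal IP protocol number
 * @param dstAddress remote VM address resolved from the rule's remote group, or null
 * @param write true to add the flow, false to remove it
 * @param priority flow priority
 */
private void egressOtherProtocolAclHandler(Long dpidLong, String segmentationId, String srcMac,
        NeutronSecurityRule portSecurityRule, String dstAddress, boolean write, Integer priority) {
    String protocolString = portSecurityRule.getSecurityRuleProtocol();
    short proto;
    try {
        // Same truncation to short as Integer.shortValue() in the original conversion.
        proto = (short) Integer.parseInt(protocolString);
    } catch (NumberFormatException e) {
        // Do not fall through with proto == 0: an un-translatable rule must not become a flow.
        LOG.error("Protocol value conversion failure for protocol {}", protocolString, e);
        return;
    }
    MatchBuilder matchBuilder = new MatchBuilder();
    String flowId = "Egress_Other_" + segmentationId + "_" + srcMac + "_" + proto;
    matchBuilder = MatchUtils.createV4EtherMatchWithType(matchBuilder, srcMac, null, MatchUtils.ETHERTYPE_IPV4);
    matchBuilder = MatchUtils.createIpProtocolMatch(matchBuilder, proto);
    if (null != dstAddress) {
        // Remote-group rule: the caller expands the group to one flow per VM address.
        flowId = flowId + dstAddress;
        matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
                MatchUtils.iPv4PrefixFromIPv4Address(dstAddress));
    } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) {
        flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix();
        matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, null,
                new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()));
    }
    flowId = flowId + "_Permit";
    NodeBuilder nodeBuilder = FlowUtils.createNodeBuilder(dpidLong);
    FlowBuilder flowBuilder = FlowUtils.createFlowBuilder(flowId, priority, matchBuilder, getTable());
    addInstructionWithConntrackCommit(flowBuilder, false);
    syncFlow(flowBuilder, nodeBuilder, write);
}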
long localPort, NeutronSecurityRule portSecurityRule, Neutron_IPs vmIp, boolean write) { String securityRuleEtherType = portSecurityRule.getSecurityRuleEthertype(); boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(securityRuleEtherType); if (!isIpv6 && !NeutronSecurityRule.ETHERTYPE_IPV4.equals(securityRuleEtherType)) { if (null == portSecurityRule.getSecurityRuleProtocol()) { switch (portSecurityRule.getSecurityRuleProtocol()) { case MatchUtils.TCP: LOG.debug("programPortSecurityRule: Rule matching TCP", portSecurityRule); default: LOG.info("programPortSecurityAcl: Protocol is not TCP/UDP/ICMP but other " + "protocol = ", portSecurityRule.getSecurityRuleProtocol()); egressOtherProtocolAclHandler(dpid, segmentationId, attachedMac, portSecurityRule, ipaddress, write,
return; if (NeutronSecurityRule.ETHERTYPE_IPV4.equals(securityRule.getSecurityRuleEthertype())) { if (NeutronSecurityRule.DIRECTION_INGRESS.equals(securityRule.getSecurityRuleDirection())) { ingressAclProvider.programPortSecurityRule(dpid, segmentationId, attachedMac, localPort, securityRule, vmIp, write); } else if (NeutronSecurityRule.DIRECTION_EGRESS.equals(securityRule.getSecurityRuleDirection())) { egressAclProvider.programPortSecurityRule(dpid, segmentationId, attachedMac, localPort, securityRule, vmIp, write);
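/**
 * Applies (or withdraws) one security rule on a port.
 *
 * <p>Ports with port security disabled are skipped. A rule that references a remote security
 * group is synced once per VM address in that group; any other rule is synced once with no
 * VM address.
 *
 * @param securityRule the rule to sync
 * @param port the port the rule applies to
 * @param write true to program the rule, false to remove it
 */
private void syncSecurityGroup(NeutronSecurityRule securityRule, NeutronPort port, boolean write) {
    if (!port.getPortSecurityEnabled()) {
        // Parameterized so the port actually appears in the log line.
        LOG.info("Port security not enabled on port {}", port);
        return;
    }
    String remoteGroupId = securityRule.getSecurityRemoteGroupID();
    if (null == remoteGroupId) {
        securityServicesManager.syncSecurityRule(port, securityRule, null, write);
        return;
    }
    List<Neutron_IPs> vmIpList =
            securityServicesManager.getVmListForSecurityGroup(port.getID(), remoteGroupId);
    if (null == vmIpList) {
        // Other callers of getVmListForSecurityGroup() null-check its result; do the same here
        // instead of failing with an NPE in the loop below.
        LOG.debug("No VM addresses found for remote security group {} on port {}", remoteGroupId, port.getID());
        return;
    }
    for (Neutron_IPs vmIp : vmIpList) {
        securityServicesManager.syncSecurityRule(port, securityRule, vmIp, write);
    }
}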
/**
 * Routes an ICMP ingress rule to the IPv4 or IPv6 handler based on the rule's ethertype.
 *
 * @param dpidLong datapath ID of the switch to program
 * @param segmentationId network segmentation ID
 * @param dstMac MAC address of the port the rule is attached to
 * @param portSecurityRule the ICMP rule
 * @param srcAddress remote source address, or null
 * @param write true to add the flow, false to remove it
 * @param protoPortMatchPriority flow priority
 */
private void ingressAclIcmp(Long dpidLong, String segmentationId, String dstMac,
        NeutronSecurityRule portSecurityRule, String srcAddress, boolean write, Integer protoPortMatchPriority) {
    String ethertype = portSecurityRule.getSecurityRuleEthertype();
    if (NeutronSecurityRule.ETHERTYPE_IPV6.equals(ethertype)) {
        ingressAclIcmpV6(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress, write,
                protoPortMatchPriority);
        return;
    }
    // Anything not explicitly IPv6 (including a null ethertype) takes the IPv4 path.
    ingressAclIcmpV4(dpidLong, segmentationId, dstMac, portSecurityRule, srcAddress, write,
            protoPortMatchPriority);
}
protected NeutronSecurityRule fromMd(SecurityRule rule) { NeutronSecurityRule answer = new NeutronSecurityRule(); if (rule.getTenantId() != null) { answer.setSecurityRuleTenantID(rule.getTenantId().getValue().replace("-","")); answer.setSecurityRuleDirection(DIRECTION_MAP.get(rule.getDirection())); answer.setSecurityRuleGroupID(rule.getSecurityGroupId().getValue()); answer.setSecurityRemoteGroupID(rule.getRemoteGroupId().getValue()); answer.setSecurityRuleRemoteIpPrefix(rule.getRemoteIpPrefix().getIpv4Prefix() != null? rule.getRemoteIpPrefix().getIpv4Prefix().getValue():rule.getRemoteIpPrefix().getIpv6Prefix().getValue()); if (protocol.getUint8() != null) { answer.setSecurityRuleProtocol(protocol.getUint8().toString()); } else { answer.setSecurityRuleProtocol(NeutronUtils.ProtocolMapper.getName(protocol.getIdentityref())); answer.setSecurityRuleEthertype(ETHERTYPE_MAP.get(rule.getEthertype())); answer.setSecurityRulePortMin(rule.getPortRangeMin()); answer.setSecurityRulePortMax(rule.getPortRangeMax()); answer.setID(rule.getUuid().getValue());
boolean write, Integer protoPortMatchPriority ) { boolean portRange = false; boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(portSecurityRule.getSecurityRuleEthertype()); MatchBuilder matchBuilder = new MatchBuilder(); String flowId = "Ingress_UDP_" + segmentationId + "_" + dstMac + "_"; if (portSecurityRule.getSecurityRulePortMin() != null && portSecurityRule.getSecurityRulePortMax() != null) { if (portSecurityRule.getSecurityRulePortMin().equals(portSecurityRule.getSecurityRulePortMax())) { flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_"; matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0, portSecurityRule.getSecurityRulePortMin()); } else if (portSecurityRule.getSecurityRulePortMin().equals(PORT_RANGE_MIN) && portSecurityRule.getSecurityRulePortMax().equals(PORT_RANGE_MAX)) { flowId = flowId + portSecurityRule.getSecurityRulePortMin() + "_" + portSecurityRule.getSecurityRulePortMax() + "_"; matchBuilder = MatchUtils.addLayer4Match(matchBuilder, MatchUtils.UDP_SHORT, 0, 0); } else { } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) { flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix(); if (isIpv6) { matchBuilder = MatchUtils.addRemoteIpv6Prefix(matchBuilder, new Ipv6Prefix(portSecurityRule .getSecurityRuleRemoteIpPrefix()),null); } else { matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, new Ipv4Prefix(portSecurityRule .getSecurityRuleRemoteIpPrefix()),null);
if (portSecurityRule.getSecurityRulePortMin() != null && portSecurityRule.getSecurityRulePortMax() != null) { flowId = flowId + portSecurityRule.getSecurityRulePortMin().shortValue() + "_" + portSecurityRule.getSecurityRulePortMax().shortValue() + "_"; matchBuilder = MatchUtils.createICMPv4Match(matchBuilder, portSecurityRule.getSecurityRulePortMin().shortValue(), portSecurityRule.getSecurityRulePortMax().shortValue()); } else { matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null); } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) { flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix(); if (!portSecurityRule.getSecurityRuleRemoteIpPrefix().contains("/0")) { matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
|| portSecurityRule.getSecurityRuleEthertype() == null || portSecurityRule.getSecurityRuleDirection() == null) { continue; if (NeutronSecurityRule.DIRECTION_EGRESS.equals(portSecurityRule.getSecurityRuleDirection())) { LOG.debug("programPortSecurityGroup: Acl Rule matching IP and ingress is: {} ", portSecurityRule); if (null != portSecurityRule.getSecurityRemoteGroupID()) { .getVmListForSecurityGroup(portUuid,portSecurityRule.getSecurityRemoteGroupID()); if (null != remoteSrcAddressList) { for (Neutron_IPs vmIp :remoteSrcAddressList ) { securityGroupCacheManger.addToCache(portSecurityRule.getSecurityRemoteGroupID(), portUuid); } else { securityGroupCacheManger.removeFromCache(portSecurityRule.getSecurityRemoteGroupID(), portUuid);
/**
 * Collects every known security rule whose security group ID equals the given group's ID.
 *
 * @param securityGroup the security group whose rules are wanted
 * @return the matching rules, in the order returned by the rule cache; empty if none match
 */
private List<NeutronSecurityRule> getSecurityRulesforGroup(NeutronSecurityGroup securityGroup) {
    List<NeutronSecurityRule> matching = new ArrayList<>();
    for (NeutronSecurityRule candidate : neutronSecurityRule.getAllNeutronSecurityRules()) {
        // Rules are tied to their owning group by ID; compare from the group's side.
        if (!securityGroup.getID().equals(candidate.getSecurityRuleGroupID())) {
            continue;
        }
        matching.add(candidate);
    }
    return matching;
}
short proto = 0; try { Integer protocol = new Integer(portSecurityRule.getSecurityRuleProtocol()); proto = protocol.shortValue(); flowId = flowId + proto; matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, MatchUtils.iPv4PrefixFromIPv4Address(srcAddress), null); } else if (null != portSecurityRule.getSecurityRuleRemoteIpPrefix()) { flowId = flowId + portSecurityRule.getSecurityRuleRemoteIpPrefix(); matchBuilder = MatchUtils.addRemoteIpPrefix(matchBuilder, new Ipv4Prefix(portSecurityRule.getSecurityRuleRemoteIpPrefix()),null);
long localPort, NeutronSecurityRule portSecurityRule, Neutron_IPs vmIp, boolean write) { String securityRuleEtherType = portSecurityRule.getSecurityRuleEthertype(); boolean isIpv6 = NeutronSecurityRule.ETHERTYPE_IPV6.equals(securityRuleEtherType); if (!isIpv6 && !NeutronSecurityRule.ETHERTYPE_IPV4.equals(securityRuleEtherType)) { if (null == portSecurityRule.getSecurityRuleProtocol()) { ingressAclIp(dpid, isIpv6, segmentationId, attachedMac, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY); switch (portSecurityRule.getSecurityRuleProtocol()) { case MatchUtils.TCP: LOG.debug("programPortSecurityRule: Rule matching TCP", portSecurityRule); default: LOG.info("programPortSecurityAcl: Protocol is not TCP/UDP/ICMP but other " + "protocol = ", portSecurityRule.getSecurityRuleProtocol()); ingressOtherProtocolAclHandler(dpid, segmentationId, attachedMac, portSecurityRule, null, write, Constants.PROTO_PORT_PREFIX_MATCH_PRIORITY);
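/**
 * Finds the security rules on a port that name {@code securityGroupUuid} as their remote
 * security group.
 *
 * <p>The port is looked up in the port cache first and, failing that, in the L3 adapter's
 * cleanup cache, so rules can still be found for a port that is being deleted.
 *
 * @param securityGroupUuid UUID of the security group acting as the remote group
 * @param portUuid UUID of the port whose security groups are inspected
 * @return the matching rules (possibly empty), or null when the port is known to neither cache
 */
private List<NeutronSecurityRule> retrieveSecurityRules(String securityGroupUuid, String portUuid) {
    // Parameterized logging: no string building when debug is disabled.
    LOG.debug("In retrieveSecurityRules securityGroupUuid: {} portUuid: {}", securityGroupUuid, portUuid);
    NeutronPort port = neutronPortCache.getPort(portUuid);
    if (port == null) {
        // The port may already be gone from the main cache but still sit in the cleanup cache.
        port = neutronL3Adapter.getPortFromCleanupCache(portUuid);
        if (null == port) {
            LOG.error("In retrieveSecurityRules no neutron port found: portUuid: {}", portUuid);
            // Null is kept (rather than an empty list) because existing callers may rely on it
            // to distinguish an unknown port from a port with no matching rules.
            return null;
        }
    }
    List<NeutronSecurityRule> remoteSecurityRules = new ArrayList<>();
    // NOTE(review): assumes getSecurityGroups() never returns null — confirm against NeutronPort.
    for (NeutronSecurityGroup securityGroup : port.getSecurityGroups()) {
        for (NeutronSecurityRule securityRule : getSecurityRulesforGroup(securityGroup)) {
            if (securityGroupUuid.equals(securityRule.getSecurityRemoteGroupID())) {
                remoteSecurityRules.add(securityRule);
            }
        }
    }
    return remoteSecurityRules;
}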