author | Marek Gradzki <mgradzki@cisco.com> | 2016-10-18 09:48:01 +0200 |
committer | Marek Gradzki <mgradzki@cisco.com> | 2016-10-18 10:52:04 +0200 |
commit | d5b62161bc45e5885de332f554eaa235d6bce347 (patch) | |
tree | 73a13233b5be2dfa87daf39706c1137bca993424 | |
parent | ae735b4aacfc7008b0c12425367a419b47646350 (diff) |
Make ip-version mandatory for all ACEs
- ip-version was mandatory only when mixing l2/l3 rules in one ACE
(vpp api limitation). It needs to be provided also in case of
ACEs that define l3 only rules (we allow mixing ip4/ip6 ACEs
in one list).
- updates postman collection with example of L4 only acl
Change-Id: Ifb863208c21a504cd61843f7540341bc35a6174a
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
3 files changed, 67 insertions, 13 deletions
diff --git a/v3po/api/src/main/yang/vpp-acl.yang b/v3po/api/src/main/yang/vpp-acl.yang
index d0d24c98a..f0c93f45e 100644
--- a/v3po/api/src/main/yang/vpp-acl.yang
+++ b/v3po/api/src/main/yang/vpp-acl.yang
@@ -82,14 +82,19 @@ module vpp-acl {
 Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). Read is supported only for acls that were created and assigned by Honeycomb agent - (corresponding metadata are present). + (corresponding metadata is present). + + Extensions: + - mixing ACEs of different type in one list is permited + - mixing L2/L3/L4 rules in one ACE is permited Limitations (due to vpp limitations): - egress rules are currently ignored (HONEYCOMB-234) - - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218) - - mixing L2 and L3 rules is possible only if ace-ip-version is provided - (vpp classfier api limitation: common header fields for IP4/IP6 have different offsets) - - L2 rules on L3 interfaces only to IP traffic (vpp classfier limitation) + - L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify + session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260) + - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types, + and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets) + - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation) - vlan tags are supported only for sub-interfaces defined as exact-match"; list acl {
diff --git a/v3po/postman_rest_collection.json b/v3po/postman_rest_collection.json
index 5617a98a4..e25cfb6f2 100644
--- a/v3po/postman_rest_collection.json
+++ b/v3po/postman_rest_collection.json 
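Review bot: The new description lines carry several spelling errors that will ship in the published model text: `permited` (both new "Extensions" bullets) should read `permitted`, `posibility` should read `possibility`, `classfier` should read `classifier`, and `which can very slow` is missing a verb (`which can be very slow`). This description is the only user-facing statement of the HONEYCOMB-260 and ace-ip-version limitations, so it is worth getting the wording right in the same change. The enclosing description string starts before the hunk.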
@@ -98,11 +98,13 @@
 "5e93fbca-86d0-12a5-45fd-45d7dfa3bd40",
 "5140ac58-342a-1576-8b0e-99eb8b3b1fb2",
 "9f58c827-d698-fc60-ec49-c2ccbca97c35",
+ "93b5345a-434f-9459-26c2-dc2cad9176e0",
 "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
 "33280f11-2d61-09d3-f726-9907ef00dc19",
 "60d4ab79-dea1-de5a-63eb-6e26d3d1481b",
 "d668c31c-b904-cd65-124c-dd2a89149b70",
 "13b938a5-7a53-513f-44b9-33d869b8cb53",
+ "bca26b70-fe05-a1b4-f93a-1f683341d492",
 "4442a2fd-497d-ee8d-22cd-43b72c358f67",
 "161987f9-8912-f724-2f2d-d7548b12e8f9"
 ], 
@@ -1631,6 +1633,27 @@ "folder": "c05d7211-11b0-5688-2079-afa51196045c" }, { + "id": "93b5345a-434f-9459-26c2-dc2cad9176e0", + "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n", + "url": "http://localhost:8183/restconf/config/ietf-access-control-list:access-lists/acl/vpp-acl:mixed-acl/acl6", + "preRequestScript": "", + "pathVariables": {}, + "method": "PUT", + "data": [], + "dataMode": "raw", + "version": 2, + "tests": "", + "currentHelper": "normal", + "helperAttributes": {}, + "time": 1476780298679, + "name": "Write acl6 list (L4 rules)", + "description": "Deny any traffic where destination port is 80 and source port in range [1000,2000].", + "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64", + "responses": [], + "rawModeData": "{\n\t\"acl\": [\n\t\t{\n\t\t\t\"acl-name\": \"acl6\", \n\t\t\t\"acl-type\": \"vpp-acl:mixed-acl\", \n\t\t\t\"access-list-entries\": {\n\t\t\t\t\"ace\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"matches\": {\n \"destination-ipv4-network\": \"0.0.0.0/0\",\n\t\t\t\t\t\t\t\"destination-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 80\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t}, \n\t\t\t\t\t\t\t\"source-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 1000,\n\t\t\t\t\t\t\t\t\"upper-port\": 2000\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}, \n\t\t\t\t\t\t\"actions\": {\n\t\t\t\t\t\t\t\"deny\": {}\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"rule-name\": \"rule1\"\n\t\t\t\t\t}]}}]}\n", + "folder": "c05d7211-11b0-5688-2079-afa51196045c" + }, + { "id": "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73", "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n", "url": "http://localhost:8183/restconf/config/ietf-access-control-list:access-lists/acl/ietf-access-control-list:eth-acl/acl1", 
@@ -1736,6 +1759,27 @@ "folder": "c05d7211-11b0-5688-2079-afa51196045c" }, { + "id": "bca26b70-fe05-a1b4-f93a-1f683341d492", + "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n", + "url": "http://localhost:8183/restconf/config/ietf-interfaces:interfaces/interface/local0/ietf-acl/ingress/access-lists/acl/vpp-acl:mixed-acl/acl6", + "preRequestScript": "", + "pathVariables": {}, + "method": "PUT", + "data": [], + "dataMode": "raw", + "version": 2, + "tests": "", + "currentHelper": "normal", + "helperAttributes": {}, + "time": 1476778885469, + "name": "Enable L4 ACL on local0 interface", + "description": "Creates chain of classfy tabless/sessions in VPP and assigns them to local0 interface.\n\nCan be verified with:\nvppctl show classify table verbose\n\nthen (depending on acl mode):\n\nvppctl show inacl type l2\n\nor\n\nvppctl show inacl type ip4\n\nvppctl show inacl type ip6", + "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64", + "responses": [], + "rawModeData": "{\n\n \"acl\": [\n {\n \"type\" : \"vpp-acl:mixed-acl\",\n \"name\" : \"acl6\"\n }\n ]\n}", + "folder": "c05d7211-11b0-5688-2079-afa51196045c" + }, + { "id": "4442a2fd-497d-ee8d-22cd-43b72c358f67", "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n", "url": "http://localhost:8183/restconf/config/ietf-interfaces:interfaces/interface/local0/v3po:ietf-acl", diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java index 58a72ab30..c74845ce7 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java 
@@ -152,13 +152,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { private static boolean appliesToIp4Path(final Ace ace) { final AceType aceType = ace.getMatches().getAceType(); - if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv4) { + final AclType aclType = AclType.fromAce(ace); + if (aclType == AclType.IP4) { return true; } - if (aceType instanceof AceEth) { + if (aclType == AclType.ETH) { return true; // L2 only rules are possible for IP4 traffic } - if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType) + if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType) .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) { return true; } @@ -167,13 +168,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { private static boolean appliesToIp6Path(final Ace ace) { final AceType aceType = ace.getMatches().getAceType(); - if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv6) { + final AclType aclType = AclType.fromAce(ace); + if (aclType == AclType.IP6) { return true; } - if (aceType instanceof AceEth) { - return true; // L2 only rules are possible for IP6 traffic + if (aclType == AclType.ETH) { + return true; // L2 only rules are possible for IP6 traffic } - if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType) + if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType) .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) { return true; } 
@@ -291,9 +293,12 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
 result = ETH;
 } else if (aceType instanceof AceIp) {
 final AceIpVersion aceIpVersion = ((AceIp) aceType).getAceIpVersion();
+ if (aceIpVersion == null) {
+ throw new IllegalArgumentException("Incomplete ACE (ip-version was not provided): " + ace);
+ }
 if (aceIpVersion instanceof AceIpv4) {
 result = IP4;
- } else {
+ } else if (aceIpVersion instanceof AceIpv6) {
 result = IP6;
 }
 } else if (aceType instanceof AceIpAndEth) { |
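Review bot: Replacing the bare `else` with `else if (aceIpVersion instanceof AceIpv6)` leaves `result` untouched for any other `AceIpVersion` implementation, so next to the new explicit null check the method gains a third, silent outcome whose value is whatever `result` was initialised to outside the hunk. A closing branch keeps the failure as explicit as the null case: `} else { throw new IllegalArgumentException("Unsupported ip-version in ACE: " + ace); }`. The `AceIpAndEth` branch that follows is outside the hunk; if it does not carry the same null check, an L2/L3 ACE without ip-version still passes `fromAce`, and in `appliesToIp4Path`/`appliesToIp6Path` (earlier hunks) the `getAceIpVersion() instanceof ...` tests both evaluate to false, so the ACE is quietly applied to neither path, which is the case the commit message says should now be rejected. The enclosing method starts and ends outside the hunk.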