authorMarek Gradzki <mgradzki@cisco.com>2016-10-18 09:48:01 +0200
committerMarek Gradzki <mgradzki@cisco.com>2016-10-18 10:52:04 +0200
commitd5b62161bc45e5885de332f554eaa235d6bce347 (patch)
tree73a13233b5be2dfa87daf39706c1137bca993424
parentae735b4aacfc7008b0c12425367a419b47646350 (diff)
Make ip-version mandatory for all ACEs
- ip-version was mandatory only when mixing l2/l3 rules in one ACE (vpp api limitation). It needs to be provided also in case of ACEs that define l3 only rules (we allow mixing ip4/ip6 ACEs in one list). - updates postman collection with example of L4 only acl Change-Id: Ifb863208c21a504cd61843f7540341bc35a6174a Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
-rw-r--r--v3po/api/src/main/yang/vpp-acl.yang15
-rw-r--r--v3po/postman_rest_collection.json44
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java21
3 files changed, 67 insertions, 13 deletions
diff --git a/v3po/api/src/main/yang/vpp-acl.yang b/v3po/api/src/main/yang/vpp-acl.yang
index d0d24c98a..f0c93f45e 100644
--- a/v3po/api/src/main/yang/vpp-acl.yang
+++ b/v3po/api/src/main/yang/vpp-acl.yang
@@ -82,14 +82,19 @@ module vpp-acl {
Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first).
Read is supported only for acls that were created and assigned by Honeycomb agent
- (corresponding metadata are present).
+ (corresponding metadata is present).
+
+ Extensions:
+ - mixing ACEs of different type in one list is permited
+ - mixing L2/L3/L4 rules in one ACE is permited
Limitations (due to vpp limitations):
- egress rules are currently ignored (HONEYCOMB-234)
- - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218)
- - mixing L2 and L3 rules is possible only if ace-ip-version is provided
- (vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
- - L2 rules on L3 interfaces only to IP traffic (vpp classfier limitation)
+ - L4 rules support is limited (every <src,dst> port pair from provided ranges is translated to single classify
+ session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260)
+ - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types,
+ and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets)
+ - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation)
- vlan tags are supported only for sub-interfaces defined as exact-match";
list acl {
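Review bot: The new limitation text is the part of the model operators will read, and it carries several misspellings that should be fixed in the same string: `permited` (twice) → `permitted`, `posibility` → `possibility`, `classfier` (twice) → `classifier`, and `which can very slow` → `which can be very slow`. The L4 bullet also describes a condition under which an accepted configuration can exhaust or crash vpp; it is not visible here whether IetfAclWriter bounds the size of a port range before expanding it into classify sessions, so the description should state explicitly whether oversized ranges are rejected or are the operator's responsibility, e.g. `- L4 port ranges are not bounded by Honeycomb; large ranges expand to one classify session per <src,dst> pair and can overload vpp (HONEYCOMB-260)`. The enclosing description string continues outside the hunk.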
diff --git a/v3po/postman_rest_collection.json b/v3po/postman_rest_collection.json
index 5617a98a4..e25cfb6f2 100644
--- a/v3po/postman_rest_collection.json
+++ b/v3po/postman_rest_collection.json
@@ -98,11 +98,13 @@
"5e93fbca-86d0-12a5-45fd-45d7dfa3bd40",
"5140ac58-342a-1576-8b0e-99eb8b3b1fb2",
"9f58c827-d698-fc60-ec49-c2ccbca97c35",
+ "93b5345a-434f-9459-26c2-dc2cad9176e0",
"4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
"33280f11-2d61-09d3-f726-9907ef00dc19",
"60d4ab79-dea1-de5a-63eb-6e26d3d1481b",
"d668c31c-b904-cd65-124c-dd2a89149b70",
"13b938a5-7a53-513f-44b9-33d869b8cb53",
+ "bca26b70-fe05-a1b4-f93a-1f683341d492",
"4442a2fd-497d-ee8d-22cd-43b72c358f67",
"161987f9-8912-f724-2f2d-d7548b12e8f9"
],
@@ -1631,6 +1633,27 @@
"folder": "c05d7211-11b0-5688-2079-afa51196045c"
},
{
+ "id": "93b5345a-434f-9459-26c2-dc2cad9176e0",
+ "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+ "url": "http://localhost:8183/restconf/config/ietf-access-control-list:access-lists/acl/vpp-acl:mixed-acl/acl6",
+ "preRequestScript": "",
+ "pathVariables": {},
+ "method": "PUT",
+ "data": [],
+ "dataMode": "raw",
+ "version": 2,
+ "tests": "",
+ "currentHelper": "normal",
+ "helperAttributes": {},
+ "time": 1476780298679,
+ "name": "Write acl6 list (L4 rules)",
+ "description": "Deny any traffic where destination port is 80 and source port in range [1000,2000].",
+ "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64",
+ "responses": [],
+ "rawModeData": "{\n\t\"acl\": [\n\t\t{\n\t\t\t\"acl-name\": \"acl6\", \n\t\t\t\"acl-type\": \"vpp-acl:mixed-acl\", \n\t\t\t\"access-list-entries\": {\n\t\t\t\t\"ace\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"matches\": {\n \"destination-ipv4-network\": \"0.0.0.0/0\",\n\t\t\t\t\t\t\t\"destination-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 80\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t}, \n\t\t\t\t\t\t\t\"source-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 1000,\n\t\t\t\t\t\t\t\t\"upper-port\": 2000\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}, \n\t\t\t\t\t\t\"actions\": {\n\t\t\t\t\t\t\t\"deny\": {}\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"rule-name\": \"rule1\"\n\t\t\t\t\t}]}}]}\n",
+ "folder": "c05d7211-11b0-5688-2079-afa51196045c"
+ },
+ {
"id": "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
"headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
"url": "http://localhost:8183/restconf/config/ietf-access-control-list:access-lists/acl/ietf-access-control-list:eth-acl/acl1",
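Review bot: The sample ACE in `rawModeData` uses a source range of 1000–2000 against a single destination port, which by the vpp-acl description added in this same commit expands to roughly a thousand classify sessions — the exact situation that description calls out as able to slow or crash vpp. A sample meant for copy-paste should use a narrow range (say `"lower-port": 1000, "upper-port": 1010`) or its `description` should state the session count it produces, e.g. `"description": "Deny any traffic where destination port is 80 and source port in range [1000,2000]. Note: expands to ~1000 classify sessions in VPP (see HONEYCOMB-260)."`. The `destination-port-range` object carries only `lower-port` with a stray blank line before its closing brace; if the model treats a missing `upper-port` as "exactly lower-port" that matches the description, otherwise `"upper-port": 80` should be added so the example is unambiguous. The sibling request at the next hunk has `classfy tabless` in its description, which should read `classify tables`.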
@@ -1736,6 +1759,27 @@
"folder": "c05d7211-11b0-5688-2079-afa51196045c"
},
{
+ "id": "bca26b70-fe05-a1b4-f93a-1f683341d492",
+ "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+ "url": "http://localhost:8183/restconf/config/ietf-interfaces:interfaces/interface/local0/ietf-acl/ingress/access-lists/acl/vpp-acl:mixed-acl/acl6",
+ "preRequestScript": "",
+ "pathVariables": {},
+ "method": "PUT",
+ "data": [],
+ "dataMode": "raw",
+ "version": 2,
+ "tests": "",
+ "currentHelper": "normal",
+ "helperAttributes": {},
+ "time": 1476778885469,
+ "name": "Enable L4 ACL on local0 interface",
+ "description": "Creates chain of classfy tabless/sessions in VPP and assigns them to local0 interface.\n\nCan be verified with:\nvppctl show classify table verbose\n\nthen (depending on acl mode):\n\nvppctl show inacl type l2\n\nor\n\nvppctl show inacl type ip4\n\nvppctl show inacl type ip6",
+ "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64",
+ "responses": [],
+ "rawModeData": "{\n\n \"acl\": [\n {\n \"type\" : \"vpp-acl:mixed-acl\",\n \"name\" : \"acl6\"\n }\n ]\n}",
+ "folder": "c05d7211-11b0-5688-2079-afa51196045c"
+ },
+ {
"id": "4442a2fd-497d-ee8d-22cd-43b72c358f67",
"headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
"url": "http://localhost:8183/restconf/config/ietf-interfaces:interfaces/interface/local0/v3po:ietf-acl",
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
index 58a72ab30..c74845ce7 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
@@ -152,13 +152,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
private static boolean appliesToIp4Path(final Ace ace) {
final AceType aceType = ace.getMatches().getAceType();
- if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv4) {
+ final AclType aclType = AclType.fromAce(ace);
+ if (aclType == AclType.IP4) {
return true;
}
- if (aceType instanceof AceEth) {
+ if (aclType == AclType.ETH) {
return true; // L2 only rules are possible for IP4 traffic
}
- if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+ if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType)
.getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) {
return true;
}
@@ -167,13 +168,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
private static boolean appliesToIp6Path(final Ace ace) {
final AceType aceType = ace.getMatches().getAceType();
- if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv6) {
+ final AclType aclType = AclType.fromAce(ace);
+ if (aclType == AclType.IP6) {
return true;
}
- if (aceType instanceof AceEth) {
- return true; // L2 only rules are possible for IP6 traffic
+ if (aclType == AclType.ETH) {
+ return true; // L2 only rules are possible for IP6 traffic
}
- if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+ if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType)
.getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) {
return true;
}
@@ -291,9 +293,12 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
result = ETH;
} else if (aceType instanceof AceIp) {
final AceIpVersion aceIpVersion = ((AceIp) aceType).getAceIpVersion();
+ if (aceIpVersion == null) {
+ throw new IllegalArgumentException("Incomplete ACE (ip-version was not provided): " + ace);
+ }
if (aceIpVersion instanceof AceIpv4) {
result = IP4;
- } else {
+ } else if (aceIpVersion instanceof AceIpv6) {
result = IP6;
}
} else if (aceType instanceof AceIpAndEth) {
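Review bot: Changing the trailing `else` to `else if (aceIpVersion instanceof AceIpv6)` means an `AceIp` whose version is neither the IPv4 nor the IPv6 case now falls through without assigning `result`; whether `result` has a safe initial value depends on code above the hunk, so the unknown case should be rejected explicitly in the same spirit as the new null check: `} else { throw new IllegalArgumentException("Unsupported ip-version in ACE: " + ace); }`. The new null check and this fallthrough could also be merged into one `else` so there is a single place that reports an incomplete or unrecognised ACE. The enclosing method starts and ends outside the hunk.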