diff options
author | Marek Gradzki <mgradzki@cisco.com> | 2016-10-13 15:16:39 +0200 |
---|---|---|
committer | Marek Gradzki <mgradzki@cisco.com> | 2016-10-17 14:00:08 +0000 |
commit | ae735b4aacfc7008b0c12425367a419b47646350 (patch) | |
tree | 7a9501671114da9eec48a525c9b882de6c9422a4 /v3po/v3po2vpp/src/main | |
parent | c88886b6e74c69693ac38b5440424577c9a5616e (diff) |
HONEYCOMB-218: add support for TCP/UDP port ranges
* can be used in combination with any other L2/L3 rule.
* assumes no ip options / extension headers
* provides naive implementation (vpp classfier api limitation):
every (src, dst) is mapped to single classify session.
Change-Id: Id6aa249b3e19f0aa47b9e15b5477d56bc70bee0e
Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'v3po/v3po2vpp/src/main')
12 files changed, 322 insertions, 115 deletions
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/AclWriterFactory.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/AclWriterFactory.java index ef0fc7ea5..23fc2e314 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/AclWriterFactory.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/AclWriterFactory.java @@ -31,6 +31,8 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.cont import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.Ace; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.Actions; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.Matches; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.acl.transport.header.fields.DestinationPortRange; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.acl.transport.header.fields.SourcePortRange; import org.opendaylight.yangtools.yang.binding.InstanceIdentifier; public final class AclWriterFactory implements WriterFactory { @@ -46,8 +48,10 @@ public final class AclWriterFactory implements WriterFactory { final InstanceIdentifier<Ace> aceId = aclIdRelative.child(AccessListEntries.class).child(Ace.class); final InstanceIdentifier<Actions> actionsId = aceId.child(Actions.class); final InstanceIdentifier<Matches> matchesId = aceId.child(Matches.class); + final InstanceIdentifier<SourcePortRange> srcPortId = matchesId.child((Class)SourcePortRange.class); + final InstanceIdentifier<DestinationPortRange> dstPortId = matchesId.child((Class)DestinationPortRange.class); - registry.subtreeAddBefore(Sets.newHashSet(aceId, actionsId, matchesId), + registry.subtreeAddBefore(Sets.newHashSet(aceId, actionsId, matchesId, srcPortId, dstPortId), new GenericListWriter<>(ACL_ID, new IetfAclWriter()), Sets.newHashSet(IETF_ACL_ID, SUBIF_IETF_ACL_ID)); } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java index 91ab927fb..c0e79f194 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java @@ -19,6 +19,8 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress; import com.google.common.annotations.VisibleForTesting; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; +import java.util.Collections; +import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling; @@ -60,11 +62,11 @@ final class AceEthWriter implements AceWriter<AceEth>, AclTranslator, L2AclTrans } @Override - public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action, - @Nonnull final AceEth aceEth, - @Nullable final InterfaceMode mode, - final int tableIndex, - final int vlanTags) { + public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action, + @Nonnull final AceEth aceEth, + @Nullable final InterfaceMode mode, + final int tableIndex, + final int vlanTags) { final ClassifyAddDelSession request = createSession(action, tableIndex); request.match = new byte[16]; @@ -78,6 +80,6 @@ final class AceEthWriter implements AceWriter<AceEth>, AclTranslator, L2AclTrans } LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceEth, request); - return request; + return Collections.singletonList(request); } } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java index affc8735d..ceef19244 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java @@ -21,6 +21,8 @@ import static com.google.common.base.Preconditions.checkArgument; import com.google.common.annotations.VisibleForTesting; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; +import java.util.ArrayList; +import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling; @@ -45,13 +47,14 @@ final class AceIp4Writer implements AceWriter<AceIp>, AclTranslator, Ip4AclTrans checkArgument(aceIp.getAceIpVersion() instanceof AceIpv4, "Expected AceIpv4 version, but was %", aceIp); final AceIpv4 ipVersion = (AceIpv4) aceIp.getAceIpVersion(); - final ClassifyAddDelTable request = createTable(nextTableIndex); + final int numberOfSessions = PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange()).size(); + final ClassifyAddDelTable request = createTable(nextTableIndex, numberOfSessions); request.skipNVectors = 0; // match entire L2 and L3 header request.matchNVectors = MATCH_N_VECTORS; request.mask = new byte[TABLE_MASK_LENGTH]; final int baseOffset = getVlanTagsLen(vlanTags); - boolean aceIsEmpty = ip4Mask(baseOffset, mode, aceIp, ipVersion, request, LOG); + boolean aceIsEmpty = ip4Mask(baseOffset, mode, aceIp, ipVersion, request); if (aceIsEmpty) { throw new IllegalArgumentException( String.format("Ace %s does not define packet field match values", aceIp.toString())); @@ -62,25 +65,30 @@ final class AceIp4Writer implements AceWriter<AceIp>, AclTranslator, Ip4AclTrans } @Override - public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action, - @Nonnull final AceIp aceIp, - @Nullable final InterfaceMode mode, - final int tableIndex, - final int vlanTags) { + public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action, + @Nonnull final AceIp aceIp, + @Nullable final InterfaceMode mode, + final int tableIndex, + final int vlanTags) { checkArgument(aceIp.getAceIpVersion() instanceof AceIpv4, "Expected AceIpv4 version, but was %", aceIp); final AceIpv4 ipVersion = (AceIpv4) aceIp.getAceIpVersion(); - final ClassifyAddDelSession request = createSession(action, tableIndex); - request.match = new byte[TABLE_MASK_LENGTH]; + final List<PortPair> portPairs = PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange()); + final List<ClassifyAddDelSession> requests = new ArrayList<>(portPairs.size()); + for (final PortPair pair : portPairs) { + final ClassifyAddDelSession request = createSession(action, tableIndex); + request.match = new byte[TABLE_MASK_LENGTH]; - final int baseOffset = getVlanTagsLen(vlanTags); - boolean noMatch = ip4Match(baseOffset, mode, aceIp, ipVersion, request, LOG); - if (noMatch) { - throw new IllegalArgumentException( - String.format("Ace %s does not define packet field match values", aceIp.toString())); - } + final int baseOffset = getVlanTagsLen(vlanTags); + boolean noMatch = ip4Match(baseOffset, mode, aceIp, ipVersion, pair.getSrc(), pair.getDst(), request); + if (noMatch) { + throw new IllegalArgumentException( + String.format("Ace %s does not define packet field match values", aceIp.toString())); + } - LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request); - return request; + LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request); + requests.add(request); + } + return requests; } } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java index b1186440d..143fcb238 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java @@ -18,9 +18,10 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress; import static com.google.common.base.Preconditions.checkArgument; -import com.google.common.annotations.VisibleForTesting; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; +import java.util.ArrayList; +import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling; @@ -32,9 +33,6 @@ import org.slf4j.LoggerFactory; final class AceIp6Writer implements AceWriter<AceIp>, AclTranslator, Ip6AclTranslator { - @VisibleForTesting - static final int MATCH_N_VECTORS = 4; // number of 16B vectors - private static final int TABLE_MASK_LENGTH = 64; private static final Logger LOG = LoggerFactory.getLogger(AceIp6Writer.class); @Override @@ -45,13 +43,14 @@ final class AceIp6Writer implements AceWriter<AceIp>, AclTranslator, Ip6AclTrans checkArgument(aceIp.getAceIpVersion() instanceof AceIpv6, "Expected AceIpv6 version, but was %", aceIp); final AceIpv6 ipVersion = (AceIpv6) aceIp.getAceIpVersion(); - final ClassifyAddDelTable request = createTable(nextTableIndex); + final int numberOfSessions = PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange()).size(); + final ClassifyAddDelTable request = createTable(nextTableIndex, numberOfSessions); request.skipNVectors = 0; // match entire L2 and L3 header - request.matchNVectors = MATCH_N_VECTORS; - request.mask = new byte[TABLE_MASK_LENGTH]; + request.mask = new byte[getTableMaskLength(vlanTags)]; + request.matchNVectors = request.mask.length/16; final int baseOffset = getVlanTagsLen(vlanTags); - boolean aceIsEmpty = ip6Mask(baseOffset, mode, aceIp, ipVersion, request, LOG); + boolean aceIsEmpty = ip6Mask(baseOffset, mode, aceIp, ipVersion, request); if (aceIsEmpty) { throw new IllegalArgumentException( String.format("Ace %s does not define packet field match values", aceIp.toString())); @@ -61,26 +60,40 @@ final class AceIp6Writer implements AceWriter<AceIp>, AclTranslator, Ip6AclTrans return request; } + private static int getTableMaskLength(final int vlanTags) { + if (vlanTags == 2) { + return 80; + } else { + return 64; + } + } + @Override - public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action, - @Nonnull final AceIp aceIp, - @Nullable final InterfaceMode mode, - final int tableIndex, - final int vlanTags) { + public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action, + @Nonnull final AceIp aceIp, + @Nullable final InterfaceMode mode, + final int tableIndex, + final int vlanTags) { checkArgument(aceIp.getAceIpVersion() instanceof AceIpv6, "Expected AceIpv6 version, but was %", aceIp); final AceIpv6 ipVersion = (AceIpv6) aceIp.getAceIpVersion(); + final List<PortPair> portPairs = + PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange()); - final ClassifyAddDelSession request = createSession(action, tableIndex); - request.match = new byte[TABLE_MASK_LENGTH]; + final List<ClassifyAddDelSession> requests = new ArrayList<>(portPairs.size()); + for (final PortPair pair : portPairs) { + final ClassifyAddDelSession request = createSession(action, tableIndex); + request.match = new byte[getTableMaskLength(vlanTags)]; - final int baseOffset = getVlanTagsLen(vlanTags); - boolean noMatch = ip6Match(baseOffset, mode, aceIp, ipVersion, request, LOG); - if (noMatch) { - throw new IllegalArgumentException( - String.format("Ace %s does not define packet field match values", aceIp.toString())); - } + final int baseOffset = getVlanTagsLen(vlanTags); + boolean noMatch = ip6Match(baseOffset, mode, aceIp, ipVersion, pair.getSrc(), pair.getDst(), request); + if (noMatch) { + throw new IllegalArgumentException( + String.format("Ace %s does not define packet field match values", aceIp.toString())); + } - LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request); - return request; + LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request); + requests.add(request); + } + return requests; } } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java index 40a050a6d..83a9848c9 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java @@ -20,6 +20,8 @@ import static com.google.common.base.Preconditions.checkArgument; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; +import java.util.ArrayList; +import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling; @@ -36,12 +38,14 @@ final class AceIpAndEthWriter private static final Logger LOG = LoggerFactory.getLogger(AceIpAndEthWriter.class); - private static int maskLength(@Nonnull final AceIpAndEth ace) { + private static int maskLength(@Nonnull final AceIpAndEth ace, final int vlanTags) { if (ace.getAceIpVersion() != null) { if (ace.getAceIpVersion() instanceof AceIpv4) { return 48; } else { - return 64; + return vlanTags == 2 + ? 80 + : 64; } } return 16; @@ -50,8 +54,9 @@ final class AceIpAndEthWriter @Override public ClassifyAddDelTable createTable(@Nonnull final AceIpAndEth ace, @Nullable final InterfaceMode mode, final int nextTableIndex, final int vlanTags) { - final ClassifyAddDelTable request = createTable(nextTableIndex); - final int maskLength = maskLength(ace); + final int numberOfSessions = PortPair.fromRange(ace.getSourcePortRange(), ace.getDestinationPortRange()).size(); + final ClassifyAddDelTable request = createTable(nextTableIndex, numberOfSessions); + final int maskLength = maskLength(ace, vlanTags); request.mask = new byte[maskLength]; request.skipNVectors = 0; request.matchNVectors = maskLength / 16; @@ -67,10 +72,10 @@ final class AceIpAndEthWriter final int baseOffset = getVlanTagsLen(vlanTags); if (aceIpVersion instanceof AceIpv4) { final AceIpv4 ipVersion = (AceIpv4) aceIpVersion; - aceIsEmpty &= ip4Mask(baseOffset, mode, ace, ipVersion, request, LOG); + aceIsEmpty &= ip4Mask(baseOffset, mode, ace, ipVersion, request); } else if (aceIpVersion instanceof AceIpv6) { final AceIpv6 ipVersion = (AceIpv6) aceIpVersion; - aceIsEmpty &= ip6Mask(baseOffset, mode, ace, ipVersion, request, LOG); + aceIsEmpty &= ip6Mask(baseOffset, mode, ace, ipVersion, request); } else { throw new IllegalArgumentException(String.format("Unsupported IP version %s", aceIpVersion)); } @@ -85,36 +90,40 @@ final class AceIpAndEthWriter } @Override - public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action, - @Nonnull final AceIpAndEth ace, - @Nullable final InterfaceMode mode, final int tableIndex, - final int vlanTags) { - final ClassifyAddDelSession request = createSession(action, tableIndex); - request.match = new byte[maskLength(ace)]; - - boolean noMatch = destinationMacAddressMatch(ace.getDestinationMacAddress(), request); - noMatch &= sourceMacAddressMatch(ace.getSourceMacAddress(), request); - - final AceIpVersion aceIpVersion = ace.getAceIpVersion(); - checkArgument(aceIpVersion != null, "AceIpAndEth have to define IpVersion"); - - final int baseOffset = getVlanTagsLen(vlanTags); - if (aceIpVersion instanceof AceIpv4) { - final AceIpv4 ipVersion = (AceIpv4) aceIpVersion; - noMatch &= ip4Match(baseOffset, mode, ace, ipVersion, request, LOG); - } else if (aceIpVersion instanceof AceIpv6) { - final AceIpv6 ipVersion = (AceIpv6) aceIpVersion; - noMatch &= ip6Match(baseOffset, mode, ace, ipVersion, request, LOG); - } else { - throw new IllegalArgumentException(String.format("Unsupported IP version %s", aceIpVersion)); - } + public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action, + @Nonnull final AceIpAndEth ace, + @Nullable final InterfaceMode mode, final int tableIndex, + final int vlanTags) { + final List<PortPair> portPairs = PortPair.fromRange(ace.getSourcePortRange(), ace.getDestinationPortRange()); + final List<ClassifyAddDelSession> requests = new ArrayList<>(portPairs.size()); + for (final PortPair pair : portPairs) { + final ClassifyAddDelSession request = createSession(action, tableIndex); + request.match = new byte[maskLength(ace, vlanTags)]; + + boolean noMatch = destinationMacAddressMatch(ace.getDestinationMacAddress(), request); + noMatch &= sourceMacAddressMatch(ace.getSourceMacAddress(), request); + + final AceIpVersion aceIpVersion = ace.getAceIpVersion(); + checkArgument(aceIpVersion != null, "AceIpAndEth have to define IpVersion"); + + final int baseOffset = getVlanTagsLen(vlanTags); + if (aceIpVersion instanceof AceIpv4) { + final AceIpv4 ipVersion = (AceIpv4) aceIpVersion; + noMatch &= ip4Match(baseOffset, mode, ace, ipVersion, pair.getSrc(), pair.getDst(), request); + } else if (aceIpVersion instanceof AceIpv6) { + final AceIpv6 ipVersion = (AceIpv6) aceIpVersion; + noMatch &= ip6Match(baseOffset, mode, ace, ipVersion, pair.getSrc(), pair.getDst(), request); + } else { + throw new IllegalArgumentException(String.format("Unsupported IP version %s", aceIpVersion)); + } - if (noMatch) { - throw new IllegalArgumentException( - String.format("Ace %s does not define packet field match values", ace.toString())); + if (noMatch) { + throw new IllegalArgumentException( + String.format("Ace %s does not define packet field match values", ace.toString())); + } + LOG.debug("ACE action={}, rule={} translated to session={}.", action, ace, request); + requests.add(request); } - - LOG.debug("ACE action={}, rule={} translated to session={}.", action, ace, request); - return request; + return requests; } } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java index 790b6d664..bc0b435bd 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java @@ -18,6 +18,7 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; +import java.util.List; import javax.annotation.Nonnull; import javax.annotation.Nullable; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling; @@ -48,6 +49,6 @@ interface AceWriter<T extends AceType> { * @param vlanTags number of vlan tags */ @Nonnull - ClassifyAddDelSession createSession(@Nonnull final PacketHandling action, @Nonnull T ace, - @Nullable final InterfaceMode mode, final int tableIndex, final int vlanTags); + List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action, @Nonnull T ace, + @Nullable final InterfaceMode mode, final int tableIndex, final int vlanTags); } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java index 9a931a923..44e4622d8 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java @@ -16,8 +16,11 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress; +import static com.google.common.base.Preconditions.checkArgument; + import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; +import javax.annotation.Nonnegative; import javax.annotation.Nonnull; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.packet.handling.Permit; @@ -26,21 +29,28 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.cont * Utility that helps translating of ietf-acl model ACEs to VPP's classify tables and sessions. */ interface AclTranslator { - - // TODO: HONEYCOMB-181 minimise memory used by classify tables (we create a lot of them to make ietf-acl model - // mapping more convenient): - // according to https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers#Creating_a_classifier_table, - // classify table needs 16*(1 + match_n_vectors) bytes, but this does not quite work, so setting 8K for now int TABLE_MEM_SIZE = 8 * 1024; int VLAN_TAG_LEN = 4; default ClassifyAddDelTable createTable(final int nextTableIndex) { + return createTable(nextTableIndex, 1); + } + + default ClassifyAddDelTable createTable(final int nextTableIndex, @Nonnegative final int numberOfSessions) { final ClassifyAddDelTable request = new ClassifyAddDelTable(); request.isAdd = 1; request.tableIndex = -1; // value not present - request.nbuckets = 1; // we expect exactly one session per table + request.nbuckets = numberOfSessions; request.nextTableIndex = nextTableIndex; - request.memorySize = TABLE_MEM_SIZE; + + + // TODO: HONEYCOMB-181 minimise memory used by classify tables (we create a lot of them to make ietf-acl model + // mapping more convenient): + // according to https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers#Creating_a_classifier_table, + // classify table needs 16*(1 + match_n_vectors) bytes, but this does not quite work, + // so setting 8K +1k*numberOfSessions for now + checkArgument(numberOfSessions>0, "negative numberOfSessions %s", numberOfSessions); + request.memorySize = TABLE_MEM_SIZE+1024*(numberOfSessions-1); request.missNextIndex = -1; // value not set, but anyway it is ignored for tables in chain return request; } diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java index 5814211f4..58a72ab30 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java @@ -85,9 +85,10 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { // ietf-acl updates are handled first, so we use writeContext.readAfter final Optional<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl> - aclOptional = writeContext.readAfter(io.fd.honeycomb.translate.v3po.interfaces.acl.IetfAclWriter.ACL_ID.child( - org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl.class, - new AclKey(aclName, aclType))); + aclOptional = + writeContext.readAfter(io.fd.honeycomb.translate.v3po.interfaces.acl.IetfAclWriter.ACL_ID.child( + org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl.class, + new AclKey(aclName, aclType))); checkArgument(aclOptional.isPresent(), "Acl lists not configured"); final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl acl = aclOptional.get(); @@ -157,7 +158,8 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { if (aceType instanceof AceEth) { return true; // L2 only rules are possible for IP4 traffic } - if (aceType instanceof AceIpAndEth && ((AceIpAndEth)aceType).getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) { + if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType) + .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) { return true; } return false; @@ -171,7 +173,8 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { if (aceType instanceof AceEth) { return true; // L2 only rules are possible for IP6 traffic } - if (aceType instanceof AceIpAndEth && ((AceIpAndEth)aceType).getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) { + if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType) + .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) { return true; } return false; @@ -206,7 +209,7 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { } private static List<Ace> getACEs(@Nonnull final List<Acl> acls, @Nonnull final WriteContext writeContext, - final Predicate<? super Ace> filter) { + final Predicate<? super Ace> filter) { return acls.stream().flatMap(acl -> aclToAceStream(acl, writeContext)).filter(filter) .collect(Collectors.toList()); } @@ -233,9 +236,11 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator { final PacketHandling action = ace.getActions().getPacketHandling(); final ClassifyAddDelTable ctRequest = aceWriter.createTable(aceType, mode, nextTableIndex, vlanTags); nextTableIndex = createClassifyTable(id, ctRequest); - final ClassifyAddDelSession csRequest = + final List<ClassifyAddDelSession> sessionRequests = aceWriter.createSession(action, aceType, mode, nextTableIndex, vlanTags); - createClassifySession(id, csRequest); + for (ClassifyAddDelSession csRequest : sessionRequests) { + createClassifySession(id, csRequest); + } } } return nextTableIndex; diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java index 819561e78..55d73fccb 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java @@ -24,7 +24,6 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types. import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpHeaderFields; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpv4HeaderFields; import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.InterfaceMode; -import org.slf4j.Logger; public interface Ip4AclTranslator extends Ipv4Translator { int ETHER_TYPE_OFFSET = 12; // first 14 bytes represent L2 header (2x6) @@ -38,9 +37,11 @@ public interface Ip4AclTranslator extends Ipv4Translator { int IP4_MASK_BIT_LENGTH = 32; int SRC_IP_OFFSET = ETHER_TYPE_OFFSET + 14; int DST_IP_OFFSET = SRC_IP_OFFSET + IP4_LEN; + int SRC_PORT_OFFSET = DST_IP_OFFSET + IP4_LEN; + int DST_PORT_OFFSET = SRC_PORT_OFFSET + 2; default boolean ip4Mask(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header, - final AclIpv4HeaderFields ip4, final ClassifyAddDelTable request, final Logger log) { + final AclIpv4HeaderFields ip4, final ClassifyAddDelTable request) { boolean aceIsEmpty = true; if (InterfaceMode.L2.equals(mode)) { // in L2 mode we need to match ether type @@ -56,10 +57,16 @@ public interface Ip4AclTranslator extends Ipv4Translator { request.mask[baseOffset + IP_PROTOCOL_OFFSET] = (byte) IP_PROTOCOL_MASK; } if (header.getSourcePortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + aceIsEmpty = false; + request.mask[baseOffset + SRC_PORT_OFFSET] = (byte) 0xff; + request.mask[baseOffset + SRC_PORT_OFFSET + 1] = (byte) 0xff; } if (header.getDestinationPortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + aceIsEmpty = false; + request.mask[baseOffset + DST_PORT_OFFSET] = (byte) 0xff; + request.mask[baseOffset + DST_PORT_OFFSET + 1] = (byte) 0xff; } if (ip4.getSourceIpv4Network() != null) { aceIsEmpty = false; @@ -75,7 +82,8 @@ public interface Ip4AclTranslator extends Ipv4Translator { } default boolean ip4Match(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header, - final AclIpv4HeaderFields ip4, final ClassifyAddDelSession request, final Logger log) { + final AclIpv4HeaderFields ip4, final Integer srcPort, + final Integer dstPort, final ClassifyAddDelSession request) { boolean noMatch = true; if (InterfaceMode.L2.equals(mode)) { // match IP4 etherType (0x0800) @@ -90,11 +98,17 @@ public interface Ip4AclTranslator extends Ipv4Translator { noMatch = false; request.match[baseOffset + IP_PROTOCOL_OFFSET] = (byte) (IP_PROTOCOL_MASK & header.getProtocol()); } - if (header.getSourcePortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange()); + if (srcPort != null) { + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + noMatch = false; + request.match[baseOffset + SRC_PORT_OFFSET] = (byte) (0xff & srcPort >> 8); + request.match[baseOffset + SRC_PORT_OFFSET + 1] = (byte) (0xff & srcPort); } if (header.getDestinationPortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + noMatch = false; + request.match[baseOffset + DST_PORT_OFFSET] = (byte) (0xff & dstPort >> 8); + request.match[baseOffset + DST_PORT_OFFSET + 1] = (byte) (0xff & dstPort); } if (ip4.getSourceIpv4Network() != null) { noMatch = false; diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java index eb2ec8c10..9dfab31c2 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java @@ -25,7 +25,6 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types. import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpHeaderFields; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpv6HeaderFields; import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.InterfaceMode; -import org.slf4j.Logger; public interface Ip6AclTranslator { @@ -38,9 +37,11 @@ public interface Ip6AclTranslator { int IP6_LEN = 16; int SRC_IP_OFFSET = IP_VERSION_OFFSET + 8; int DST_IP_OFFSET = SRC_IP_OFFSET + IP6_LEN; + int SRC_PORT_OFFSET = DST_IP_OFFSET + IP6_LEN; + int DST_PORT_OFFSET = SRC_PORT_OFFSET + 2; default boolean ip6Mask(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header, - final AclIpv6HeaderFields ip6, final ClassifyAddDelTable request, final Logger log) { + final AclIpv6HeaderFields ip6, final ClassifyAddDelTable request) { boolean aceIsEmpty = true; if (InterfaceMode.L2.equals(mode)) { // in L2 mode we need to match ether type @@ -65,10 +66,16 @@ public interface Ip6AclTranslator { request.mask[baseOffset + IP_VERSION_OFFSET + 3] = (byte) 0xff; } if (header.getSourcePortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + aceIsEmpty = false; + request.mask[baseOffset + SRC_PORT_OFFSET] = (byte) 0xff; + request.mask[baseOffset + SRC_PORT_OFFSET + 1] = (byte) 0xff; } if (header.getDestinationPortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + aceIsEmpty = false; + request.mask[baseOffset + DST_PORT_OFFSET] = (byte) 0xff; + request.mask[baseOffset + DST_PORT_OFFSET + 1] = (byte) 0xff; } if (ip6.getSourceIpv6Network() != null) { aceIsEmpty = false; @@ -84,7 +91,7 @@ public interface Ip6AclTranslator { } default boolean ip6Match(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header, - final AclIpv6HeaderFields ip6, final ClassifyAddDelSession request, final Logger log) { + final AclIpv6HeaderFields ip6, final Integer srcPort, final Integer dstPort, final ClassifyAddDelSession request) { boolean noMatch = true; if (InterfaceMode.L2.equals(mode)) { // match IP6 etherType (0x86dd) @@ -111,10 +118,16 @@ public interface Ip6AclTranslator { request.match[baseOffset + IP_VERSION_OFFSET + 3] = (byte) (0xff & flowLabel); } if (header.getSourcePortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + noMatch = false; + request.match[baseOffset + SRC_PORT_OFFSET] = (byte) (0xff & srcPort >> 8); + request.match[baseOffset + SRC_PORT_OFFSET + 1] = (byte) (0xff & srcPort); } if (header.getDestinationPortRange() != null) { - log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange()); + // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present + noMatch = false; + request.match[baseOffset + DST_PORT_OFFSET] = (byte) (0xff & dstPort >> 8); + request.match[baseOffset + DST_PORT_OFFSET + 1] = (byte) (0xff & dstPort); } if (ip6.getSourceIpv6Network() != null) { noMatch = false; diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java new file mode 100644 index 000000000..274303004 --- /dev/null +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java @@ -0,0 +1,126 @@ +/* + * Copyright (c) 2016 Cisco and/or its affiliates. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress; + +import java.util.ArrayList; +import java.util.List; +import java.util.Objects; +import java.util.function.BiFunction; +import javax.annotation.Nullable; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.acl.transport.header.fields.DestinationPortRange; +import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.acl.transport.header.fields.SourcePortRange; + +/** + * Utility that produces cartesian product out of src and dst port ranges (used to translate ranges into + * list of classify sessions). + */ +final class PortPair { + private final Integer src; + private final Integer dst; + + PortPair(@Nullable final Integer src, @Nullable final Integer dst) { + this.src = src; + this.dst = dst; + } + + Integer getSrc() { + return src; + } + + Integer getDst() { + return dst; + } + + @Override + public String toString() { + return "(" + src + "," + dst + ")"; + } + + @Override + public boolean equals(final Object o) { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + + final PortPair that = (PortPair) o; + if (!Objects.equals(src, that.src)) { + return false; + } + if (!Objects.equals(dst, that.dst)) { + return false; + } + return true; + } + + @Override + public int hashCode() { + return Objects.hash(src, dst); + } + + static List<PortPair> fromRange(final SourcePortRange srcRange, + final DestinationPortRange dstRange) { + final List<PortPair> result = new ArrayList<>(); + if (srcRange == null && dstRange == null) { + result.add(new PortPair(null, null)); + } else if (srcRange != null && dstRange == null) { + processSingleRange(result, srcRange.getLowerPort(), srcRange.getUpperPort(), PortPair::new); + } else if (srcRange == null && dstRange != null) { + processSingleRange(result, dstRange.getLowerPort(), dstRange.getUpperPort(), + (dst, src) -> new PortPair(src, dst)); + } else { + processDoubleRange(result, srcRange, dstRange); + } + return result; + } + + private static void processSingleRange(final List<PortPair> result, + final PortNumber lowerPort, + final PortNumber upperPort, + final BiFunction<Integer, Integer, PortPair> f) { + int low = lowerPort.getValue(); // mandatory + int hi = low; + if (upperPort != null) { + hi = upperPort.getValue(); + } + for (; low <= hi; ++low) { + result.add(f.apply(low, null)); + } + } + + private static void processDoubleRange(final List<PortPair> result, final SourcePortRange srcRange, + final DestinationPortRange dstRange) { + int srcL = srcRange.getLowerPort().getValue(); + int srcH = srcL; + if (srcRange.getUpperPort() != null) { + srcH = srcRange.getUpperPort().getValue(); + } + int dstL = dstRange.getLowerPort().getValue(); + int dstH = dstL; + if (dstRange.getUpperPort() != null) { + dstH = dstRange.getUpperPort().getValue(); + } + for (int i=srcL; i <= srcH; ++i) { + for (int j=dstL; j <= dstH; ++j) { + result.add(new PortPair(i, j)); + } + } + } +} diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/vppclassifier/ClassifySessionReader.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/vppclassifier/ClassifySessionReader.java index be9d0d953..caa31c58f 100644 --- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/vppclassifier/ClassifySessionReader.java +++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/vppclassifier/ClassifySessionReader.java @@ -157,8 +157,10 @@ public class ClassifySessionReader extends FutureJVppCustomizer final ClassifySessionDump dumpRequest = new ClassifySessionDump(); dumpRequest.tableId = tableId; + final int timeOut = 30; // there can be many session with current ietf-acl implementation (could be probably + // removed after fixing HONEYCOMB-247) classifySessionDump = - getReplyForRead(getFutureJVpp().classifySessionDump(dumpRequest).toCompletableFuture(), id); + getReplyForRead(getFutureJVpp().classifySessionDump(dumpRequest).toCompletableFuture(), id, timeOut); if (classifySessionDump != null) { // update the cache: |