summaryrefslogtreecommitdiffstats
path: root/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress
diff options
context:
space:
mode:
authorMarek Gradzki <mgradzki@cisco.com>2016-10-13 15:16:39 +0200
committerMarek Gradzki <mgradzki@cisco.com>2016-10-17 14:00:08 +0000
commit009a3e6e33225e1cd9ff4dd8ce7c38cc94e5f9dd (patch)
tree133138b791b4bbb824e8987292f8530f4ad27e87 /v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress
parent4273f4e051b5f25ebe932e49e72388e56ef0ffd8 (diff)
HONEYCOMB-218: add support for TCP/UDP port ranges
* can be used in combination with any other L2/L3 rule. * assumes no ip options / extension headers * provides naive implementation (vpp classfier api limitation): every (src, dst) is mapped to single classify session. Change-Id: Id6aa249b3e19f0aa47b9e15b5477d56bc70bee0e Signed-off-by: Marek Gradzki <mgradzki@cisco.com>
Diffstat (limited to 'v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress')
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java14
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java42
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java59
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java79
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java5
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java24
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java21
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java30
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java27
-rw-r--r--v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java126
10 files changed, 314 insertions, 113 deletions
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java
index 91ab927fb..c0e79f194 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceEthWriter.java
@@ -19,6 +19,8 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress;
import com.google.common.annotations.VisibleForTesting;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable;
+import java.util.Collections;
+import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
@@ -60,11 +62,11 @@ final class AceEthWriter implements AceWriter<AceEth>, AclTranslator, L2AclTrans
}
@Override
- public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action,
- @Nonnull final AceEth aceEth,
- @Nullable final InterfaceMode mode,
- final int tableIndex,
- final int vlanTags) {
+ public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action,
+ @Nonnull final AceEth aceEth,
+ @Nullable final InterfaceMode mode,
+ final int tableIndex,
+ final int vlanTags) {
final ClassifyAddDelSession request = createSession(action, tableIndex);
request.match = new byte[16];
@@ -78,6 +80,6 @@ final class AceEthWriter implements AceWriter<AceEth>, AclTranslator, L2AclTrans
}
LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceEth, request);
- return request;
+ return Collections.singletonList(request);
}
}
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java
index affc8735d..ceef19244 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp4Writer.java
@@ -21,6 +21,8 @@ import static com.google.common.base.Preconditions.checkArgument;
import com.google.common.annotations.VisibleForTesting;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable;
+import java.util.ArrayList;
+import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
@@ -45,13 +47,14 @@ final class AceIp4Writer implements AceWriter<AceIp>, AclTranslator, Ip4AclTrans
checkArgument(aceIp.getAceIpVersion() instanceof AceIpv4, "Expected AceIpv4 version, but was %", aceIp);
final AceIpv4 ipVersion = (AceIpv4) aceIp.getAceIpVersion();
- final ClassifyAddDelTable request = createTable(nextTableIndex);
+ final int numberOfSessions = PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange()).size();
+ final ClassifyAddDelTable request = createTable(nextTableIndex, numberOfSessions);
request.skipNVectors = 0; // match entire L2 and L3 header
request.matchNVectors = MATCH_N_VECTORS;
request.mask = new byte[TABLE_MASK_LENGTH];
final int baseOffset = getVlanTagsLen(vlanTags);
- boolean aceIsEmpty = ip4Mask(baseOffset, mode, aceIp, ipVersion, request, LOG);
+ boolean aceIsEmpty = ip4Mask(baseOffset, mode, aceIp, ipVersion, request);
if (aceIsEmpty) {
throw new IllegalArgumentException(
String.format("Ace %s does not define packet field match values", aceIp.toString()));
@@ -62,25 +65,30 @@ final class AceIp4Writer implements AceWriter<AceIp>, AclTranslator, Ip4AclTrans
}
@Override
- public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action,
- @Nonnull final AceIp aceIp,
- @Nullable final InterfaceMode mode,
- final int tableIndex,
- final int vlanTags) {
+ public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action,
+ @Nonnull final AceIp aceIp,
+ @Nullable final InterfaceMode mode,
+ final int tableIndex,
+ final int vlanTags) {
checkArgument(aceIp.getAceIpVersion() instanceof AceIpv4, "Expected AceIpv4 version, but was %", aceIp);
final AceIpv4 ipVersion = (AceIpv4) aceIp.getAceIpVersion();
- final ClassifyAddDelSession request = createSession(action, tableIndex);
- request.match = new byte[TABLE_MASK_LENGTH];
+ final List<PortPair> portPairs = PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange());
+ final List<ClassifyAddDelSession> requests = new ArrayList<>(portPairs.size());
+ for (final PortPair pair : portPairs) {
+ final ClassifyAddDelSession request = createSession(action, tableIndex);
+ request.match = new byte[TABLE_MASK_LENGTH];
- final int baseOffset = getVlanTagsLen(vlanTags);
- boolean noMatch = ip4Match(baseOffset, mode, aceIp, ipVersion, request, LOG);
- if (noMatch) {
- throw new IllegalArgumentException(
- String.format("Ace %s does not define packet field match values", aceIp.toString()));
- }
+ final int baseOffset = getVlanTagsLen(vlanTags);
+ boolean noMatch = ip4Match(baseOffset, mode, aceIp, ipVersion, pair.getSrc(), pair.getDst(), request);
+ if (noMatch) {
+ throw new IllegalArgumentException(
+ String.format("Ace %s does not define packet field match values", aceIp.toString()));
+ }
- LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request);
- return request;
+ LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request);
+ requests.add(request);
+ }
+ return requests;
}
}
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java
index b1186440d..143fcb238 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIp6Writer.java
@@ -18,9 +18,10 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress;
import static com.google.common.base.Preconditions.checkArgument;
-import com.google.common.annotations.VisibleForTesting;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable;
+import java.util.ArrayList;
+import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
@@ -32,9 +33,6 @@ import org.slf4j.LoggerFactory;
final class AceIp6Writer implements AceWriter<AceIp>, AclTranslator, Ip6AclTranslator {
- @VisibleForTesting
- static final int MATCH_N_VECTORS = 4; // number of 16B vectors
- private static final int TABLE_MASK_LENGTH = 64;
private static final Logger LOG = LoggerFactory.getLogger(AceIp6Writer.class);
@Override
@@ -45,13 +43,14 @@ final class AceIp6Writer implements AceWriter<AceIp>, AclTranslator, Ip6AclTrans
checkArgument(aceIp.getAceIpVersion() instanceof AceIpv6, "Expected AceIpv6 version, but was %", aceIp);
final AceIpv6 ipVersion = (AceIpv6) aceIp.getAceIpVersion();
- final ClassifyAddDelTable request = createTable(nextTableIndex);
+ final int numberOfSessions = PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange()).size();
+ final ClassifyAddDelTable request = createTable(nextTableIndex, numberOfSessions);
request.skipNVectors = 0; // match entire L2 and L3 header
- request.matchNVectors = MATCH_N_VECTORS;
- request.mask = new byte[TABLE_MASK_LENGTH];
+ request.mask = new byte[getTableMaskLength(vlanTags)];
+ request.matchNVectors = request.mask.length/16;
final int baseOffset = getVlanTagsLen(vlanTags);
- boolean aceIsEmpty = ip6Mask(baseOffset, mode, aceIp, ipVersion, request, LOG);
+ boolean aceIsEmpty = ip6Mask(baseOffset, mode, aceIp, ipVersion, request);
if (aceIsEmpty) {
throw new IllegalArgumentException(
String.format("Ace %s does not define packet field match values", aceIp.toString()));
@@ -61,26 +60,40 @@ final class AceIp6Writer implements AceWriter<AceIp>, AclTranslator, Ip6AclTrans
return request;
}
+ private static int getTableMaskLength(final int vlanTags) {
+ if (vlanTags == 2) {
+ return 80;
+ } else {
+ return 64;
+ }
+ }
+
@Override
- public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action,
- @Nonnull final AceIp aceIp,
- @Nullable final InterfaceMode mode,
- final int tableIndex,
- final int vlanTags) {
+ public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action,
+ @Nonnull final AceIp aceIp,
+ @Nullable final InterfaceMode mode,
+ final int tableIndex,
+ final int vlanTags) {
checkArgument(aceIp.getAceIpVersion() instanceof AceIpv6, "Expected AceIpv6 version, but was %", aceIp);
final AceIpv6 ipVersion = (AceIpv6) aceIp.getAceIpVersion();
+ final List<PortPair> portPairs =
+ PortPair.fromRange(aceIp.getSourcePortRange(), aceIp.getDestinationPortRange());
- final ClassifyAddDelSession request = createSession(action, tableIndex);
- request.match = new byte[TABLE_MASK_LENGTH];
+ final List<ClassifyAddDelSession> requests = new ArrayList<>(portPairs.size());
+ for (final PortPair pair : portPairs) {
+ final ClassifyAddDelSession request = createSession(action, tableIndex);
+ request.match = new byte[getTableMaskLength(vlanTags)];
- final int baseOffset = getVlanTagsLen(vlanTags);
- boolean noMatch = ip6Match(baseOffset, mode, aceIp, ipVersion, request, LOG);
- if (noMatch) {
- throw new IllegalArgumentException(
- String.format("Ace %s does not define packet field match values", aceIp.toString()));
- }
+ final int baseOffset = getVlanTagsLen(vlanTags);
+ boolean noMatch = ip6Match(baseOffset, mode, aceIp, ipVersion, pair.getSrc(), pair.getDst(), request);
+ if (noMatch) {
+ throw new IllegalArgumentException(
+ String.format("Ace %s does not define packet field match values", aceIp.toString()));
+ }
- LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request);
- return request;
+ LOG.debug("ACE action={}, rule={} translated to session={}.", action, aceIp, request);
+ requests.add(request);
+ }
+ return requests;
}
}
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java
index 40a050a6d..83a9848c9 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceIpAndEthWriter.java
@@ -20,6 +20,8 @@ import static com.google.common.base.Preconditions.checkArgument;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable;
+import java.util.ArrayList;
+import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
@@ -36,12 +38,14 @@ final class AceIpAndEthWriter
private static final Logger LOG = LoggerFactory.getLogger(AceIpAndEthWriter.class);
- private static int maskLength(@Nonnull final AceIpAndEth ace) {
+ private static int maskLength(@Nonnull final AceIpAndEth ace, final int vlanTags) {
if (ace.getAceIpVersion() != null) {
if (ace.getAceIpVersion() instanceof AceIpv4) {
return 48;
} else {
- return 64;
+ return vlanTags == 2
+ ? 80
+ : 64;
}
}
return 16;
@@ -50,8 +54,9 @@ final class AceIpAndEthWriter
@Override
public ClassifyAddDelTable createTable(@Nonnull final AceIpAndEth ace, @Nullable final InterfaceMode mode,
final int nextTableIndex, final int vlanTags) {
- final ClassifyAddDelTable request = createTable(nextTableIndex);
- final int maskLength = maskLength(ace);
+ final int numberOfSessions = PortPair.fromRange(ace.getSourcePortRange(), ace.getDestinationPortRange()).size();
+ final ClassifyAddDelTable request = createTable(nextTableIndex, numberOfSessions);
+ final int maskLength = maskLength(ace, vlanTags);
request.mask = new byte[maskLength];
request.skipNVectors = 0;
request.matchNVectors = maskLength / 16;
@@ -67,10 +72,10 @@ final class AceIpAndEthWriter
final int baseOffset = getVlanTagsLen(vlanTags);
if (aceIpVersion instanceof AceIpv4) {
final AceIpv4 ipVersion = (AceIpv4) aceIpVersion;
- aceIsEmpty &= ip4Mask(baseOffset, mode, ace, ipVersion, request, LOG);
+ aceIsEmpty &= ip4Mask(baseOffset, mode, ace, ipVersion, request);
} else if (aceIpVersion instanceof AceIpv6) {
final AceIpv6 ipVersion = (AceIpv6) aceIpVersion;
- aceIsEmpty &= ip6Mask(baseOffset, mode, ace, ipVersion, request, LOG);
+ aceIsEmpty &= ip6Mask(baseOffset, mode, ace, ipVersion, request);
} else {
throw new IllegalArgumentException(String.format("Unsupported IP version %s", aceIpVersion));
}
@@ -85,36 +90,40 @@ final class AceIpAndEthWriter
}
@Override
- public ClassifyAddDelSession createSession(@Nonnull final PacketHandling action,
- @Nonnull final AceIpAndEth ace,
- @Nullable final InterfaceMode mode, final int tableIndex,
- final int vlanTags) {
- final ClassifyAddDelSession request = createSession(action, tableIndex);
- request.match = new byte[maskLength(ace)];
-
- boolean noMatch = destinationMacAddressMatch(ace.getDestinationMacAddress(), request);
- noMatch &= sourceMacAddressMatch(ace.getSourceMacAddress(), request);
-
- final AceIpVersion aceIpVersion = ace.getAceIpVersion();
- checkArgument(aceIpVersion != null, "AceIpAndEth have to define IpVersion");
-
- final int baseOffset = getVlanTagsLen(vlanTags);
- if (aceIpVersion instanceof AceIpv4) {
- final AceIpv4 ipVersion = (AceIpv4) aceIpVersion;
- noMatch &= ip4Match(baseOffset, mode, ace, ipVersion, request, LOG);
- } else if (aceIpVersion instanceof AceIpv6) {
- final AceIpv6 ipVersion = (AceIpv6) aceIpVersion;
- noMatch &= ip6Match(baseOffset, mode, ace, ipVersion, request, LOG);
- } else {
- throw new IllegalArgumentException(String.format("Unsupported IP version %s", aceIpVersion));
- }
+ public List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action,
+ @Nonnull final AceIpAndEth ace,
+ @Nullable final InterfaceMode mode, final int tableIndex,
+ final int vlanTags) {
+ final List<PortPair> portPairs = PortPair.fromRange(ace.getSourcePortRange(), ace.getDestinationPortRange());
+ final List<ClassifyAddDelSession> requests = new ArrayList<>(portPairs.size());
+ for (final PortPair pair : portPairs) {
+ final ClassifyAddDelSession request = createSession(action, tableIndex);
+ request.match = new byte[maskLength(ace, vlanTags)];
+
+ boolean noMatch = destinationMacAddressMatch(ace.getDestinationMacAddress(), request);
+ noMatch &= sourceMacAddressMatch(ace.getSourceMacAddress(), request);
+
+ final AceIpVersion aceIpVersion = ace.getAceIpVersion();
+ checkArgument(aceIpVersion != null, "AceIpAndEth have to define IpVersion");
+
+ final int baseOffset = getVlanTagsLen(vlanTags);
+ if (aceIpVersion instanceof AceIpv4) {
+ final AceIpv4 ipVersion = (AceIpv4) aceIpVersion;
+ noMatch &= ip4Match(baseOffset, mode, ace, ipVersion, pair.getSrc(), pair.getDst(), request);
+ } else if (aceIpVersion instanceof AceIpv6) {
+ final AceIpv6 ipVersion = (AceIpv6) aceIpVersion;
+ noMatch &= ip6Match(baseOffset, mode, ace, ipVersion, pair.getSrc(), pair.getDst(), request);
+ } else {
+ throw new IllegalArgumentException(String.format("Unsupported IP version %s", aceIpVersion));
+ }
- if (noMatch) {
- throw new IllegalArgumentException(
- String.format("Ace %s does not define packet field match values", ace.toString()));
+ if (noMatch) {
+ throw new IllegalArgumentException(
+ String.format("Ace %s does not define packet field match values", ace.toString()));
+ }
+ LOG.debug("ACE action={}, rule={} translated to session={}.", action, ace, request);
+ requests.add(request);
}
-
- LOG.debug("ACE action={}, rule={} translated to session={}.", action, ace, request);
- return request;
+ return requests;
}
}
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java
index 790b6d664..bc0b435bd 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AceWriter.java
@@ -18,6 +18,7 @@ package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable;
+import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
@@ -48,6 +49,6 @@ interface AceWriter<T extends AceType> {
* @param vlanTags number of vlan tags
*/
@Nonnull
- ClassifyAddDelSession createSession(@Nonnull final PacketHandling action, @Nonnull T ace,
- @Nullable final InterfaceMode mode, final int tableIndex, final int vlanTags);
+ List<ClassifyAddDelSession> createSession(@Nonnull final PacketHandling action, @Nonnull T ace,
+ @Nullable final InterfaceMode mode, final int tableIndex, final int vlanTags);
}
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java
index 9a931a923..44e4622d8 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/AclTranslator.java
@@ -16,8 +16,11 @@
package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress;
+import static com.google.common.base.Preconditions.checkArgument;
+
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession;
import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable;
+import javax.annotation.Nonnegative;
import javax.annotation.Nonnull;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.PacketHandling;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.acl.access.list.entries.ace.actions.packet.handling.Permit;
@@ -26,21 +29,28 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.cont
* Utility that helps translating of ietf-acl model ACEs to VPP's classify tables and sessions.
*/
interface AclTranslator {
-
- // TODO: HONEYCOMB-181 minimise memory used by classify tables (we create a lot of them to make ietf-acl model
- // mapping more convenient):
- // according to https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers#Creating_a_classifier_table,
- // classify table needs 16*(1 + match_n_vectors) bytes, but this does not quite work, so setting 8K for now
int TABLE_MEM_SIZE = 8 * 1024;
int VLAN_TAG_LEN = 4;
default ClassifyAddDelTable createTable(final int nextTableIndex) {
+ return createTable(nextTableIndex, 1);
+ }
+
+ default ClassifyAddDelTable createTable(final int nextTableIndex, @Nonnegative final int numberOfSessions) {
final ClassifyAddDelTable request = new ClassifyAddDelTable();
request.isAdd = 1;
request.tableIndex = -1; // value not present
- request.nbuckets = 1; // we expect exactly one session per table
+ request.nbuckets = numberOfSessions;
request.nextTableIndex = nextTableIndex;
- request.memorySize = TABLE_MEM_SIZE;
+
+
+ // TODO: HONEYCOMB-181 minimise memory used by classify tables (we create a lot of them to make ietf-acl model
+ // mapping more convenient):
+ // according to https://wiki.fd.io/view/VPP/Introduction_To_N-tuple_Classifiers#Creating_a_classifier_table,
+ // classify table needs 16*(1 + match_n_vectors) bytes, but this does not quite work,
+ // so setting 8K +1k*numberOfSessions for now
+ checkArgument(numberOfSessions>0, "negative numberOfSessions %s", numberOfSessions);
+ request.memorySize = TABLE_MEM_SIZE+1024*(numberOfSessions-1);
request.missNextIndex = -1; // value not set, but anyway it is ignored for tables in chain
return request;
}
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
index 5814211f4..58a72ab30 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
@@ -85,9 +85,10 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
// ietf-acl updates are handled first, so we use writeContext.readAfter
final Optional<org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl>
- aclOptional = writeContext.readAfter(io.fd.honeycomb.translate.v3po.interfaces.acl.IetfAclWriter.ACL_ID.child(
- org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl.class,
- new AclKey(aclName, aclType)));
+ aclOptional =
+ writeContext.readAfter(io.fd.honeycomb.translate.v3po.interfaces.acl.IetfAclWriter.ACL_ID.child(
+ org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl.class,
+ new AclKey(aclName, aclType)));
checkArgument(aclOptional.isPresent(), "Acl lists not configured");
final org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.access.control.list.rev160708.access.lists.Acl
acl = aclOptional.get();
@@ -157,7 +158,8 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
if (aceType instanceof AceEth) {
return true; // L2 only rules are possible for IP4 traffic
}
- if (aceType instanceof AceIpAndEth && ((AceIpAndEth)aceType).getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) {
+ if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+ .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) {
return true;
}
return false;
@@ -171,7 +173,8 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
if (aceType instanceof AceEth) {
return true; // L2 only rules are possible for IP6 traffic
}
- if (aceType instanceof AceIpAndEth && ((AceIpAndEth)aceType).getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) {
+ if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+ .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) {
return true;
}
return false;
@@ -206,7 +209,7 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
}
private static List<Ace> getACEs(@Nonnull final List<Acl> acls, @Nonnull final WriteContext writeContext,
- final Predicate<? super Ace> filter) {
+ final Predicate<? super Ace> filter) {
return acls.stream().flatMap(acl -> aclToAceStream(acl, writeContext)).filter(filter)
.collect(Collectors.toList());
}
@@ -233,9 +236,11 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
final PacketHandling action = ace.getActions().getPacketHandling();
final ClassifyAddDelTable ctRequest = aceWriter.createTable(aceType, mode, nextTableIndex, vlanTags);
nextTableIndex = createClassifyTable(id, ctRequest);
- final ClassifyAddDelSession csRequest =
+ final List<ClassifyAddDelSession> sessionRequests =
aceWriter.createSession(action, aceType, mode, nextTableIndex, vlanTags);
- createClassifySession(id, csRequest);
+ for (ClassifyAddDelSession csRequest : sessionRequests) {
+ createClassifySession(id, csRequest);
+ }
}
}
return nextTableIndex;
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java
index 819561e78..55d73fccb 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip4AclTranslator.java
@@ -24,7 +24,6 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpHeaderFields;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpv4HeaderFields;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.InterfaceMode;
-import org.slf4j.Logger;
public interface Ip4AclTranslator extends Ipv4Translator {
int ETHER_TYPE_OFFSET = 12; // first 14 bytes represent L2 header (2x6)
@@ -38,9 +37,11 @@ public interface Ip4AclTranslator extends Ipv4Translator {
int IP4_MASK_BIT_LENGTH = 32;
int SRC_IP_OFFSET = ETHER_TYPE_OFFSET + 14;
int DST_IP_OFFSET = SRC_IP_OFFSET + IP4_LEN;
+ int SRC_PORT_OFFSET = DST_IP_OFFSET + IP4_LEN;
+ int DST_PORT_OFFSET = SRC_PORT_OFFSET + 2;
default boolean ip4Mask(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header,
- final AclIpv4HeaderFields ip4, final ClassifyAddDelTable request, final Logger log) {
+ final AclIpv4HeaderFields ip4, final ClassifyAddDelTable request) {
boolean aceIsEmpty = true;
if (InterfaceMode.L2.equals(mode)) {
// in L2 mode we need to match ether type
@@ -56,10 +57,16 @@ public interface Ip4AclTranslator extends Ipv4Translator {
request.mask[baseOffset + IP_PROTOCOL_OFFSET] = (byte) IP_PROTOCOL_MASK;
}
if (header.getSourcePortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ aceIsEmpty = false;
+ request.mask[baseOffset + SRC_PORT_OFFSET] = (byte) 0xff;
+ request.mask[baseOffset + SRC_PORT_OFFSET + 1] = (byte) 0xff;
}
if (header.getDestinationPortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ aceIsEmpty = false;
+ request.mask[baseOffset + DST_PORT_OFFSET] = (byte) 0xff;
+ request.mask[baseOffset + DST_PORT_OFFSET + 1] = (byte) 0xff;
}
if (ip4.getSourceIpv4Network() != null) {
aceIsEmpty = false;
@@ -75,7 +82,8 @@ public interface Ip4AclTranslator extends Ipv4Translator {
}
default boolean ip4Match(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header,
- final AclIpv4HeaderFields ip4, final ClassifyAddDelSession request, final Logger log) {
+ final AclIpv4HeaderFields ip4, final Integer srcPort,
+ final Integer dstPort, final ClassifyAddDelSession request) {
boolean noMatch = true;
if (InterfaceMode.L2.equals(mode)) {
// match IP4 etherType (0x0800)
@@ -90,11 +98,17 @@ public interface Ip4AclTranslator extends Ipv4Translator {
noMatch = false;
request.match[baseOffset + IP_PROTOCOL_OFFSET] = (byte) (IP_PROTOCOL_MASK & header.getProtocol());
}
- if (header.getSourcePortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange());
+ if (srcPort != null) {
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ noMatch = false;
+ request.match[baseOffset + SRC_PORT_OFFSET] = (byte) (0xff & srcPort >> 8);
+ request.match[baseOffset + SRC_PORT_OFFSET + 1] = (byte) (0xff & srcPort);
}
if (header.getDestinationPortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ noMatch = false;
+ request.match[baseOffset + DST_PORT_OFFSET] = (byte) (0xff & dstPort >> 8);
+ request.match[baseOffset + DST_PORT_OFFSET + 1] = (byte) (0xff & dstPort);
}
if (ip4.getSourceIpv4Network() != null) {
noMatch = false;
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java
index eb2ec8c10..9dfab31c2 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/Ip6AclTranslator.java
@@ -25,7 +25,6 @@ import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpHeaderFields;
import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpv6HeaderFields;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.InterfaceMode;
-import org.slf4j.Logger;
public interface Ip6AclTranslator {
@@ -38,9 +37,11 @@ public interface Ip6AclTranslator {
int IP6_LEN = 16;
int SRC_IP_OFFSET = IP_VERSION_OFFSET + 8;
int DST_IP_OFFSET = SRC_IP_OFFSET + IP6_LEN;
+ int SRC_PORT_OFFSET = DST_IP_OFFSET + IP6_LEN;
+ int DST_PORT_OFFSET = SRC_PORT_OFFSET + 2;
default boolean ip6Mask(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header,
- final AclIpv6HeaderFields ip6, final ClassifyAddDelTable request, final Logger log) {
+ final AclIpv6HeaderFields ip6, final ClassifyAddDelTable request) {
boolean aceIsEmpty = true;
if (InterfaceMode.L2.equals(mode)) {
// in L2 mode we need to match ether type
@@ -65,10 +66,16 @@ public interface Ip6AclTranslator {
request.mask[baseOffset + IP_VERSION_OFFSET + 3] = (byte) 0xff;
}
if (header.getSourcePortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ aceIsEmpty = false;
+ request.mask[baseOffset + SRC_PORT_OFFSET] = (byte) 0xff;
+ request.mask[baseOffset + SRC_PORT_OFFSET + 1] = (byte) 0xff;
}
if (header.getDestinationPortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ aceIsEmpty = false;
+ request.mask[baseOffset + DST_PORT_OFFSET] = (byte) 0xff;
+ request.mask[baseOffset + DST_PORT_OFFSET + 1] = (byte) 0xff;
}
if (ip6.getSourceIpv6Network() != null) {
aceIsEmpty = false;
@@ -84,7 +91,7 @@ public interface Ip6AclTranslator {
}
default boolean ip6Match(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header,
- final AclIpv6HeaderFields ip6, final ClassifyAddDelSession request, final Logger log) {
+ final AclIpv6HeaderFields ip6, final Integer srcPort, final Integer dstPort, final ClassifyAddDelSession request) {
boolean noMatch = true;
if (InterfaceMode.L2.equals(mode)) {
// match IP6 etherType (0x86dd)
@@ -111,10 +118,16 @@ public interface Ip6AclTranslator {
request.match[baseOffset + IP_VERSION_OFFSET + 3] = (byte) (0xff & flowLabel);
}
if (header.getSourcePortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getSourcePortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ noMatch = false;
+ request.match[baseOffset + SRC_PORT_OFFSET] = (byte) (0xff & srcPort >> 8);
+ request.match[baseOffset + SRC_PORT_OFFSET + 1] = (byte) (0xff & srcPort);
}
if (header.getDestinationPortRange() != null) {
- log.warn("L4 Header fields are not supported. Ignoring {}", header.getDestinationPortRange());
+ // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present
+ noMatch = false;
+ request.match[baseOffset + DST_PORT_OFFSET] = (byte) (0xff & dstPort >> 8);
+ request.match[baseOffset + DST_PORT_OFFSET + 1] = (byte) (0xff & dstPort);
}
if (ip6.getSourceIpv6Network() != null) {
noMatch = false;
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java
new file mode 100644
index 000000000..274303004
--- /dev/null
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/PortPair.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2016 Cisco and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package io.fd.honeycomb.translate.v3po.interfaces.acl.ingress;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.function.BiFunction;
+import javax.annotation.Nullable;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.PortNumber;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.acl.transport.header.fields.DestinationPortRange;
+import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.acl.transport.header.fields.SourcePortRange;
+
+/**
+ * Utility that produces cartesian product out of src and dst port ranges (used to translate ranges into
+ * list of classify sessions).
+ */
+final class PortPair {
+ private final Integer src;
+ private final Integer dst;
+
+ PortPair(@Nullable final Integer src, @Nullable final Integer dst) {
+ this.src = src;
+ this.dst = dst;
+ }
+
+ Integer getSrc() {
+ return src;
+ }
+
+ Integer getDst() {
+ return dst;
+ }
+
+ @Override
+ public String toString() {
+ return "(" + src + "," + dst + ")";
+ }
+
+ @Override
+ public boolean equals(final Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+
+ final PortPair that = (PortPair) o;
+ if (!Objects.equals(src, that.src)) {
+ return false;
+ }
+ if (!Objects.equals(dst, that.dst)) {
+ return false;
+ }
+ return true;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(src, dst);
+ }
+
+ static List<PortPair> fromRange(final SourcePortRange srcRange,
+ final DestinationPortRange dstRange) {
+ final List<PortPair> result = new ArrayList<>();
+ if (srcRange == null && dstRange == null) {
+ result.add(new PortPair(null, null));
+ } else if (srcRange != null && dstRange == null) {
+ processSingleRange(result, srcRange.getLowerPort(), srcRange.getUpperPort(), PortPair::new);
+ } else if (srcRange == null && dstRange != null) {
+ processSingleRange(result, dstRange.getLowerPort(), dstRange.getUpperPort(),
+ (dst, src) -> new PortPair(src, dst));
+ } else {
+ processDoubleRange(result, srcRange, dstRange);
+ }
+ return result;
+ }
+
+ private static void processSingleRange(final List<PortPair> result,
+ final PortNumber lowerPort,
+ final PortNumber upperPort,
+ final BiFunction<Integer, Integer, PortPair> f) {
+ int low = lowerPort.getValue(); // mandatory
+ int hi = low;
+ if (upperPort != null) {
+ hi = upperPort.getValue();
+ }
+ for (; low <= hi; ++low) {
+ result.add(f.apply(low, null));
+ }
+ }
+
+ private static void processDoubleRange(final List<PortPair> result, final SourcePortRange srcRange,
+ final DestinationPortRange dstRange) {
+ int srcL = srcRange.getLowerPort().getValue();
+ int srcH = srcL;
+ if (srcRange.getUpperPort() != null) {
+ srcH = srcRange.getUpperPort().getValue();
+ }
+ int dstL = dstRange.getLowerPort().getValue();
+ int dstH = dstL;
+ if (dstRange.getUpperPort() != null) {
+ dstH = dstRange.getUpperPort().getValue();
+ }
+ for (int i=srcL; i <= srcH; ++i) {
+ for (int j=dstL; j <= dstH; ++j) {
+ result.add(new PortPair(i, j));
+ }
+ }
+ }
+}