From e038e92d86fce2df7e50071436ceac5cf0a9ba24 Mon Sep 17 00:00:00 2001
From: Marek Gradzki
Date: Tue, 18 Oct 2016 09:48:01 +0200
Subject: Make ip-version mandatory for all ACEs
- ip-version was mandatory only when mixing l2/l3 rules in one ACE (vpp api limitation). It needs to be provided also in case of ACEs that define l3 only rules (we allow mixing ip4/ip6 ACEs in one list).
- updates postman collestion with example of L4 only acl
Change-Id: Ifb863208c21a504cd61843f7540341bc35a6174a
Signed-off-by: Marek Gradzki
---
 v3po/api/src/main/yang/vpp-acl.yang | 15 +++++---
 v3po/postman_rest_collection.json | 44 ++++++++++++++++++++++
 .../v3po/interfaces/acl/ingress/IetfAclWriter.java | 21 +++++++----
 3 files changed, 67 insertions(+), 13 deletions(-)
(limited to 'v3po')
diff --git a/v3po/api/src/main/yang/vpp-acl.yang b/v3po/api/src/main/yang/vpp-acl.yang
index d0d24c98a..f0c93f45e 100644
--- a/v3po/api/src/main/yang/vpp-acl.yang
+++ b/v3po/api/src/main/yang/vpp-acl.yang
@@ -82,14 +82,19 @@ module vpp-acl { Update/delete of ACL lists referenced here is not permitted (assignment needs to be removed first). Read is supported only for acls that were created and assigned by Honeycomb agent - (corresponding metadata are present). + (corresponding metadata is present). + + Extensions: + - mixing ACEs of different type in one list is permited + - mixing L2/L3/L4 rules in one ACE is permited Limitations (due to vpp limitations): - egress rules are currently ignored (HONEYCOMB-234) - - L4 rules are currently not supported (limited support will by provided by HONEYCOMB-218) - - mixing L2 and L3 rules is possible only if ace-ip-version is provided - (vpp classfier api limitation: common header fields for IP4/IP6 have different offsets) - - L2 rules on L3 interfaces only to IP traffic (vpp classfier limitation) + - L4 rules support is limited (every port pair from provided ranges is translated to single classify + session; which can very slow or even crash vpp if ranges are big, see HONEYCOMB-260) + - ace-ip-version needs to be provided for all aces (consequence of posibility to mix ACEs of different types, + and vpp classfier api limitation: common header fields for IP4/IP6 have different offsets) + - L2 rules on L3 interfaces are applied only to IP traffic (vpp classfier limitation) - vlan tags are supported only for sub-interfaces defined as exact-match"; list acl { diff --git a/v3po/postman_rest_collection.json b/v3po/postman_rest_collection.json index 5617a98a4..e25cfb6f2 100644 --- a/v3po/postman_rest_collection.json +++ b/v3po/postman_rest_collection.json 
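Review bot: The added description lines carry spelling slips that every consumer of the published module will see: `permited` (twice), `posibility`, `classfier` (three times), and the clause `which can very slow or even crash vpp` is missing its verb. Suggest `permitted`, `possibility`, `classifier` and `which can be very slow or even crash vpp if ranges are big`. The new L4 limitation describes a resource-exhaustion risk (one classify session per port pair) but does not say whether the agent bounds or rejects large ranges; stating that here, or pointing at where it is enforced, would let operators judge the exposure from this text alone.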
@@ -98,11 +98,13 @@
 "5e93fbca-86d0-12a5-45fd-45d7dfa3bd40",
 "5140ac58-342a-1576-8b0e-99eb8b3b1fb2",
 "9f58c827-d698-fc60-ec49-c2ccbca97c35",
+ "93b5345a-434f-9459-26c2-dc2cad9176e0",
 "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
 "33280f11-2d61-09d3-f726-9907ef00dc19",
 "60d4ab79-dea1-de5a-63eb-6e26d3d1481b",
 "d668c31c-b904-cd65-124c-dd2a89149b70",
 "13b938a5-7a53-513f-44b9-33d869b8cb53",
+ "bca26b70-fe05-a1b4-f93a-1f683341d492",
 "4442a2fd-497d-ee8d-22cd-43b72c358f67",
 "161987f9-8912-f724-2f2d-d7548b12e8f9"
 ],
@@ -1630,6 +1632,27 @@
 "rawModeData": "{\r\n \"acl\": [\r\n {\r\n \"acl-type\": \"vpp-acl:mixed-acl\",\r\n \"acl-name\": \"acl5\",\r\n \"access-list-entries\": {\r\n \"ace\": [\r\n {\r\n \"rule-name\": \"rule1(ip4+mac)\",\r\n \"matches\": {\r\n \"vpp-acl:destination-mac-address\": \"AA:BB:CC:DD:00:00\",\r\n \"vpp-acl:destination-mac-address-mask\": \"FF:FF:FF:FF:00:00\",\r\n \"vpp-acl:source-mac-address\": \"00:00:00:00:AA:BB\",\r\n \"vpp-acl:source-mac-address-mask\": \"00:00:00:00:FF:FF\",\r\n \"vpp-acl:destination-ipv4-network\": \"1.2.3.1/24\",\r\n \"vpp-acl:protocol\": \"4\",\r\n \"vpp-acl:dscp\": \"11\",\r\n \"vpp-acl:source-ipv4-network\": \"1.2.4.2/24\"\r\n },\r\n \"actions\": {\r\n \"deny\": {}\r\n }\r\n },\r\n {\r\n \"rule-name\": \"rule2(ip4+mac)\",\r\n \"matches\": {\r\n \"vpp-acl:source-mac-address\": \"01:02:03:04:05:06\",\r\n \"vpp-acl:destination-ipv4-network\": \"1.1.1.1/16\",\r\n \"vpp-acl:protocol\": \"4\",\r\n \"vpp-acl:dscp\": \"63\",\r\n \"vpp-acl:source-ipv4-network\": \"2.2.2.2/32\"\r\n },\r\n \"actions\": {\r\n \"deny\": {}\r\n }\r\n },\r\n {\r\n \"rule-name\": \"rule3(ip6+mac)\",\r\n \"matches\": {\r\n \"vpp-acl:destination-mac-address\": \"11:22:33:44:55:66\",\r\n \"vpp-acl:destination-ipv6-network\": \"1111:2222:3333:4444:5555:6666:7777:8888/64\"\r\n },\r\n \"actions\": {\r\n \"deny\": {}\r\n }\r\n }\r\n ]\r\n }\r\n }\r\n ]\r\n}",
 "folder": "c05d7211-11b0-5688-2079-afa51196045c"
 },
+ {
+ "id": "93b5345a-434f-9459-26c2-dc2cad9176e0",
+ "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+ "url": "http://localhost:8183/restconf/config/ietf-access-control-list:access-lists/acl/vpp-acl:mixed-acl/acl6",
+ "preRequestScript": "",
+ "pathVariables": {},
+ "method": "PUT",
+ "data": [],
+ "dataMode": "raw",
+ "version": 2,
+ "tests": "",
+ "currentHelper": "normal",
+ "helperAttributes": {},
+ "time": 1476780298679,
+ "name": "Write acl6 list (L4 rules)",
+ "description": "Deny any traffic where destination port 
is 80 and source port in range [1000,2000].",
+ "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64",
+ "responses": [],
+ "rawModeData": "{\n\t\"acl\": [\n\t\t{\n\t\t\t\"acl-name\": \"acl6\", \n\t\t\t\"acl-type\": \"vpp-acl:mixed-acl\", \n\t\t\t\"access-list-entries\": {\n\t\t\t\t\"ace\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"matches\": {\n \"destination-ipv4-network\": \"0.0.0.0/0\",\n\t\t\t\t\t\t\t\"destination-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 80\n\t\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t}, \n\t\t\t\t\t\t\t\"source-port-range\": {\n\t\t\t\t\t\t\t\t\"lower-port\": 1000,\n\t\t\t\t\t\t\t\t\"upper-port\": 2000\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}, \n\t\t\t\t\t\t\"actions\": {\n\t\t\t\t\t\t\t\"deny\": {}\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"rule-name\": \"rule1\"\n\t\t\t\t\t}]}}]}\n",
+ "folder": "c05d7211-11b0-5688-2079-afa51196045c"
+ },
 {
 "id": "4d3d06fe-8a64-d0e4-400a-79c4fbd6db73",
 "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
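Review bot: The new acl6 request body writes its match keys unqualified (`destination-ipv4-network`, `destination-port-range`), while the acl5 example in the context lines above qualifies the same leaf as `vpp-acl:destination-ipv4-network`; if RESTCONF requires the module prefix for a leaf whose module differs from its parent's, one of the two examples will be rejected, so they should agree on a single form. With the limitation added to vpp-acl.yang in this same commit (one classify session per port pair), the source range [1000,2000] against the single destination port 80 expands into roughly a thousand sessions, which may be a heavier demonstration than intended; either narrowing the range or saying so in the request's `description` would make the cost visible to whoever runs the collection.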
@@ -1735,6 +1758,27 @@
 "rawModeData": "{\n\n \"acl\": [\n {\n \"type\" : \"vpp-acl:mixed-acl\",\n \"name\" : \"acl5\"\n }\n ]\n}",
 "folder": "c05d7211-11b0-5688-2079-afa51196045c"
 },
+ {
+ "id": "bca26b70-fe05-a1b4-f93a-1f683341d492",
+ "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
+ "url": "http://localhost:8183/restconf/config/ietf-interfaces:interfaces/interface/local0/ietf-acl/ingress/access-lists/acl/vpp-acl:mixed-acl/acl6",
+ "preRequestScript": "",
+ "pathVariables": {},
+ "method": "PUT",
+ "data": [],
+ "dataMode": "raw",
+ "version": 2,
+ "tests": "",
+ "currentHelper": "normal",
+ "helperAttributes": {},
+ "time": 1476778885469,
+ "name": "Enable L4 ACL on local0 interface",
+ "description": "Creates chain of classfy tabless/sessions in VPP and assigns them to local0 interface.\n\nCan be verified with:\nvppctl show classify table verbose\n\nthen (depending on acl mode):\n\nvppctl show inacl type l2\n\nor\n\nvppctl show inacl type ip4\n\nvppctl show inacl type ip6",
+ "collectionId": "5bad4634-e5cf-900e-9733-0976aa9bea64",
+ "responses": [],
+ "rawModeData": "{\n\n \"acl\": [\n {\n \"type\" : \"vpp-acl:mixed-acl\",\n \"name\" : \"acl6\"\n }\n ]\n}",
+ "folder": "c05d7211-11b0-5688-2079-afa51196045c"
+ },
 {
 "id": "4442a2fd-497d-ee8d-22cd-43b72c358f67",
 "headers": "Authorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application/json\n",
diff --git a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
index 58a72ab30..c74845ce7 100644
--- a/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
+++ b/v3po/v3po2vpp/src/main/java/io/fd/honeycomb/translate/v3po/interfaces/acl/ingress/IetfAclWriter.java
@@ -152,13 +152,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
     private static boolean appliesToIp4Path(final Ace ace) {
         final AceType aceType = ace.getMatches().getAceType();
-        if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv4) {
+        final AclType aclType = AclType.fromAce(ace);
+        if (aclType == AclType.IP4) {
             return true;
         }
-        if (aceType instanceof AceEth) {
+        if (aclType == AclType.ETH) {
             return true; // L2 only rules are possible for IP4 traffic
         }
-        if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+        if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType)
             .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv4) {
             return true;
         }
@@ -167,13 +168,14 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
     private static boolean appliesToIp6Path(final Ace ace) {
         final AceType aceType = ace.getMatches().getAceType();
-        if (aceType instanceof AceIp && ((AceIp) aceType).getAceIpVersion() instanceof AceIpv6) {
+        final AclType aclType = AclType.fromAce(ace);
+        if (aclType == AclType.IP6) {
             return true;
         }
-        if (aceType instanceof AceEth) {
-            return true; // L2 only rules are possible for IP6 traffic
+        if (aclType == AclType.ETH) {
+            return true; // L2 only rules are possible for IP6 traffic
         }
-        if (aceType instanceof AceIpAndEth && ((AceIpAndEth) aceType)
+        if (aclType == AclType.ETH_AND_IP && ((AceIpAndEth) aceType)
             .getAceIpVersion() instanceof org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.access.lists.acl.access.list.entries.ace.matches.ace.type.ace.ip.and.eth.ace.ip.version.AceIpv6) {
             return true;
         }
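Review bot: `AclType.fromAce(ace)` now throws `IllegalArgumentException` for an ACE without ip-version (the check added at line 291 of this file), so `appliesToIp4Path` and `appliesToIp6Path`, which previously returned false for such an ACE, become throwing paths; unless the caller validates every ACE before issuing any VPP calls (not visible in these hunks), a write can fail after classify tables for earlier ACEs have already been created. Consider validating the whole list up front, or at least documenting the new contract on both helpers, e.g. `/** @throws IllegalArgumentException if the ACE does not carry an ip-version, see AclType.fromAce */`. The same applies to the appliesToIp6Path hunk that follows. In the ETH_AND_IP branch of both methods the raw `aceType` is still cast to `AceIpAndEth` next to the freshly computed `aclType`, keeping two sources of truth for the same ACE; exposing the IP version from `AclType` (or a small shared helper) would remove the duplicated fully-qualified `instanceof` and the near-identical method bodies. Both method bodies continue past the end of their hunks.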
@@ -291,9 +293,12 @@ public final class IetfAclWriter implements JvppReplyConsumer, AclTranslator {
             result = ETH;
         } else if (aceType instanceof AceIp) {
             final AceIpVersion aceIpVersion = ((AceIp) aceType).getAceIpVersion();
+            if (aceIpVersion == null) {
+                throw new IllegalArgumentException("Incomplete ACE (ip-version was not provided): " + ace);
+            }
             if (aceIpVersion instanceof AceIpv4) {
                 result = IP4;
-            } else {
+            } else if (aceIpVersion instanceof AceIpv6) {
                 result = IP6;
             }
         } else if (aceType instanceof AceIpAndEth) {
-- 
cgit 1.2.3-korg
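Review bot: Changing the trailing `else` to `else if (aceIpVersion instanceof AceIpv6)` leaves an `AceIpVersion` that is neither `AceIpv4` nor `AceIpv6` falling through without assigning `result`; if `result` starts out null (its declaration is outside the hunk), the method then returns null and the `aclType == AclType.IP4`-style comparisons in `appliesToIp4Path`/`appliesToIp6Path` silently evaluate to false for that ACE instead of failing fast like the new null check does. A terminal branch keeps the behaviour consistent: `} else { throw new IllegalArgumentException("Unsupported ip-version " + aceIpVersion + " in ACE: " + ace); }`. The `AceIpAndEth` branch that follows is outside the hunk, so whether it receives the same null guard (the commit title says ip-version is mandatory for all ACEs) cannot be confirmed from here; the enclosing method also starts before this hunk.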