/* * Copyright (c) 2016 Cisco and/or its affiliates. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package io.fd.honeycomb.translate.v3po.interfaces.acl.common; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelSession; import io.fd.vpp.jvpp.core.dto.ClassifyAddDelTable; import java.net.InetAddress; import java.net.UnknownHostException; import java.util.BitSet; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv6Prefix; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpHeaderFields; import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.packet.fields.rev160708.AclIpv6HeaderFields; import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.vpp.acl.rev161214.InterfaceMode; interface Ip6AclTranslator { int ETHER_TYPE_OFFSET = 12; // first 14 bytes represent L2 header (2x6) int IP_VERSION_OFFSET = ETHER_TYPE_OFFSET + 2; int DSCP_MASK1 = 0x0f; int DSCP_MASK2 = 0xc0; int IP_PROTOCOL_OFFSET = IP_VERSION_OFFSET + 6; int IP_PROTOCOL_MASK = 0xff; int IP6_LEN = 16; int SRC_IP_OFFSET = IP_VERSION_OFFSET + 8; int DST_IP_OFFSET = SRC_IP_OFFSET + IP6_LEN; int SRC_PORT_OFFSET = DST_IP_OFFSET + IP6_LEN; int DST_PORT_OFFSET = SRC_PORT_OFFSET + 2; default boolean ip6Mask(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header, final AclIpv6HeaderFields ip6, final ClassifyAddDelTable request) { boolean aceIsEmpty = true; if (InterfaceMode.L2.equals(mode)) { // in L2 mode we need to match ether type request.mask[baseOffset + ETHER_TYPE_OFFSET] = (byte) 0xff; request.mask[baseOffset + ETHER_TYPE_OFFSET + 1] = (byte) 0xff; } if (header.getDscp() != null) { aceIsEmpty = false; // DCSP (bits 4-9 of IP6 header) request.mask[baseOffset + IP_VERSION_OFFSET] |= DSCP_MASK1; request.mask[baseOffset + IP_VERSION_OFFSET + 1] |= DSCP_MASK2; } if (header.getProtocol() != null) { // Internet Protocol number aceIsEmpty = false; request.mask[baseOffset + IP_PROTOCOL_OFFSET] = (byte) IP_PROTOCOL_MASK; } if (ip6.getFlowLabel() != null) { aceIsEmpty = false; // bits 12-31 request.mask[baseOffset + IP_VERSION_OFFSET + 1] |= (byte) 0x0f; request.mask[baseOffset + IP_VERSION_OFFSET + 2] = (byte) 0xff; request.mask[baseOffset + IP_VERSION_OFFSET + 3] = (byte) 0xff; } if (header.getSourcePortRange() != null) { // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present aceIsEmpty = false; request.mask[baseOffset + SRC_PORT_OFFSET] = (byte) 0xff; request.mask[baseOffset + SRC_PORT_OFFSET + 1] = (byte) 0xff; } if (header.getDestinationPortRange() != null) { // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present aceIsEmpty = false; request.mask[baseOffset + DST_PORT_OFFSET] = (byte) 0xff; request.mask[baseOffset + DST_PORT_OFFSET + 1] = (byte) 0xff; } if (ip6.getSourceIpv6Network() != null) { aceIsEmpty = false; final byte[] mask = Impl.toByteMask(ip6.getSourceIpv6Network()); System.arraycopy(mask, 0, request.mask, baseOffset + SRC_IP_OFFSET, mask.length); } if (ip6.getDestinationIpv6Network() != null) { aceIsEmpty = false; final byte[] mask = Impl.toByteMask(ip6.getDestinationIpv6Network()); System.arraycopy(mask, 0, request.mask, baseOffset + DST_IP_OFFSET, mask.length); } return aceIsEmpty; } default boolean ip6Match(final int baseOffset, final InterfaceMode mode, final AclIpHeaderFields header, final AclIpv6HeaderFields ip6, final Integer srcPort, final Integer dstPort, final ClassifyAddDelSession request) { boolean noMatch = true; if (InterfaceMode.L2.equals(mode)) { // match IP6 etherType (0x86dd) request.match[baseOffset + ETHER_TYPE_OFFSET] = (byte) 0x86; request.match[baseOffset + ETHER_TYPE_OFFSET + 1] = (byte) 0xdd; } if (header.getDscp() != null) { noMatch = false; final int dcsp = header.getDscp().getValue(); // set bits 4-9 of IP6 header: request.match[baseOffset + IP_VERSION_OFFSET] |= (byte) (DSCP_MASK1 & (dcsp >> 2)); request.match[baseOffset + IP_VERSION_OFFSET + 1] |= (byte) (DSCP_MASK2 & (dcsp << 6)); } if (header.getProtocol() != null) { // Internet Protocol number noMatch = false; request.match[baseOffset + IP_PROTOCOL_OFFSET] = (byte) (IP_PROTOCOL_MASK & header.getProtocol()); } if (ip6.getFlowLabel() != null) { noMatch = false; final int flowLabel = ip6.getFlowLabel().getValue().intValue(); // bits 12-31 request.match[baseOffset + IP_VERSION_OFFSET + 1] |= (byte) (0x0f & (flowLabel >> 16)); request.match[baseOffset + IP_VERSION_OFFSET + 2] = (byte) (0xff & (flowLabel >> 8)); request.match[baseOffset + IP_VERSION_OFFSET + 3] = (byte) (0xff & flowLabel); } if (header.getSourcePortRange() != null) { // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present noMatch = false; request.match[baseOffset + SRC_PORT_OFFSET] = (byte) (0xff & srcPort >> 8); request.match[baseOffset + SRC_PORT_OFFSET + 1] = (byte) (0xff & srcPort); } if (header.getDestinationPortRange() != null) { // TODO (HONEYCOMB-253): port matching will not work correctly if Options are present noMatch = false; request.match[baseOffset + DST_PORT_OFFSET] = (byte) (0xff & dstPort >> 8); request.match[baseOffset + DST_PORT_OFFSET + 1] = (byte) (0xff & dstPort); } if (ip6.getSourceIpv6Network() != null) { noMatch = false; final byte[] match = Impl.toMatchValue(ip6.getSourceIpv6Network()); System.arraycopy(match, 0, request.match, baseOffset + SRC_IP_OFFSET, IP6_LEN); } if (ip6.getDestinationIpv6Network() != null) { noMatch = false; final byte[] match = Impl.toMatchValue(ip6.getDestinationIpv6Network()); System.arraycopy(match, 0, request.match, baseOffset + DST_IP_OFFSET, IP6_LEN); } return noMatch; } class Impl { private static final int IP6_MASK_BIT_LENGTH = 128; private static byte[] toByteMask(final int prefixLength) { final BitSet mask = new BitSet(IP6_MASK_BIT_LENGTH); mask.set(0, prefixLength, true); if (prefixLength < IP6_MASK_BIT_LENGTH) { mask.set(prefixLength, IP6_MASK_BIT_LENGTH, false); } return mask.toByteArray(); } private static byte[] toByteMask(final Ipv6Prefix ipv6Prefix) { final int prefixLength = Short.valueOf(ipv6Prefix.getValue().split("/")[1]); return toByteMask(prefixLength); } private static byte[] toMatchValue(final Ipv6Prefix ipv6Prefix) { final String[] split = ipv6Prefix.getValue().split("/"); final byte[] addressBytes; try { addressBytes = InetAddress.getByName(split[0]).getAddress(); } catch (UnknownHostException e) { throw new IllegalArgumentException("Invalid IP6 address", e); } final byte[] mask = toByteMask(Short.valueOf(split[1])); int pos = 0; for (; pos < mask.length; ++pos) { addressBytes[pos] &= mask[pos]; } // mask can be shorter that address, so we need to clear rest of the address: for (; pos < addressBytes.length; ++pos) { addressBytes[pos] = 0; } return addressBytes; } } }